Data-Plane Telemetry to Mitigate Long-Distance BGP Hijacks

TL;DR

This paper proposes a delay-based detection system called HiDe to identify long-distance BGP hijacks by monitoring increased propagation delays, demonstrating high accuracy and practicality in real-world deployments.

Contribution

It introduces a novel data-plane telemetry approach using delay variations for hijack detection and designs HiDe, a system capable of real-time, line-rate detection without disrupting normal operations.

Findings

Delay increases of at least 25% are observed in 86% of victim-attacker country pairs.

HiDe reliably detects delay surges caused by hijacks at line rate.

The system's accuracy and false-positive rate are validated with real-world data and ethical hijacking experiments.

Abstract

Poor security of Internet routing enables adversaries to divert user data through unintended infrastructures (hijack). Of particular concern -- and the focus of this paper -- are cases where attackers reroute domestic traffic through foreign countries, exposing it to surveillance, bypassing legal privacy protections, and posing national security threats. Efforts to detect and mitigate such attacks have focused primarily on the control plane while data-plane signals remain largely overlooked. In particular, change in propagation delay caused by rerouting offers a promising signal: the change is unavoidable and the increased propagation delay is directly observable from the affected networks. In this paper, we explore the practicality of using delay variations for hijack detection, addressing two key questions: (1) What coverage can this provide, given its heavy dependence on the geolocations of the sender, receiver, and adversary? and (2) Can an always-on latency-based detection system be deployed without disrupting normal network operations? We observe that for 86% of victim-attacker country pairs in the world, mid-attack delays exceed pre-attack delays by at least 25% in real deployments, making delay-based hijack detection promising. To demonstrate practicality, we design HiDe, which reliably detects delay surges from long-distance hijacks at line rate. We measure HiDe's accuracy and false-positive rate on real-world data and validate it with ethically conducted hijacks.