Is Crunching Public Data the Right Approach to Detect BGP Hijacks?
Alessandro Giaconia, Muoi Tran, Laurent Vanbever, Stefano Vissicchio

TL;DR
This paper demonstrates that current BGP hijack detection methods based on public data and machine learning are vulnerable to data poisoning attacks: an attacker can evade detection with only a handful of malicious route injections.
Contribution
It reveals the vulnerability of existing ML-based BGP hijack detection systems to data poisoning and highlights the limitations of relying solely on public BGP data for security.
Findings
State-of-the-art systems like DFOH and BEAM are susceptible to data poisoning.
Attackers can evade detection with only a few crafted announcements.
Data poisoning can significantly distort detection metrics.
Abstract
The Border Gateway Protocol (BGP) remains a fragile pillar of Internet routing. BGP hijacks still occur daily. While full deployment of Route Origin Validation (ROV) is ongoing, attackers have already adapted, launching post-ROV attacks such as forged-origin hijacks. To detect these, recent approaches like DFOH [Holterbach et al., USENIX NSDI '24] and BEAM [Chen et al., USENIX Security '24] apply machine learning (ML) to analyze data from globally distributed BGP monitors, assuming anomalies will stand out against historical patterns. However, this assumption overlooks a key threat: BGP monitors themselves can be misled by adversaries injecting bogus routes. This paper shows that state-of-the-art hijack detection systems like DFOH and BEAM are vulnerable to data poisoning. Using large-scale BGP simulations, we show that attackers can evade detection with just a handful of crafted…
