by Hitesh Ballani, Paul Francis, Xinyang Zhang
Slides by Benson Luk for CS 217B





An AS advertises a false
route for an IP prefix,
stealing traffic that is
heading for those IPs
May be configuration error
or malicious
Can DOS actual destination
Can redirect to phishing
servers
Has occurred multiple times
in the past


When will Y choose X’s invalid path over the
original, correct path?
Depends on:
◦ 1. Provider-peer-customer relationship
◦ 2. Advertised AS-hop distance to destination
◦ 3. Y’s internal routing
AS Y’s traffic to prefix p can (✓), cannot (✗) or can
partly (–) be hijacked depending on its existing route
and the invalid route.



Hijack traffic for a
prefix, then forward it
to the real destination
Man in the middle
attack
Transparent to victim
X’s original path to C3:
X-W-Q-C1-C2-C3
1.
2.
3.

X sends false
advertisement to Z
Z propagates path
to W
W changes its path
to C3: W-Z-X-?
Requirement: None of the ASes along the
route to the actual destination used by the
hijacking AS should choose the invalid route
advertised

Assuming “valley-free” property (majority of Internet):
◦ All route paths and route advertisement propagation paths
consist of:
 0 or more customer-provider links, followed by
 0 or 1 peer link, followed by
 0 or more provider-customer links
In exactly that order

3 cases:
◦ X’s existing route is a customer route
 X can safely advertise hijack path to all neighbors. The
advertisement will never loop back to X’s real path
◦ X’s existing route is a peer route
 X can safely advertise hijack path to all neighbors
◦ X’s existing route is a provider route
 X can safely advertise hijack path to customers and peers.
Advertising to providers may cause a loop.

Advertise to neighbors that its distance to a
target prefix is 1 hop
◦ Hijacks all traffic for that prefix from peers with
existing provider routes to the prefix
◦ Hijacks all traffic for that prefix from peers with
existing peer routes with length > 1 to the prefix
◦ Hijacks some traffic for peers with existing peer
routes of length 1 to the prefix
 We’ll have an upper and lower bound of hijacked traffic
based on this

Tier 1 ASes only have peers and customers
◦ Can always intercept if it hijacks


Collected routing tables from University of
Oregon’s Route-Views repository for 7 Tier 1
ASes
For each AS, determine the prefixes in the
Internet routing table whose traffic can be
hijacked from the other 6 ASes



Used all 34 ASes in Route-Views repository
◦ 7 tier 1, 19 tier 2, 8 tier 3+
Used Cooperative Association for Internet Data
Analysis (CAIDA)’s AS relationship data to determine
provider-peer-customer topology
For each AS: Can it hijack traffic for prefix p (in one
of the 33 other ASes)? If yes, can it route the traffic to
p’s owner?


Actual hijacking % is the percentage of ASes in the Route-View
set that chose the invalid route
Real-world results are within estimated range for 11 of 16 events

Deployed hosts at 5 different sites.
◦ 1 host would be a target
◦ Other 4 emulate an ISP and try to intercept target’s
traffic


Stub AS with only provider links to the rest of
internet, so manually configured which
routers advertise invalid paths and which
don’t in order to not create loops
Used 23k recursive nameservers in 7.5k
different ASes to generate traffic aimed at
target host



Traffic interception can cause next-hop
anomalies
Used the Route-Views repository to determine
the sets of next-hop ASes
For date-plane information, used traceroutes
collected in IPlane project
◦ Traceroutes to ~100,000 prefixes from ~200 nodes daily

Mapped IPs to ASes and compared with next-hop
data for four different days

Majority of anomalies detected were due to incorrect IP-to-AS mapping
data
◦ Many cases in which an AS uses IPs which appear to belong to another AS’s address
space




Many anomalies due to traffic engineering: propagating specific paths
only to specific peers, etc.
The vast majority of detected anomalies are explained away with these
reasons.
Unable to conclusively classify any anomalies as traffic interception
Does not rule out existing traffic interception
◦ These anomalies occur only for certain specific cases of traffic interception. Other
cases of traffic interception may not create this anomaly




ASes higher up in the routing hierarchy can
hijack and intercept prefixes from the
majority of ASes on the Internet
Even small ASes can hijack and intercept
prefixes from a significant number of ASes
Proof of concept suggests that it is simple for
ASes to intercept traffic within the existing
routing setup
Attempt to detect interception shows some of
the many challenges in accurately detecting
interception


Made a lot of assumptions and simplifications
on how ASes decide to route
Sample size for estimated numbers seems
low
◦ Used 34 ASes, currently there are over 49k assigned
ASNs

Does it really matter?