A System to Detect Forged-Origin Hijacks

@inproceedings{Holterbach2024,
	title        = {A System to Detect Forged-Origin Hijacks},
	author       = {Thomas Holterbach and Thomas Alfroy and Amreesh Phokeer and Alberto Dainotti and Cristel Pelsser},
	year         = 2024,
	booktitle    = {21th USENIX Symposium on Networked Systems Design and Implementation ({NSDI} 24)},
	publisher    = {USENIX Association},
	abstract     = {Despite global efforts to secure Internet routing, attackers still successfully exploit the lack of strong BGP security mechanisms. This paper focuses on an attack vector that is frequently used: Forged-origin hijacks, a type of BGP hijack where the attacker manipulates the AS path to make it immune to RPKI-ROV filters and appear as legitimate routing updates from a BGP monitoring standpoint. Our contribution is DFOH, a system that quickly and consistently detects forgedorigin hijacks in the whole Internet. Detecting forged-origin hijacks boils down to inferring whether the AS path in a BGP route is legitimate or has been manipulated. We demonstrate that current state-of-art approaches to detect BGP anomalies are insufficient to deal with forged-origin hijacks. We identify the key properties that make the inference of forged AS paths challenging, and design DFOH to be robust against real-world factors (e.g., data biases). Our inference pipeline includes two key ingredients: (i) a set of strategically selected features, and (ii) a training scheme adapted to topological biases. DFOH detects 90.9% of the forged-origin hijacks within only ≈5min. In addition, it only reports ≈17.5 suspicious cases every day for the whole Internet, a small number that allows operators to investigate the reported cases and take countermeasures.},
	groups       = {International Conferences}
}