Profiling BGP Serial Hijackers: Capturing Persistent Misbehavior in the Global Routing Table

C. Testart, P. Richter, A. King, A. Dainotti, D. Clark
Type
Conference paper
Publication
ACM Internet Measurement Conference (IMC)
Location
Amsterdam, Netherlands
Date
Abstract

BGP hijacks remain an acute problem in today’s Internet, with widespread consequences. While hijack detection systems are readily available, they typically rely on a priori prefix-ownership information and are reactive in nature. In this work, we take on a new perspective on BGP hijacking activity: we introduce and track the long-term network behavior of serial hijackers, networks that repeatedly hijack address blocks for malicious purposes, often over the course of many months or even years. Based on a ground-truth dataset that we construct by extracting information from operator mailing lists, we illuminate the dominant network characteristics of serial hijackers, and how they differ from legitimate networks. We then distill features that can capture these behavioral differences and train a machine learning model to automatically identify Autonomous Systems (ASes) that exhibit characteristics similar to serial hijackers. Our classifier identifies some ~1,000 potentially misbehaving ASes in the global IPv4 routing table. We analyze and categorize these networks, finding a wide range of indicators both for malicious activity, misconfiguration, as well as benign cases of hijacking activity. Our work presents a solid first step towards identifying and understanding this important category of networks, which can aid network operators in taking proactive measures to defend themselves against prefix hijacking and serve as input for current and future detection systems.