Incremental deployment strategies for effective detection and prevention of BGP origin Hijacks


A variety of solutions have been proposed for detecting and preventing IP hijack attacks. Despite potentially serious consequences these solutions have not been widely deployed, partially because many ISPs do not view their risk as large enough to warrant investment. Nevertheless, a number of organizations such as critical national infrastructure are at a very high risk level and require a deployed solution. Is it possible for these sites to be protected despite the majority apathy, given that a critical mass of ISPs is generally required to participate in the solution? We examine this conflict by presenting an approach which determines AS vulnerability based on topological location. We next examine the effectiveness of incremental security deployment. We separately examine BGP hijack detection which, if improperly peered, may completely miss a hijack. Finally, we address a pessimistic view with respect to deployment and propose an approach in which an autonomous system can act in its own self-interest to determine a minimal threshold for hijack detection or prevention.

Publication Title

Proceedings - International Conference on Distributed Computing Systems