iSPY: Detecting IP Prefix Hijacking on My Own


What is iSPY?

iSPY is a defense system against IP prefix hijacking.

IP prefix hijacking poses a serious threat to the robustness and security of the Internet routing system. Any network whose prefix is hijacked may experience reachability problems and cannot easily identify the actual cause. IP prefix hijacking is essentially a special form of denial of service attack. Hijacked prefixes can also be used for carrying out malicious activities, raising the challenge of identifying the actual perpetrator. Eliminating IP prefix hijacking is close to impossible given today's routing design, partly due to the lack of authoritative information on prefix ownerships. Even with such information, topology can still be spoofed without modifying prefix owners, resulting in intercepted traffic. Thus, there is a critical need to design an effective IP prefix hijacking detection system to inform the mitigation response and help locate the responsible AS for the attack. Such a detection system should satisfy all of the following critical requirements:

iSPY is an IP prefix hijacking detection system that satisfies all of the above requirements. It exploits a key observation about IP prefix hijacking: due to the rich connectivity of the ASes in the Internet, a prefix hijack almost always pollutes a significant percentage of the ASes, i.e., those ASes will route any packet destined to the hijacked prefix to the attacker's network, as opposed to the victim's network. In other words, when a prefix hijack is ongoing, the victim's network will experience failure in probing a large number of networks, as the probe reply will be routed to the attacker's network. This observation motivates our prefix-owner-centric data-plane-based hijacking detection system. Essentially, each network deploys iSPY to detect hijacking of its own prefixes, and iSPY simply performs continuous probing to transit ASes and detects hijacking events based on the observed reachability to these ASes.

A fundamental difference between iSPY and previous approaches using data-plane information is that iSPY is prefix-owner-centric in that each network performs real-time probing in the data plane to detect potential hijacking of its own prefix(es). This approach makes the detection system not only

same as previous proposals, but also exhibit the following additional properties: Furthermore, the prefix-owner-initiated probing for AS-level paths in iSPY avoids the firewall problem in previous vantage-point-based probing: since the probing is initiated from inside the network, the probe packets can usually exit the prefix owner's network. Most transit networks enable ICMP replies; thus, the probes can effectively test reachability to such networks. Lastly, upon detecting a hijacking event, the victim network has also identified the set of polluted networks and can notify them of the event, e.g., using a different prefix.

iSPY Software Download


Faculty: Y. Charlie Hu, Z. Morley Mao
Students: Zheng Zhang, Ying Zhang
and Randy Bush


iSPY: Detecting IP Prefix Hijacking on My Own.
Zheng Zhang, Ying Zhang, Y. Charlie Hu, Z. Morley Mao, and Randy Bush.
To appear in ACM/IEEE Transactions on Networking (ToN), 2010.

iSPY: Detecting IP Prefix Hijacking on My Own.
Zheng Zhang, Ying Zhang, Y. Charlie Hu, Z. Morley Mao, and Randy Bush.
Proceedings of ACM SIGCOMM, Seattle, WA, August 17-22, 2008.

Last updated: