iSPY: Detecting IP Prefix Hijacking on My Own


What is iSPY?

iSPY is a defense system against IP prefix hijacking.

IP prefix hijacking is an attack on the Border Gateway Protocol (BGP). BGP is the lifeblood of the Internet: it is responsible for distributing reachability information across the Internet. Prefix hijacking can cause IP prefixes to become unreachable. In the past, there have been several serious prefix hijacking incidents that targeted important prefixes, such as those of a root DNS server, Google, and YouTube. However, there is still no effective solution for preventing hijackings, and even detecting a hijacking is challenging on its own.

iSPY improves on the state-of-the-art techniques for prefix hijacking detection. The distinguishing feature of iSPY is that, to protect a prefix, it only needs to run on a single machine inside that prefix. iSPY requires neither external BGP feeds nor any component running on external machines, which makes it easy to deploy.

iSPY demo

iSPY monitors the reachability from the protected prefix to many external Autonomous Systems (ASes). A metric called "cuts" is derived from the topology pattern of the unreachable ASes, and this metric is used to detect hijackings.
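
As an added illustration (not iSPY's own code, and not its exact metric), the following shows how a cuts-style metric over an AS-level path tree can separate a single link failure, which removes one contiguous region, from a hijack, which typically leaves unreachable ASes scattered across the tree. The AS numbers, paths, cut definition and alarm threshold are all constructed assumptions.

```python
# Added illustration (not iSPY's code): a "cuts" style metric over an
# AS-level path tree rooted at the AS that originates the monitored prefix.
# Assumed cut definition for illustration only: an unreachable AS whose
# next hop toward the prefix is still reachable starts a new unreachable
# region, and each such region counts as one cut.

MONITORED_AS = 100          # constructed: AS originating the protected prefix
CUT_THRESHOLD = 3           # hypothetical alarm threshold, not from the paper

# Constructed AS paths from the monitored prefix to external ASes, as a
# traceroute-based probe might learn them (root AS listed first).
AS_PATHS = [
    [100, 200, 201, 2011],
    [100, 200, 201, 2012],
    [100, 200, 202],
    [100, 200, 203],
    [100, 300, 301, 3011],
    [100, 300, 302],
]

def build_tree(paths):
    """Map each AS to its next hop toward the monitored prefix (root -> None)."""
    parent = {}
    for path in paths:
        parent.setdefault(path[0], None)
        for hop, nxt in zip(path, path[1:]):
            parent[nxt] = hop
    return parent

def count_cuts(parent, unreachable):
    """Number of unreachable ASes whose upstream hop is still reachable."""
    unreachable = set(unreachable)
    return sum(
        1 for asn, up in parent.items()
        if asn in unreachable and up is not None and up not in unreachable
    )

def raise_alarm(parent, unreachable, threshold=CUT_THRESHOLD):
    """Scattered unreachability (many cuts) is treated as a hijack symptom."""
    return count_cuts(parent, unreachable) >= threshold

TREE = build_tree(AS_PATHS)
# Constructed scenario 1: the link to provider AS 200 fails; everything behind
# it disappears as one contiguous region, giving 1 cut and no alarm.
LINK_FAILURE = {200, 201, 202, 203, 2011, 2012}
# Constructed scenario 2: a hijack pollutes routing in scattered ASes, 4 cuts.
HIJACK = {202, 2011, 302, 3011}

if __name__ == "__main__":
    for name, lost in (("link failure", LINK_FAILURE), ("hijack", HIJACK)):
        print(f"{name}: cuts={count_cuts(TREE, lost)} alarm={raise_alarm(TREE, lost)}")
```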

1) iSPY running during a hijacking

In a prefix hijacking experiment we conducted, iSPY reported the following statistics and raised a detection alarm 2.1 minutes after the hijacking began.

(Figures: Unreachable ASes; Cuts)

2) iSPY running during peace (live!)

iSPY running on a host on Purdue campus, monitoring the prefix 128.46.0.0/16.

<Image not available because the monitoring machine is offline>

(Cuts figure to be filled here)

How does iSPY work?

TO BE FILLED

People

Faculty: Y. Charlie Hu, Z. Morley Mao;
Students: Zheng Zhang, Ying Zhang;
and Randy Bush.

Paper

Zheng Zhang, Ying Zhang, Y. Charlie Hu, Z. Morley Mao, and Randy Bush. iSPY: Detecting IP Prefix Hijacking on My Own. To appear in Proceedings of ACM SIGCOMM'08, Seattle, WA, August 17-22, 2008.