Buddyguard: Reliable Detection of IP Prefix Hijacking (and Other Prefix-Level Anomalies).

Due to operational malpractice or security attacks, an IP prefix (i.e., a block of IP addresses) can undergo many types of routing anomalies. Perhaps the best-known of these is prefix hijacking, where an attacker diverts traffic meant to reach the legitimate user of a prefix. Anomalies can also easily arise from misconfiguration, such as route leaks that affect large portions of the address space. While various solutions have been proposed to detect such attacks, they are limited in scope and susceptible to attacker countermeasures.

We present Buddyguard, a new approach to detecting prefix anomalies, and prefix hijacking in particular. Buddyguard compares the routes to a monitored prefix with the routes to numerous buddy prefixes that behave similarly to the monitored prefix, and raises an alarm when the routes to the monitored prefix differ significantly from the routes to the buddy prefixes. Our evaluation results show that Buddyguard provides fast and accurate monitoring of IP prefix anomalies, and its introduction and use of buddy prefixes makes it resilient against resourceful attackers.
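The following Python sketch is an added illustration of the comparison idea described above; it is not Buddyguard's own code, and the buddy-selection rule, the path-similarity measure, the thresholds, the vantage points and all prefixes and AS numbers (documentation prefixes and private-use ASNs) are constructed assumptions for the example. It shows why comparing against buddy prefixes matters: a bogus origin seen at half of the vantage points for the monitored prefix alone is flagged, while an upstream change that affects the monitored prefix and its buddies alike is not.

```python
"""Simplified buddy-prefix anomaly detector (added example; not Buddyguard's implementation)."""
from typing import Dict, List, Tuple

ASPath = Tuple[int, ...]
# A snapshot maps vantage point -> prefix -> observed AS path (origin AS last).
Snapshot = Dict[str, Dict[str, ASPath]]

MONITORED = "203.0.113.0/24"                                    # constructed
CANDIDATES = ["192.0.2.0/24", "198.51.100.0/24", "198.18.0.0/24"]  # constructed


def path_similarity(p: ASPath, q: ASPath) -> float:
    """Length of the shared origin-side suffix, normalised by the longer path (assumed measure)."""
    shared = 0
    for a, b in zip(reversed(p), reversed(q)):
        if a != b:
            break
        shared += 1
    return shared / max(len(p), len(q))


def select_buddies(history: List[Snapshot], monitored: str, candidates: List[str],
                   min_sim: float = 0.8, top_k: int = 3) -> List[str]:
    """Assumed rule: buddies are the candidates whose routes, averaged over all
    vantage points and historical snapshots, most resemble the monitored prefix's routes."""
    scores: Dict[str, float] = {}
    for cand in candidates:
        sims = [path_similarity(routes[monitored], routes[cand])
                for snap in history for routes in snap.values()
                if monitored in routes and cand in routes]
        if sims:
            scores[cand] = sum(sims) / len(sims)
    ranked = sorted((c for c in scores if scores[c] >= min_sim), key=lambda c: -scores[c])
    return ranked[:top_k]


def detect_anomaly(snapshot: Snapshot, monitored: str, buddies: List[str],
                   sim_cut: float = 0.5, alert_frac: float = 0.5) -> Tuple[bool, float, List[str]]:
    """A vantage point is 'divergent' when the monitored prefix's path resembles none of the
    buddies' paths there. Alarm when the divergent fraction reaches alert_frac (assumed thresholds)."""
    divergent: List[str] = []
    counted = 0
    for vp, routes in snapshot.items():
        buddy_paths = [routes[b] for b in buddies if b in routes]
        if monitored not in routes or not buddy_paths:
            continue                     # no comparison possible at this vantage point
        counted += 1
        best = max(path_similarity(routes[monitored], bp) for bp in buddy_paths)
        if best < sim_cut:
            divergent.append(vp)
    frac = len(divergent) / counted if counted else 0.0
    return frac >= alert_frac, frac, divergent


def normal_snapshot() -> Snapshot:
    """Constructed baseline: four vantage points; monitored prefix and two buddies share
    upstream AS 64501 and origin AS 64500; a third candidate is routed elsewhere."""
    first_hops = {"vp1": 64496, "vp2": 64497, "vp3": 64498, "vp4": 64499}
    snap: Snapshot = {}
    for vp, hop in first_hops.items():
        shared = (hop, 64501, 64500)
        snap[vp] = {MONITORED: shared, "192.0.2.0/24": shared,
                    "198.51.100.0/24": shared, "198.18.0.0/24": (hop, 64503, 64504)}
    return snap


def hijack_snapshot() -> Snapshot:
    """Constructed anomaly: at two vantage points only the monitored prefix now originates from AS 64505."""
    snap = normal_snapshot()
    for vp in ("vp1", "vp2"):
        snap[vp][MONITORED] = (snap[vp][MONITORED][0], 64505)
    return snap


def upstream_change_snapshot() -> Snapshot:
    """Constructed benign change: at vp1 the monitored prefix AND its buddies gain a new transit hop."""
    snap = normal_snapshot()
    for prefix in (MONITORED, "192.0.2.0/24", "198.51.100.0/24"):
        snap["vp1"][prefix] = (64496, 64502, 64501, 64500)
    return snap


if __name__ == "__main__":
    buddies = select_buddies([normal_snapshot()], MONITORED, CANDIDATES)
    print("buddies:", buddies)
    for name, snap in [("normal", normal_snapshot()), ("hijack", hijack_snapshot()),
                       ("upstream change", upstream_change_snapshot())]:
        print(name, "->", detect_anomaly(snap, MONITORED, buddies))
```

Running the module prints the selected buddies (the two prefixes that share the monitored prefix's routes) and then one verdict per snapshot: the hijack snapshot trips the alarm with half the vantage points divergent, while the baseline and the shared upstream change do not.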

Our publications and relevant documents include the following:

