Using Bursty Announcements for Early Detection of BGP Routing Anomalies

by   Pablo Moriano, et al.
Indiana University Bloomington

Despite the robust structure of the Internet, it is still susceptible to disruptive routing updates that prevent network traffic from reaching its destination. In this work, we propose a method for early detection of large-scale disruptions based on the analysis of bursty BGP announcements. We hypothesize that the occurrence of large-scale disruptions is preceded by bursty announcements. Our method is grounded in analysis of changes in the inter-arrival times of announcements. BGP announcements that are associated with disruptive updates tend to occur in groups of relatively high frequency, followed by periods of infrequent activity. To test our hypothesis, we quantify the burstiness of inter-arrival times around the date and times of three large-scale incidents: the Indosat hijacking event in April 2014, the Telecom Malaysia leak in June 2015, and the Bharti Airtel Ltd. hijack in November 2015. We show that we can detect these events several hours prior to when they were originally detected. We propose an algorithm that leverages the burstiness of disruptive updates to provide early detection of large-scale malicious incidents using local collector data. We describe limitations, open challenges, and how this method can be used for large-scale routing anomaly detection.



There are no comments yet.


page 7


Internet Anomaly Detection based on Complex Network Path

Detecting the anomaly behaviors such as network failure or Internet inte...

Graph Convolutional Networks for traffic anomaly

Event detection has been an important task in transportation, whose task...

A Fast-Convergence Routing of the Hot-Potato

Interactions between the intra- and inter-domain routing protocols recei...

Anomaly Detection for an E-commerce Pricing System

Online retailers execute a very large number of price updates when compa...

CommunityWatch: The Swiss-Army Knife of BGP Anomaly Detection

We present CommunityWatch, an open-source system that enables timely and...

Detecting anomalies in heterogeneous population-scale VAT networks

Anomaly detection in network science is the method to determine aberrant...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

The Internet, although extremely robust (Doyle et al., 2005), is notoriously vulnerable to attack by means of the Border Gateway Protocol (BGP) (Butler et al., 2010). BGP exchange messages are assumed to be trustworthy. In other words, the reachability information shared between autonomous systems (ASes) is assumed to be correct without any verification. Despite the fact that the latest version of the BGP protocol was released in 2006 (Rekhter et al., 2006), there are no inherent protection mechanisms against participants advertising false routes.

In practice, BGP lacks authentication mechanisms not only for the announcement of the origin of IP prefixes but also the paths to that prefix. This leaves BGP vulnerable to unintended misconfiguration and malicious attacks (Goldberg, 2014). The results of these disruptions include traffic blackholing and interception. In traffic blackholing, the network traffic is dropped, never reaching its destination (Dyn Guest Blogs, 2008). In traffic interception, the announcing AS reroutes traffic for the victim IP prefix and redirects it to the original origin AS after interception (Dyn Guest Blogs, 2013). On this misdirected route, the traffic may be subject to eavesdropping (Arnbak and Goldberg, 2015), traffic analysis (Sun et al., 2015), or tampering (Shaw, 2013).

Well-known examples of BGP anomalies include the China Telecom hijack in 2010 (Hiran et al., 2013), the targeted interception of U.S. Internet traffic through Iceland and Belarus in 2013 (Peterson, 2013), and the large Indonesia ISP hijack in 2014 (Toonk, 2014; Zmijewski, 2014). During the China incident, a routing update caused a large fraction of the world’s Internet traffic (approximately 50,000 IP prefixes) to be redirected to China Telecom. This constitutes a very well-known example of a blackhole. A more recent incident was initiated by Indonesia’s largest communication provider, Indosat. This incident was even larger than the China Telecom incident. The Indonesian ISP hijacked more than 320,000 routes. This means that Indosat laid claim to roughly two-thirds of the Internet for almost three hours. These were all identified only the after widespread diffusion of the incorrect routing information.

The current approaches to the challenges of routing anomalies rely on cryptographic authentication or anomaly detection. Cryptographic protocols include the Resource Public Key Infrastructure (RPKI) (Lepinski and Kent, 2012) for origin authentication, and BGPSec (Lepinski and Sriram, 2017) which offers the ability to authenticate an entire path. These approaches are powerful, but there has not been widespread adoption (Gill et al., 2011). This may be because of processor requirements, memory requirements, or a lack of incentive alignment (Hall et al., 2014). Cryptographic solutions are also expensive. Perhaps more importantly, it has been shown that even with their widespread adoption, it will be not possible to avoid the occurrence of route leaks, such as the Malaysian incident in 2015 (Toonk, 2015b; Madory, 2015).

Anomaly detection approaches rely on measuring the control-plane (using BGP feeds) or the data-plane (exploring reachability of IP addresses in suspicious announced routes), or a combination of both. Anomaly detection does not require changes in the protocol itself. They primarily are used in detecting anomalies based on passive or active measurements in order to alert operators for mitigation and response  (Khare et al., 2012; Zhang et al., 2010; Shi et al., 2012; Toonk, [n. d.]). Anomaly detection approaches are reactive because they identify harm after disruptive updates have polluted some detectable threshold of ASes with fake announcements.

Here we propose a detection method that aims to identify incipient incidents before diffusion and harm, by identifying a routing event as it emerges. Our goal is to identify events several hours prior to the state-of-the-art detection method, BGPmon (Toonk, [n. d.]). To do this, we use control-plane data collected by the RouteViews (Meyer, 2004) and served by BGPStream (Orsini et al., 2016). The key observation in our anomaly detection method is that there are bursty BGP announcements before new routes are adopted by neighbor ASes. We characterize bursty announcements through statistical analysis of inter-arrival times. We conduct a case-based systematic analysis of the changes of inter-arrival times that are associated with three well-known anomalous events. This paper provides the following contributions:

(1) We validate our conjecture that inter-arrival time patterns of BGP announcements are a useful signature for early identification of large-scale routing incidents. (Section 4.2) We show that bursty patterns of announcements are noticeable before the detection of the incidents by the current state-of-the-art detection system (Toonk, [n. d.]). To do so, we quantify the burstiness of BGP announcements by observing that when there are large-scale incidents, there are groups of announcements with short inter-arrival times followed with larger ones. We report that this observation is independent of the volume of announcements.

(2) We describe the design of a proof-of-concept BGP anomaly detection method that uses data only from current route collectors. (Section 4.3) We use RouteViews route collectors to compute a detection signature of large-scale incidents based on the impact of short inter-arrival times. We discuss how it is possible to anticipate more clearly when an incident is imminent depending on the view of a specific collector (quantified by the number of router feeders).

(3) We report results of a longitudinal analysis of large-scale routing incidents. (Section 4.4) We evaluated the proposed method by studying three different large-scale routing incidents, i.e., Indosat in April 2014, Telecom Malaysia in June 2015, and Bharti Airtel Ltd. in November 2015. Our approach allows for statistically significant differentiation between normal behavior and disruption or anomalous changes during the incidents. The three cases we address were easily identified following the large-scale disruptions but not before. Description of the incidents and reasons for selecting them are in Section 3.1.2.

We will provide access to the data collection and analysis scripts for reproducibility purposes.

2. Related work

The detection method presented in this paper is informed by past research in detection and mitigation of BGP anomalies. Here we provide an overview of related works in these two areas.

2.1. Detection of BGP anomalies

BGP anomaly detection approaches are usually classified based on the type of data that is used for the task. In that respect, there are:

control-plane, data-plane, and hybrid approaches. Control-plane approaches passively monitor BGP updates or routing tables from a distributed set of BGP monitors (Lad et al., 2006; Khare et al., 2012; Sermpezis et al., 2018b). These approaches look for inconsistencies in the origin of prefixes announced by ASes or unexpected path changes. In particular, the work in (Lad et al., 2006) proposes a Prefix Hijack Alert System (PHAS). PHAS relies on the idea of finding unique prefixes simultaneously originating from multiple ASes—also referred as Multiple Origin AS conflicts. Once these conflicts are detected, this method filters false positives using additional information from the network operators, e.g., checking announcements of similar prefixes from different ASes that belong to the same organization. In contrast, the work in (Khare et al., 2012) focuses on correlating suspicious route announcements with past network announcements. This method can detect anomalies that have a huge impact, i.e., announcements that pollute a considerable number of paths. Control-plane methods are usually designed to be implemented as a third-party services such as BGPmon (Toonk, [n. d.]). They have been effective in detecting large-scale events but tend to report a large number of false positives (Zhao et al., 2001; Sermpezis et al., 2018a). To deal with these shortcomings, the work in (Sermpezis et al., 2018b) proposes ARTEMIS. ARTEMIS is an AS self-operated detection system that exploits local configuration and real-time BGP data from public monitoring services. In contrast with previous control-plane approaches, ARTEMIS provides protection among different types of attacks, including man-in-the-middle traffic manipulation, within a minute of detection delay. All the previously mentioned methods are reactive and notify routing anomalies after the incident occurred. The proposed method belongs to the control-plane category. In contrast with previous methods, it relies on analyzing real-time BGP updates from the route collector perspective and is able to anticipate when a large-scale event is going to occur with several hours of anticipation. Our method is able to detect in advance a wide variety of attacks including traffic interception and route leaks.

Data-plane approaches use ping/traceroute to detect anomalies in the route of data (Zheng et al., 2007; Zhang et al., 2010). These approaches rely on monitoring the reachability of routes from the victim to detect anomalies. The work in (Zheng et al., 2007) proposed a distributed scheme for detecting BGP anomalies based on departures of hop count stability and AS path similarity. Following this methodology, the work in (Zhang et al., 2010) proposed iSPY. iSPY generates an alarm every time the reachability of a predefined prefix is not observable from multiple vantage points. Data-plane approaches are able to pinpoint suspicious path changes in the traffic which results in higher detection accuracy. However, they do not scale well since they require a considerable number of active measurements for characterizing regular paths and have large latency (Xiang et al., 2011). Data-plane approaches are complementary to the proposed method, but they are reactive in terms of being able to detect anomalies once they are widely spread and do not allow the ability to anticipate when an event is incipient.

Hybrid approaches have been developed to address the limitations of exclusively control- and data-plane methods (Hu and Mao, 2007; Shi et al., 2012). The main idea behind hybrid approaches is to use control-plane inconsistencies to inform data-plane measurements, i.e., by exploring the reachability of packets in a particular network. The work in (Hu and Mao, 2007) explored this idea by proposing a framework that launches data-plane probes only when anomalous update messages are received. This system was intended to be used as customized software installed in the routers. Following this idea, the work in (Shi et al., 2012) introduced Argus. Argus is an automated system that detects prefix hijacking and deduces the origin of the anomaly. Argus is based on pervasively correlating control- and data-plane data during a given time period to detect anomalies including sub-prefix hijacks. The proposed method is able to identify sophisticated attacks as those that are able to be identified by hybrid approaches without using data-plane information. It allows predictive occurrence of anomalies relying only on control-plane information.

2.2. Mitigation of BGP anomalies

Several proposals to secure BGP are based on the use of public-key cryptography for the authentication of route announcements (Kent et al., 2000; Ng, 2004; Lepinski and Sriram, 2017). Cryptographic-signed messages allow the verification of the identity of ASes that claim a certain route. They are based on the RPKI for assignment and distribution of public keys (Lepinski and Kent, 2012). The RPKI designates a hierarchy of authorities based on RIRs (regional Internet registries) to allocate and authorize IP space in BGP through the use of digital signatures and public key certificates. RPKI allows secure origin authentication.

The use of the RPKI alone does not require changes in the BGP protocol. The RPKI is an out-of-band mechanism in which routers download information for decision making and does not require the use of online cryptography. However, there are reasons that limit the scope of the RPKI for securing BGP. Researchers have debated the agreement of a trusted Certificate Authority (Cooper et al., 2013), difficulties to correctly configure the RPKI (Wählisch et al., 2012), a general lack of commitment and incentives to lead their implementation (Gill et al., 2011), and its permissiveness to certain types of attacks, e.g., path shortening attacks (Goldberg, 2014).

To remedy limitations with respect to the type of attacks that can be undetectable with only origin validation, path validation proposals have been discussed. As opposed to origin validation, path validation proposals authenticate every AS in the path of a corresponding announcement. The work in (Kent et al., 2000) proposed secure BGP (S-BGP) to validate path attributes in BGP updates messages. Information in S-BGP is validated in the RPKI. This is done through the use of attestations, i.e., signed messages that verify the authenticity of route announcements. Address attestations are statements signed by known authorities that map Autonomous System Numbers (ASNs) to prefixes to verify that the ASes originating the route were eligible to do so. Route attestations are statements signed by ASes and operationalized in the AS-PATH attribute. They are used for each AS in the path attribute to confirm that the next AS in the path has received the announcement and was the right to forward it. S-BGP provides full authentication of origin and path through attestations. Along the same lines, another proposal is secure origin BGP (soBGP) (Ng, 2004). soBGP relies on the RPKI for handling public keys to soBGP speaking routers, maintaining certificates of routing policies, and authentication of IP space and ASes. soBGP relies on a graph topology database to validate policy interactions between ASes. Update messages violating AS topology policies are dropped. Note that the graph topology database used in soBGP is relatively static given that the topology will only change when there is a change in the policy agreements. By contrast, S-BGP performs attestations every time there is a new update.

Another proposed standard is BGPSec (Lepinski and Sriram, 2017). BGPSec builds on RPKI to distribute and manage cryptographic keys that are used to sign and authenticate every AS on the path of a corresponding announcement. In contrast to S-BGP and soBGP, BGPSec is an integral part of the BGP protocol requiring online cryptography in which routers sign and verify every message that they sent. This creates computational overheads and requires routers hardware upgrades. This economic incentive, for network operators, makes it difficult to think of in its fully implementation (Goldberg, 2014). In the context of partial deployment, the work in (Lychev et al., 2013) shows that BGPSec alone does not offer a significant security improvement when compared with only RPKI usage under certain routing policy scenarios.

Although RPKI and path validation proposals are able to offer BGP protection against a wide variety of attacks, they fail when trying to avoid the adoption of leaked routes. A route leak occurs when an AS announces valid routes beyond their intended scope, i.e., the AS announces a route that is in violation of the receiver, the sender and/or one of the ASes along the preceding AS path (Sriram et al., 2016). These types of anomalies still can generate blackholes and are even prone to traffic interception (Goldberg et al., 2010). Our proposed method is lightweight and able to detect in advance malicious route manipulation and route leaks.

For a comprehensive surveys on BGP anomaly detection and mitigation methods, we refer the reader to the works in (Butler et al., 2010; Al-Musawi et al., 2017; Mitseva et al., 2018).

3. Methods

To provide early indicators of large-scale disruptions, we leverage the statistic-based anomaly detection method SRI NIDES used in the intrusion detection context (Javitz and Valdes, 1993). Essentially, our method considers route announcements as signals with expected patterns of behavior and detects deviations from the expected patterns. Our focus is on inter-arrival times rather than the specific content of the announcements themselves. Claiming illegitimate ownership of a significant fraction of the Internet requires transmitting correspondingly bursty announcements causing large perturbations in the patterns of route announcements.

Using this approach requires accurate, time-stamped historical BGP announcements. Section 3.1 provides details on the data source. The source of the data for the construction of the database of the large-scale routing anomalous events (to establish the ground truth) is BGPSteam and is described in Section 3.1.1. The focus is on the study of well-known incidents identified in Section 3.1.2. The measure of burstiness that was used to characterize the occurrence of the incidents is described in Section 3.2; and the resulting detection method is detailed in Section 3.3. This work does not include human subjects and as such is exempt from IRB oversight.

3.1. Data sources

3.1.1. BGP data

We collected BGP updates (announcements and withdrawals) using BGPStream111Available at Update timestamp accuracy is one second. BGPStream provides an open-source software framework for the analysis of historical and real-time BGP data (Orsini et al., 2016). To do so, BGPStream extracts data directly from route collectors. A route collector (collector, hereafter) is a host running a collector process. The collector emulates a router that establishes BGP peering sessions with BGP routers. These collection points are real routers known as feeders. There are two popular projects running route collector processes, RouteViews (Meyer, 2004) and RIPE RIS (RIPE NCC, 2011).

At the time of this writing, RouteViews and RIPE RIS operate and collectors which peer with hundreds of feeders (Gregori et al., 2012). We acknowledge that there are other sources of BGP data, including network operators, other route collector projects such as BGPmon (Yan et al., 2009) (from Colorado State University222This refer to the free BGP monitoring service available at, and Packet Clearing House (House, [n. d.]). However, previous research has shown that there is a considerable overlap between the measurements from RouteViews and RIPE RIS projects (Chen et al., 2009). In addition, as pointed out in (Gregori et al., 2015), RouteViews provides the more complete view of the Internet in terms of IP prefix coverage. Therefore, we only collected BGP updates from RouteViews.

3.1.2. Routing anomalous events

Our data collection is based on a subset of BGP updates that cover the time before, during, and after selected incidents. We collected approximately seven days of observations around the start date of each of them. The purpose of collecting data over this time period is to be able to distinguish between regular and anomalous behavior. We consider these exceptional routing incidents because of their impact to the Internet, the sheer number of prefixes, and the fact that these incidents have not previously received detailed academic analysis so that we could not know their patterns of diffusion in advance. Details about the incidents and their respective dates and times are listed below. Events are listed in chronological order. Note that these anomalous events have been studied and corroborated from different sources. To summarize:

An Indonesian ISP hijacks the world. On April 2, 2014, starting at 18:26 UTC, Indosat (one of the largest telecommunications providers in Indonesia) announced more than IP prefixes belonging to other networks. Indosat announced roughly two-thirds of the entire Internet address space (Toonk, 2014; Zmijewski, 2014). A large fraction of the hijacked prefixes belonged to Akamai, which is one of the larger Content Delivery Networks. This incident lasted approximately for hours until 21:15 UTC. Traffic continued to be delivered; however, the path of the traffic was significantly altered.

Global collateral damage of the Telecom Malaysia leak. On June 12, 2015, starting at 08:43 UTC, Telecom Malaysia announced about IP prefixes to Level 3 (the largest crossing AS) (Toonk, 2015b; Madory, 2015). Level 3 accepted these announcements and then propagated the routes to their peers and customers around the word. Because Telecom Malaysia is a customer of Level 3, the routes announced by Telecom Malaysia were identified as a preferred delivery route for Level 3. This event caused a significant packet loss and Internet service degradation around the world. Level 3 suffered a significant blackout from the Asia pacific region and the rest of the world. Note this was a leak, so the data were not delivered after being transmitted to Telecom Malaysia. This incident lasted approximately hours. At around 10:40 UTC there were slowly observed improvements, and by 11:15 UTC the errors in the Routing Information Base (RIB) (Rekhter et al., 2006) began to be resolved.

Large scale BGP hijack in India. On November 6, 2015, starting at 05:52 UTC, Bharti Airtel Ltd., claimed the ownership of about IP prefixes. These addresses corresponded to more than two thousand unique ASes (Toonk, 2015a; Murphy, 2015). This event became widespread because two large ASes (e.g., Cogent Communications and GlobeNet Cabos Submarinos S.A.) accepted and propagated these routes to their peers and customers. Legitimate owners of the prefixes included Akamai, Tata Communications, and Apple Inc. This incident lasted approximately hours until 14:40 UTC.

3.2. Burstiness of announcements

Let be a time series of time-stamped announcements sent by AS and received by collector . Let

be a random variable that represents the time interval between consecutive announcements so that

takes values in . Burstiness refers to the tendency of certain events to occur in groups of relatively high frequency, i.e., short inter-arrival time intervals, followed by periods of relatively infrequent events (Harang and Kott, 2017). Mathematically, it can be characterized by analyzing the inter-arrival time distribution . As was proposed in (Goh and Barabási, 2008), the inter-arrival distribution can be characterized by a burstiness factor defined by . Here and

denote the standard deviation and mean of the inter-arrival time distribution. Note that the burstiness has a value of

for , which means regular time intervals. It has a value of for in the case of random time intervals. Finally, it has a value of for and a finite in the case of a highly bursty time series of announcements.

3.3. Detection method

We leverage the measure of inter-arrival times as received by the collectors to compute a measure of intensity based on the burstiness of announcements. This measure was originally used in the context of intrusion detection in (Javitz and Valdes, 1993). Let be the number of announcements sent by AS and received by collector exponentially weighted. This means that more current announcements have a greater impact in its computation, i.e., short inter-arrival times. The value of is computed using the recursive formula


Here is the decay factor and is the inter-arrival time between consecutive announcements. The decay factor determines the half-life of . Large values of imply that the value of is more influenced by more recent announcements. Smaller values of imply that the value of will be more heavily influenced by announcements in the distant past. Detection focuses on identifying observations in the time series of

, for which its value exceeds a threshold that is a function of the mean and standard deviation. We use the moving average and moving standard deviation as the mean and standard deviation estimators respectively. The parameter

is the window length in the moving average model. The parameter controls how many standard deviations are considered to report an event. The complete pseudocode for the detection algorithm can be found in Appendix A.

4. Results

In this section, we analyze the previously described BGP incidents. We analyzed the views from several data collectors at various locations around the world. Table 1 in Appendix B shows the geographical location and the date of the first dump of the collectors used in this study333Collectors’ location and date of the first dump were obtained from RouteViews and BGPStream respectively.. We analyzed BGP announcements and withdrawals, but the withdrawals did not effect our results, perhaps in part because the volume of withdrawals is significantly less (Wang et al., 2002; Lad et al., 2003; Deshpande et al., 2004). Our results presented here include only announcements.

We conduct four different but complementary analyses. First, we monitor the dynamic behavior of the number of feeders peering with each collector (Section 4.1). To this end, we perform a longitudinal analysis that spans over years to quantify the trends in contribution of feeders to the collectors. This analysis shows the time when some collectors started attracting or being disconnected from some feeders—we relied on the number of routers for this. A large number of feeders produces a robust view of Internet activity. This indicates the time-frame when collectors could construct a representative view of Internet activity. This analysis is complementary to the works in (Gregori et al., 2012, 2015) that focused on a single month of observations and other works (Wang et al., 2002; Zhang et al., 2004; Deshpande et al., 2004; Li et al., 2007) that analyze a stream of BGP updates as seen from a single collector.

Second, we show how each of the large-scale incidents is perceived from the point of view of the different collectors (Section 4.2). To do so, we measure the number of announcements received by the collectors before, during, and after the incident. We study how announcements vary based on the number of feeders into a particular collector. We found that the incident can be viewed more clearly from those collectors with more feeders. This is particularly true for collectors in North America and Europe. Some collectors are unable to detect the incident because, with a small number of feeders, the collector is unable to construct a robust view of the Internet. This is a result of the low number of feeders peering with the collectors, as exemplified in the case of several African countries  (Gregori et al., 2017).

Third, we analyze the inter-arrival times of announcements at the collectors (Section 4.3). We characterize these with a measure of burstniess used previously for studying human dynamics in (Barabási, 2005; Goh and Barabási, 2008). This allows us to quantify the burstiness of announcements before, during, and after the incidents. We show that ASes involved in the reported incidents exhibit a statistically significant change in the inter-arrival pattern of their BGP announcements at the collectors. We show that for early detection of BGP incidents, the volume of messages is not enough for incident detection. In contrast, the burstiness of the announcements sent by ASes and seen for a specific collector is a complementary discriminator to the volume of announcements and helps identify anomalous behavior. More importantly, we show that changes in burstiness occur several hours before the incidents were reported in practice.

Fourth, we propose a method for detecting anomalous announcements based on quantifying the burstiness of announcements that are received by the collectors (Section 4.4). This allows us to characterize the distinguishing features that occur before the incidents. Given these distinguishing features, we introduce a detection algorithm and evaluate its effectiveness using real-stream data obtained from collectors during the incidents.

4.1. Feeder contribution analysis

To quantify the number of feeders peering with each collector, we parse RIB dumps of each collector and count the number of unique peering routers. We counted the number of unique routers on the first day of each month at noon for 195 consecutive months from October 2001 to December 2017. This allowed us to study the evolution of the number of feeders per collector.

Figure 1 shows the time series of the number of feeders based on the number of routers. We see that, in general, that there is an increase in feeders over time. In particular, route-views.linx, route-views.saopaulo, and route-views4 report the highest number of feeders by the end of the observation period. Conversely, route-views.kixp, route-views.soxrs, and route-views.wide show a significantly lower number of feeders, confirming the recent findings by Gregori et al. in (Gregori et al., 2017).

There are also some collectors with fluctuations in this time period. In particular, the number of peering routers seems to decrease by mid 2016 for route-views.saopaulo and route-views4. Despite this, even more importantly, route-views4 has the highest feeder count. This is important to our work because the capacity to detect the incidents depends on collectors having a robust view of the Internet so that they may construct an accurate baseline. Therefore, collectors need to have a minimum number of feeders to be able to see the incident.

Figure 1. Time series of the number of routers peering with collectors. Collectors are ordered in alphabetical order. Major ticks correspond to nine-month intervals while minor ticks correspond to one-month intervals.

4.2. Collectors’ disruption perception

We show observations during a seven-day period around the occurrence of the incidents. These are highlighted in the plot between the two vertical dashed lines as reported by the state-of-the-art BGP anomaly detection system BGPmon (Toonk, [n. d.]). We ranked the collectors in decreasing order by the number of feeders. We show the view from the four collectors with the highest number of feeders and offer complete details (as well as data and Python scripts upon request) for the remaining collectors. Note that the events are observable by analyzing the view of the four collectors before the incidents were reported by leading third-party services including as Oracle Dyn and BGPmon respectively (Zmijewski, 2014; Toonk, 2014).

Indosat incident. Figure 2 shows the number of announcements received from the AS responsible for the incident, i.e., AS 4761. This incident is perceived differently at each collector. The incident is almost unnoticeable for collectors with a low number of feeders (route-views.soxrs, route-views.perth, and route-views.kixp with , and feeders respectively). For the other collectors, two things happen. First, there is a significant increase in the number of received announcements. This increase is almost four orders of magnitude in the majority of the cases. Second, the frequency at which the announcements are received is higher than other announcements that are not close to the occurrence of the incident, i.e., around the highlighted region. This last observation implies shorter inter-arrival times in the proximity of the incident. It is worth noting that for the collectors which received announcements, this striking behavior is perceived almost four hours before the incident.

Figure 2. Time series of the number of announcements from AS 4761 that collectors received before, during, and after the Indosat incident in 2014 for the top four collectors. Major ticks correspond to six-hour intervals while minor ticks correspond to two-hour intervals.

Telecom Malaysia incident. Figure 3 shows the number of announcements received by every collector, recall the originator is AS 4788. Some collectors observe an increase in burstiness in announcements received prior to the incident. The number of announcements increases up to four orders of magnitude. Even more importantly, these announcements occur highly intermittently and frequently. As in the case of the Indonesia incident, some collectors did not see the behavior that we are describing, e.g., route-views.sorxs and route-views.kixp, with two and four feeders respectively. Note that this pattern of behavior occurs almost three hours before the incident was detected.

Figure 3. Time series of the number of announcements from AS 4788 that collectors received before, during, and after the Telecom Malaysia incident in 2015.

Bharti Airtel Ltd. incident. Figure 4 shows the number of AS 9498 announcements received by the collectors. As with Indonesia and Malaysia, the incident is seen more clearly from some collectors than from others, and from some not at all. For collectors where the incident would have been detectable, the number of announcements increases up to five orders of magnitude. Note that the the bursty behavior of the announcements right before the incident is less intense than in the previous cases. Again, this burstiness is clearly noticeable several minutes before the incident was detected on the network.

Figure 4. Time series of the number of announcements from AS 9498 that collectors received before, during, and after the Bharti Airtel Ltd. incident in 2015.

4.3. Inter-arrival time analysis

There is both a significant increase in the number of arrivals of announcements before the incident (see Section 4.2

) and a dramatic increase in the frequency at which these announcements are received by the collectors. The following analysis reveals that the inter-arrival time of announcements as seen by the collectors exhibits a significant degree of burstiness. To ground the results, we first analyze the joint distribution of activity of each AS based on the burstiness (horizontal axis) and the number of announcements (vertical axis) during one full day of measurements around the incident. Collectors are ranked in decreasing order by number of feeders. We provide details for the top four collectors in this work. To assure an accurate assessment of burstiness, we only consider ASes that sent more than

announcements during this time interval (Kim and Jo, 2016). We marked with “squares” the ASNs of the top five ASes based on CAIDA’s customer cone size ranking (cai, 2018), i.e., AS 3356, AS 1299, AS 174, AS 2914, AS 3257. They provide a baseline for comparison. We mark with a “star” the ASN that was responsible for the incident. The dark cells indicate a high concentration of ASes with a characteristic burstiness and number of announcements.

Second, we test if the apparent effect is real or is it due to chance. In particular, we apply a Monte Carlo test in which the null hypothesis is that ASes send announcements in a bursty manner even during times where there is no evidence of a BGP incidents. For this analysis, we collected time series of announcements over a full day of observations where no BGP incidents have been detected. One hundred of these random time series were compiled for each collector for the top five ASes (again based on CAIDA’s customer cone size ranking) and the AS involved in each incident. In each of these 100 time series, we compute the ASes associated burstiness. Here we provide the results for the top four collectors based on the number of feeders, again with data and details for the other collectors available upon request.

Indosat incident. Figure 5 shows that during the incident, most of the ASes have a burstiness that is below (the th percentile) and produce fewer than announcements (the th percentile). There are dashed lines on these percentiles. Note that the AS represented by the star (i.e., Indosat) has the highest burstiness. Note also that those ASes in the second quadrant (with more than announcements) have a considerable number of announcements but lower burstiness (i.e., AS 27738, AS 9829, AS 53062, AS 36998, AS 29571). These ASes appear consistently among the different collectors but were not reported to be involved in the incident. Conversely, those ASes in the fourth quadrant show high burstiness, but the number of announcements is not significant (i.e., AS 7629, AS 61125, AS 9497, AS 132045). We found that those ASes are not neighbors of Indosat (corroborated through (cai, 2018)) nor involved in the incident. This empirical finding reveals that although the volume of announcements increases for different ASes during the incident, the actual AS involved in the incident has a distinct burstiness pattern that starts several hours before the incident was reported. This observation is complementary to the works in (Lad et al., 2003; Deshpande et al., 2004) in which a significant increase in the volume of announcements is used as a detection signature, as well as illustrating the benefit of including a measure of burstiness.

Figure 5. Joint distribution based on the the burstiness (horizontal axis) and number of announcements (vertical axis) during one day interval around the Indosat incident.

Figure 6

shows notched box plots comparing the burstiness calculated from different collectors for the baseline ASes and the AS involved in the incident (the last one) under the null hypothesis. Notched box plots have a contraction around the median whose height is statistically important. When notches of the boxes overlap, there is not a statistically significant difference between the medians. In this case, these plots illustrate that the burstiness of each of the ASes under study are not significantly different when there is no incident. However, the observation highlighted with the cross corresponds to the test statistic for the observations derived during the interval of the incident. As can be seen, for collectors receiving announcements from the AS involved in the incident, this observation lays outside the region of statistical indistinguishably. This suggests that the burstiness during the incident is statistically significant different, and it is unlikely that such values would be observed under random conditions. This argument reinforces the argument that the volume of announcements is a necessary but not sufficient feature for early detection of large-scale BGP incidents (see Fig. 

5). High burstiness is a distinctive feature in these incidents.

Figure 6. Monte Carlo test for burstiness. Last column corresponds to the observations of the AS responsible for the incident, AS 4761. The test statistic, the burstiness observed during the interval of the attack, is marked with a cross.

Telecom Malaysia incident. Figure 7 shows that the AS involved in the incident has a distinct characterization in the distribution, i.e., AS 4788. It has both high burstiness and number of announcements. Most of the ASes have a burstiness that is below (the th percentile) and produce less than announcements (the th percentile). Note that there are ASes that sent a high number of announcements and do not have high burstiness compared to Telecom Malasya (those in the second quadrant), e.g., AS 9892, AS 9829, AS 9583. These ASes were not involved with the incident nor are they neighbors of Telecom Malaysia. Conversely, the ASes in the fourth quadrant have higher burstiness but fewer announcements compared to Telecom Malaysia, e.g., AS 28681, AS 10208, AS 8402, AS 45209. These are not neighbors of Telecom Malaysia but there is no evidence of malicious updates coming from them.

Figure 7. Joint distribution based on the total number of announcements and their burstiness during one day interval around the Telecom Malaysia incident.

Figure 8 shows the distribution of burstiness computed over samples of random one day intervals. The burstiness of Telecom Malaysia is highlighted with the cross. This figure shows that the burstiness of the AS that was involved in the incident is statistically significantly larger when compared to its own normal behavior (e.g., baseline and null comparisons).

Figure 8. Monte Carlo test for burstiness. The last column corresponds to the observations of the AS responsible for the incident, AS 4788.

Bharti Airtel Ltd. incident. Figure 9 shows that the burstiness of AS 9498 is not as high as the burstiness of the perpetrators of the incidents in Indonesia and Malaysia. Here most of the ASes have a burstiness that is below 0.90 (the 99th percentile) and produce fewer than announcements (the 99th percentile). However, for the majority of the collectors, Bharti Airtel sent a large number of announcements that placed it in the second quadrant. However, there are other ASes in the second quadrant, e.g., AS 262949, AS 9829, AS 36408, AS 28573, AS 21669. From these, AS 9829 and AS 36408 are customers of AS 9498. Conversely, we find that AS 394104, AS 11139, AS 133722, and AS 42040 have high burstiness and relatively fewer announcements, but they are not neighbors of AS 9498 nor involved with the incident.

Figure 9. Joint distribution based on the total number of announcements and their burstiness during the one day interval around the Bharti Airtel Ltd. incident.

Figure 10 shows the Monte Carlo test for AS 9498 and the top ranked five ASes. We observe that the burstiness of AS 9498 is at the boundary of the distribution but not as significant as in the Indonesia and Malaysia cases. This reflects the fact that for this incident, announcements were less bursty. They are significant when compared with the normal behavior of AS 9498.

Figure 10. Monte Carlo test for burstiness. The last column corresponds to the observations of the AS responsible for the incident, i.e., AS 9498.

4.4. Anomaly detection

The main idea of our anomaly detection method relies on profiling the expected behavior of a signal and then detecting deviations from the expected pattern. To do so, we rely on the measure of burstiness of announcements as perceived by the collectors. Analyzing the volume of announcements can be misleading, and adding the measure of burstiness has two advantages. A high volume of announcements may be caused by BGP session resets and other vendor specific behaviors (Wang et al., 2002). It enables earlier detection of anomalies and decreases the number of candidates to be examined as potential anomalies (e.g., quadrant two in Figs. 5, 7, 9).

To evaluate burstiness, we compute the time series for each incident, based on equation (1). The solid line represents the value of for each arriving unique announcement message at time . In accordance with previous studies in (Labovitz et al., 2000; Zhang et al., 2004), we verify that most of inter-arrival times of announcements are less than seconds (the th percentile for most of the collectors). We then use seconds as the half-life value to capture most of routing dynamics. Then the decay factor is set to be . Each horizontal gray band represents one standard deviation from the moving average using the same window length. We use as the estimator for the window length because it is the lowest value that reduces the mean square error between the empirical observations and the moving average. The darkness of the bands indicates the distance from the means based on Algorithm 1. Observations that lay more than two standard deviations away from the moving average are marked with stars, i.e., we use . Note that the values of , , and may be tuned for detection purposes.

Indosat incident. Figure 11 shows that almost four hours before the event was reported, is more than two standard deviations away from the moving average. Interestingly, the data from route-views.linx— the collector with the highest number of feeders— is the first to deviate from the mean, specifically h min and

seconds before the earliest detection of the incident. The deviations of the other collectors are later but still hours before the incident was actually detected. Note these outliers do not show up at other dates or times of the time series.

Figure 11. time series for the Indosat incident.

Telecom Malaysia incident. Figure 12 shows the time series of for four collectors. The value of is more than two standard deviations almost four hours before the incident was reported by BGPmon. Here the collector with the more anticipated observation is route-views4, with anomalous readings clear h min and seconds before detection. Note also that route-views.saopaulo reports no outliers, meaning that the perceived burstiness is not as high as for the other collectors (see Fig. 7).

Figure 12. time series for the Telecom Malaysia incident.

Bharti Airtel Ltd. incident. Figure 13 shows that collectors observe anomalies in advance of the detection of the incident. However, route-views2—the collector that received the burstiest signal according to Fig. 9—observes these outliers only min before. The lower impact may be correlated with lessor potential for advance notice, but there is no data to assert this as a conclusion.

Figure 13. time series for the Bharti Airtel Ltd. incident.

5. Discussion

Routing anomalies caused by both misconfigurations and malicious intent have tested the resilience of Internet core protocols (Moriano et al., 2017). Here, we propose an anomaly detection method and show that it would identify three large scale anomalies significantly in advance when compared with the state-of-the-art method (Toonk, [n. d.]). To do so, we analyze inter-arrival times of BGP announcements leveraging the RouteViews collector infrastructure. We found that the burstiness, along with the volume of announcements, has the potential to provide early warnings of routing anomalies before they are evident using traditional control-plane and data-plane approaches. We believe that the proposed method is a complement to current anomaly detection approaches.

To validate the effectiveness of the proposed method, we conducted analysis for three cases of large-scale routing anomalies (see Section 3.1.2 for more details). We have evaluated the statistical significance of announcement burstiness, before, during, and after the events. We found that the perpetrators of the incidents have statistically significant bursty patterns that are visible from the collectors several hours before the incidents were reported by others. We analyze the same features under the null case (of no incidents) and corroborate that the bursty behavior is characteristic of announcements sent prior the detection of the incidents. By relying on this key observation, we propose an algorithm to identify when there is an incipient anomalous incident. The data and scripts used in this research will be made available for reproducibility purposes.

The proposed method would be effective against hijacks, route leaks, and other misconfigurations. Having noted the potential for our approach, we are also aware of some limitations of our proposed work.

Real-time data availability: Our analysis is based on BGP announcements received by RouteViews collectors. Only a subset of these collectors support real-time monitoring through BGPmon444Here BGPmon refers to the free monitoring service develop by Colorado State University available at The RouteViews data used in our analysis relies on BGPStream, which has an access delay of approximately 20 min (Sermpezis et al., 2018b). One option for further research is to run these experiments with a reduced number of current real-time RouteViews collectors through BGPmon. In addition, RIPE RIS provides an API to access real-time BGP updates for a limited number of collectors. Through sharing our scripts, we hope that individual collectors could implement this approach and report the results in the future.

Feeder contribution: Our method treats each router contribution as equivalent. In fact, they vary significantly in terms of IP space coverage as shown in previous research (Gregori et al., 2012, 2015).

Unknown efficacy for subtle attacks: We evaluated our method for large-scale high-impact routing incidents, both hijacks and route leaks. However, we do not investigate other attack configurations that are used for more subtle attacks. This analysis excludes incidents such as when U.S. Internet traffic was rerouted through Iceland and Belarus in 2013 (Peterson, 2013) and routing attacks on cryptocurrencies (Apostolaki et al., 2017).

Focus on early detection but not mitigation: We propose an anomaly detection method that allows early identification of BGP large-scale incidents. To do so, the effectiveness of our proof-of-concept is evaluated based on its ability to detect incidents before state-of-the-art detection methods. Yet we do not discuss mitigation strategies once the events are detected, e.g., prefix deaggregation (Lutu et al., 2012). Of course, these mitigation strategies can be implemented on top of our proposed method to avoid wide diffusion of route misinformation.

Burstiness is a complement to volume measurements: Burstiness needs to be measured simultaneously with the volume of announcements. As confirmed by the results for the Indosat incident (see Section 4.4), burstiness and volume of announcements must be combined to reduce false positives and to provide early detection of the incidents.

Overhead in route collectors: Route collectors are instruments used for measurement in our proof-of-concept. For implementation purposes, the detection method might most effectively be implemented at the collectors. We do not expect these processes to impose significant overhead on the collectors, but we have no actual performance measurements.

6. Conclusion

When BGP was originally implemented, the operators of the control plane were part of a small community with high levels of trust and technical expertise. The vulnerability of the BGP trust model has since been proven by mistake and malfeasance. The proposed solutions to this have included cryptographic protocols for ensuring trustworthy information from trustworthy sources as well as methods for identification and remediation of incidents when they occur.

As a complement to current anomaly identification approaches, we have demonstrated a proof-of-concept that identifies real hijack incidents several hours before these were detected in practice by leveraging the current RouteViews collectors’ infrastructure. We have characterized three high-impact large-scale BGP anomalies from a different perspective, one derived by analyzing the patterns of burstiness of BGP announcements. The proposed method relies on the fact that large-scale disruption events produces groups of BGP announcements of relatively high frequency followed by periods of relatively infrequent events, which can be measured as burstiness. Relying on this observation, we describe a detection method that is able to indicate in advance, from a collector point of view, when an incident is incipient.

A natural extension of the proposed characterization is the study of bursty patterns around other malicious BGP anomalous events, ones at smaller scale. It is possible that the burstiness measure can be more robust against less severe attacks, i.e., when a lower number of networks are hijacked. In this work, we have explored our hypothesis under the conditions of large service disruptions (including an event that compromised roughly two-thirds of the Internet). Future work includes examining how these frequency patterns change with smaller events. Such future analysis relies on the proper identification and labeling of past events.

Additional future work includes examining the effectiveness of the proposed method with real-time BGP updates from different collector projects. BGPmon provides real-time BGP feeds from several feeders as well as some collectors in the RIPE RIS project. The approach in this paper can be also tested with a protocol specifically designed for monitoring purposes, such as the OpenBMP protocol (Scudder et al., 2016). An implementation of a prototype for anomaly detection based on the principles of this paper seems feasible with the availability of real-time data from different projects available in BGPStream. We also offer our scripts and collaboration to collectors that seek to use this locally.


  • (1)
  • cai (2018) 2018. CAIDA AS Rank. (Juy 2018). Date last accessed November, 30 2018.
  • Al-Musawi et al. (2017) B. Al-Musawi, P. Branch, and G. Armitage. 2017. BGP Anomaly Detection Techniques: A Survey. IEEE Commun. Surv. Tutor. 19, 1 (2017), 377–396.
  • Apostolaki et al. (2017) M. Apostolaki, A. Zohar, and L. Vanbever. 2017. Hijacking Bitcoin: Routing Attacks on Cryptocurrencies. In IEEE Symposium on Security and Privacy. San Jose, CA, USA, 375–392.
  • Arnbak and Goldberg (2015) A. Arnbak and S. Goldberg. 2015. Loopholes for Circumventing the Constitution: Unrestrained Bulk Surveillance on Americans by Collecting Network Traffic Abroad. Mich. Telecomm. Tech. L. Rev. 21, 2 (2015), 317–361.
  • Barabási (2005) A.-L. Barabási. 2005. The origin of bursts and heavy tails in human dynamics. Nature 435, 7039 (2005), 207.
  • Butler et al. (2010) K. Butler, T. R. Farley, P. McDaniel, and J. Rexford. 2010. A Survey of BGP Security Issues and Solutions. Proc. IEEE 98, 1 (2010), 100–122.
  • Chen et al. (2009) K. Chen, C. Hu, W. Zhang, Y. Chen, and B. Liu. 2009. On the Eyeshots of BGP Vantage Points. In Proceedings of the IEEE Conference on Global Telecommunications. Honolulu, Hawaii, USA, 3558–3563.
  • Cooper et al. (2013) D. Cooper, E. Heilman, K. Brogle, L. Reyzin, and S. Goldberg. 2013. On the Risk of Misbehaving RPKI Authorities. In Proceedings of the 12th ACM Workshop on Hot Topics in Networks. College Park, MD, USA, 16:1–16:7.
  • Deshpande et al. (2004) S. Deshpande, M. Thottan, and B. Sikdar. 2004. Early Detection of BGP Instabilities Resulting from Internet Worm Attacks. In Proceedings of the IEEE Global Telecommunications Conference, Vol. 4. Dallas, TX, USA, 2266–2270.
  • Doyle et al. (2005) J. C. Doyle, D. L. Alderson, L. Li, S. Low, M. Roughan, S. Shalunov, R. Tanaka, and W. Willinger. 2005. The “robust yet fragile” nature of the Internet. Proc. Natl. Acad. Sci. U.S.A. 102, 41 (2005), 14497–14502.
  • Dyn Guest Blogs (2008) Dyn Guest Blogs. 2008. Pakistan hijacks YouTube. (February 2008). Date last accessed August, 28 2017.
  • Dyn Guest Blogs (2013) Dyn Guest Blogs. 2013. The New Threat: Targeted Internet Traffic Misdirection. (November 2013). Date last accessed August, 28 2017.
  • Gill et al. (2011) P. Gill, M. Schapira, and S. Goldberg. 2011. Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security. In Proceedings of the ACM SIGCOMM 2011 Conference. Toronto, Ontario, Canada, 14–25.
  • Goh and Barabási (2008) K.-I. Goh and A.-L. Barabási. 2008. Burstiness and memory in complex systems. EPL 81, 4 (2008), 48002.
  • Goldberg (2014) S. Goldberg. 2014. Why Is It Taking So Long to Secure Internet Routing? Commun. ACM 57, 10 (2014), 56–63.
  • Goldberg et al. (2010) S. Goldberg, M. Schapira, P. Hummon, and J. Rexford. 2010. How Secure Are Secure Interdomain Routing Protocols. In Proceedings of the ACM SIGCOMM 2010 Conference. New Delhi, India, 87–98.
  • Gregori et al. (2012) E. Gregori, A. Improta, L. Lenzini, L. Rossi, and L. Sani. 2012. On the Incompleteness of the AS-level Graph: A Novel Methodology for BGP Route Collector Placement. In Proceedings of the 2012 ACM Conference on Internet Measurement Conference. Boston, Massachusetts, USA, 253–264.
  • Gregori et al. (2015) E. Gregori, A. Improta, L. Lenzini, L. Rossi, and L. Sani. 2015. A Novel Methodology to Address the Internet AS-Level Data Incompleteness. IEEE/ACM Trans. Netw. 23, 4 (2015), 1314–1327.
  • Gregori et al. (2017) E. Gregori, A. Improta, and L. Sani. 2017. On the African peering connectivity revealable via BGP route collectors. In International Conference on e-Infrastructure and e-Services for Developing Countries. Springer, Lagos, Nigeria, 368–376.
  • Hall et al. (2014) C. Hall, D. Yu, Z. Zhang, J. Stout, A. Odlyzko, A. W. Moore, L. J. Camp, K. Benton, and R. Anderson. 2014. Collaborating with the enemy on network management. In Cambridge International Workshop on Security Protocols. Cambridge, United Kingdom, 154–162.
  • Harang and Kott (2017) R. Harang and A. Kott. 2017. Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach. IEEE Trans. Inf. Forensic Secur. 12, 10 (2017), 2348–2359.
  • Hiran et al. (2013) R. Hiran, N. Carlsson, and P. Gill. 2013. Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident. In Proceedings of the 14th International Conference on Passive and Active Measurement. Hong Kong, China, 229–238.
  • House ([n. d.]) Packet Clearing House. [n. d.]. Packet Clearing House. ([n. d.]). Date last accessed November, 30 2018.
  • Hu and Mao (2007) X. Hu and Z. M. Mao. 2007. Accurate Real-Time Identification of IP Prefix Hijacking. In IEEE Symposium on Security and Privacy. Berkeley, CA, USA, 3–17.
  • Javitz and Valdes (1993) H. S. Javitz and A. Valdes. 1993. The NIDES statistical component: Description and justification. Technical Report. Computer Science Laboratory, SRI International, Menlo Park, CA.
  • Kent et al. (2000) S. Kent, C. Lynn, and K. Seo. 2000. Secure Border Gateway Protocol (S-BGP). IEEE J. Sel. Areas Commun. 18, 4 (2000), 582–592.
  • Khare et al. (2012) V. Khare, Q. Ju, and B. Zhang. 2012. Concurrent prefix hijacks: Occurrence and impacts. In Proceedings of the 2012 Internet Measurement Conference. Boston, MA, USA, 29–35.
  • Kim and Jo (2016) E.-K. Kim and H.-H. Jo. 2016. Measuring burstiness for finite event sequences. Phys. Rev. E 94 (2016), 032311.
  • Labovitz et al. (2000) C. Labovitz, A. Ahuja, A. Bose, and F. Jahanian. 2000. Delayed Internet Routing Convergence. ACM SIGCOMM Comput. Commun. Rev. 30, 4 (2000), 175–187.
  • Lad et al. (2006) M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, and L. Zhang. 2006. PHAS: A Prefix Hijack Alert System. In Proceedings of the 15th Conference on USENIX Security Symposium. Vancouver, BC, Canada, 153–166.
  • Lad et al. (2003) M. Lad, X. Zhao, B. Zhang, D. Massey, and L. Zhang. 2003. Analysis of BGP Update Surge During Slammer Worm Attack. In International Workshop on Distributed Computing. Springer, Kolkata, India, 66–79.
  • Lepinski and Kent (2012) M. Lepinski and M. Kent. 2012. An Infrastructure to Support Secure Internet Routing. RFC 6480. RFC Editor. 1–24 pages. Date last accessed August, 28 2017.
  • Lepinski and Sriram (2017) M. Lepinski and K. Sriram. 2017. BGPsec Protocol Specification. RFC 18. RFC Editor. 1–25 pages. Date last accessed August, 28 2017.
  • Li et al. (2007) J. Li, M. Guidero, Z. Wu, E. Purpus, and T. Ehrenkranz. 2007. BGP Routing Dynamics Revisited. ACM SIGCOMM Comput. Commun. Rev. 37, 2 (2007), 5–16.
  • Lutu et al. (2012) A. Lutu, M. Bagnulo, and R. Stanojevic. 2012. An economic side-effect for prefix deaggregation. In Proceedings IEEE INFOCOM Workshops. Orlando, FL, USA, 190–195.
  • Lychev et al. (2013) R. Lychev, S. Goldberg, and M. Schapira. 2013. BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?. In ACM SIGCOMM Comput. Commun. Rev., Vol. 43. ACM, 171–182.
  • Madory (2015) D. Madory. 2015. Global Collateral Damage of TMnet leak. (June 2015). Date last accessed August, 28 2017.
  • Meyer (2004) D. Meyer. 2004. University of Oregon Route Views Archive Project. (June 2004). Date last accessed August, 28 2017.
  • Mitseva et al. (2018) A. Mitseva, A. Panchenko, and T. Engel. 2018. The state of affairs in BGP security: A survey of attacks and defenses. Comput. Commun. 124 (2018), 45–60.
  • Moriano et al. (2017) P. Moriano, S. Achar, and L. J. Camp. 2017. Incompetents, criminals, or spies: Macroeconomic analysis of routing anomalies. Comput. Secur. 70 (2017), 319–334.
  • Murphy (2015) S. Murphy. 2015. Routing Security and RPKI. (November 2015). Date last accessed August, 28 2017.
  • Ng (2004) J. Ng. 2004. Extensions to BGP to Support Secure Origin BGP (soBGP). Technical Report. RFC Editor. Date last accessed August, 28 2017.
  • Orsini et al. (2016) C. Orsini, A. King, D. Giordano, V. Giotsas, and A. Dainotti. 2016. BGPStream: A Software Framework for Live and Historical BGP Data Analysis. In Proceedings of the 2016 Internet Measurement Conference. Santa Monica, CA, USA, 429–444.
  • Peterson (2013) A. Peterson. 2013. Researchers say U.S. Internet traffic was re-routed through Belarus. That’s a problem. (November 2013). Date last accessed September 26, 2016.
  • Rekhter et al. (2006) Y. Rekhter, T. Li, and S. Hares. 2006. A Border Gateway Protocol 4 (BGP-4). RFC 4271. RFC Editor. Date last accessed August, 28 2017.
  • RIPE NCC (2011) RIPE NCC. 2011. RIS Raw Data. (February 3 2011). Date last accessed August, 28 2017.
  • Scudder et al. (2016) J. Scudder, R. Fernando, and S. Stuart. 2016. BGP Monitoring Protocol. RFC 7841. RFC Editor. 1–27 pages. Date last accessed August, 28 2017.
  • Sermpezis et al. (2018a) P. Sermpezis, V. Kotronis, A. Dainotti, and X. Dimitropoulos. 2018a. A Survey Among Network Operators on BGP Prefix Hijacking. ACM SIGCOMM Comput. Commun. Rev. 48, 1 (2018), 64–69.
  • Sermpezis et al. (2018b) P. Sermpezis, V. Kotronis, P. Gigis, X. Dimitropoulos, D. Cicalese, A. King, and A. Dainotti. 2018b. ARTEMIS: Neutralizing BGP Hijacking within a Minute. IEEE/ACM Trans. Netw. 26, 6 (2018), 2471–2486.
  • Shaw (2013) A. Shaw. 2013. Spam? Not Spam? Tracking a hijacked Spamhaus IP. (March 2013). Date last accessed August, 28 2017.
  • Shi et al. (2012) X. Shi, Y. Xiang, Z. Wang, X. Yin, and J. Wu. 2012. Detecting Prefix Hijackings in the Internet with Argus. In Proceedings of the 2012 ACM Conference on Internet Measurement Conference. Boston, MA, USA, 15–28.
  • Sriram et al. (2016) K. Sriram, D. Montgomery, D. McPherson, E. Osterweil, and B. Dickson. 2016. Problem Definition and Classification of BGP Route Leaks. RFC 7908. RFC Editor. 1–11 pages. Date last accessed December, 7 2018.
  • Sun et al. (2015) Y. Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal. 2015. RAPTOR: Routing Attacks on Privacy in Tor. In Proceedings of the 25th Conference on USENIX Security Symposium. Washington, DC, USA, 271–286.
  • Toonk ([n. d.]) A. Toonk. [n. d.]. BGPmon (commercial). ([n. d.]). Date last accessed November, 30 2018.
  • Toonk (2014) A. Toonk. 2014. Hijack event today by Indosat. (April 2014). Date last accessed August, 28 2017.
  • Toonk (2015a) A. Toonk. 2015a. Large scale BGP hijack out of India. (November 2015). Date last accessed August, 28 2017.
  • Toonk (2015b) A. Toonk. 2015b. Massive route leak causes Internet slowdown. (June 2015). Date last accessed August, 28 2017.
  • Wählisch et al. (2012) M. Wählisch, O. Maennel, and T. C. Schmidt. 2012. Towards Detecting BGP Route Hijacking Using the RPKI. ACM SIGCOMM Comput. Commun. Rev. 42, 4 (2012), 103–104.
  • Wang et al. (2002) L. Wang, X. Zhao, D. Pei, R. Bush, D. Massey, A. Mankin, S. F. Wu, and L. Zhang. 2002. Observation and Analysis of BGP Behavior Under Stress. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurment. Marseille, France, 183–195.
  • Xiang et al. (2011) Y. Xiang, Z. Wang, X. Yin, and J. Wu. 2011. Argus: An accurate and agile system to detecting IP prefix hijacking. In Proceedings of the 19th IEEE International Conference on Network Protocols. Vancouver, BC, Canada, 43–48.
  • Yan et al. (2009) H. Yan, R. Oliveira, K. Burnett, D. Matthews, L. Zhang, and D. Massey. 2009. BGPmon: A Real-Time, Scalable, Extensible Monitoring System. In Cybersecurity Applications Technology Conference for Homeland Security. Washington, DC, USA, 212–223.
  • Zhang et al. (2004) K. Zhang, A. Yen, X. Zhao, D. Massey, S. F. Wu, and L. Zhang. 2004. On Detection of Anomalous Routing Dynamics in BGP. In International Conference on Research in Networking. Springer, Athens, Greece, 259–270.
  • Zhang et al. (2010) Z. Zhang, Y. Zhang, Y. C. Hu, Z. M. Mao, and R. Bush. 2010. iSPY: Detecting IP Prefix Hijacking on My Own. IEEE/ACM Trans. Netw. 18, 6 (2010), 1815–1828.
  • Zhao et al. (2001) X. Zhao, D. Pei, L. Wang, D. Massey, A. Mankin, S. F. Wu, and L. Zhang. 2001. An Analysis of BGP Multiple Origin AS (MOAS) Conflicts. In Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement. San Francisco, CA, USA, 31–35.
  • Zheng et al. (2007) C. Zheng, L. Ji, D. Pei, J. Wang, and P. Francis. 2007. A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-time. ACM SIGCOMM Comput. Commun. Rev. 37, 4 (2007), 277–288.
  • Zmijewski (2014) E. Zmijewski. 2014. Indonesia Hijacks the World. (April 2014). Date last accessed August, 28 2017.


Appendix A Algorithm

Below we include the pseudocode of the detection algorithm described in the paper in Section 3.3.

1: Number of announcements
2:for  in  do
3:        using eq. (1)
4:end for
5: moving average()
6: moving std()
8:for  in  do
9:       if then
11:       end if
12:end for
Algorithm 1 Event-Detection (, , , )

Appendix B Collectors’ details

Below we include details about the location and date of the first dump of the collectors described in the paper in Section 4.

Collector name Location First dump
route-views.chicago Chicago, IL, US 2016-06-28 12:00
route-views.eqix Ashburn, VA, US 2004-05-17 13:59
route-views.isc Palo Alto, CA, US 2003-11-27 02:00
route-views.jinx Johannesburg, ZA 2012-07-10 00:00
route-views.kixp Nairobi, KE 2005-10-07 15:44
route-views.linx London, GB 2004-03-16 13:45
route-views.nwax Portland, OR, US 2014-03-20 20:52
route-views.perth Perth, AU 2012-11-15 21:48
route-views.saopaulo Sao Paulo, BR 2011-03-17 16:19
route-views.sfmix San Francisco, CA, US 2015-04-14 20:00 Singapore, SG 2014-06-04 15:44
route-views.soxrs Belgrade, RS 2014-01-01 00:00 Sydney, AU 2010-08-14 02:00
route-views.telxatl Atlanta, GA, US 2012-02-02 22:46
route-views.wide Tokyo, JP 2003-07-01 21:29
route-views2 Eugene, OR, US 2001-10-26 16:48
route-views3 Eugene, OR, US 2013-11-25 10:00
route-views4 Eugene, OR, US 2008-11-28 09:53
route-views6 Eugene, OR, US 2003-05-03 12:29
Table 1. Geographical location and date of first dump of collectors. Collectors are ordered in alphabetical order.