Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks

Johann Schlamp, Ralph Holz, Oliver Gasser, Andreas Korsten, Quentin Jacquemart, Georg Carle, Ernst W. Biersack

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

3 Citations (Scopus)


The detection of BGP hijacking attacks has been at the focus of research for more than a decade. However, state-of-the-art techniques fall short of detecting subprefix hijacking, where smaller parts of a victim’s networks are targeted by an attacker. The analysis of corresponding routing anomalies, so-called subMOAS events, is tedious since these anomalies are numerous and mostly have legitimate reasons.

In this paper, we propose, implement and test a new approach to investigate subMOAS events. Our method combines input from several data sources that can reliably disprove malicious intent. First, we make use of the database of a Internet Routing Registry (IRR) to derive business relations between the parties involved in a subMOAS event. Second, we use a topology-based reasoning algorithm to rule out subMOAS events caused by legitimate network setups. Finally, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack. We can show that subprefix announcements with multiple origins are harmless for the largest part. This significantly reduces the search space in which we need to look for hijacking attacks.
Original languageEnglish
Title of host publicationTraffic Monitoring and Analysis
Subtitle of host publication7th International Workshop, TMA 2015, Barcelona, Spain, April 21-24, 2015. Proceedings
EditorsMoritz Steiner, Pere Barlet-Ros, Olivier Bonaventure
Place of PublicationCham
ISBN (Electronic)978-3-319-17172-2
ISBN (Print)978-3-319-17171-5
Publication statusPublished - 2015
Externally publishedYes
Event7th International Workshop on Traffic Monitoring and Analysis, TMA 2015 - Barcelona, Spain
Duration: 21 Apr 201524 Apr 2015
Conference number: 7

Publication series

NameLecture Notes in Computer Science
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349
NameComputer Communication Networks and Telecommunications


Conference7th International Workshop on Traffic Monitoring and Analysis, TMA 2015
Abbreviated titleTMA


  • Ground truth
  • Business relationships
  • Graph database
  • Border gateway protocol
  • Topology reasoning


Dive into the research topics of 'Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks'. Together they form a unique fingerprint.

Cite this