Our proposed method combines input from several data sources that can reliably disprove malicious intent behind routing anomalies. First, we make use of a Internet Routing Registry to derive business relations between the parties involved in a suspicious event. Second, we use a topology-based reasoning algorithm to rule out events caused by legitimate network setups. Finally, we use Internet-wide network scans to identify SSL-enabled hosts in a large number of subnets. Where we observe that public/private key pairs do not change during an event, we can eliminate the possibility of an attack.

We can show that subprefix announcements with multiple origins are harmless for the largest part. This significantly reduces the search space in which we need to look for hijacking attacks. At the same time, our approach provides a rich set of data sources to consult for the analysis of remaining alarms. We will shortly derive a monitoring component to continuously assess routing anomalies in BGP.

J. Schlamp, R. Holz, O. Gasser, A. Korsten, Q. Jacquemart, G. Carle, and E. W. Biersack
"Investigating the Nature of Routing Anomalies: Closing in on Subprefix Hijacking Attacks"
Proceedings of the 7th International Workshop on Traffic Monitoring and Analysis (TMA), pp. 173-187.
Barcelona, Spain, April 21-24, 2015.
Publisher: Springer International Publishing
DOI: 10.1007/978-3-319-17172-2_12