Document Open Access Logo

Passive Data-Plane Telemetry to Mitigate Long-Distance BGP Hijacks

Authors Satadal Sengupta , Hyojoon Kim , Daniel Jubas , Maria Apostolaki , Jennifer Rexford

PDF

File

Thumbnail PDF
PDF
OASIcs.NINeS.2026.14.pdf
  • Filesize: 4.92 MB
  • 26 pages

Document Identifiers

Related Versions

Subject Classification

ACM Subject Classification
  • Networks → Network properties
  • Networks → Network protocols
  • Networks → Network services
  • Networks → Routing protocols
  • Networks → Network security
  • Networks → Programmable networks
  • Networks → Network monitoring
  • Networks → In-network processing
  • Security and privacy → Network security
Keywords
  • Network security
  • routing
  • Border Gateway Protocol
  • hijack
  • interception attack
  • programmable networks
  • in-network detection
  • in-network mitigation

Metrics

Abstract

Poor security of Internet routing enables adversaries to divert user data through unintended infrastructures in attacks known as hijacks. Of particular concern - and the focus of this paper - are cases where attackers reroute domestic traffic through foreign countries and still deliver it to the intended destination, exposing traffic to surveillance, bypassing legal privacy protections, and posing national security threats. Efforts to detect and mitigate such attacks have focused primarily on the control plane, while data-plane signals remain largely overlooked. In this paper, we argue that passively-monitored round-trip time (RTT) - and, in particular, changes in its propagation-delay component - offers a promising signal for detection: the increased propagation delay is unavoidable and directly observable from affected networks, enabling opportunities for faster detection and mitigation. We explore the practicality of using RTT variations for hijack detection, addressing two key questions: (1) What coverage can this provide, given its heavy dependence on the geolocations of the sender, receiver, and adversary? and (2) Can an always-on RTT-based detection system be deployed without disrupting normal network operations? Focusing on cross-country interception attacks, we find that coverage is high: 97% under ideal (i.e., data travels at the speed of light) conditions, and 91% and 86% with real traffic from two datasets. To demonstrate practicality, we design HiDe, which reliably detects delay surges from long-distance hijacks at line rate using commodity programmable hardware. We measure HiDe’s accuracy and false-positive rate on real-world data and validate it with ethically conducted hijacks.

Cite As Get BibTex

Satadal Sengupta, Hyojoon Kim, Daniel Jubas, Maria Apostolaki, and Jennifer Rexford. Passive Data-Plane Telemetry to Mitigate Long-Distance BGP Hijacks. In 1st New Ideas in Networked Systems (NINeS 2026). Open Access Series in Informatics (OASIcs), Volume 139, pp. 14:1-14:26, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2026) https://doi.org/10.4230/OASIcs.NINeS.2026.14

Author Details

Satadal Sengupta
  • Department of Computer Science, Princeton University, Princeton, NJ, USA
Hyojoon Kim
  • Department of Computer Science, University of Virginia, Charlottesville, VA, USA
Daniel Jubas
  • Department of Computer Science, Princeton University, Princeton, NJ, USA
Maria Apostolaki
  • Department of Electrical and Computer Engineering, Princeton University, Princeton, NJ, USA
Jennifer Rexford
  • Department of Computer Science, Princeton University, Princeton, NJ, USA

Funding

This work is supported by the DARPA grant HR0011-20-C-0107.

Acknowledgements

We thank our shepherd, John Heidemann, and the anonymous reviewers for their insightful feedback. We are also grateful to Henry Birge-Lee for helping us set up the PEERING experiments and for sharing insights into gaps in BGP hijack defenses. Finally, we thank Princeton University’s Office of Information Technology, Office of Institutional Research, and Institutional Review Board for enabling us to study campus traffic.

Supplementary Materials

References

  1. Aftab Siddiqui. Public DNS in Taiwan the latest victim to BGP hijack. URL: https://manrs.org/2019/05/public-dns-in-taiwan-the-latest-victim-to-bgp-hijack/.
  2. Anurag Agrawal and Changhoon Kim. Intel tofino2-a 12.9 tbps p4-programmable ethernet switch. In 2020 IEEE Hot Chips 32 Symposium (HCS), pages 1-32. IEEE Computer Society, 2020. URL: https://doi.org/10.1109/HCS49909.2020.9220636.
  3. Andree Toonk. How Hacking Team Helped Italian Special Operations Group with Routing Hijack. URL: https://bgpmon.net/how-hacking-team-helped-italian-special-operations-group-with-bgp-routing-hijack/.
  4. Axel Arnbak and Sharon Goldberg. Loopholes for circumventing the constitution: Unrestrained bulk surveillance on americans by collecting network traffic abroad. Michigan Telecommunications and Technology Law Review, January 2015. Google Scholar
  5. Rob Austein, Steven Bellovin, Russ Housley, Stephen Kent, Warren Kumari, Doug Montgomery, Chris Morrow, Sandy Murphy, Keyur Patel, John Scudder, Samuel Weiler, Matthew Lepinski, and Kotikalapudi Sriram. BGPsec Protocol Specification. RFC 8205, IETF, 2017. Google Scholar
  6. $83k in bitcoins ’stolen' through bgp hijack. URL: https://www.virusbulletin.com/blog/2014/08/83k-bitcoins-stolen-through-bgp-hijack/.
  7. Henry Birge-Lee, Maria Apostolaki, and Jennifer Rexford. Global bgp attacks that evade route monitoring. In International Conference on Passive and Active Network Measurement, pages 335-357. Springer, 2025. URL: https://doi.org/10.1007/978-3-031-85960-1_14.
  8. Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. Bamboozling certificate authorities with BGP. In 27th USENIX Security Symposium (USENIX Security 18), pages 833-849, 2018. URL: https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee.
  9. Henry Birge-Lee, Liang Wang, Jennifer Rexford, and Prateek Mittal. Sico: Surgical interception attacks by manipulating BGP communities. In ACM SIGSAC Conference on Computer and Communications Security, pages 431-448, 2019. URL: https://doi.org/10.1145/3319535.3363197.
  10. Mihai Budiu and Chris Dodd. The p416 programming language. ACM SIGOPS Operating Systems Review, 51(1):5-14, 2017. URL: https://doi.org/10.1145/3139645.3139648.
  11. Tobias Bühler, Alexandros Milolidakis, Romain Jacob, Marco Chiesa, Stefano Vissicchio, and Laurent Vanbever. Oscilloscope: Detecting BGP Hijacks in the Data Plane. arXiv:2301.12843, 2023. Google Scholar
  12. R. Bush and R. Austein. The Resource Public Key Infrastructure (RPKI) to Router Protocol. RFC 6810, IETF, 2013. Google Scholar
  13. Celer bridge incident analysis. URL: https://www.coinbase.com/blog/celer-bridge-incident-analysis.
  14. Xiaoqi Chen, Hyojoon Kim, Javed M Aman, Willie Chang, Mack Lee, and Jennifer Rexford. Measuring TCP round-trip time in the data plane. In ACM SIGCOMM Workshop on Secure Programmable Network Infrastructure, pages 35-41, 2020. URL: https://doi.org/10.1145/3405669.3405823.
  15. Catalin Cimpanu. Klayswap crypto users lose funds after bgp hijack. URL: https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/.
  16. Natural Earth Data. Natural earth data-free vector and raster map data. http://www. naturalearthdata. com (accessed 10.12.2024), 2011. Google Scholar
  17. Xinhao Deng, Qi Li, and Ke Xu. Robust and reliable early-stage website fingerprinting attacks via spatial-temporal distribution analysis. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pages 1997-2011, 2024. URL: https://doi.org/10.1145/3658644.3670272.
  18. Sharon Goldberg. Why is it taking so long to secure internet routing? Communications of the ACM, 57(10):56-63, 2014. URL: https://doi.org/10.1145/2659899.
  19. Dan Goodin. Russian-controlled telecom hijacks financial services’ internet traffic. URL: https://arstechnica.com/information-technology/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/.
  20. Dan Goodin. Strange snafu misroutes domestic us internet traffic through china telecom. Ars Technica, 6, 2018. Google Scholar
  21. Rahul Hiran, Niklas Carlsson, and Nahid Shahmehri. Crowd-based detection of routing anomalies on the internet. In 2015 IEEE Conference on Communications and Network Security (CNS), pages 388-396. IEEE, 2015. URL: https://doi.org/10.1109/CNS.2015.7346850.
  22. Thomas Holterbach, Thomas Alfroy, Amreesh Phokeer, Alberto Dainotti, and Cristel Pelsser. A system to detect Forged-OriginBGP hijacks. In 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24), pages 1751-1770, 2024. Google Scholar
  23. Dave Levin, Youndo Lee, Luke Valenta, Zhihao Li, Victoria Lai, Cristian Lumezanu, Neil Spring, and Bobby Bhattacharjee. Alibi routing. In ACM SIGCOMM, pages 611-624, August 2015. URL: https://doi.org/10.1145/2785956.2787509.
  24. LLC MaxMind. Geoip, 2006. Google Scholar
  25. Measurement Lab. The M-Lab NDT data set. https://measurementlab.net/tests/ndt, (2024-12-01 - 2024-12-05). Bigquery table measurement-lab.ndt.download.
  26. Alexandros Milolidakis, Tobias Bühler, Kunyu Wang, Marco Chiesa, Laurent Vanbever, and Stefano Vissicchio. On the effectiveness of bgp hijackers that evade public route collectors. IEEE Access, 11:31092-31124, 2023. URL: https://doi.org/10.1109/ACCESS.2023.3261128.
  27. Shaun Nichols. AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet. URL: https://www.theregister.com/2018/04/24/myetherwallet_dns_hijack/.
  28. Rasmus Pagh and Flemming Friche Rodler. Cuckoo hashing. Journal of Algorithms, 51(2):122-144, 2004. URL: https://doi.org/10.1016/J.JALGOR.2003.12.002.
  29. Adrian Perrig, Pawel Szalachowski, Raphael M. Reischuk, and Laurent Chuat. SCION: A Secure Internet Architecture. Springer Verlag, 2017. Google Scholar
  30. Louis Poinsignon. Bgp leaks and cryptocurrencies. The Cloudflare Blog, April, 2018. Google Scholar
  31. RIPE NCC. YouTube Hijacking: A RIPE NCC RIS case study. URL: https://www.ripe.net/publications/news/youtube-hijacking-a-ripe-ncc-ris-case-study/.
  32. Andrei Robachevsky. “routing security getting better, but no reason to rest!, 2019. Google Scholar
  33. Johann Schlamp, Ralph Holz, Quentin Jacquemart, Georg Carle, and Ernst W Biersack. Heap: reliable assessment of bgp hijacking attacks. IEEE Journal on Selected Areas in Communications, 34(6):1849-1861, 2016. URL: https://doi.org/10.1109/JSAC.2016.2558978.
  34. Brandon Schlinker, Todd Arnold, Italo Cunha, and Ethan Katz-Bassett. PEERING: Virtualizing BGP at the Edge for Research. In ACM CoNEXT, Orlando, FL, December 2019. Google Scholar
  35. Satadal Sengupta, Hyojoon Kim, Daniel Jubas, Maria Apostolaki, and Jennifer Rexford. Princeton-Cabernet/HiDe. Software, (visited on 2026-03-12). URL: https://github.com/Princeton-Cabernet/HiDe
    Software Heritage Logo archived version
    full metadata available at: https://doi.org/10.4230/artifacts.25664
  36. Satadal Sengupta, Hyojoon Kim, and Jennifer Rexford. Continuous in-network round-trip time monitoring. In Proceedings of the ACM SIGCOMM 2022 Conference, pages 473-485, 2022. URL: https://doi.org/10.1145/3544216.3544222.
  37. Pavlos Sermpezis, Vasileios Kotronis, Petros Gigis, Xenofontas Dimitropoulos, Danilo Cicalese, Alistair King, and Alberto Dainotti. Artemis: Neutralizing bgp hijacking within a minute. IEEE/ACM Transactions on Networking, 26(6):2471-2486, 2018. URL: https://doi.org/10.1109/TNET.2018.2869798.
  38. Meng Shen, Yiting Liu, Siqi Chen, Liehuang Zhu, and Yuchao Zhang. Webpage fingerprinting using only packet length information. In ICC 2019-2019 IEEE International Conference on Communications (ICC), pages 1-6. IEEE, 2019. URL: https://doi.org/10.1109/ICC.2019.8761167.
  39. Xingang Shi, Yang Xiang, Zhiliang Wang, Xia Yin, and Jianping Wu. Detecting prefix hijackings in the internet with argus. In Proceedings of the 2012 Internet Measurement Conference, pages 15-28, 2012. URL: https://doi.org/10.1145/2398776.2398779.
  40. Jean-Pierre Smith, Prateek Mittal, and Adrian Perrig. Website fingerprinting in the age of quic. Proceedings on Privacy Enhancing Technologies, 2021(2):48-69, 2021. URL: https://doi.org/10.2478/popets-2021-0017.
  41. IP Info Team. Ip info, 2017. Google Scholar
  42. Dan York. Bgp hijacking in iceland and belarus shows increased need for bgp security. https://www.internetsociety.org/blog/2014/02/bgp-hijacking-in-iceland-and-belarus-shows-increased-need-for-bgp-security/, February 2014.
  43. Zheng Zhang, Ying Zhang, Y Charlie Hu, Z Morley Mao, and Randy Bush. ispy: Detecting ip prefix hijacking on my own. In ACM SIGCOMM, pages 327-338, 2008. Google Scholar
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact