ABSTRACT
Prefix hijacking, a misbehavior in which a misconfigured or malicious BGP router originates an IP prefix that the router does not own, is becoming an increasingly serious security problem on the Internet. In this paper, we conduct the first comprehensive study of incrementally deployable mitigation solutions against prefix hijacking. We first propose a novel reactive, detection-assisted solution based on the idea of bogus route purging and valid route promotion. Our simulations based on realistic settings show that purging bogus routes at the 20 highest-degree ASes reduces the portion of the Internet polluted by a random prefix hijack from 50% down to 24%, and adding promotion further reduces the remaining pollution by 33% to 57%. We prove that our proposed route purging and promotion scheme preserves the convergence properties of BGP regardless of the number of promoters. We are the first to demonstrate that detection systems based on a limited number of BGP feeds are subject to detection evasion by hijackers. Motivated by the need for proactive defenses to complement reactive mitigation, we evaluate customer route filtering, a best common practice among large ISPs today, and show its limited effectiveness. We also show the added benefits of combining route purging and promotion with customer route filtering.
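As an added illustration (not the paper's simulator or its data), the following Python models the purging half of the scheme on a small constructed AS graph: every AS selects the shortest AS path, purgers refuse to install or forward the bogus route, and the polluted fraction is measured as purging is switched on at the k highest-degree ASes. Promotion, AS business relationships and customer route filtering are assumptions left out of this model.

```python
from collections import deque

# Constructed AS-level topology (undirected links), not data from the paper:
# ASes 2 and 1 are the highest-degree hubs, AS 9 originates the prefix, AS 12 hijacks it.
AS_LINKS = [(1, 2), (1, 3), (1, 4), (1, 5), (2, 5), (2, 6), (2, 7), (2, 8),
            (3, 9), (5, 10), (6, 11), (8, 12), (4, 7)]

def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def hop_distances(graph, source, blocked=frozenset()):
    """BFS hop counts from source. ASes in `blocked` (purgers) neither install
    nor forward the route, so the search never passes through them."""
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist and nxt not in blocked:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def polluted_fraction(graph, origin, hijacker, purgers=frozenset()):
    """Share of ASes (excluding origin and hijacker) that select the bogus
    route. Assumes shortest-AS-path selection; on equal length an AS keeps the
    valid route it already held, so only a strictly shorter bogus path wins."""
    valid = hop_distances(graph, origin)
    bogus = hop_distances(graph, hijacker, blocked=purgers)
    others = [a for a in graph if a not in (origin, hijacker)]
    inf = float("inf")
    polluted = [a for a in others if bogus.get(a, inf) < valid.get(a, inf)]
    return len(polluted) / len(others)

def top_degree_ases(graph, k):
    """The k highest-degree ASes (ties broken by AS number) act as purgers."""
    ranked = sorted(graph, key=lambda asn: (-len(graph[asn]), asn))
    return frozenset(ranked[:k])

def purging_sweep(links, origin, hijacker, max_k):
    # Polluted fraction with purging enabled at the top-0 .. top-max_k ASes.
    graph = build_graph(links)
    return [polluted_fraction(graph, origin, hijacker, top_degree_ases(graph, k))
            for k in range(max_k + 1)]

if __name__ == "__main__":
    for k, frac in enumerate(purging_sweep(AS_LINKS, 9, 12, 3)):
        print(f"purging at the top-{k} ASes: {frac:.0%} of other ASes polluted")
```

On this toy graph the hijack pollutes half of the other ASes with no defense, and a single purger at the top-degree hub (AS 2) cuts that to one AS, because the hijacker's only path into the rest of the Internet runs through that hub.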