Detecting BGP Interception Attacks using RTT Measurements

Abstract

Internet users run the risk of having their internet traffic surveilled potentially leading to leaked sensitive information or the loss of anonymity. Adversaries can manipulate the trust of the Border Gateway Protocol–the protocol which controls the routing decisions of the internet–to enable such surveillance by diverting victim traffic to their own servers. Existing methods of detecting such attacks are inefficient, too slow, or susceptible to being tricked by a clever adversary. We present here a novel method of detection based on the changes in latency of internet traffic. Efficient and fast methods for round trip time calculation in the data plane exist and because latency is bounded by topological distance it is difficult to spoof. We consider three latency-based detection algorithms for efficient online monitoring of traffic which can help real-time mitigation of ongoing attacks. We evaluate the algorithms’ performance in detecting real (ethically executed) interception attacks and also assess its performance in avoiding false positives in real anonymized Princeton University internet traffic.