HOWLR: A Client-Driven Approach to BGP Hijack Detection

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the critical vulnerability of BGP hijacking attacks, which divert traffic by advertising fraudulent IP prefixes, and highlights the limitations of existing detection mechanisms that rely on ISP cooperation and suffer from delayed response, leaving end hosts exposed for extended periods. To overcome this, the authors propose a lightweight, real-time client-side detection method that leverages multiple TLS services within the same IP prefix—each authenticated by distinct certificate authorities—as “witnesses.” By actively probing these services and analyzing asymmetries in certificate validation outcomes, the approach can autonomously infer potential hijacking events. Empirical evaluation demonstrates that the technique effectively covers 89% of Tor relay prefixes and 75% of Bitcoin mining pool gateway prefixes, underscoring its broad applicability and defensive potential in real-world network environments.
📝 Abstract
BGP hijacking enables impersonation attacks in which adversaries divert traffic at the prefix level and serve malicious content to unsuspecting clients. Detecting such attacks has traditionally been the responsibility of network operators, leaving end hosts exposed for hours. We argue that end hosts can detect prefix-level impersonation independently, exploiting a fundamental asymmetry: a BGP hijack diverts traffic for an entire IP prefix, but impersonating every co-hosted service within that prefix is prohibitively difficult at scale, especially if each service is authenticated by a different Certificate Authority. We propose HOWLR, a tool that operationalizes this insight by using co-hosted, TLS-authenticated services as witnesses: if a client can no longer authenticate them, it has evidence of an ongoing attack. This work evaluates the feasibility of this method by quantifying the existence and diversity of witnesses in the wild. We show that HOWLR can protect 89% of Tor relay prefixes, and 75% of Bitcoin pool gateway prefixes.
Problem

Research questions and friction points this paper is trying to address.

BGP hijack
prefix-level impersonation
end-host detection
TLS authentication
co-hosted services
Innovation

Methods, ideas, or system contributions that make the work stand out.

BGP hijack detection
client-driven security
TLS authentication
co-hosted witnesses
prefix-level impersonation
🔎 Similar Papers
No similar papers found.