🤖 AI Summary
This study addresses the risk of stealthy BGP hijacking enabled by partial deployment of Route Origin Validation (ROV), which allows attackers to divert traffic without triggering alerts. The work presents SHAMAN, a novel framework that systematically characterizes this threat by integrating multi-source ROV data and introducing an efficient matrix-based routing inference algorithm. This approach reduces global routing table generation time from three months to just 5.22 hours and establishes a “victim–target–hijacker” risk model. Evaluation on 8.3 billion inferred routes reveals an overall hijacking success rate of 14.1%, with targeted attacks achieving up to 99.5% success; validation against real-world incidents demonstrates 95.9% accuracy.
📝 Abstract
The partial deployment of Route Origin Validation (ROV) poses an unexpected security threat known as stealthy BGP hijacking, i.e., a particularly elusive form of BGP hijacking where malicious routes divert traffic without reaching (and thus alerting) the victims. This risk remains largely unexplored, with neither documented real-world incidents nor systematic characterization available. To bridge this gap, we formalize stealthy BGP hijacking and propose heuristics to discover potential instances through routing table discrepancies. We conduct the first empirical study to track and profile stealthy BGP hijacking in the wild, contributing a curated real-world incident dataset and a long-term monitoring service. Inspired by the empirical insights, we further conduct an analytical study to exhaustively assess the risk. This requires accurate ROV deployment data, complete Internet-wide routes, and tailored analytical models. To address these challenges, we develop SHAMAN, a BGP route inference framework dedicated to assessing stealthy BGP hijacking risk. SHAMAN consolidates multiple sources to construct an accurate view of ROV deployment, infers complete Internet-wide routes through a highly efficient matrix-based approach, and facilitates statistical risk analysis via a "victim-target-hijacker" 3-tuple model. By reducing the time for generating Internet-scale routes from over three months to just 5.22 hours, SHAMAN enables systematic risk assessment across 8.3 billion generated routes under real-world ROV deployment. Our findings reveal a 14.1% overall success probability for stealthy BGP hijacking, with targeted attacks reaching 99.5% success in specific cases. Validation against our real-world dataset shows up to 95.9% incident-level accuracy, demonstrating the fidelity of our analytical results.