🤖 AI Summary
Weak Internet routing security enables BGP hijacking, particularly cross-border rerouting, posing severe risks including privacy breaches, regulatory evasion, and national security threats. Existing detection methods focus predominantly on the control plane, overlooking latency anomalies in the data plane. This paper introduces HiDe, the first system to systematically assess and leverage abrupt propagation delay increases across global networks for detecting long-distance BGP hijacks—requiring no protocol modifications and supporting line-rate processing. HiDe establishes a continuous latency monitoring framework grounded in real-world RTT measurements and geography-aware modeling. Evaluation shows that HiDe detects ≥25% latency surges in 86% of victim–attacker country pairs, achieving low false-positive rates and high accuracy—validated via ethically compliant hijack experiments. Its core innovation lies in pioneering the use of data-plane delay variations as a highly robust, deployment-friendly hijack detection signal.
📝 Abstract
Poor security of Internet routing enables adversaries to divert user data through unintended infrastructures (hijack). Of particular concern -- and the focus of this paper -- are cases where attackers reroute domestic traffic through foreign countries, exposing it to surveillance, bypassing legal privacy protections, and posing national security threats. Efforts to detect and mitigate such attacks have focused primarily on the control plane, while data-plane signals remain largely overlooked. In particular, the change in propagation delay caused by rerouting offers a promising signal: the change is unavoidable, and the increased propagation delay is directly observable from the affected networks. In this paper, we explore the practicality of using delay variations for hijack detection, addressing two key questions: (1) What coverage can this provide, given its heavy dependence on the geolocations of the sender, receiver, and adversary? and (2) Can an always-on latency-based detection system be deployed without disrupting normal network operations? We observe that for 86% of victim-attacker country pairs in the world, mid-attack delays exceed pre-attack delays by at least 25% in real deployments, making delay-based hijack detection promising. To demonstrate practicality, we design HiDe, which reliably detects delay surges from long-distance hijacks at line rate. We measure HiDe's accuracy and false-positive rate on real-world data and validate it with ethically conducted hijacks.
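The two ideas the summary and abstract rest on, a geography-derived lower bound on how much extra delay a detour must add (the coverage question) and an always-on monitor that flags an RTT surge of at least 25% over the pre-attack baseline, can be sketched in a few dozen lines. The following is an added example written for this page; it is not HiDe's code and does not reproduce the paper's model. It assumes a fiber propagation speed of about 200 km/ms (roughly two thirds of c), a trailing-median baseline, a short recent window to suppress single-packet jitter, and constructed coordinates and RTT samples; all of these are assumptions, not values from the paper.

```python
"""Delay-surge detection sketch (added example, not HiDe's implementation).

Two pieces:
  1. A geographic floor: the minimum RTT a path can have given the endpoints,
     and how much a forced detour through a third location must inflate it.
     This answers, for one geometry, whether a >=25% surge is even possible.
  2. A streaming detector that keeps a trailing-median baseline and raises an
     alarm when the recent median exceeds the baseline by a threshold.
"""
import math
import statistics
from collections import deque

FIBER_SPEED_KM_PER_MS = 200.0   # assumption: ~2/3 c in fiber
SURGE_THRESHOLD = 0.25          # the 25% figure quoted in the abstract


def great_circle_km(lat1, lon1, lat2, lon2, radius_km=6371.0):
    """Haversine great-circle distance between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * radius_km * math.asin(math.sqrt(a))


def min_rtt_ms(a, b):
    """Physical lower bound on RTT between points a=(lat, lon) and b."""
    return 2 * great_circle_km(*a, *b) / FIBER_SPEED_KM_PER_MS


def detour_surge_ratio(a, b, via):
    """Relative RTT increase if traffic between a and b is forced through `via`.

    Real paths are longer than great circles, so this is a floor: if the floor
    already exceeds SURGE_THRESHOLD the geometry is detectable by delay alone.
    """
    direct = great_circle_km(*a, *b)
    detour = great_circle_km(*a, *via) + great_circle_km(*via, *b)
    return detour / direct - 1.0


class SurgeDetector:
    """Flags a sustained RTT increase relative to a trailing baseline.

    Samples taken while an alarm is active are not fed into the baseline, so a
    long-running reroute cannot gradually become the new normal.
    """

    def __init__(self, threshold=SURGE_THRESHOLD, baseline_window=20,
                 recent_window=5, min_baseline=10):
        self.threshold = threshold
        self.baseline = deque(maxlen=baseline_window)
        self.recent = deque(maxlen=recent_window)
        self.min_baseline = min_baseline

    def observe(self, rtt_ms):
        """Return (baseline_median, recent_median) on alarm, else None."""
        self.recent.append(rtt_ms)
        if len(self.baseline) < self.min_baseline:
            self.baseline.append(rtt_ms)     # still warming up
            return None
        base = statistics.median(self.baseline)
        cur = statistics.median(self.recent)
        if len(self.recent) == self.recent.maxlen and cur >= base * (1 + self.threshold):
            return (base, cur)               # alarm: do not pollute the baseline
        self.baseline.append(rtt_ms)
        return None


def run_trace(trace):
    """Feed an RTT trace through a fresh detector; return [(index, base, cur)]."""
    det = SurgeDetector()
    alarms = []
    for i, rtt in enumerate(trace):
        hit = det.observe(rtt)
        if hit is not None:
            alarms.append((i, hit[0], hit[1]))
    return alarms


# Constructed sample data (not measurements): a stable 30 ms path that jumps
# to 40 ms (a 33% surge), and a path with a single 60 ms jitter spike.
SURGE_TRACE = [30.0] * 15 + [40.0] * 10
JITTER_TRACE = [30.0] * 10 + [60.0] + [30.0] * 10

if __name__ == "__main__":
    # Constructed geometry in degrees: a short domestic path a-b, detoured via a
    # point well off the direct line.
    a, b, via = (0.0, 0.0), (0.0, 2.0), (2.0, 1.0)
    print("direct floor RTT  : %.2f ms" % min_rtt_ms(a, b))
    print("detour surge ratio: %.2f" % detour_surge_ratio(a, b, via))
    print("surge alarms      :", run_trace(SURGE_TRACE))
    print("jitter alarms     :", run_trace(JITTER_TRACE))
```

The detector compares medians rather than raw samples so that one stray slow packet does not trip it, and it needs several consecutive high samples before alarming; that is the trade-off between reaction time and false positives the abstract alludes to when it mentions accuracy and false-positive rate. The geographic ratio is deliberately a floor: any real route is longer than a great circle, so a geometry whose floor already exceeds the threshold is one where delay-based detection has coverage.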