Using Machine Learning to Detect IP Hijacking

This is interesting research:

In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That’s unfortunately not very hard to do, since BGP itself doesn’t have any security procedures for validating that a message is actually coming from the place it says it’s coming from.


To better pinpoint serial attacks, the group first pulled data from several years’ worth of network operator mailing lists, as well as historical BGP data taken every five minutes from the global routing table. From that, they observed particular qualities of malicious actors and then trained a machine-learning model to automatically identify such behaviors.

The system flagged networks that had several key characteristics, particularly with respect to the nature of the specific blocks of IP addresses they use:

  • Volatile changes in activity: Hijackers’ address blocks seem to disappear much faster than those of legitimate networks. The average duration of a flagged network’s prefix was under 50 days, compared to almost two years for legitimate networks.
  • Multiple address blocks: Serial hijackers tend to advertise many more blocks of IP addresses, also known as “network prefixes.”
  • IP addresses in multiple countries: Most networks don’t have foreign IP addresses. In contrast, for the networks that serial hijackers advertised that they had, they were much more likely to be registered in different countries and continents.

Note that this is much more likely to detect criminal attacks than nation-state activities. But it’s still good work.

Academic paper.

Posted on October 17, 2019 at 6:08 AM16 Comments


Clive Robinson October 17, 2019 10:13 AM

However it does not answer the important question of,

    Who is sending out the bad information?

That is it is not enough to detect a crime, you need to find the guilty persons or atleast their trail.

Which a more technical solution to BGP would atleast resolve to a given point such as a PubKey certificate, chain etc.

But currently there can be various reasons to make BGB attacks.

1, To get at traffic that would not normally be available for surveillance.

2, To push traffic onto a network to in effect DoS it.

Both of these can be done for opposit reasons.

Take the case where a SigInt agency wants to look at traffic. In the case of foreign traffic they would have to “pull” the traffic to them. But if it’s dommestic traffic that legaly they are not alowed to gather, a “push” to make it foreign traffic gets the traffic under their eyes.

Which makes attribution atleast more difficult than it could be. So we can leave punishment discussions out. But even with technical solutions in place due to the fact that we have reason to believe PubKey certs can be misappropriated etc[1] it still makes attribution difficult.

However a technical solution does alow “bad actor certs” to be automatically down gradded on the various metrics, untill “human eyes” have looked things over. Thus making future attacks rather harder to do. Which whilst not solving the problem does reduce it to more managable levels.

[1] Think back to Stuxnet and one or two other attacks.

David Leppik October 17, 2019 1:47 PM

@Clive Robinson: That brings up an interesting possibility for a hard-to-attribute attack: convince another bad actor to DoS a network which you have access to in order to surveil the redirected data.

David Leppik October 17, 2019 1:58 PM

Like all such AI, this reveals patterns which are common and detectable today, but which might not be common in the future, or which might be common today but not detectable. That is, current methods for detecting IP hijacking, find other patterns which indicate IP hijacking.

Much like a spam filter, those heuristics are useful right now, but that’s about it. I’m with Clive that certificates are the way to go to make these sorts of attacks harder to pull off.

Come to think of it, what we really need is a more unified machine identity system for the Internet. We already have certificates for domain names with TLS, and we’re moving toward using those certificates to avoid IP addresses from being spoofed. Leveraging the same certificates (not just the same technology, but leveraging the same administrative procedures) for routing tables is the obvious next step.

SpaceLifeForm October 17, 2019 4:06 PM

@David Leppik

“We already have certificates for domain names with TLS, and we’re moving toward using those certificates to avoid IP addresses from being spoofed.”

Ah, no. Just no.

You just don’t get it.

RealFakeNews October 18, 2019 1:33 AM

Modifying BGP seems to be much more common than it first appears?

There is only one serious option: break it. New protocol, and insist everyone uses it.

Ismar October 18, 2019 5:35 AM

Yet another issue with the internet- how exactly are we able to use it for anything?
So, while not wanting to underestimate this vulnerability I think that obviously there are already ways of neutralising this shortcoming via encryption and usage of dedicated networks (dedicated hardware that is) used by bigger players out there.
And for those of us that are less important, we have learned to live with it like we have learned to use public transport as opposed to having private limousine or a plane.
Regarding the use of AI , as someone has already mentioned, it is at best a game of whack a mole at and a nice and convenient domain for doing your PhD in.

So just keep calm and enjoy your public transport ride embracing all the colourful characters you will meet along the way.

SpaceLifeForm October 18, 2019 3:35 PM


“usage of dedicated networks (dedicated hardware that is) used by bigger players out there.”

Do you not see the problem?

Those dedicated networks, owned and controlled by big players, is exactly where the BGP spoofing occurs!

lurker October 18, 2019 5:19 PM


Those dedicated networks, owned and controlled by big players, is *exactly* where the BGP spoofing occurs!

One of my daydreams is distributed DNS: everybody keeps their own routing tables, and only needs to update for unknown, or broken, destinations. It should be so widely distributed you might find something in the neighbourhood closer than your ISP, and would be more difficult for bad actors to track and squash all sources of DNS. Obviously there’s a major flaw I can’t see, or we’d be doing it…

SpaceLifeForm October 18, 2019 6:23 PM


“One of my daydreams is distributed DNS: everybody keeps their own routing tables, ”

You already blew it. Your daydream is actually a nightmare.

Distributed DNS is doable.

It’s the routing that is the problem.

BGP is not secure.

Having a net of distributed DNS servers is a lofty goal, but if an end-user can not control the ip path because BGP is not trustable, then how does the end-user trust what the distributed DNS returns?

Note: This is the situation today with current DNS.

You can not trust it.

lurker October 19, 2019 12:42 AM


This is the situation today with current DNS.
You can not trust it.

No, of course not. Then isn’t it past time we built a better one?

Weather October 19, 2019 4:58 PM

I though with BGP you need one router that was ‘negbours’ with another, you can just do it anywhere, they drop the packets, and you need to be close hop wise and fibre cables, exploit data centres and the like is probably the route.

RealFakeNews October 19, 2019 11:07 PM


Yes; the router updates its routing table based on BGP update information from the neighboring router, but the route contained in said update is broadcast by the router itself when it learns of a new/better route.

For example:

Router A – Router B – Router C – Router D

They can update each other directly only, but the way it works is thus:

Let’s say an Evil Actor connects an even more evil router to Router A. Call this new router E.

They then poison the routing table via BGP and send a BGP update packet from router E to router A, telling it that it can reach Router D in one hop.

Router A dutifully updates its routing table for Router D to go E-D instead of B-C-D.

It then says to router B “Hey! New route!”, and router B adds it as well.

Data passing through A to D now goes via E, and is intercepted.

Weather October 21, 2019 4:51 PM

The point I was making is if E is a Dial up connection the negiobours(in the BGP protocol) its not going to happen, you will have to hack a high bandwidth router,switch,server to be able to change the route.
Some connection on the other side of the world, can’t direct traffic to them, plus default setting is 30min refresh, E passes it to D and they hope D forwards it onto C.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.