M.Sc Student: Carmeli Tamir
Subject: Detection of BGP Hijacking Using TTL Analysis
Department: Department of Computer Science
Supervisor: Professor Reuven Cohen
The Border Gateway Protocol (BGP) plays an important role in the Internet infrastructure. However, it was developed in the 1980s with limited concern for security. In particular, it lacks authentication, which makes it vulnerable to the so-called prefix hijacking attack. In this attack, a malicious or compromised BGP router announces a route to an IP prefix it does not own. Consequently, packets destined for this prefix are actually forwarded to the attacker. A special case of this attack, known as an interception attack, is when the attacker manages to forward the hijacked traffic on to the intended destination. Interception attacks have been publicly documented since 2013, when a Belarusian ISP successfully intercepted traffic whose original route should never have left North America.
In this thesis we study the effect of prefix interception on the TTL (Time To Live) value of hijacked IP packets as observed by their real destinations, with the aim of detecting whether a sudden TTL increase can be attributed to prefix interception or to a legitimate link failure.
We first analyze how interception attacks and link failures change the TTL from the perspective of the packet receiver, and then study additional TTL-related effects of the prefix interception attack. Using these observations, we propose a detection method for the attack and use simulations to evaluate its performance.
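The raw signal the abstract builds on is a path that suddenly becomes longer, which the receiver sees as more TTL consumed by the time a packet arrives. The following is an added illustration, not code from the thesis: it infers the hop count from each arriving TTL (assuming senders use one of the common default initial TTLs), keeps a per-source baseline, and flags only a sustained increase, so a single oddly routed packet does not raise an alert. The sample observations and the IP addresses are constructed; distinguishing an interception from a legitimate link failure, the thesis's actual contribution, is outside this snippet.

```python
from collections import deque

# Initial TTLs that common operating systems set on outgoing packets
# (assumption: every sender uses one of these defaults).
INITIAL_TTLS = (64, 128, 255)

def hops_from_ttl(ttl):
    """Estimate hops consumed: distance from the smallest default TTL >= ttl."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError(f"TTL {ttl} exceeds 255")

class TtlMonitor:
    """Per-source hop-count baseline; reports a sustained increase in hops."""
    def __init__(self, window=5, min_increase=2):
        self.window = window
        self.min_increase = min_increase
        self.baseline = {}   # source -> established hop count
        self.recent = {}     # source -> last `window` hop counts
    def observe(self, src, ttl):
        """Return (src, old_hops, new_hops) on a sustained increase, else None."""
        hops = hops_from_ttl(ttl)
        buf = self.recent.setdefault(src, deque(maxlen=self.window))
        buf.append(hops)
        if len(buf) < self.window:
            return None
        if src not in self.baseline:
            if len(set(buf)) == 1:   # stable path: establish the baseline
                self.baseline[src] = hops
            return None
        base = self.baseline[src]
        # The whole window must sit min_increase hops above the baseline, so a
        # single oddly routed packet does not raise an alert.
        if min(buf) - base >= self.min_increase:
            self.baseline[src] = hops   # re-baseline; alert once per shift
            return (src, base, hops)
        return None

def detect(observations, window=5, min_increase=2):
    """Run the monitor over (src, ttl) pairs and collect alerts."""
    mon = TtlMonitor(window, min_increase)
    return [a for a in (mon.observe(s, t) for s, t in observations) if a]

# Constructed sample: 198.51.100.7 is steady at 12 hops, then every packet
# arrives with 5 more hops consumed; 203.0.113.9 shows a one-packet blip only.
SAMPLE = ([("198.51.100.7", 52)] * 7 + [("198.51.100.7", 47)] * 6
          + [("203.0.113.9", 116)] * 6 + [("203.0.113.9", 110)]
          + [("203.0.113.9", 116)] * 4)
```

Running `detect(SAMPLE)` reports a single shift for 198.51.100.7 (12 to 17 hops) and nothing for the one-packet blip from 203.0.113.9.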