Title :
Detection of BGP routing misbehavior against cyber-terrorism
Author :
Siganos, Georgos ; Faloutsos, Michalis
Author_Institution :
Dept. of Comput. Sci. & Eng., California Univ., Riverside, CA
Abstract :
Attacks at the control and routing plane may be the next generation of threats for the Internet. Manipulation of the routing layer could originate from profiteering, malice, or simply human error. The community has recognized this danger and several promising approaches have been proposed to capture and block routing anomalies. In practice, the difficulty of deploying such approaches limits their usefulness. Our goal is to develop a scheme that can have immediate impact today. In this light, we propose a reactive approach that can help reduce the extent and impact of routing misbehaviors. We develop an approach and a tool to act as an expert advisor that will flag suspicious updates. Our main motivation is that problems spread quickly, so quick reaction is imperative. Additionally, the volume of routing updates makes it impossible for human operators to manually identify malicious updates. Our approach uses the policies that autonomous systems register in the Internet routing registries. We use the policy of an AS as found in these registries to detect deviations between the intended policy and the actual policy seen in BGP. As a proof of concept, we use the RIPE registry to monitor the European Internet routing for ten days. With our approach, we are able to confirm the validity of the origin AS of 97% of the updates, while suggesting the need for further analysis of the remaining 3% of the updates.
Keywords :
Internet; routing protocols; telecommunication security; terrorism; BGP routing; European Internet routing; Internet; Internet routing registries; RIPE registry; autonomous systems register; control plane; cyber-terrorism; routing anomalies; routing layer; routing misbehavior detection; routing plane; Complex networks; Error correction; Feedback control; Humans; Internet; Monitoring; Reliability engineering; Robustness; Routing; Security;
Conference_Title :
Military Communications Conference, 2005. MILCOM 2005. IEEE
Conference_Location :
Atlantic City, NJ
Print_ISBN :
0-7803-9393-7
DOI :
10.1109/MILCOM.2005.1605798