UC San Diego

BGP prefix hijacking, which is illegitimate takeover of IP prefixes by announcing forged AS paths, is a major threat to the Internet. A number of hijacking events with severe consequences in the Internet routing system have been documented. Several studies have proposed techniques for network operators to detect hijacking autonomously to quickly react to attacks. In this thesis, we focus on autonomously detecting one of the impactful types of hijacks, a hijack event in which a forged AS is placed two AS-hops from the origin AS in AS paths. Thus, we develop an approach to discover second hop neighbors of an AS owner based on carefully crafted BGP announcements, and use this information as a baseline to evaluate anomalies in AS paths and detect hijacking events. Second hop neighbors of an AS are ASes two hops from the origin AS in a BGP-observed topology. An AS owner can quickly classify an announcement as legitimate if the ASN that is two AS-hops from the origin ASN in an AS path is in its set of second hop neighbors. Thus, the more second hop neighbors an AS owner discovers, the more AS paths it can correctly classify as legitimate announcement, resulting in less false-positive rate. Through simulation experiments, we show that our approach finds more than 80% of second hop neighbors for 80% of origin ASes that we study.