Technical Report MSC-2018-05

Title: Detection of BGP Hijacking Using TTL Analysis
Authors: Tamir Carmeli
Supervisors: Reuven Cohen
PDF: Currently accessible only within the Technion network
Abstract: The Border Gateway Protocol (BGP) plays an important role in the Internet infrastructure. However, it was developed in the 1980s with limited concern for security. In particular, it lacks authentication, which makes it vulnerable to the so-called prefix hijacking attack. In this attack, a malicious or compromised BGP router announces a route to an IP prefix it does not own. Consequently, packets destined for this prefix are actually forwarded to the attacker. A special case of this attack, known as an interception attack, is when the attacker manages to forward the hijacked traffic to the intended destination. Interception attacks have been publicly documented since 2013, when a Belarusian ISP successfully intercepted traffic whose original route should never have left North America. In this thesis we study the effect of prefix interception on the TTL (Time To Live) value of hijacked IP packets as observed by their real destinations, with the aim of determining whether a sudden TTL increase can be attributed to prefix interception or to a legitimate link failure.
Copyright: The above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information.

Remark: Any link to this technical report should be to this page, rather than to the URL of the PDF files directly. The latter URLs may change without notice.

Computer science department, Technion