BGP prefix hijacking is a serious security threat on the Internet. In this paper we propose a region-based BGP announcement filtering scheme (RBF) to improve the BGP security. In contrast to existing solutions that indifferently prevent or detect prefix hijacking attacks, RBF enables differentiated AS and prefix filtering treat ment and blends prefix hijacking prevention with deter rence. RBF is a light-weight BGP security scheme that provides strong incremental deployment incentive and better prefix hijacking deterrence. Experimental studies based on real Internet numbers allocation information and BGP traces show that RBF is a feasible and effec tive scheme in improving BGP security. For example, on the days without known BGP prefix hijacking at tacks, only a small number of BGP announcements will be flagged as attacks. Importantly, by applying RBF to known BGP prefix hijacking attacks, we show that RBF can detect and filter both large-scale and small scale BGP prefix hijacking attacks even if only a single prefix is hijacked.
展开▼
