Reclaim Your Prefix: Mitigation of Prefix Hijacking Using IPsec Tunnels

Prefix hijacking is a serious threat in the Internet routing landscape. The Border Gateway Protocol has no origin authentication by design. Countermeasures, e.g. on-top authentication as implemented by R-PKI infrastructures, are not yet deployed on a very large scale. Being victim of prefix hijacking is a difficult situation with few options. Not only the owner of a prefix is victim but all the networks being deceived by the attacker. They are unable to communicate with the owner and corresponding traffic travels into the wrong direction. Current data from the Internet routing plane as collected by RIPE-NCC is examined to detect prefix hijacking. This paper discusses means to manipulate the partitions resulting from prefix hijacking with router inherent functionality. By this means, prefix owners become able to increase their impact and enlarge the corresponding partition, with just one assistant Autonomous System (AS). Selection strategies to find a well suited assistant AS are compared and the top three are verified in an emulation environment. Therefore, an emulation network is created on the dataset that is representative for prefix hijacking in the Internet. The presented approach can be the foundation of a (semi-)automated tool to mitigate prefix hijacking in the future.