IEEE NETWORK MAGAZINE - SPECIAL ISSUE ON COMPUTER NETWORK VISUALIZATION, NOV./DEC. 2012 ISSUE 1

Visual Analytics for BGP Monitoringand Prefix Hijacking Identification

Ernst Biersack1, Quentin Jacquemart1,Fabian Fischer3, Johannes Fuchs3, Olivier Thonnard2,

Georgios Theodoridis4, Dimitrios Tzovaras4, and Pierre-Antoine Vervier1,2

Abstract—The control plane of the Internet relies entirely on BGP as inter-domain routing protocol to maintain andexchange routing information between large network providers and their customers. However, an intrinsic vulnerability ofthe protocol is its inability to validate the integrity and correctness of routing information exchanged between peer routers.As a result, it is relatively easy for people with malicious intent to steal legitimate IP blocks through an attack known as prefixhijacking, which essentially consists in injecting bogus routing information into the system to redirect or subvert networktraffic.In this paper, we give a short survey of visualization methods that have been developed for BGP monitoring, in particularfor the identification of prefix hijacks. Our goal is to illustrate how network visualization has the potential to assist an analystin detecting abnormal routing patterns in massive amounts of BGP data. Finally, we present an analysis of a real validatedcase of prefix hijacking, which took place between April and August 2011. We use this hijack case study to illustratethe ongoing work carried out in VIS-SENSE, a European research project that leverages visual analytics to develop moreeffective tools for BGP monitoring and prefix hijack detection.

Index Terms—Network Visualization Methods, Prefix Hijacking, BGP Monitoring.

✦

1 INTRODUCTION

THE Internet is partitioned into tens of thou-sands of independently administered routing

domains called Autonomous Systems (ASes), belong-ing to different organisations. The Border GatewayProtocol (BGP) is the de facto inter-domain routingprotocol that maintains and exchanges routing in-formation between ASes.

BGP was designed based on the implicit trustbetween all participants. The protocol by itself doesnot provide any built-in mechanism to authenticateor validate the routes propagated through the sys-tem. Therefore, any AS can potentially announcebogus routes into the system, which can eventuallytrigger large-scale Internet anomalies, such as theYouTube Hijack incident [1]. This intrinsic weaknessof the protocol can lead to prefix hijacking incidents,

• 1 Eurecom, Sophia Antipolis, France• 2 Symantec Research Labs, Sophia Antipolis, France• 3 University of Konstanz, Germany• 4 Centre for Research and Technology Hellas,Information Technolo-

gies Institute (CERTH-ITI), Greece

Manuscript received ...

which consist in redirecting Internet traffic by tam-pering with the control plane itself.

This paper gives a brief survey of visualizationtools that were specifically designed for BGP moni-toring and prefix hijack detection (Section 2). Then,Section 3, presents the ongoing work done in VIS-SENSE, a European research project that aims atdeveloping visual analytics tools to improve theefficiency of BGP monitoring and prefix hijackingdetection. To this end, the analysis is focused on theLink Telecom hijack that took place between Apriland August 2011 and which comprises one of thevery few validated cases of prefix hijacking.

For the sake of completeness, a short overview ofBGP concepts and prefix hijacking is initially pro-vided in the remainder of this introductory Section.

1.1 BGP Overview

Interconnected ASes need to be able to ex-change network reachability information. Unlikeintra-domain routing protocols that route packetsthrough the shortest possible network path, BGPlets each AS define its routing policy, which is

then enforced on each BGP router by filtering onincoming and outgoing update messages [2].

BGP updates are exchanged between BGP-enabled routers to announce or withdraw networkaddresses reachable through them. A BGP updatemainly contains the destination network address,the AS path to the destination, and preference in-dicators. The AS path is a sequence of AS identifiersan−1, . . . , a1, a0 that includes all ASes between thesource AS (a0) of the prefix (called origin AS) andthe recipient AS (an) of the update message. TheAS path is built sequentially: when a router exportsa route to a neighbour, it prepends its unique ASnumber to the path it has received.

Due to the application of the routing policy, BGPuses a particular mechanism to select the preferredroute. When multiple prefixes overlap, BGP usesthe longest prefix match rule, i.e., the most specificannouncement matching the destination address isthe one to be used for forwarding. For same-lengthprefixes, BGP uses a route selection process of manyvariables. They include the length of the AS path,which can be influenced by factors external to therouter’s configuration.

1.2 Prefix Hijacking

Prefix hijacking is the act of absorbing (part of) thetraffic destined to another network through thepropagation of erroneous BGP routes.

By hijacking the traffic of another AS, an attackermay black-hole the victim’s network (DoS attack),impersonate the victim by stealing its networkidentity or eavesdrop on the victim’s traffic [3].

Prefix hijacking can be performed in severalways. The attacks are usually based on the fol-lowing key elements [4]. The hijacking AS claimsownership of a prefix and starts announcing it. Ifthe victim is also announcing the same prefix, aMultiple Origin AS (MOAS) conflict becomes theside effect of the attack because different ASesare announcing the same prefix. Some routers willprefer the hijacked route to forward the trafficbecause they are topologically closer (and thus, theAS path is shorter, which is favoured by BGP). Theattacker can avoid this MOAS conflict by tamperingwith the AS path. The victim’s AS remains as theorigin, and the attacker’s AS is further down inthe AS path. This effectively creates a fake link inthe network. Furthermore, a very efficient way ofhijacking a network is to announce subnets of thevictim’s prefix. Because of the longest prefix match

rule, the traffic is immediately forwarded to theattacker. Alternatively, by announcing a less specificprefix, the attacker can take ownership of IPs thatare left unannounced by the AS that they have beenassigned to. Finally, private or unassigned prefixescan be also announced.

1.3 The Link Telecom Hijack Case

On August 20th, 2011, the network administrator ofRussian telecommunication company Link Telecomcomplained to the North American Network Op-erators’ Group (NANOG) mailing list [5] that hisnetwork had been hijacked by a spammer. Afterinvestigation, it turned out that a spammer hadindeed been hijacking AS31733 (Linktel) for fivemonths from April to August 2011. While thisnetwork was hijacked, the stolen IP addresses wereapparently used to send spam emails, as observedby spamtraps maintained by Symantec.cloud whichprovides email, web and instant messaging securityservices. The spammer carried out the hijack byproviding the US ISP Internap (AS12182) with afake proof of ownership of the Linktel network,which then allowed them to advertise the victim’sprefixes using the same origin ASN. It is note-worthy that by the time the network was stolen,the victim company had suspended its activity,thus leaving its blocks of IP addresses unused andmaking them a target of choice for the hijacker.

A more detailed analysis of this hijack case isprovided in Section 3.

1.4 Detecting Prefix Hijacking

Techniques for detecting prefix hijacking can bedivided into two distinct categories: those basedon the control plane, i.e., the detection signaturedepends on information found in a router’s routingtable and/or messages exchanged with this router;and those based on the data plane, i.e., the detectionsignature is based on the way packets actuallyflow between an observer and the source. RIPERIS1, among others, offers binary dumps of BGPmessages exchanged by their routers, as well assnapshots of their routing tables to perform controlplane analysis.

Detection techniques from the control plane in-volve the creation of a model that represents thenormal, expected behaviour of a network. When-ever the current view of the network differs from

1. http://www.ripe.net/ris

2

the model, an alert is raised. The complexity andaccuracy of the model is then the key element to agood detection scheme.

Detection techniques from the data plane involveactive probing of the network topology and/oravailable live hosts in the monitored network. Thecore idea is that when a hijacking takes place,significant topology changes should be observed,while the victim network is different from thehijacking network. The way these elements aremeasured, as well as their diversity, ensures a gooddetection.

For an external observer (i.e., who does not ownthe monitored network), the main problem in de-tecting prefix hijacking is to validate the attack.Indeed, while very peculiar activity can sometimesbe observed, only the network’s owner knows theground-truth. As a result, it can be tricky to dif-ferentiate a hijack from a legitimate traffic engi-neering practice. Moreover, the number of differentnetworks on the Internet, as well as the time andnetwork resources necessary to analyze them, pro-hibits systematic use of detection techniques basedon the control plane.

2 VISUALIZATION OF BGP DATA

Visualization helps in many fields related to net-work security to get more and better insights. Forexample, much research has been successfully con-ducted in the area of visualizing network traffic.Surprisingly, only few prototypes were developedfor the analysis of BGP related data or prefix hi-jacking events. However, visual analysis tools cansupport an analyst in finding, understanding, andconfirming BGP hijacks and other anomalies inrouting data, which cannot always be identified orconfirmed by fully-automated algorithms.

In Table 1 an overview of popular visualiza-tion systems for BGP-related analysis tasks is pre-sented, including mainly two different groups ofsystems. BGPlay [6], [7], [8], BGPviz2, Link-Rank [9],VAST [11], TAMP [10] and Event Shrub [12] focuson a high-level AS view, while ELISHA [13] andPGPeep [14] provide low-level IP views. Some othertools, like BGP Eye [15] and RIPEstat3 have multipleviews to address specific aspects of the data.

2. http://www.ris.ripe.net/bgpviz/3. https://stat.ripe.net/

2.1 Systems with High-Level AS Overviews

BGPlay and RIPE’s BGPviz use a node link diagramto present an intuitive high-level AS view to showthe autonomous systems and their connections witheach other. BGPlay was improved by integrating atopological map [7] to represent hierarchies. Bothtools provide timelines, which can be used to fo-cus on interesting time intervals. Animation helpsto present routing changes and route flappings.Fig. 1 shows the situation for one of the hijackedprefixes from Link Telecom before and during thehijack using BGPlay. Several colored lines describethe advertised routes to the selected prefix, whichoriginated in the red-colored circle representingAS31733. This shows that all the routes to AS31733go through AS12182 during the hijack.

While this interactive animated visualization isquite intuitive for the visual exploration of historicevents in BGP data, the analyst must have a clearidea of which time span and which prefix is rel-evant for the analysis. Compared to static repre-sentations, animation is time-consuming and theanalyst needs to focus on many changing aspectsof the graph. The main benefit of such an animatedview is to present a known case, but not necessarilyto identify a suspicious event.

Link-Rank is a similar system, because it alsouses a graph based representation of the ASes.Additionally, the edges are weighted according tothe number of routes and changes between thedifferent AS links. With this supplementary infor-mation the analyst can observe routing changes andlink instabilities. Activity plots further help to focuson the most suspicious update bursts, which mightindicate prefix hijacking resulting in major routechanges.

Another tool, focusing on animated node linkdiagrams, is TAMP. It displays a pruned graphfor the network topology, an animated clock withcontrols to show and manipulate the time of thecurrent state of the graph and another detailedchart to present the events belonging to a selectededge. Compared to other tools, strong statisticsare included to detect correlations between BGPevents at any time scale. The algorithms can beenriched with additional data sources like trafficflows or router configuration files to improve thediagnosis of BGP anomalies. The combination ofstatistical methods, data enrichment and visualiza-tions helps to detect prefix hijacking, route flappingand anomalies in long time periods.

3

Tool Level of Detail Visualization Techniques Additional Features Use Cases

BGPlay[6] [7] [8]

high-level AS view node link diagram animation, timeline, open forpublic usage

route flapping, routing changes,presenting suspicious events

Link-Rank[9]

high-level AS view rank-change graph activity bar observing routing changes, linkinstabilities, prefix hijacking

TAMP[10]

high-level AS view node link diagram, animatedclock, timeline, charts

animation, novel correlationtechnique, combination withstatistics

anomalies in long time periods,route flappings

VAST[11]

high-level AS view 3D display, quad-tree, octo-treetopology visualizations

filtering techniques explore AS connectivity, iden-tify critical infrastructures, pre-fix hijacking

Event Shrub[12]

high-level AS view timelines with glyphs integrated combination of auto-mated data analysis

anomaly detection based on his-toric data

ELISHA[13]

low-level IP view 2D quad-tree prefix visualiza-tion, 3D view for details

animation, event classification BGP Origin AS changes, MOASconflicts

PGPeep[14]

low-level IP view prefix visualizer using line-based visualization

timeline, tag cloud reveal potential router miscon-figuration, route flapping, pre-fix hijacking

BGP Eye[15]

multiple views node link diagram, 3D display,matrix, charts

event classification, clustering,alternative graph layouts

routing change detection, prefixhijacking

RIPEstat multiple views charts, timelines, maps web-based, open for public us-age

getting historic details for AS orspecific IP prefixes

TABLE 1: Overview of popular visualization systems for BGP-related analysis tasks.

VAST uses 3D visualizations to show topologi-cal connectivity between different ASes. Interactionpossibilities like rotating, zooming or panning helpto explore the 3D space. Furthermore, differentfilter techniques provide the possibility to focus oncertain aspects of the data. The tool allows mainlyto visually explore AS connectivity and to identifycritical infrastructures. Within the visualization up-date bursts of specific ASes become visible, whichcan be an indicator for occurred prefix hijacking.

The last tool for high-level analysis is EventShrub. An automatic anomaly detection algorithmis combined with a tightly coupled visual timeline.Pie charts used as small glyphs are plotted to thistimeline to represent the different instability events.This representation helps to identify deviationsfrom normal behavior.

2.2 Systems with Low-Level IP Views

ELISHA makes use of a pixel-based approach. Thescreen is filled with colored pixels, each represent-ing single IP addresses. They are laid out accordingto their corresponding IP range. The BGP messagesare classified in different event types. Visually map-ping this information to color provides a scalableand space-filling overview visualization as seen inFig. 2. With this animated visualization, analystsare able to detect, explore and visually presentrouting anomalies and MOASes. Overall, ELISHA

provides an IP prefix centered approach withoutrepresenting the overall AS routing paths.

An overview visualization focusing on textualcontent instead of temporal aspects is tag clouds,which is a key component in BGPeep. The differenttags represent the names of autonomous systems.The size of the tags depends on the number ofupdate messages for the specific AS. To make useof the hierarchical structure of IP addresses and toprovide a more IP-space centered view, horizontalparallel axes are used by BGPeep. The first axisrepresents the AS number; the other four, one byteof an IP address. An update message is representedby a line intersecting the axis at the appropriatepositions. Using this visualization technique, it ispossible to reveal potential router misconfiguration,route flapping or multiple advertised prefixes.

2.3 Systems with Multiple Views

BGPEye combines data mining techniques and visu-alizations using multiple views. Update messagesare classified and clustered. An overview visual-ization displays the activity among different ASesin a graph layout. Additionally, a 3D matrix withconnecting lines, reveals more detailed informationabout a single AS. Therefore, prefix hijacking orchanges in the overall routing behavior can bedetected.

4

(a) AS-level paths before the hijack, on March 25, 2011.

(b) AS-level paths during the hijack, on May 28, 2011.

Fig. 1: Visual exploration of the Link Telecom hijack event with BGPlay. Colored lines show the different routeadvertisements. Animation is used to interactively show the path changes.

RIPEstat is a web interface, which is continuouslyimproved, with a variety of different charts to showhistoric activities or different distributions relatedto the selected AS or IP prefix (see Fig. 3). Thesevisualizations do not present a general overview todetect anomalies, but help to investigate individualcases.

Overall most visualization tools show the routingchanges mainly as animation, which is appropriatefor visually presenting a particular known event.For exploratory analysis, animation is not entirelysatisfying. Therefore, other techniques have to beinvestigated in order to improve the temporal anal-

ysis of MOASes and path changes. To combine thestrengths of scalable and informative approachesfor long-term analysis, the tight coupling of dif-ferent techniques seems to be promising. This is adirection being explored in the VIS-SENSE project.

3 CASE STUDY: VISUAL ANALYSIS OFTHE LINK TELECOM HIJACK

In recent years, some reports have described anemerging threat referred to as the fly-by spammersphenomenon. In this attack scenario, spammers hi-jack blocks of IP addresses to send spam from non-blacklisted IP space in an effort to avoid currentspam filters. This Section shows how visualization

5

Fig. 2: Elisha: The main visualization consists of a scalable pixel-based approach to display BGP data. Each pixelrepresents an IP address with a color encoding according to the corresponding BGP event. The three detailed windowsat the top enlarge areas of interest to better analyze single IP addresses.

(a) One widget uses a line chart to visualize the number ofprefixes or amount of address space announced by a prede-fined AS (e.g., the AS31733) over time. Peaks represent a highamount of announced address space like e.g., at the end ofAugust.

(b) Another widget shows the routing history of a given IPprefix or AS, i.e., the history of the exact IP prefixes advertised,the origin ASes as well as the direct upstream providers. Thisexample shows the routing state of prefix 83.223.224.0/19 fromLink Telecom before (row 1), during (row 2) and after (row 3) thehijack event.

Fig. 3: Visual routing analysis of an hijack event of AS31733 using Prefix Count and Routing History widgets fromRIPEstat.

6

can be leveraged in the analysis of routing data fora recent validated fly-by spammer case study. Weanalyze this hijack case from a dual perspective– from both the data and control planes – andwe illustrate how such an attack can be detectedby combining various visualization techniques thatleverage data collected from the two planes. Thisongoing work illustrates the research carried outin VIS-SENSE, a European research project that usesvisual analytics to develop more effective tools forBGP monitoring and prefix hijack detection.

3.1 Hijack Detection from the Data Plane

Hijacking an IP prefix automatically modifies theroute taken by data packets so that they reachthe physical network of the attacker. Based onthis assumption a tool called Spamtracer has beendeveloped to monitor the routes towards malicioushosts by performing traceroute measurementsrepeatedly for a certain period of time. IP-levelroutes are also translated into AS-level routes usinglive BGP feeds. Routing anomalies can then beextracted from the routes and analyzed using thedifferent features available, e.g., the ASes owner, theIP hops country, the length of the traced routes, etc.

Spamtracer monitored several IP prefixes belong-ing to Link Telecom while they were hijacked bythe spammer as well as after the legitimate ownerregained control over them. Actually, visualizing aseries of traceroutes towards a single network asa graph, possibly on top of a map, e.g., a worldmap or treemap, is particularly suited for the de-tection of significant changes in the routes. Fig. 4illustrates the BGP routes to the victim networkfrom a vantage point in France and highlights theAS originating the prefixes and the direct upstreamprovider during and after the hijack.

In this case study, we observe that during thehijack traffic from the vantage point in Franceand destined to AS31733 Link Telecom goes tothe hijacker network (Fig. 4: route V P

A−→ 1B−→

2) through the direct provider AS12182 Internap(Fig. 4: node 1). By providing a fake proof of owner-ship of AS31733 prefixes to Internap, a tier-2 US ISP,the spammer managed to peer with this ISP, henceestablishing a customer-provider relationship. Thelast IP hop of the traceroutes, which in this casecorresponds to the destination host, is also likelylocated in the USA (Fig. 4: node 2).

After the hijack traffic goes towards Russia(Fig. 4: route V P

D−→ 3E−→ 4) where the legitimate

owner of AS31733 resides (Fig. 4: node 4). The pathsof IP hops and ASes traversed by the traceroutes arecompletely different from those during the hijackwhich suggests a major modification in the routesto AS31733 advertised in BGP. We also observedthat just after the hijack, we did not receive anyreply for traceroute probe packets sent to the des-tination network, neither for ASes located a fewhops before the destination network, probably dueto strong ICMP filtering or rate limiting rules inthose networks. On the contrary, traceroute pathscollected during the hijack regularly reached thedestination hosts successfully. This sudden changein the network and host reachability also suggeststhat a major routing change occurred in BGP, whichsignificantly changed the networks paths for reach-ing the destination.

In this particular hijack case, we see that relevantrouting anomalies can be extracted from tracer-outes and their visualization. However, studyingtraceroute anomalies is usually insufficient to detectIP prefix hijacking without raising too many falsepositives. Combining network topologies inferredfrom data-plane and control-plane routes, and cor-relating the anomalies uncovered from both planes,allows to perform much more accurate IP prefixhijacking detection.

3.2 Hijack Detection from the Control Plane

This section focuses on the analysis of the Link Tele-com hijack from the control plane. In this respect, itis stressed that the primary routing decision criteriain BGP mostly results from economic agreementsbetween ASes. However, these contracts also re-flect geographical constraints. Hence, there is noapparent operational reason for selecting paths thatsignificantly deviate from the ideal direct route. Inorder to exploit this inherent spatial consistency ofthe routing procedures, the following methodologyis introduced:

• All ASes announced as any prefix’s owner aregrouped on per hosting-country basis.

• For each one of these hosting-countries (C), theset of intermediate-countries is defined as theset of all the different countries that have tobe traversed by any IP traffic that originatesfrom the vantage point of choice (V ) and isaddressed to prefixes hosted by C.

• For each intermediate-country (I), the prob-ability of its appearance (PI ) along a routetowards the hosting-country (C) is calculated

7

AS12182Internap

(USA)

AS31733Link Telecom

(Russia)AS43659Budremyer(Ukraine)

AS31733Link Telecom

(Russia)VP12

3

4

B

A

E

D

C

Fig. 4: Link Telecom (AS31733) Hijack: visualization of the BGP routes from a vantage point (VP) in France during(AB) and after (DE) the hijack. The labels (2) and (4) indicate the location of Link Telecom during and after thehijack respectively, whereas (1) and (3) indicate the direct upstream provider during and after the hijack respectively.

as the fraction of the number of BGP announce-ments including country I as an intermediatehop towards country C against the total num-ber of BGP announcements that regard prefixeshosted in country C. The aim of PI , is toprovide a quantitative metric of how commonis the choice of the respective ASes that arehosted in I as intermediate hops for reachingC.

• The geographic length LI that is introducedby I is computed as the ratio of the lengthof the path CV → I → C against the idealdirect path CV → C, where CV is the countryhosting the vantage point V . Subsequently,besides the L(I), the Z-Score (ZI ) of LI is alsoestimated for all the intermediate-countries ofC, in order to incorporate the overall routingbehavior (distribution of LI ) into the process ofassessing the potentially malicious nature of apath’s announcement.

Specifically, for the case under investigation,AS31733 (Link Telecom) is officially declared to belocated in Russia. Moreover, according to the BGPannouncements, the path towards AS31733 appearsto traverse AS12182 (Fig. 4: route V P

A−→ 1C−→ 4).

Hence, regardless of the actual physical location ofthe hijacking network that forged the AS31733 iden-tity, USA, which hosts AS12182, is considered toact as an intermediate-country (I) towards Russia,which is the legitimate hosting-country (C) of LinkTelecom.

Nevertheless, checking the overall BGP an-nouncements that concern Russian ASes and whichare collected from monitoring routers (Vantage

Points - VPs) situated in central Europe, it is cal-culated that only for 0.11% of the prefixes hostedin Russia it is necessary for the Internet trafficto traverse USA (PUSA = 0.11% for C=Russia).Furthermore, exploiting the same BGP statistics andtaking into account the geographical location ofUSA in juxtaposition with the direct path betweenthe VP and Russia (Fig. 4: route V P

D−→ 3E−→ 4),

the Z-Score of the geographic length introducedby USA into a path towards Russia reaches theextreme value of 26.74. Therefore, the existence ofAS12182 hosted in USA along the route to AS31733raises serious alarm for potential malicious behav-ior.

The proposed BGP hijack detection and attribu-tion mechanism is enhanced with a visualizationtool (Fig. 5) developed for efficiently exploiting thenovel abnormality assessment metrics. Two differ-ent kinds of visualizations are shown to investigateinteresting BGP routings. A pixel visualization isused to get an overview of the geographic lengthof several BGP routes. The coloring of the pixelscommunicates the Z-Score of the geographic lengthfor a target AS. Additional other metrics are visual-ized in the same way to easily recognize patterns ofdifferent combinations. To visually explore the de-tails and underlying connection suspicious eventscan be selected. The obsolete and the newly an-nounced paths are drawn with gray and red colorrespectively along with all the traversed countries.The VP-node as well as the target AS-node arehighlighted with a colored border to quickly spotthe start and end point of the path. This helps toinvestigate the suspicious event through visually

8

Fig. 5: BGP-Event-Visualization: The pixel visualization on the left acts as an overview to be able to focus oninteresting events (e.g., AS31733 with a high Z-Score). The graph visualization with an underlying geographic mapreveals details about the selected route. Grey paths are obsolete, red paths are new routings.

compare the route changes .Figure 5 refers to the detection of the Link Tele-

com hijack incident, where, from both the pixelcoloring and the route divergence, it becomes ev-ident that the depicted event regards a rather ab-normal path alteration. Additionally, the necessaryinformation is provided for efficiently performingthe thorough attribution of the underlying BGPactivity.

4 CONCLUSION

The routing infrastructure of the Internet reliesentirely on BGP as inter-domain routing protocolto maintain and exchange routing information be-tween network providers. Because of the vulnerabledesign of BGP, attackers can easily misuse therouting system through prefix hijacking in order toconduct malicious activities, such as spamming andDoS attacks, without worrying about disclosingtheir identity through their real source IPs.

Efficient network monitoring tools are thus ofutmost importance. However, network administra-tors are challenged today by the sheer volumes

of data to analyze, especially when it comes toBGP data collection and monitoring. In this respect,a short survey is given on network visualizationmethods for BGP, in order to show how visualanalysis tools can support an analyst in finding,understanding and confirming BGP hijacks andother anomalies in routing data, in complement tofully-automated analytical methods. Moreover, thispaper describes methods and tools that are beingdeveloped for BGP monitoring and prefix hijackdetection, within the framework of VIS-SENSE, aEuropean research project that focuses on the ex-ploitation of visual analytics for enhancing Internetforensics. To this aim, a verified prefix hijackingcase that recently occurred is exhaustively analysedby applying the VIS-SENSE methodologies.

ACKNOWLEDGMENTS

The research leading to these results has receivedfunding from the European Commission’s Sev-enth Framework Programme (FP7 2007-2013) undergrant agreement nr. 257495 (VIS-SENSE).

9

REFERENCES

[1] RIPE, “YouTube Hijacking: A RIPE NCC RIS case study,”http://www.ripe.net/news/study-youtube-hijacking.html, [Online; accessed 13-Jan-2011].

[2] R. Mahajan, D. Wetherall, and T. Anderson, “Understand-ing BGP Misconfiguration,” in SIGCOMM ’02: Proceedings ofthe 2002 conference on Applications, Technologies, Architectures,and Protocols for Computer Communications. New York, NY,USA: ACM, 2002, pp. 3–16.

[3] C. Zheng, L. Ji, D. Pei, J. Wang, and P. Francis, “A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacksin Real-Time,” SIGCOMM Comput. Commun. Rev., vol. 37,no. 4, pp. 277–288, 2007.

[4] X. Hu and Z. M. Mao, “Accurate Real-time Identificationof IP Prefix Hijacking,” in SP ’07: Proceedings of the 2007IEEE Symposium on Security and Privacy. Washington, DC,USA: IEEE Computer Society, 2007, pp. 3–17.

[5] “IP Prefix hijacking by Michael Lindsay viaInternap,” http://mailman.nanog.org/pipermail/nanog/2011-August/039379.html, August 2011.

[6] G. Di Battista, F. Mariani, M. Patrignani, and M. Pizzonia,“BGPlay: A System for Visualizing the Interdomain Rout-ing Evolution,” in Graph Drawing (Proc. GD ’03), ser. LectureNotes in Computer Science, G. Liotta, Ed., vol. 2912, 2004,pp. 295–306.

[7] P. Cortese, G. Di Battista, A. Moneta, M. Patrignani, andM. Pizzonia, “Topographic visualization of prefix propaga-tion in the internet,” IEEE Transactions on Visualization andComputer Graphics, pp. 725–732, 2006.

[8] L. Colitti, G. Di Battista, F. Mariani, M. Patrignani, andM. Pizzonia, “Visualizing Interdomain Routing with BG-Play,” Journal of Graph Algorithms and Applications, vol. 9,no. 1, pp. 117–148, 2005.

[9] M. Lad, D. Massey, and L. Zhang, “Visualizing internetrouting changes,” IEEE Transactions on Visualization andComputer Graphics, pp. 1450–1460, 2006.

[10] T. Wong, V. Jacobson, and C. Alaettinoglu, “Internetrouting anomaly detection and visualization.” in DSN.IEEE Computer Society, 2005, pp. 172–181. [Online].Available: http://dblp.uni-trier.de/db/conf/dsn/dsn2005.html#WongJA05

[11] J. Oberheide, M. Karir, and D. Blazakis, “VAST: VisualizingAutonomous System Topology,” in Proceedings of the 3rdinternational workshop on Visualization for computer security.ACM, 2006, pp. 71–80.

[12] S. T. Teoh, K. Zhang, S.-M. Tseng, K.-L. Ma,and S. F. Wu, “Combining visual and automateddata mining for near-real-time anomaly detection andanalysis in bgp.” in VizSEC, C. E. Brodley, P. Chan,R. Lippman, and W. Yurcik, Eds. ACM, 2004, pp. 35–44. [Online]. Available: http://dblp.uni-trier.de/db/conf/vizsec/vizsec2004.html#TeohZTMW04

[13] S. Teoh et al., “Elisha: a visual-based anomaly detectionsystem,” in Int’l. Symp. on Recent Advances in IntrusionDetection (RAID), 2002.

[14] J. Shearer, K. Ma, and T. Kohlenberg, “BGPeep: An IP-SpaceCentered View for Internet Routing Data,” Visualization forComputer Security, pp. 95–110, 2008.

[15] S. T. Teoh, S. Ranjan, A. Nucci, and C.-N. Chuah, “BGPEye: A New Visualization Tool for Real-time Detectionand Analysis of BGP Anomalies,” in VizSEC, W. Yurcik,S. Axelsson, K. Lakkaraju, and S. T. Teoh, Eds. ACM,2006, pp. 81–90. [Online]. Available: http://dblp.uni-trier.de/db/conf/vizsec/vizsec2006.html#TeohRNC06

10