LDC: Detecting BGP Prefix Hijacking by Load Distribution Change

BGP prefix hijacking remains a serious security threat to the Internet. Despite many detection mechanisms have been proposed, few of them are practically deployed in a large scale. Inaccuracy of detection and inefficiency of deployment are two major causing problems. In this paper, based on the key observation that the distribution of traffic load to a prefix will change unusually after the prefix is hijacked, we present a system LDC to detect BGP prefix hijacking by passively monitoring Load Distribution Change on direct providers of prefix's owner, with the purpose of Leveraging Data-plane information to detect Control-plane problem. Through large amount of simulations of hijacking attacks and AS failure events based on empirical data, we evaluate the accuracy of LDC under different deployment situations, moreover, gain useful insights about choosing detection threshold accordingly.