DocumentCode :
3310838
Title :
Buddyguard: A buddy system for fast and reliable detection of IP prefix anomalies
Author :
Jun Li ; Ehrenkranz, T. ; Elliott, Phillip
Author_Institution :
Univ. of Oregon, Eugene, OR, USA
fYear :
2012
fDate :
Oct. 30 2012-Nov. 2 2012
Firstpage :
1
Lastpage :
10
Abstract :
Due to operational malpractice or security attacks, an IP prefix (i.e., a block of IP addresses) can undergo many types of routing anomalies. Perhaps the most well-known of such anomalies is prefix hijacking, where an attacker hijacks traffic meant to reach the legitimate user of a prefix. Anomalies can also easily occur through route leaks, which can disrupt traffic for numerous prefixes at once. While various solutions have been proposed to detect such anomalies, these solutions are limited and susceptible to attacker countermeasures. In this paper we present Buddyguard, a new approach to detecting prefix anomalies including prefix hijacking and route leaks. Buddyguard compares the behavior of a monitored prefix with the behavior of a set of numerous buddy prefixes. The system detects anomalies when the behavior of the monitored prefix significantly diverges from that of its buddies. Our evaluation results show that Buddyguard provides fast, accurate and lightweight monitoring of IP prefix anomalies, and its introduction and use of buddy prefixes enables it to be resilient against resourceful attackers.
Keywords :
IP networks; authorisation; computer network security; telecommunication network routing; Buddyguard; IP addresses; IP prefix anomalies; buddy system; lightweight monitoring; operational malpractice; prefix hijacking; route leaks; routing anomalies; security attack; IP networks; Monitoring;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Network Protocols (ICNP), 2012 20th IEEE International Conference on
Conference_Location :
Austin, TX
Print_ISBN :
978-1-4673-2445-8
Electronic_ISBN :
978-1-4673-2446-5
Type :
conf
DOI :
10.1109/ICNP.2012.6459962
Filename :
6459962