























Abstract:BGP hijacking enables impersonation attacks in which adversaries divert traffic at the prefix level and serve malicious content to unsuspecting clients. Detecting such attacks has traditionally been the responsibility of network operators, leaving end hosts exposed for hours. We argue that end hosts can detect prefix-level impersonation independently, exploiting a fundamental asymmetry: a BGP hijack diverts traffic for an entire IP prefix, but impersonating every co-hosted service within that prefix is prohibitively difficult at scale, especially if each service is authenticated by a different Certificate Authority. We propose HOWLR, a tool that operationalizes this insight by using co-hosted, TLS-authenticated services as witnesses: if a client can no longer authenticate them, it has evidence of an ongoing attack. This work evaluates the feasibility of this method by quantifying the existence and diversity of witnesses in the wild. We show that HOWLR can protect 89% of Tor relay prefixes, and 75% of Bitcoin pool gateway prefixes.
From: Constantine Doumanidis [view email]
[v1]
Sat, 20 Jun 2026 02:54:48 UTC (890 KB)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。