Computational Complexity of Traffic Hijacking under BGP and S-BGP


Harmful Internet hijacking incidents show the fragility of the Border Gateway Protocol (BGP), which is used to exchange routing information between Autonomous Systems (ASes). As proved by recent research contributions, even S-BGP, the secure variant of BGP that is being deployed, is not fully able to blunt traffic attraction attacks. Given a traffic flow between two ASes, we study how difficult it is for a malicious AS to devise a strategy for hijacking or intercepting that flow. We show that this problem marks a sharp difference between BGP and S-BGP. Namely, while it is solvable, under reasonable assumptions, in polynomial time for the type of attacks that are usually performed in BGP, it is NP-hard for S-BGP. Our study has several by-products. For example, we solve a problem left open in the literature, stating when performing a hijacking in S-BGP is equivalent to performing an interception.


💡 Research Summary

The paper investigates the computational difficulty of devising optimal traffic‑hijacking or traffic‑interception strategies for a malicious Autonomous System (AS) in the Internet’s inter‑domain routing environment. After motivating the study with recent high‑profile BGP hijacking incidents, the authors formalize the routing model for both the standard Border Gateway Protocol (BGP) and its security extension, S‑BGP. In their model, each AS follows valley‑free policies and a local‑preference/shortest‑path selection rule; the attacker AS can announce a set of paths Pₐ. In plain BGP, any path can be fabricated, whereas in S‑BGP a path must be accompanied by a valid digital signature, limiting the attacker to routes for which it can legitimately obtain a signature.

Two attack goals are defined: (1) hijack – force traffic destined for a target AS t to be delivered directly to the attacker AS a; and (2) intercept – let the traffic continue to t while also being duplicated to a. The decision problem asks whether there exists a set of announced paths that achieves either goal, optionally minimizing a cost that counts the number of announced paths and, for S‑BGP, the number of signatures that must be generated.
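The routing model above can be exercised on a toy topology to measure which ASes end up routing through a given AS under plain BGP and under path validation. This is an added example, not code from the paper: the function names, the AS numbers and the topology are constructed, and the S-BGP check is simplified to "the announced path must extend a route a neighbour really holds". It covers a fabricated path and a validly signed path announced to a provider.

```python
PREF = {"cust": 0, "peer": 1, "prov": 2}   # local-pref order: lower wins

def topo(cust_links, peer_links):
    """rel[x][y] says what neighbour y is to x: "cust", "peer" or "prov"."""
    rel = {}
    for prov, cust in cust_links:
        rel.setdefault(prov, {})[cust] = "cust"
        rel.setdefault(cust, {})[prov] = "prov"
    for x, y in peer_links:
        rel.setdefault(x, {})[y] = rel.setdefault(y, {})[x] = "peer"
    return rel

def converge(rel, dest, attacker=None, claim=None):
    """Stable routes {AS: AS-path}; `attacker` announces `claim` to all neighbours."""
    best = {dest: (dest,), **({attacker: claim} if claim else {})}
    fixed = set(best)                      # originators keep their announcement
    changed = True
    while changed:
        changed = False
        for x in sorted(rel):
            if x in fixed:
                continue
            cands = []
            for y, kind in rel[x].items():
                p = best.get(y)
                # Skip missing routes and AS-path loops. Valley-free export:
                # y passes peer/provider routes only to its customers.
                if p and x not in p and (y in fixed or "cust" in (rel[y][p[1]], rel[y][x])):
                    cands.append((PREF[kind], len(p), y, (x,) + p))
            new = min(cands)[3] if cands else None   # local-pref, then length
            if best.get(x) != new:
                best[x], changed = new, True
    return best

def sbgp_valid(rel, dest, attacker, claim):
    """Simplified S-BGP check (assumption): claim extends a neighbour's real route."""
    return claim[1] in rel[attacker] and converge(rel, dest).get(claim[1]) == claim[1:]

def attracted(rel, dest, attacker, claim, sbgp):
    """ASes whose selected path to `dest` crosses `attacker`."""
    if sbgp and not sbgp_valid(rel, dest, attacker, claim):
        claim = None                       # validators drop the unsigned path
    routes = converge(rel, dest, attacker, claim)
    return {x for x, p in routes.items() if p and attacker in p[1:]}

# Constructed topology: (provider, customer) links plus one peering link.
REL = topo([(1, 10), (1, 20), (2, 30), (2, 666), (20, 666),
            (10, 100), (20, 200), (30, 300)], [(1, 2)])
FORGED, LEAKED = (666, 100), (666, 2, 1, 10, 100)
```

Comparing `attracted(REL, 100, 666, FORGED, sbgp=False)` with the `sbgp=True` call shows the fabricated adjacency being rejected, while `LEAKED` passes validation and still pulls in the provider that prefers customer routes.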

For BGP the authors show that the problem can be solved in polynomial time under realistic assumptions (valley‑free routing, shortest‑path preference). They reduce the problem to a multi‑source shortest‑path computation with additional feasibility checks for policy compliance. Their algorithm enumerates all candidate insertion points for the attacker, verifies valley‑free constraints, and selects a path that will be preferred by the source AS. The algorithm runs in O(|V|·|E|) time and is demonstrated on real AS‑level topologies, where solutions are found in milliseconds.

In contrast, for S‑BGP the problem becomes NP‑hard. The authors construct a polynomial‑time reduction from 3‑SAT: variables and clauses are encoded as sub‑graphs of ASes, and the attacker’s ability to announce a signed path corresponds to setting a variable true or false. The reduction guarantees that a satisfying assignment exists if and only if the attacker can achieve a hijack (or intercept) under the signature constraints. Consequently, finding an optimal attack strategy in S‑BGP is computationally intractable unless P=NP, implying that only heuristic or approximation methods are feasible in practice.

A further contribution resolves an open question in the literature concerning the relationship between hijacking and interception in S‑BGP. The authors prove that when the attacker already possesses valid signatures for all legitimate paths to the target, any successful hijack automatically yields an interception, establishing a sufficient condition under which the two goals coincide.

The paper concludes with practical implications: while BGP’s lack of path authentication makes attack planning computationally easy, S‑BGP’s cryptographic checks raise the complexity dramatically, yet do not eliminate all attack vectors. Defensive strategies should therefore combine strict policy enforcement, robust signature management, and real‑time anomaly detection. Future research directions include designing efficient approximation algorithms for the S‑BGP attack problem, exploring hybrid security extensions, and evaluating the impact of partial deployment of S‑BGP on overall routing security.