HOWLR: A Client-Driven Approach to BGP Hijack Detection
Pith reviewed 2026-06-26 11:36 UTC · model grok-4.3
The pith
End hosts can detect BGP prefix hijacks by checking TLS-authenticated services co-hosted in the same prefix.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
HOWLR operationalizes client-driven BGP hijack detection by using co-hosted TLS-authenticated services within an IP prefix as witnesses. Failure to authenticate these witnesses while the target service is reachable constitutes evidence of prefix-level impersonation. The approach rests on the asymmetry that hijacking diverts an entire prefix yet impersonating every co-hosted service at scale, especially across different certificate authorities, remains prohibitively difficult.
What carries the argument
Co-hosted TLS-authenticated services used as witnesses to verify prefix integrity.
If this is right
- End hosts can detect hijacks without depending on network operators.
- The method covers 89 percent of Tor relay prefixes.
- The method covers 75 percent of Bitcoin pool gateway prefixes.
- Detection can occur at the client as soon as witness authentication fails.
Where Pith is reading between the lines
- Browsers or applications could embed similar witness checks for high-value services to reduce user exposure.
- The same asymmetry might apply to other authentication mechanisms beyond TLS certificates.
- Combining client-side checks with operator alerts could create layered detection with faster initial response.
Load-bearing premise
Impersonating every co-hosted service within a prefix is prohibitively difficult at scale when each service is authenticated by a different certificate authority.
What would settle it
An observed BGP hijack on a prefix with multiple co-hosted services where the attacker serves valid TLS content for all of them without any witness failure.
Original abstract
BGP hijacking enables impersonation attacks in which adversaries divert traffic at the prefix level and serve malicious content to unsuspecting clients. Detecting such attacks has traditionally been the responsibility of network operators, leaving end hosts exposed for hours. We argue that end hosts can detect prefix-level impersonation independently, exploiting a fundamental asymmetry: a BGP hijack diverts traffic for an entire IP prefix, but impersonating every co-hosted service within that prefix is prohibitively difficult at scale, especially if each service is authenticated by a different Certificate Authority. We propose HOWLR, a tool that operationalizes this insight by using co-hosted, TLS-authenticated services as witnesses: if a client can no longer authenticate them, it has evidence of an ongoing attack. This work evaluates the feasibility of this method by quantifying the existence and diversity of witnesses in the wild. We show that HOWLR can protect 89% of Tor relay prefixes, and 75% of Bitcoin pool gateway prefixes.
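The check the abstract describes, written out as a small client-side routine. This is an added illustration, not the paper's tool and not HOWLR's own code. It assumes the client already holds a witness list (hostnames believed to be served from the same IP prefix as the target, each tagged with the CA that issued its certificate when the list was built); how HOWLR builds that list is not shown here. `tls_probe` does a live chain-and-hostname verification against the system trust store; the scenario functions, the `*.example` hostnames and the `CA-n` labels are constructed so the script runs offline.

```python
"""Client-side witness check in the style the HOWLR abstract describes.

Added example, not the paper's tool. Assumes the client already holds a
witness list: hostnames believed to be served from the same IP prefix as
the target, each tagged with the CA that issued its certificate when the
list was built (both assumptions; HOWLR's own list construction is not shown).
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Dict, List

OK = "ok"                    # TLS handshake and certificate verification succeeded
AUTH_FAIL = "auth_fail"      # host answered, but its certificate did not verify
UNREACHABLE = "unreachable"  # no TLS session could be established at all


@dataclass(frozen=True)
class Witness:
    host: str       # co-hosted TLS service in the target's prefix
    issuer_ca: str  # issuing CA recorded at enrolment (assumed known)


def tls_probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live probe: full chain + hostname verification via the system trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return OK
    except ssl.SSLCertVerificationError:
        return AUTH_FAIL
    except (OSError, ssl.SSLError):
        return UNREACHABLE


def assess(target_status: str, witnesses: List[Witness],
           probe: Callable[[str], str]) -> Dict[str, object]:
    """Apply the asymmetry: the target is up, yet its prefix neighbours no
    longer authenticate. Witnesses that are merely unreachable are not
    counted as evidence, since an outage and a hijack both cause that."""
    results = {w.host: probe(w.host) for w in witnesses}
    failed = sorted(h for h, r in results.items() if r == AUTH_FAIL)
    verified = sorted(h for h, r in results.items() if r == OK)
    # CA diversity is what the asymmetry premise leans on; the client cannot
    # see which validation method each CA used, so this is a coarse measure.
    distinct_cas = len({w.issuer_ca for w in witnesses})

    if target_status != OK:
        verdict = "target_unavailable"      # nothing to impersonation-check
    elif failed:
        verdict = "suspected_prefix_hijack"
    elif verified:
        verdict = "no_evidence"
    else:
        verdict = "inconclusive"            # every witness silent: cannot tell
    return {"verdict": verdict, "failed": failed, "verified": verified,
            "witness_cas": distinct_cas, "results": results}


# ---- constructed scenario (no network access needed) ---------------------
WITNESSES = [
    Witness("a.example", "CA-1"),
    Witness("b.example", "CA-2"),
    Witness("c.example", "CA-3"),
]


def normal_day(host: str) -> str:
    return OK


def hijack_day(host: str) -> str:
    # The impersonator serves the target; one neighbour still verifies (it
    # may have obtained a fresh certificate), but two fail verification, and
    # any failing witness is evidence under the HOWLR rule.
    table = {"a.example": AUTH_FAIL, "b.example": AUTH_FAIL, "c.example": OK}
    return table.get(host, UNREACHABLE)


def outage_day(host: str) -> str:
    return UNREACHABLE


if __name__ == "__main__":
    for name, probe in [("normal", normal_day), ("hijack", hijack_day),
                        ("outage", outage_day)]:
        print(name, assess(OK, WITNESSES, probe)["verdict"])
```

In a real deployment `target_status` comes from the client's own TLS connection to the service it actually wants, and `probe` would be `tls_probe`; the separation lets the decision logic be exercised without a network.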
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes HOWLR, a client-driven BGP hijack detection system that treats co-hosted TLS-authenticated services within an IP prefix as witnesses; failure to authenticate any witness signals a prefix-level impersonation attack. The central claim is that this approach is feasible because impersonating all such services (especially those authenticated by different CAs) is prohibitively difficult at scale. The authors quantify witness existence and diversity in the wild and report that HOWLR can protect 89% of Tor relay prefixes and 75% of Bitcoin pool gateway prefixes.
Significance. If the quantification and asymmetry hold after addressing the noted gaps, the work would offer a novel end-host mechanism for timely BGP hijack detection that does not rely on operator cooperation. The concrete percentages for Tor and Bitcoin provide a falsifiable starting point for deployment studies, and the witness-diversity measurement is a strength that could be extended to other prefix sets.
major comments (2)
- [Abstract] Abstract: the specific coverage figures (89% Tor, 75% Bitcoin) are presented as results of 'wild quantification' with no accompanying description of the measurement methodology, dataset, prefix selection criteria, exclusion rules, or error analysis. Without these, the central feasibility claim cannot be evaluated.
- [Abstract] Abstract (core asymmetry paragraph): the claim that 'impersonating every co-hosted service ... authenticated by a different Certificate Authority' is prohibitively difficult is load-bearing for the entire approach, yet the text provides no evidence that the counted witnesses use validation methods (e.g., DNS-01 or domain-validated only) that would resist an attacker who controls the hijacked prefix and can complete ACME HTTP-01 challenges to obtain fresh valid certificates for every domain whose A record points into the prefix.
minor comments (1)
- [Abstract] The abstract would be clearer if it briefly indicated how a client would maintain and query the witness list in practice.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We address the two major comments point-by-point below and will revise the manuscript to improve the abstract's self-containment and to qualify the asymmetry claim where appropriate.
Point-by-point responses
- Referee: [Abstract] Abstract: the specific coverage figures (89% Tor, 75% Bitcoin) are presented as results of 'wild quantification' with no accompanying description of the measurement methodology, dataset, prefix selection criteria, exclusion rules, or error analysis. Without these, the central feasibility claim cannot be evaluated.
  Authors: We agree the abstract is too terse on this point. The full measurement methodology (including Tor consensus data from the Tor Project, public Bitcoin pool gateway announcements, prefix selection from active relay/pool lists, exclusion of non-TLS services, and basic error bounds from sampling) appears in Section 4. To make the abstract evaluable on its own, we will add one sentence summarizing the datasets and high-level approach. This is a partial revision because the detailed analysis remains in the body.
  Revision: partial
- Referee: [Abstract] Abstract (core asymmetry paragraph): the claim that 'impersonating every co-hosted service ... authenticated by a different Certificate Authority' is prohibitively difficult is load-bearing for the entire approach, yet the text provides no evidence that the counted witnesses use validation methods (e.g., DNS-01 or domain-validated only) that would resist an attacker who controls the hijacked prefix and can complete ACME HTTP-01 challenges to obtain fresh valid certificates for every domain whose A record points into the prefix.
  Authors: This is a substantive limitation we must address. Our witness-diversity counts are based on observed certificates and their issuing CAs, but we did not inspect the validation methods (ACME challenge type, etc.) used to issue those certificates. An attacker controlling the prefix could indeed satisfy HTTP-01 challenges for A-record domains. We will revise the abstract and the asymmetry discussion to explicitly note this caveat and to state that the claimed difficulty scales with CA diversity and with certificates that rely on non-prefix-controllable validation (e.g., DNS-01). The revision will qualify rather than remove the claim.
  Revision: yes
Circularity Check
No circularity: empirical measurement of external witnesses with no equations or self-referential reductions.
Full rationale
The paper proposes HOWLR by stating an asymmetry assumption (impersonating all co-hosted TLS services is difficult) and evaluates protection percentages via measurement of witness existence and diversity in Tor and Bitcoin prefixes. No equations, fitted parameters, derivations, or self-citations are load-bearing in a way that reduces claims to inputs by construction. The central results rest on external data collection rather than renaming or fitting internal quantities. This is self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: A BGP hijack diverts traffic for an entire IP prefix, but impersonating every co-hosted service within that prefix is prohibitively difficult at scale, especially if each service is authenticated by a different Certificate Authority.
Reference graph
Works this paper leans on
Paper authors (from the running header of the original): Constantine Doumanidis, Anya Kalogerakos, and Maria Apostolaki
- [1] Lawrence Abrams. 2024. Hacker hijacks orange spain ripe account to cause bgp havoc. https://www.bleepingcomputer.com/news/security/hacker-hijacks-orange-spain-ripe-account-to-cause-bgp-havoc/. Accessed: 2025-06-03.
- [2] Maria Apostolaki, Aviv Zohar, and Laurent Vanbever. 2017. Hijacking bitcoin: routing attacks on cryptocurrencies. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 375–392.
- [3] ayeowch. 2014. Bitnodes.io. Online; accessed July 7 2025. https://bitnodes.io.
- [4] Henry Birge-Lee, Maria Apostolaki, and Jennifer Rexford. 2025. Global bgp attacks that evade route monitoring. In Passive and Active Measurement. Cecilia Testart, Roland van Rijswijk-Deij, and Burkhard Stiller, (Eds.) Springer Nature Switzerland, Cham, 335–357. isbn: 978-3-031-85960-1.
- [5] Henry Birge-Lee, Yixin Sun, Anne Edmundson, Jennifer Rexford, and Prateek Mittal. 2018. Bamboozling certificate authorities with BGP. In 27th USENIX Security Symposium (USENIX Security 18), 833–849.
- [6] Henry Birge-Lee, Liang Wang, Jennifer Rexford, and Prateek Mittal. 2019. Sico: surgical interception attacks by manipulating bgp communities. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 431–448.
- [7] Nick Bouwhuis. 2023. Setting up a personal asn. nick.bouwhuis.net. https://nick.bouwhuis.net/posts/2023-02-12-setting-up-a-personal-asn/
- [8] Russel Brandom. 2018. Hackers emptied ethereum wallets by breaking the basic infrastructure of the internet. The Verge. Retrieved Aug. 16, 2024 from https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum
- [9] CertiK. 2023. Bgp hijacking: how hackers circumvent internet routing security to tear the digital fabric of trust. CertiK Blog. Online; accessed July 8 2025. https://www.certik.com/resources/blog/bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the
- [10] Cloudflare Inc. 2026. Cloudflare radar. Cloudflare Radar. Retrieved June 4, 2026 from https://radar.cloudflare.com
- [11] Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. 2015. A search engine backed by Internet-wide scanning. In 22nd ACM Conference on Computer and Communications Security. (Oct. 2015).
- [12] Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: fast internet-wide scanning and its security applications. In 22nd USENIX Security Symposium (USENIX Security 13), 605–620.
- [13] Artyom Gavrichenkov. 2015. Breaking https with bgp hijacking. Black Hat Briefings.
- [14] Yossi Gilad, Omar Sagga, and Sharon Goldberg. 2017. Maxlength considered harmful to the rpki. In Proceedings of the 13th International Conference on emerging Networking EXperiments and Technologies, 101–107.
- [15] Sharon Goldberg. 2014. Why is it taking so long to secure internet routing? Commun. ACM, 57, 10, (Sept. 2014), 56–63. doi:10.1145/2659899
- [16] Dan Goodin. 2022. How 3 hours of inaction from amazon cost cryptocurrency holders $235,000. Ars Technica. Retrieved Aug. 16, 2024 from https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
- [17] Andreas Haeberlen, Ioannis Avramopoulos, Jennifer Rexford, and Peter Druschel. 2009. Netreview: detecting when interdomain routing goes wrong. In 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2009). USENIX, 437–452.
- [18] Ethan Heilman, Alison Kendler, Aviv Zohar, and Sharon Goldberg. 2015. Eclipse attacks on Bitcoin's peer-to-peer network. In 24th USENIX Security Symposium (USENIX Security 15), 129–144.
- [19] Bryton Herdes, Mingwei Zhang, and Tanner Ryan. 2024. Cloudflare 1.1.1.1 incident on june 27, 2024. https://blog.cloudflare.com/cloudflare-1111-incident-on-june-27-2024/. Accessed: 2025-06-03.
- [20] Tomas Hlavacek, Haya Shulman, Niklas Vogel, and Michael Waidner. 2023. Keep your friends close, but your routeservers closer: insights into RPKI validation in the internet. In 32nd USENIX Security Symposium (USENIX Security 23), 4841–4858.
- [21] Josh Howarth. 2025. Most visited websites in the world (february 2025). Exploding Topics. Online; accessed July 6 2025. https://explodingtopics.com/blog/most-visited-websites
- [23] Xin Hu and Z Morley Mao. 2007. Accurate real-time identification of ip prefix hijacking. In 2007 IEEE Symposium on Security and Privacy (SP'07). IEEE, 3–17.
- [24] Yiyi Huang, Nick Feamster, Anukool Lakhina, and Jim Xu. 2007. Diagnosing network disruptions with network-wide analysis. ACM SIGMETRICS Performance Evaluation Review, 35, 1, 61–72.
- [25] Bagueros Isabela. 2020. Tor security advisory: exit relays running sslstrip in may and june 2020. The Tor Project Blog. Online; accessed July 8 2025. https://blog.torproject.org/bad-exit-relays-may-june-2020/?utm_source=chatgpt.com
- [26] Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczyński, and Wouter Joosen. 2019. Tranco: a research-oriented top sites ranking hardened against manipulation. In Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS 2019). (Feb. 2019). doi:10.14722/ndss.2019.23386
[27] Let's Encrypt. [n. d.] Certificate transparency (ct) logs. Online; accessed June 6 2026. https://letsencrypt.org/docs/ct-logs/
- [28] Jun Li, Dejing Dou, Zhen Wu, Shiwoong Kim, and Vikash Agarwal. 2005. An internet routing forensics framework for discovering rules of abnormal bgp events. SIGCOMM Comput. Commun. Rev., 35, 5, (Oct. 2005), 55–66. doi:10.1145/1096536.1096542
- [29] Pat Litke, Joe Stewart, and Dell SecureWorks Counter Threat Unit. 2014. Bgp hijacking for cryptocurrency profit. Dell SecureWorks. Online; Internet Archive 21 December 2014. https://web.archive.org/web/20141221001200/https://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit#expand
- [30] Jianning Mai, Lihua Yuan, and Chen-Nee Chuah. 2008. Detecting bgp anomalies with wavelet. In NOMS 2008 - 2008 IEEE Network Operations and Management Symposium. IEEE, 465–472.
- [31] Q Misell, Florian Steurer, Johannes Zirngibl, Anja Feldmann, and Tobias Fiebig. 2025. Measuring the deployment of dnssec bootstrapping using authenticated signals. In Proceedings of the 2025 ACM Internet Measurement Conference, 1002–1009.
- [32] Bahaa Al-Musawi, Philip Branch, and Grenville Armitage. 2015. Detecting bgp instability using recurrence quantification analysis (rqa). In 2015 IEEE 34th International Performance Computing and Communications Conference (IPCCC). IEEE, 1–8.
- [33] NoVirusThanks Company Srl. [n. d.] Ipvoid: random ip generator. Online; accessed July 6 2025. https://www.ipvoid.com/random-ip/
- [34] Venkata N. Padmanabhan and Daniel R. Simon. 2003. Secure traceroute to detect faulty or malicious routing. SIGCOMM Comput. Commun. Rev., 33, 1, (Jan. 2003), 77–82. doi:10.1145/774763.774775
- [35] Arntz Pieter. 2021. Was threat actor kax17 de-anonymizing the tor network? MalwareBytes Labs. Online; accessed July 8 2025. https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network
- [36] B Aditya Prakash, Nicholas Valler, David Andersen, Michalis Faloutsos, and Christos Faloutsos. 2009. Bgp-lens: patterns and anomalies in internet routing updates. In Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 1315–1324.
- [37] Dingledine Roger. 2015. Did the fbi pay a university to attack tor users? The Tor Project Blog. Online; accessed July 8. https://blog.torproject.org/did-fbi-pay-university-attack-tor-users/
[39] Tal Shapira and Yuval Shavitt. 2022. Ap2vec: an unsupervised approach for bgp hijacking detection. IEEE Transactions on Network and Service Management, 19, 3, 2255–2268.
- [40] Xingang Shi, Yang Xiang, Zhiliang Wang, Xia Yin, and Jianping Wu. 2012. Detecting prefix hijackings in the internet with argus. In Proceedings of the 2012 Internet Measurement Conference, 15–28.
- [41] Aftab Siddiqui. 2022. Klayswap – another bgp hijack targeting crypto wallets. MANRS. Retrieved Aug. 16, 2024 from https://manrs.org/2022/02/klayswap-another-bgp-hijack-targeting-crypto-wallets/
- [42] Nick Sullivan. [n. d.] Introducing certificate transparency and nimbus. Online; accessed June 6 2026. https://blog.cloudflare.com/introducing-certificate-transparency-and-nimbus/
- [43] Yixin Sun, Maria Apostolaki, Henry Birge-Lee, Laurent Vanbever, Jennifer Rexford, Mung Chiang, and Prateek Mittal. 2021. Securing internet applications from routing attacks. Commun. ACM, 64, 6, (May 2021), 86–96. doi:10.1145/3429775
- [45] Yixin Sun, Anne Edmundson, Laurent Vanbever, Oscar Li, Jennifer Rexford, Mung Chiang, and Prateek Mittal. 2015. RAPTOR: routing attacks on privacy in tor. In 24th USENIX Security Symposium (USENIX Security 15), 271–286.
- [46] Daryll Swer. 2022. How i set up my own autonomous system. APNIC Blog. Online; accessed June 5, 2025. https://blog.apnic.net/2022/07/01/how-i-set-up-my-own-autonomous-system/
- [47] The University of Oregon. [n. d.] Route Views Project. http://www.routeviews.org/routeviews/
- [48] Trickest. [n. d.] Resolvers: the most exhaustive list of reliable dns resolvers. Online; accessed June 6 2026. https://github.com/trickest/resolvers
- [49] Laurent Vanbever, Oscar Li, Jennifer Rexford, and Prateek Mittal. 2014. Anonymity on quicksand: using bgp to compromise tor. In Proceedings of the 13th ACM Workshop on Hot Topics in Networks, 1–7.
- [50] Jilong Wang and Changqing An. 2024. BGPWatch — A comprehensive platform for detecting and diagnosing hijacking incidents. APNIC Blog. Retrieved May 15, 2025 from https://blog.apnic.net/2024/02/07/bgpwatch-a-comprehensive-platform-for-detecting-and-diagnosing-hijacking-incidents/
- [51] Wikipedia. 2025. List of most-visited websites — Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=List%20of%20most-visited%20websites&oldid=1298817684. Online; accessed July 6 2025.
- [52] Ying Zhang, Zheng Zhang, Zhuoqing Morley Mao, Charlie Hu, and Bruce MacDowell Maggs. 2007. On the impact of route monitor selection. In Proceedings of the 7th ACM SIGCOMM Conference on Internet Measurement (IMC '07). Association for Computing Machinery, San Diego, California, USA, 215–220. isbn: 9781595939081. doi:10.1145/1298306.1298336