Towards real-time route leak events detection

Malicious attack and misconfiguration can cause unreachable websites, network outages, and other damages. Such incidents are usually observed together with anomalous AS paths which violate a “valley-free” policy. Existing techniques to infer routing policy cannot satisfy industrial demand of real-time route leak detection because they are very likely to trigger false positives. In this paper, we propose an online detection scheme dedicated to detect route leak AS paths. Based on long-lived routing paths, and route anomalous concurrency, we manage to filter possible false positives in online scenarios. Applying this scheme to Oregon´s routing data from 2009 to 2013, we detect 136 route leak events. Our evaluation shows that our scheme triggers no false positives, and most of these events are previously unknown to the research and operation communities at large.