SimBlock: Global internet route blocking simulation and detection system

Yizhi LI, Jiang LI, Jiahao CAO, Yangyang WANG, Mingwei XU

Journal of Tsinghua University(Science and Technology) ›› 2025, Vol. 65 ›› Issue (11) : 2221-2235.

DOI: 10.16511/j.cnki.qhdxxb.2025.27.051

Abstract

Objective: Route blocking is a newly emerged category of routing threats following the Russia-Ukraine conflict. Unlike conventional routing threats, route blocking constitutes targeted, large-scale network-layer obstruction between regions or even nations, typically affecting extensive areas at regional or national levels. The damage caused by route blocking extends beyond economic losses, potentially triggering political or social instability, thus necessitating effective security measures. However, the vast scope of route blocking poses a challenge to comprehensively analyzing its impact on the real-world Internet. Furthermore, conducting route blocking experiments on the real-world Internet incurs prohibitively high costs and raises a series of ethical concerns. Consequently, conducting an in-depth security analysis becomes difficult, and validating the effectiveness of designed defense measures becomes even more challenging.

Methods: To design and validate effective countermeasures against route blocking, this paper proposes SimBlock, a fine-grained global Internet route blocking simulation and detection system that analyzes the characteristic patterns of route blocking through simulation to provide a foundation for security measure design and validation. SimBlock comprises four modules: (1) global Internet topology construction using open third-party topology data, (2) global Internet routing simulation on the established topology, (3) route blocking simulation implementing various blocking techniques based on the designed routing algorithm, and (4) route blocking detection and identification through characteristic analysis. SimBlock is capable of simulating both autonomous system (AS)-level and router-level paths between arbitrary IP addresses. The system additionally supports the simulation of point-to-point packet transmission, ping probing, and traceroute probing, while enabling the granular simulation of dynamic network conditions, including congestion and failures. SimBlock demonstrates comprehensive simulation capabilities of at least five fundamental route blocking methods: DDoS attacks, IP blocking, physical blocking, route hijacking, and business relationship termination. Building upon this foundation, the system has successfully validated a route blocking detection and identification algorithm based on distributed prober triplets, delivering robust security measures to mitigate potential route blocking threats.

Results: This paper conducts extensive experiments to validate the effectiveness of SimBlock. The experimental results demonstrate that: (1) even with 47.65% of the routers lacking valid IP addresses in the dataset, SimBlock can simulate valid AS/router-level paths with a 98.94% success rate, proving that the constructed global Internet topology maintains high coverage and excellent connectivity; (2) without prior knowledge of specific AS-routing policies, the AS-level paths simulated by SimBlock achieve an average 61.00% similarity with real-world traceroute paths (reaching over 80% similarity in 16.21% of cases), while the router-level paths maintain an average 42.44% similarity (exceeding 70% in 7.40% of cases) despite 47.65% missing router IPs, confirming that the simulation algorithm accurately captures overall routing trends; (3) for Internet topologies containing over 70,000 AS nodes, SimBlock maintains millisecond-level latency in AS-level path simulation and handles router-level simulation for approximately 60 million nodes with second-level latency, demonstrating exceptional efficiency in large-scale Internet data processing; (4) across various victim-attacker country combinations, the detection algorithm of SimBlock reliably distinguishes route blocking from normal network failures, and its identification algorithm effectively differentiates between various blocking techniques, validating the effectiveness and universality of the system.

Conclusions: In summary, SimBlock provides an effective solution for in-depth analysis of route blocking, while also offering an effective security measure to counter the potential threats posed by route blocking.

Key words

border gateway protocol (BGP) / route blocking / routing threat detection / routing simulation

Cite this article

Yizhi LI, Jiang LI, Jiahao CAO, et al. SimBlock: Global internet route blocking simulation and detection system[J]. Journal of Tsinghua University(Science and Technology). 2025, 65(11): 2221-2235. https://doi.org/10.16511/j.cnki.qhdxxb.2025.27.051

RIGHTS & PERMISSIONS

All rights reserved. Unauthorized reproduction is prohibited.