HOWLR: Hijack Observation via Witness-Led Response

Abstract

The Border Gateway Protocol (BGP) is critical to Internet routing but lacks built-in security measures, leaving it vulnerable to hijacks that can reroute, intercept, and drop traffic. Existing hijack detection methods—such as origin validation, path monitoring, and traffic analysis—suffer from limited deployment and high overhead. This work introduces HOWLR (Hijack Observation via Witness-Led Response), a lightweight, deployable system that enables node-level detection of BGP hijacks by leveraging certificate-verifiable IPs—termed witnesses—within a victim's /24 prefix. HOWLR defines two tiers of protection, Light and Strong, based on the number and CA diversity of witnesses. The system is optimized for runtime performance, requires no ISP cooperation, and can be applied to security-sensitive applications like Bitcoin. Evaluation across applications, autonomous systems, geographic regions, and previously hijacked prefixes demonstrates that HOWLR provides timely and accurate protection, even when deployed at a single node. A proof-of-concept integration with Bitcoin further illustrates its practical viability.