Based on the data that I collected, I think keeping track of the following metrics is a good idea:
- Number of connection path changes: since paths to a specific destination remain mostly stable (same ASes and routers on path - Insight #4), if many or all of our connections’ paths change to be routed through a common AS, that is a sign of this attack. The attacker can tamper with traceroute traffic that goes through their AS but not before it - this allows us to observe a common path onto which connections will consolidate if this attack takes place.
- Connection churn rate for non-reachable nodes: the attacker wants to minimize the number of prefix hijacks they maintain in order to reduce the traffic they forward, and increase their chances of remaining unnoticed. Thus the attacker prefers to reset inbound connections to the victim and occupy their slots with connections of their own. A high churn rate of non-reachable nodes can be an indicator of this attack.
I might be missing some candidate metrics though - happy to discuss other ideas.
Authentication would help in preventing the attacker from impersonating unauthenticated connections or MITM-ing new ones during the handshake. For existing authenticated connections, the attacker can still intercept them, but not inspect their traffic, using this attack.
Multi-homing a node is probably one of the best countermeasures against routing-based attacks.
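An added example, not code from the post or from any node implementation, of how the two metrics above could be computed over constructed data: AS-level traceroute paths per peer before and after (the ASNs are reserved/documentation values), and a constructed disconnect log for inbound peers. Function names, thresholds and the data layout are assumptions.

```python
from collections import Counter

# Constructed sample: AS-level traceroute paths per peer, baseline vs. now.
# Three of the four changed paths now transit AS 64500 (a reserved ASN).
BASELINE = {
    "peer1": [64496, 64497, 64510],
    "peer2": [64496, 64498, 64511],
    "peer3": [64496, 64499, 64512],
    "peer4": [64496, 64497, 64513],
}
CURRENT = {
    "peer1": [64496, 64500, 64510],
    "peer2": [64496, 64500, 64511],
    "peer3": [64496, 64499, 64512],   # unchanged
    "peer4": [64496, 64500, 64513],
}

def path_change_metrics(baseline, current):
    """Count peers whose AS path changed and find the AS that newly appears
    on the most changed paths (the 'common AS' the post describes)."""
    changed = [p for p in current if p in baseline and current[p] != baseline[p]]
    new_as = Counter()
    for p in changed:
        for asn in set(current[p]) - set(baseline[p]):
            new_as[asn] += 1
    common = new_as.most_common(1)[0] if new_as else (None, 0)
    return len(changed), common   # -> (3, (64500, 3)) for the sample above

# Constructed disconnect log: (timestamp_s, peer_addr, peer_is_reachable).
DISCONNECTS = [
    (100, "198.51.100.1", False), (130, "198.51.100.2", False),
    (160, "198.51.100.3", False), (170, "203.0.113.7", True),
    (200, "198.51.100.4", False), (900, "198.51.100.5", False),
]

def churn_rate(events, now, window_s):
    """Disconnects of non-reachable (inbound) peers per minute in the window."""
    recent = [t for t, _, reachable in events
              if not reachable and now - window_s <= t <= now]
    return len(recent) / (window_s / 60)

def alert(baseline, current, events, now, window_s, path_frac=0.5, churn=1.0):
    """Return (path_signal, churn_signal): paths consolidating on one new AS,
    and inbound non-reachable churn above the assumed threshold."""
    n_changed, (asn, share) = path_change_metrics(baseline, current)
    path_signal = n_changed / len(baseline) >= path_frac and share == n_changed
    churn_signal = churn_rate(events, now, window_s) >= churn
    return path_signal, churn_signal
```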