End user devices (e.g. 100a, 100b, 100c, 100d, etc.), IP-based network connection point routers (e.g. 120a, 120b, 120c), and routers in the IP-based network cloud, can be configured for use in accordance with embodiments disclosed herein to identify network traffic flowing between an end user device and an IP-based network server. Using the systems and techniques disclosed herein, some or all of the devices may establish a historical average packet round trip time from the network packets sent by the end user device to the IP-based network server and the corresponding response packets. Sent packets may be matched to packets received, with the match being made using fields in the TCP/IP packets. For example, TCP/IP sequence numbers or other information within the TCP/IP packets themselves may be used to match sent and received packets. Alternatively or in addition, the time difference between when a packet was sent and the corresponding response may be calculated and used to identify corresponding packets.

Alternatively or in addition, packet responses may be matched in an application program and round-trip times computed at the application layer instead of within the IP stack such as is performed by IP protocols such as the network time protocol. However, in some configurations the network time protocol may not be able to detect BGP hijacking because the packet flow to and from the time server does not follow the same routing as traffic to other IP-based network servers.