BGP Hijacking: How Attackers Steal Internet Traffic

The internet routes billions of packets every second across thousands of autonomous systems. At its core sits BGP — a protocol built on trust. And trust, as history shows, is easy to exploit.

What Is BGP and Why Does It Matter

The Border Gateway Protocol (BGP) is the routing protocol that makes the global internet work. Every internet service provider, cloud provider, and large enterprise operates as an Autonomous System (AS) — an independently managed network with a unique AS number (ASN).

BGP is how these systems talk to each other. Each AS announces the IP address prefixes it “owns” — essentially declaring: “Traffic destined for this range of addresses? Send it through me.” Routers around the world collect these announcements and build routing tables that determine how every packet reaches its destination.

The critical flaw: BGP has no built-in mechanism to verify that an announcement is legitimate. When AS64512 says it owns 192.0.2.0/24, every other AS on the internet has to take that on faith.

How BGP Hijacking Works

BGP hijacking occurs when a malicious — or misconfigured — AS announces IP prefixes it does not legitimately own. Because routers forward on the most specific matching prefix and prefer shorter AS paths, a well-crafted false announcement can redirect global traffic within minutes.

The Core Attack Mechanics

There are two primary techniques:

1. Prefix hijacking (exact match)

The attacker announces the exact same prefix as the legitimate owner. BGP routers receive two competing announcements for 203.0.113.0/24 — one from the real AS, one from the attacker. Traffic gets split or redirected depending on which path routers prefer based on AS path length and local policy.

2. Subprefix hijacking (more specific)

This is more powerful and more dangerous. Instead of announcing 203.0.113.0/24, the attacker announces 203.0.113.0/25 and 203.0.113.128/25 — two more specific /25 blocks that together cover the entire /24.

Routers forward on the longest matching prefix, so 100% of traffic destined for the victim’s prefix now flows through the attacker — even if the legitimate /24 announcement is still present. There is no split; the hijack wins completely.
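To make the route-selection rule concrete, here is an added example (not code from the original article) that applies longest-prefix match and then shortest AS path to a constructed routing table. AS64512 is the legitimate origin from the article; AS64666 is a hypothetical hijacking AS and the AS paths are made up.

```python
import ipaddress

# Constructed routing table as seen by one router: (prefix, AS path).
# The last ASN in each path is the origin AS that announced the prefix.
RIB = [
    ("203.0.113.0/24", [64500, 64512]),            # legitimate /24, short path
    ("203.0.113.0/24", [64501, 64502, 64666]),     # exact-match hijack, longer path
    ("203.0.113.0/25", [64501, 64502, 64666]),     # subprefix hijack, low half
    ("203.0.113.128/25", [64501, 64502, 64666]),   # subprefix hijack, high half
]


def best_route(dst, rib):
    """Return (prefix, origin AS) a router would use to reach dst.

    Longest matching prefix always wins; among equal-length prefixes the
    shortest AS path wins (a simplification of the full BGP decision process).
    """
    ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), path) for p, path in rib
                  if ip in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, path = max(candidates, key=lambda c: (c[0].prefixlen, -len(c[1])))
    return str(net), path[-1]


def origin_for(dst, rib):
    """Origin AS that receives traffic for dst, or None if unreachable."""
    route = best_route(dst, rib)
    return route[1] if route else None
```

With only the two /24 announcements present, the shorter path to AS64512 wins and traffic is merely at risk of being split; once the /25s are present, every address in the /24 resolves to the hijacker.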

What Happens to the Traffic

Once traffic is redirected, the attacker has three options:

Action          Description                            Use case
Blackhole       Traffic is dropped silently            DoS / censorship
Interception    Traffic is inspected, then forwarded   Espionage, credential theft
Impersonation   Attacker terminates the connection     Phishing, MITM attacks

The most sophisticated attacks perform silent interception: traffic flows into the attacker’s network, gets copied or decrypted, then is forwarded to the legitimate destination. The victim sees only slightly elevated latency — often not enough to trigger alerts.

Real-World Incidents

BGP hijacking is not theoretical. It has been used for espionage, financial fraud, and geopolitical disruption at scale.

2010 — China Telecom, 15% of the Internet

For approximately 18 minutes, China Telecom announced routes for over 37,000 IP prefixes belonging to organizations including the US military, Senate, and major internet companies. An estimated 15% of global internet traffic was rerouted through Chinese infrastructure. The cause was officially called a “misconfiguration,” but the incident demonstrated the catastrophic scale a BGP hijack can reach.

2018 — Amazon Route 53 DNS Hijack

Attackers hijacked BGP routes belonging to Amazon’s Route 53 DNS service by announcing them from a small ISP (eNet AS10297). Users trying to reach myetherwallet.com were redirected to a phishing server. ~$160,000 in Ethereum was stolen in roughly two hours before the attack was detected and mitigated.

2022 — Vodafone Germany Outage

A BGP misconfiguration at a smaller ISP caused Vodafone Germany to lose connectivity for millions of customers. Though not malicious, the incident illustrated how a single bad announcement can cascade through the global routing table and cause widespread outages.

2023 — Russia’s Persistent Campaigns

Multiple threat intelligence reports documented Russian state actors using BGP hijacking to redirect traffic from Ukrainian and European networks through Russian infrastructure — particularly targeting government and military communications shortly after the invasion of Ukraine began.

Why Is BGP Still Vulnerable?

Despite being a decades-old problem, BGP hijacking remains widespread. The reasons are structural:

1. BGP was designed for trust, not verification. The protocol was created in 1989 for a small network of cooperating institutions. Authentication was never a design requirement. Adding it retroactively means upgrading thousands of independently operated networks simultaneously.

2. Operational incentives are misaligned. When AS-A is hijacked, the damage falls on AS-A’s customers. But the cost of deploying defenses falls on every AS in the ecosystem. This classic tragedy-of-the-commons problem slows adoption of mitigations.

3. Misconfigurations look identical to attacks. BGP routers cannot distinguish a fat-finger mistake from a deliberate hijack. This ambiguity makes carriers reluctant to aggressively filter routes that might be legitimate but unusual.

4. The routing table is enormous. The global BGP routing table now exceeds 1 million prefixes. Validating all of them in real time is computationally expensive.

Defenses and Mitigations

The security community has developed several countermeasures, though none are fully deployed industry-wide.

RPKI — Resource Public Key Infrastructure

RPKI is the most important defense currently available. It works by cryptographically binding IP address prefixes to their legitimate AS owners using Route Origin Authorizations (ROAs).

A ROA is a signed object, issued under the resource holder’s RPKI certificate, that says: “Prefix 203.0.113.0/24 may only be originated by AS64512.” Routers that implement Route Origin Validation (ROV) can then check incoming BGP announcements against the RPKI data and reject invalid ones.

Resource holder (certified by its RIR: ARIN, RIPE NCC, etc.)
        │
        ▼ signs
   ROA (signed object)
   "203.0.113.0/24 → AS64512 only"
        │
        ▼ published to
   RPKI Repository
        │
        ▼ checked by
   BGP Router (ROV enabled)
   → VALID: accept route
   → INVALID: reject route
   → NOT FOUND: accept (for now)
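The VALID / INVALID / NOT FOUND outcomes in the diagram above, as an added example that is not part of the original article: a minimal Route Origin Validation function following the RFC 6811 rules, run against a constructed ROA for the article’s 203.0.113.0/24 example. AS64666 is a hypothetical hijacking AS.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_as: int


# Constructed ROA set: only AS64512 may originate 203.0.113.0/24, and
# nothing more specific than a /24 (max_length == 24).
ROAS = [ROA("203.0.113.0/24", 24, 64512)]


def validate(prefix, origin_as, roas):
    """Route Origin Validation (RFC 6811).

    A ROA *covers* an announcement when the announced prefix lies inside the
    ROA prefix. It *matches* when it also names the same origin AS and the
    announced length does not exceed max_length.
      valid      - at least one matching ROA
      invalid    - covered by some ROA, but none match
      not-found  - no ROA covers the prefix at all
    ROV checks only the origin AS; it says nothing about the rest of the path.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def rov_policy(state):
    """Router action for each state, as in the diagram: drop only INVALID."""
    return "reject" if state == "invalid" else "accept"
```

Note that with max_length 24 the /25 subprefix announcements are INVALID even when they carry the legitimate origin AS, which is why the checklist below asks you to keep max-length tight.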

Current adoption (as of 2024): approximately 50% of global prefixes have ROAs published, and major transit providers (Cloudflare, AT&T, Deutsche Telekom) enforce ROV. However, full industry-wide adoption would require every AS to participate — and many still do not.

BGPsec

BGPsec extends RPKI by cryptographically signing not just the origin AS but the entire AS path — preventing path manipulation even when origin validation passes. It is specified in RFC 8205 but has seen almost no real-world deployment due to significant performance overhead and the requirement for all ASes in a path to support it simultaneously.

IRR Filtering

Internet Routing Registries (IRR) — databases such as those operated by ARIN, RIPE NCC, and RADB — allow AS operators to register the routes they intend to announce. Upstream providers can filter customers’ announcements against these registries.

IRR filtering is widely recommended but inconsistently enforced. Registry data is often stale or inaccurate, limiting its effectiveness as a sole defense.

Prefix Filtering (MANRS)

The Mutually Agreed Norms for Routing Security (MANRS) initiative encourages network operators to implement four basic actions:

  1. Filter announced routes to prevent propagation of incorrect routing information
  2. Filter inbound traffic to prevent IP address spoofing
  3. Coordinate with the global operations community
  4. Publish routing policy in a globally accessible database

Over 1,000 networks have joined MANRS, but adoption among smaller ISPs — often the source of hijacks — remains low.

Real-Time Monitoring

Since prevention is incomplete, detection is critical. Tools like the following provide real-time BGP monitoring:

  • BGPmon — alerts on unexpected route announcements for registered prefixes
  • Cloudflare Radar — public visibility into BGP anomalies
  • RIPE RIS — raw BGP data feeds from global route collectors
  • Kentik / ThousandEyes — commercial tools for enterprise BGP monitoring

Organizations that own IP address space should register for prefix monitoring and configure alerts for unexpected origin changes.
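As an added example of the alerting described above (not a tool from the article), here is a small detector that flags two hijack indicators for a monitored prefix in a constructed stream of route-collector updates: an origin AS we do not expect, and a more-specific prefix we never announced. Timestamps, AS numbers and the update tuple format are all made up for illustration; AS64666 is a hypothetical hijacker.

```python
import ipaddress

# Prefixes we own and the origin AS we expect for each (constructed).
MONITORED = {"203.0.113.0/24": 64512}

# Constructed collector feed: (timestamp, "A"nnounce/"W"ithdraw, prefix, AS path).
UPDATES = [
    ("12:00:01", "A", "203.0.113.0/24", [64500, 64512]),          # our own route
    ("12:00:05", "A", "198.51.100.0/24", [64500, 64600]),         # unrelated prefix
    ("12:03:10", "A", "203.0.113.0/24", [64501, 64502, 64666]),   # exact match, wrong origin
    ("12:03:11", "A", "203.0.113.0/25", [64501, 64502, 64666]),   # more specific
    ("12:03:12", "A", "203.0.113.128/25", [64501, 64502, 64512]), # more specific, origin looks like ours
    ("12:05:00", "W", "203.0.113.0/25", []),                      # withdrawal, not an indicator
]


def check_update(update, monitored):
    """Return an alert line if the announcement touches a monitored prefix in
    an unexpected way, else None."""
    ts, kind, prefix, path = update
    if kind != "A" or not path:
        return None
    net = ipaddress.ip_network(prefix)
    origin = path[-1]
    for owned, expected_as in monitored.items():
        owned_net = ipaddress.ip_network(owned)
        if net.version != owned_net.version or not net.subnet_of(owned_net):
            continue
        # A more-specific we never announced is suspicious regardless of
        # origin AS: it wins longest-prefix match against our own route.
        if net.prefixlen > owned_net.prefixlen:
            return f"{ts} MORE_SPECIFIC {prefix} origin AS{origin} covers part of {owned}"
        if origin != expected_as:
            return f"{ts} ORIGIN_CHANGE {prefix} origin AS{origin}, expected AS{expected_as}"
    return None


def scan(updates, monitored):
    """Run every update through check_update and keep the alerts, in order."""
    return [a for a in (check_update(u, monitored) for u in updates) if a]
```

In practice the feed would come from a collector such as RIPE RIS, and the third alert shows why a monitor must not trust the origin AS alone.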

How to Protect Your Own Prefixes

If you operate an AS or manage IP address space, here is a practical checklist:

[ ] Create ROAs for all your prefixes in your RIR's RPKI portal
[ ] Set each ROA's max-length to the prefix lengths you actually announce, so more-specific announcements fail ROV and subprefix hijacking is blocked
[ ] Register accurate IRR objects (route objects) with your RIR
[ ] Enable BGP monitoring and alerting on your prefixes
[ ] Use MANRS-compliant upstream providers
[ ] Implement prefix-length filtering (reject /25 and longer from peers if unneeded)
[ ] Audit your own BGP configurations regularly for misconfigurations

The State of BGP Security in 2024

Progress is real but slow. RPKI adoption has grown significantly — from under 10% in 2018 to roughly 50% today. Major cloud providers and CDNs enforce ROV at their borders, which meaningfully reduces the blast radius of hijacks targeting well-protected prefixes.

But the internet’s long tail of smaller ISPs, particularly in Asia, Latin America, and Eastern Europe, remains largely unprotected. As long as even a minority of transit providers accept unvalidated routes, attackers can find paths that bypass RPKI enforcement.

The uncomfortable truth is that BGP security is a coordination problem as much as a technical one. The protocol can be hardened — the tools exist. What’s lacking is the economic pressure and regulatory incentive to deploy them universally.

Until then, BGP hijacking will remain one of the most powerful and underappreciated attack vectors on the global internet.