Explain BGP hijacking attacks.

The Border Gateway Protocol (BGP) is the core routing protocol of the internet. It enables autonomous systems (ASes)—large networks operated by ISPs, governments, or organizations—to exchange routing information and decide the best paths for data packets to travel across the global network. BGP relies on trust between ASes, where each advertises its own IP address prefixes (blocks of IP addresses) to neighbors, and routers propagate this information to build global routing tables.

What is BGP Hijacking?

BGP hijacking, also known as route hijacking, prefix hijacking, or IP hijacking, occurs when an attacker illicitly manipulates BGP announcements to redirect internet traffic away from its intended destination. By falsely claiming ownership of IP address blocks (prefixes) that belong to someone else, the attacker can insert themselves into the data path, effectively “hijacking” the route. This exploits BGP’s lack of built-in authentication, making it vulnerable to spoofing.

How Does BGP Hijacking Work?

BGP operates on a “trust but verify” model, but the verification is weak. Here is a simplified step-by-step view:

1.  Normal BGP Operation: An AS announces its IP prefixes to BGP peers (neighboring ASes) via UPDATE messages. Peers propagate these announcements, and routers select paths based on attributes like shortest path or policy.

2.  Hijacking Initiation: The attacker, controlling a rogue AS or compromising a legitimate router, sends a false BGP UPDATE announcing a more attractive route (e.g., shorter path) to the victim’s prefixes. This could involve:

•  Forging the announcement with a spoofed AS number.

•  Using a compromised router in a legitimate AS to issue the bogus route.

3.  Propagation: BGP peers accept and propagate the false route because BGP doesn’t inherently validate the source. Global routing tables update, redirecting traffic through the attacker’s network.

4.  Traffic Diversion: Legitimate traffic destined for the hijacked prefixes now flows to the attacker, who can inspect, modify, or drop it before (optionally) forwarding it onward.

This can happen in seconds and affect millions of users, as BGP announcements propagate rapidly.

Types of BGP Hijacking Attacks

BGP hijacks vary in scope and intent. Common classifications include:

•  Prefix Hijacking: The attacker targets a specific IP prefix, announcing it as their own to siphon traffic. This is the most common type, often for eavesdropping or man-in-the-middle (MitM) attacks.

•  AS Path Hijacking (or Subprefix Hijacking): The attacker prepends or alters the AS path attribute to make their route appear preferable, subtly diverting traffic without fully claiming the prefix.

•  Route Leaking: An AS accidentally or maliciously leaks internal routes to the public internet, causing widespread misrouting. Malicious leaks can masquerade as hijacks.

•  Blackholing: The attacker announces a route but drops all traffic, effectively launching a denial-of-service (DoS) attack.

Research has identified over a dozen subtypes based on indicators like announcement volume and duration, aiding in detection.

Impacts of BGP Hijacking

The consequences can be severe and far-reaching:

•  Data Interception and Modification: Attackers can spy on unencrypted traffic (or on HTTPS traffic, if certificates are compromised) or inject malware.

•  Service Disruption: Redirected or dropped traffic leads to outages for websites, cloud services, or critical infrastructure like financial systems.

•  Economic and Geopolitical Damage: Hijacks have enabled censorship, ransomware extortion, or state-sponsored espionage. For instance, traffic rerouting can undermine trust in global DNS or certificate authorities.

A single hijack can affect up to 10-20% of global internet traffic, depending on the prefix size.

Real-World Examples

BGP hijacks are not theoretical; they’ve disrupted the internet repeatedly:

•  2018 Crypto Exchange Hijack: The Russian telecom Rostelecom hijacked routes for major cryptocurrency exchanges (e.g., Binance, MyEtherWallet), likely for surveillance or theft, diverting traffic for hours.

•  2020 Twitter Outage: A misconfiguration (or possible hijack) by a U.S. cloud provider leaked routes, causing intermittent global downtime for Twitter.

•  Pakistan YouTube Hijack (2008): Pakistan Telecom announced false routes for YouTube’s prefixes to block access domestically, inadvertently blackholing the site worldwide for hours.

•  Recent Incidents (2023-2025): In 2023, a hijack targeted a certificate authority during domain verification, allowing attackers to issue fake certificates. As of early 2025, state actors have used “camouflaged” AS hijacks to route changes through proxies, evading detection.

These events highlight how hijacks can stem from errors, insiders, or deliberate malice.

Mitigation and Prevention

BGP’s vulnerabilities persist, but defenses are improving:

•  BGPsec and RPKI: Resource Public Key Infrastructure (RPKI) uses cryptographic signatures to validate route origins, preventing invalid announcements. BGPsec adds path validation.

•  Monitoring Tools: Services like ThousandEyes or Kentik detect anomalies in real-time by analyzing BGP feeds.

•  Filtering and Policies: ASes implement strict prefix filters and maximum prefix limits to reject suspicious announcements.

•  Redundancy: Multi-homing (connecting to multiple ISPs) and anycast routing make networks more resilient.

Despite these defenses, adoption is uneven—full global protection requires widespread cooperation. Organizations should monitor their AS announcements via tools like BGPmon or RIPEstat.
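To make the propagation steps above and the RPKI defense concrete, here is an added simulation (not code from the page or any vendor) of a router's decision process: longest-prefix match first, then shortest AS path, with and without route origin validation (ROV) against a ROA table. All prefixes, AS numbers and ROAs are constructed for the illustration; it also shows the maxLength caveat that bites operators who announce more-specifics their ROA does not cover.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str        # announced prefix, e.g. "203.0.113.0/24"
    as_path: tuple     # AS_PATH as received; the last element is the origin AS

# Constructed ROA table (prefix, maxLength, authorised origin AS); not real RPKI data.
ROAS = [("203.0.113.0/24", 24, 64500)]

def rov_state(route):
    """RFC 6811 origin validation: 'valid', 'invalid' (a ROA covers the prefix but
    none matches origin AS and length) or 'notfound' (no ROA covers it at all)."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_as in ROAS:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if origin == roa_as and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "notfound"

def best_route(dest_ip, rib, rov=False):
    """Pick the route a router would use: longest prefix first, then shortest AS path."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    if rov:  # with ROV enforced, 'invalid' routes never enter the decision process
        candidates = [r for r in candidates if rov_state(r) != "invalid"]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, len(r.as_path)))

# Constructed scenario: AS 64500 legitimately originates 203.0.113.0/24; the hijacker
# AS 64666 announces the same prefix with a shorter path and also a /25 more-specific.
LEGIT = Route("203.0.113.0/24", (64496, 64500))
HIJACK_SAME_PREFIX = Route("203.0.113.0/24", (64666,))
HIJACK_MORE_SPECIFIC = Route("203.0.113.0/25", (64496, 64497, 64666))
RIB = [LEGIT, HIJACK_SAME_PREFIX, HIJACK_MORE_SPECIFIC]

def chosen_origin(dest_ip, rov):
    """Origin AS that traffic for dest_ip would be forwarded towards."""
    r = best_route(dest_ip, RIB, rov=rov)
    return r.as_path[-1] if r else None

if __name__ == "__main__":
    print("no ROV   ->", chosen_origin("203.0.113.10", rov=False))  # hijacker wins via the /25
    print("with ROV ->", chosen_origin("203.0.113.10", rov=True))   # legitimate origin restored
    print("victim's own /25:", rov_state(Route("203.0.113.0/25", (64500,))))  # maxLength caveat
```

The last line shows why a ROA's maxLength must match what you actually announce: a more-specific from the legitimate origin is also marked invalid, so ROV-enforcing peers would drop it.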

In summary, BGP hijacking underscores the internet’s fragile trust model: a single false announcement can cascade globally. For deeper dives, refer to resources from Cloudflare or the Internet Society.
