
BGP hijacking

Border Gateway Protocol (BGP) hijacking, also termed route hijacking, is the injection of false route advertisements by an autonomous system (AS) into the Internet's interdomain routing fabric, diverting traffic intended for specific IP prefixes to unauthorized destinations. BGP, the prevailing protocol for exchanging reachability information among ASes, accepts announcements on the basis of mutual trust rather than cryptographic safeguards, which leaves it vulnerable to both inadvertent errors and deliberate exploitation. This allows an AS to claim an illegitimate origin AS number or to fabricate AS paths, prompting upstream routers to propagate the deceptive routes under BGP's path-vector selection criteria. Hijacking takes forms such as prefix hijacking, where an AS originates routes for prefixes not allocated to it, and subprefix hijacking, where more specific announcements outcompete legitimate ones because of BGP's longest-prefix-match forwarding. Motivations range from accidental misconfigurations caused by faulty filters or peering disputes to intentional acts such as traffic redirection, amplification of denial-of-service floods, or circumvention of sanctions, and empirical observations indicate a rise in state-linked incidents that exploit BGP's global propagation delays for sustained redirection. Detection remains difficult because the protocol tolerates multiple competing paths and performs no origin validation, so it often requires anomaly analysis of control-plane updates against empirical route histories. Mitigations include the Resource Public Key Infrastructure (RPKI), which attests prefix ownership through digitally signed objects so that ASes can reject invalid origin advertisements, and the BGPsec extensions, which secure AS path integrity through cumulative signatures; deployment of both lags because of validation overhead, operational burdens, and incomplete inter-AS coordination. These vulnerabilities reflect BGP's foundational trade-off of policy flexibility over cryptographic validation, perpetuating risks to Internet resilience despite incremental hardening efforts.

Fundamentals of BGP and Hijacking

Definition and Scope

BGP hijacking refers to the deliberate or erroneous advertisement of false Border Gateway Protocol (BGP) routes by an autonomous system (AS), resulting in the unauthorized redirection of traffic destined for specific IP prefixes away from legitimate paths. The vulnerability stems from BGP's design, which relies on trust among peering ASes without built-in authentication or validation of route origins or paths, allowing malicious actors or misconfigurations to propagate deceptive announcements across the global routing system. The scope of BGP hijacking primarily covers inter-domain disruptions in which an attacker AS announces prefixes it does not own, enabling traffic interception, selective denial of service, or rerouting for illicit purposes. Forged-origin hijacks, a common subtype, involve an unauthorized AS claiming direct control over a victim's prefix; they are often detectable through discrepancies in AS_PATH attributes but propagate rapidly because of BGP's path-vector mechanics. While some incidents arise from mistakes such as typos or unintended prepending, the term typically denotes malicious intent, distinguishing it from benign route leaks, defined in RFC 7908 as the unintended propagation of internal or customer routes beyond their intended scope. In practice, hijacks can affect prefixes representing millions of addresses, with propagation times ranging from minutes to hours depending on BGP update damping and peering topology, potentially impacting global services such as financial networks or content delivery. The phenomenon's breadth includes both state-sponsored operations and financially motivated attacks, but excludes intra-domain issues and protocol-independent attacks, focusing solely on BGP's exterior role connecting over 100,000 ASes worldwide as of 2024. Detection relies on tools that monitor control-plane anomalies, though incomplete adoption of defenses such as the Resource Public Key Infrastructure (RPKI) leaves the protocol susceptible to such exploits.

Core BGP Protocol Mechanics

The Border Gateway Protocol (BGP), specified in RFC 4271, is an exterior gateway protocol used to exchange routing information between autonomous systems (ASes) on the Internet, enabling policy-based path selection rather than the shortest-path metrics used by interior protocols. BGP is a path-vector protocol: routers advertise reachable network prefixes (Network Layer Reachability Information, NLRI) together with the sequence of ASes traversed to reach them, which supports loop detection and administrative control over route preferences. Unlike distance-vector protocols, BGP does not compute metrics itself but relies on configurable attributes to influence route dissemination and selection, and it supports Classless Inter-Domain Routing (CIDR) for efficient prefix aggregation. BGP sessions run over TCP connections on port 179 for reliable, ordered delivery, with each peer acting as connection initiator or responder depending on which side completes the TCP three-way handshake. Once the TCP connection is up, peers exchange OPEN messages to negotiate parameters including the BGP version (typically 4), the local AS number, the hold time (either 0 for indefinite or at least 3 seconds), and a unique BGP identifier (an IPv4 address). A session progresses through a finite state machine (Idle, Connect, Active, OpenSent, OpenConfirm, Established); KEEPALIVE messages, sent at intervals of about one-third of the hold time, maintain the session, and NOTIFICATION messages signal errors such as a version mismatch or connection closure. External BGP (eBGP) peers typically connect directly or through multi-hop configurations, while internal BGP (iBGP) operates within a single AS and usually requires a full mesh or route reflectors for scalability. The core message types are OPEN for initialization, UPDATE for dynamic route information, KEEPALIVE for liveness, and NOTIFICATION for termination. UPDATE messages, the primary vehicle for routing data, carry path attributes followed by the NLRI for new advertisements, or withdrawn routes for removals, and multiple prefixes sharing the same attributes can be packed into a single message to optimize the exchange.
Attributes are categorized as well-known (mandatory, such as NEXT_HOP and AS_PATH, or discretionary, such as LOCAL_PREF) or optional (transitive or non-transitive), and each is encoded with a numeric type code; AS_PATH (type code 2), for example, is a sequence of AS numbers that each advertising router prepends with its own ASN to record the traversal history. Route advertisement involves placing prefixes into the Adj-RIB-Out table after local policy is applied and then propagating them to peers in UPDATE messages; withdrawals trigger removal from forwarding tables once validated. The BGP decision process selects the best path through sequential comparisons: highest LOCAL_PREF (outbound preference), shortest AS_PATH, lowest origin type (IGP over EGP over incomplete), lowest MED to break inbound ties, and eBGP over iBGP. Loop prevention relies on AS_PATH inspection: if the local AS already appears in the path, the route is discarded to avoid circular propagation. This design prioritizes policy flexibility over cryptographic validation, since attributes such as NEXT_HOP (rewritten to the advertiser's IP address over eBGP) propagate without any inherent origin authentication.
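
The decision process and loop check just described, as an added example (not code from RFC 4271 or from this page) that shows why a hijacked route with a shorter AS_PATH wins by default and how a LOCAL_PREF policy overrides it; the Route class, ASNs and next-hop addresses are constructed for illustration.

```python
"""Added example (not from RFC 4271 or the page): the BGP decision process
and AS_PATH loop check described above, applied to competing routes.
The hijacked route (shorter AS_PATH) wins by default, while an operator
LOCAL_PREF policy can override it. AS numbers are RFC 5398 documentation ASNs."""
from dataclasses import dataclass

# ORIGIN attribute codes from RFC 4271; lower values are preferred.
ORIGIN_IGP, ORIGIN_EGP, ORIGIN_INCOMPLETE = 0, 1, 2


@dataclass
class Route:
    prefix: str
    as_path: list           # ASNs as received, next hop first, origin AS last
    next_hop: str
    local_pref: int = 100   # well-known discretionary, set by local policy
    origin: int = ORIGIN_IGP
    med: int = 0            # optional non-transitive; lower wins
    ebgp: bool = True       # learned over eBGP rather than iBGP

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def loop_free(route: Route, local_as: int) -> bool:
    """RFC 4271 loop prevention: a route whose AS_PATH already contains the
    local AS is discarded rather than installed."""
    return local_as not in route.as_path


def rank_key(route: Route):
    """Tie-break order from the text: highest LOCAL_PREF, shortest AS_PATH,
    lowest ORIGIN, lowest MED, then eBGP over iBGP. MED is compared across
    all candidates here for simplicity; real routers only compare MEDs of
    routes learned from the same neighbouring AS."""
    return (-route.local_pref, len(route.as_path), route.origin,
            route.med, 0 if route.ebgp else 1)


def select_best(candidates, local_as: int):
    """Return the best usable route, or None if every candidate is a loop."""
    usable = [r for r in candidates if loop_free(r, local_as)]
    return min(usable, key=rank_key) if usable else None


# Constructed scenario: our AS 64500 receives three routes for 203.0.113.0/24.
LOCAL_AS = 64500
LEGIT = Route("203.0.113.0/24", [64496, 64497, 64498], "192.0.2.1")   # origin 64498
HIJACK = Route("203.0.113.0/24", [64499, 64511], "192.0.2.2")         # origin 64511
LOOPED = Route("203.0.113.0/24", [64501, 64500, 64498], "192.0.2.3")  # contains us


def default_policy_winner() -> int:
    """With equal LOCAL_PREF the shorter (hijacked) path wins: origin 64511."""
    return select_best([LEGIT, HIJACK, LOOPED], LOCAL_AS).origin_as


def pinned_policy_winner() -> int:
    """Raising LOCAL_PREF on the known-good neighbour's route outranks
    AS_PATH length, so the legitimate origin 64498 wins."""
    preferred = Route(LEGIT.prefix, LEGIT.as_path, LEGIT.next_hop, local_pref=200)
    return select_best([preferred, HIJACK, LOOPED], LOCAL_AS).origin_as


if __name__ == "__main__":
    print("default policy selects origin", default_policy_winner())
    print("LOCAL_PREF policy selects origin", pinned_policy_winner())
```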

Types and Mechanisms

Classification of Hijack Types

BGP hijacking events are classified by the specific mechanism of the anomalous route announcement, distinguishing misconfigurations that mimic hijacks from deliberate manipulations. An analysis by researchers at the Center for Applied Internet Data Analysis (CAIDA) categorizes reported hijacking incidents into four primary types using heuristics such as AS hegemony scores and edit distances: typos, inadvertent errors in entering prefixes or Autonomous System Numbers (ASNs), such as mistyping a prefix like 191.96.129.0/24 as 191.86.129.0/24; prepending mistakes, errors in AS path prepending configurations, such as specifying a repetition count in place of the repeated ASN, which lead to unintended route preferences; origin changes, the advertisement of unowned prefixes from a new AS, often malicious and detected through Multi-Origin AS (MOAS) conflicts, which allow traffic interception or blackholing; and forged AS paths, fabricated paths intended to bypass detection, identified by inconsistencies in global AS rankings or local path similarities. Malicious hijacks, as distinct from accidental misconfigurations, are further subdivided by propagation dynamics and intent. Prefix hijacking (or origin hijacking) occurs when an unauthorized AS announces routes for a victim's prefix, either at the exact prefix length, competing through a shorter path, or as a more specific subnet (e.g., a /24 over a /23) that exploits BGP's longest-match preference, redirecting traffic for interception or denial of service. AS path hijacking, or path poisoning, manipulates the AS_PATH attribute by prepending fake ASes or inserting the attacker's AS into legitimate paths, so that the route appears valid while traffic is steered through the hijacker, often for man-in-the-middle attacks. These intentional types differ from route leaks, which involve the unintended propagation of internal routes, but they share similar detection challenges because BGP lacks inherent validation.
Classification schemes such as CAIDA's achieve high accuracy (e.g., 95.71% with trained models) by integrating BGP data from monitors such as BGPStream, underscoring the need to differentiate hijacks from benign anomalies such as link failures. In practice, hijacks are also grouped by outcome: blackholing (dropping traffic), interception (inspecting and relaying traffic), or disruption, with malicious variants favoring subtle path manipulation over crude origin shifts.

Execution and Propagation Dynamics

BGP hijacking execution begins when an AS under attacker control configures its border routers to issue unauthorized BGP UPDATE messages announcing an IP prefix belonging to a victim AS. The attacker typically advertises the prefix as originating from its own AS number, often forging or manipulating the AS_PATH attribute to present a shorter path than the legitimate routes and thereby exploiting BGP's preference for brevity in path selection. To increase effectiveness, the hijacker may announce a more specific prefix (e.g., a /24 instead of the legitimate /23), exploiting BGP's longest-prefix-match rule to override the broader announcement. These false announcements propagate over eBGP sessions to directly connected peer ASes, which receive the UPDATE, apply local policy and, if the route is judged superior by the best-path algorithm (which weighs LOCAL_PREF, AS_PATH length, origin type, MED and other factors), install it in their routing information base (RIB) and forward it onward. Propagation proceeds hop by hop across the Internet's AS graph, with iBGP distributing the route to all routers within each AS, and can lead to global adoption if the route is never filtered. Propagation dynamics are governed by BGP's asynchronous update process and are shaped by timers such as the Minimum Route Advertisement Interval (MRAI, default 30 seconds), which throttles bursts of announcements, and the keepalive and hold timers (typically 60 seconds) that maintain session stability. Full convergence can take minutes to hours, depending on network topology, peering density, and the presence of route dampening or filtering policies that may suppress or delay invalid routes. In practice, hijacked routes often spread rapidly through high-tier transit providers, as in the 2008 Pakistan YouTube incident, where a false prefix announcement propagated worldwide within minutes and diverted traffic until countermeasures such as more specific legitimate announcements were deployed.
Without validation mechanisms such as RPKI or IRR checks, BGP's lack of inherent authentication allows unchecked dissemination, enabling partial hijacks (where traffic splits between legitimate and false paths) or complete takeovers.
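
A small model of the propagation described in this section, added here as an example (not the page's or any project's code): every AS keeps the shortest AS_PATH it hears and re-advertises it with itself prepended, and forwarding uses longest-prefix match. It shows both outcomes the text names, a more-specific announcement captured by every AS and an equal-length announcement that splits traffic (a partial hijack). The topology, ASNs (RFC 5398 documentation range) and prefixes (RFC 5737 test space) are constructed.

```python
"""Added example (not the page's or any project's code): a small model of
the propagation described above. Each AS keeps the shortest AS_PATH it hears,
re-advertises with itself prepended, and forwards by longest-prefix match.
ASNs are RFC 5398 documentation ASNs; prefixes are RFC 5737 test space."""
import ipaddress

# Constructed topology: a chain of peerings from the victim (64496) to the
# hijacker (64501). The model ignores LOCAL_PREF, MED and business relationships.
LINKS = [(64496, 64497), (64497, 64498), (64498, 64499), (64499, 64500), (64500, 64501)]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def path_rank(path):
    """Shortest AS_PATH wins; ties go to the lowest next-hop ASN so the model
    is deterministic. A locally originated route has an empty path and always wins."""
    return (len(path), path[0] if path else 0)


def converge(links, originations):
    """originations: (origin_as, prefix) pairs. Returns {asn: {prefix: as_path}},
    each as_path as seen from that AS (next hop first, origin last, [] if local).
    Synchronous rounds run until no RIB changes; that fixed point is the
    converged state and corresponds to BFS shortest paths on the graph."""
    adj = adjacency(links)
    rib = {asn: {} for asn in adj}
    for origin, prefix in originations:
        rib[origin][prefix] = []
    changed = True
    while changed:
        changed = False
        for sender in adj:
            for prefix, path in list(rib[sender].items()):
                for peer in adj[sender]:
                    if peer in path:                 # AS_PATH loop detection
                        continue
                    candidate = [sender] + path      # sender prepends its own ASN
                    current = rib[peer].get(prefix)
                    if current is None or path_rank(candidate) < path_rank(current):
                        rib[peer][prefix] = candidate
                        changed = True
    return rib


def forward_origin(asn, local_rib, ip):
    """Longest-prefix-match lookup: return the origin AS whose route carries
    traffic for ip from this AS, or None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, path in local_rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    if best is None:
        return None
    return best[1][-1] if best[1] else asn


def who_carries(links, originations, ip):
    """Map every AS to the origin its traffic for ip ends up at."""
    rib = converge(links, originations)
    return {asn: forward_origin(asn, rib[asn], ip) for asn in sorted(rib)}


VICTIM, HIJACKER = 64496, 64501
# Victim holds 203.0.112.0/23; the hijacker announces the more specific upper /24.
SUBPREFIX = [(VICTIM, "203.0.112.0/23"), (HIJACKER, "203.0.113.0/24")]
# Same-length hijack: both ASes originate the identical /23.
SAMEPREFIX = [(VICTIM, "203.0.112.0/23"), (HIJACKER, "203.0.112.0/23")]

if __name__ == "__main__":
    # More-specific hijack: every AS, the victim included, sends 203.0.113.5 to the hijacker.
    print(who_carries(LINKS, SUBPREFIX, "203.0.113.5"))
    # Addresses outside the /24 still follow the legitimate /23.
    print(who_carries(LINKS, SUBPREFIX, "203.0.112.5"))
    # Same-length hijack: traffic splits by AS_PATH length (partial hijack).
    print(who_carries(LINKS, SAMEPREFIX, "203.0.113.5"))
```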

Historical Incidents

Pre-2010 Events

On April 25, 1997, a router in AS 7007, operated by MAI Network Services, malfunctioned and withdrew nearly all global BGP routes before readvertising them with AS 7007 prepended to the AS paths. The incident partitioned the Internet, leaving roughly half of all reachable destinations inaccessible for about 20 to 30 minutes while the invalid routes propagated, and exposed BGP's vulnerability to erroneous route announcements in the absence of any inherent validation mechanism. On December 24, 2004, TTNet (AS 9121), Turkey's largest ISP, inadvertently re-originated over 106,000 prefixes, a significant portion of the global routing table, to its upstream provider Telecom Italia because of a peering configuration error. The leak directed much of the world's traffic through Turkey for several hours, causing widespread connectivity failures and service disruptions until the invalid announcements were withdrawn, and highlighted the operational risks of BGP peering sessions without route filtering. On January 22, 2006, Con Edison Communications (AS 25706) erroneously announced routes for numerous prefixes owned by its customers and other entities, including Panix (AS 2033), leading to traffic interception and outages for the affected networks. The hijack persisted until manual intervention restored the legitimate paths, demonstrating BGP's susceptibility to unauthorized origin changes from misconfigured or compromised ASes. On February 24, 2008, Pakistan Telecom (AS 17557) announced the prefix 208.65.153.0/24, allocated to YouTube (AS 36561), in order to block domestic access under a government order; the more specific advertisement propagated globally, redirecting worldwide traffic to Pakistan and rendering the site inaccessible for up to two hours. The event affected tens of millions of users and showed how a local intent can cascade into international disruption through BGP's path-vector propagation without authentication. Resolution required withdrawal of the false route and reliance on backup addressing by YouTube.
These pre-2010 incidents, which stemmed primarily from misconfiguration rather than malice, collectively illustrated the flaws of BGP's trust-based design and prompted early discussions of enhancements such as route origin validation.

2010s Developments

In April 2010, China Telecom announced bogus routes for approximately 50,000 IP prefixes, a significant portion of the global routing table, rerouting up to 15% of worldwide traffic through its networks for about 18 minutes. The incident, often classified as a hijack because of its scale and the announcement of prefixes it did not originate, affected traffic destined for major U.S. entities, including government (.gov) and military (.mil) domains, and could have enabled interception or surveillance. Analysis suggested the event was not accidental, since China Telecom selectively originated prefixes it did not own, demonstrating the protocol's vulnerability to state-level actors conducting large-scale traffic diversion. By 2013, BGP hijacks increasingly targeted financial and governmental infrastructure for man-in-the-middle attacks. In August of that year, actors originated false routes for prefixes owned by U.S. financial processors and Icelandic government networks, sustaining the hijack for six days and enabling potential eavesdropping on sensitive transactions. In the same period, the Italian firm Hacking Team executed a BGP hijack on behalf of a client to reroute traffic for surveillance operations, showing how private entities could exploit BGP for authorized but protocol-violating interception. The mid-to-late 2010s saw a rise in BGP hijacks motivated by cryptocurrency theft, exploiting the protocol's trust model to redirect wallet and exchange traffic. In 2014, adversaries hijacked routes between miners and mining pools to intercept unencrypted communications, altering mining rewards. By 2018 such attacks had escalated: unknown perpetrators hijacked the routes serving MyEtherWallet's domain resolution, stealing approximately $17 million in cryptocurrency by redirecting users to fraudulent sites. China Telecom also engaged in prolonged misrouting of U.S. domestic traffic through its infrastructure from 2017 to 2018, spanning over two years and affecting major providers, raising concerns about persistent state-sponsored surveillance capabilities.
These incidents underscored BGP's continuing susceptibility; documented hijacks numbered in the thousands annually by the decade's end, though distinguishing intentional hijacks from leaks remained difficult without enhanced monitoring. Responses included proposals for cryptographic route origin validation, but adoption lagged, leaving networks reliant on reactive detection.

2020s and Recent Cases

In April 2020, the Russian telecommunications provider Rostelecom (AS12389) executed a large-scale BGP hijack by announcing more specific routes for over 8,000 prefixes belonging to major networks, including Akamai and other large content and cloud providers, diverting traffic to its own infrastructure, where much of it was blackholed. The incident began around 7:30 PM UTC on April 1 and persisted until the routes were withdrawn the following day, causing widespread service disruptions and outages for the affected content delivery networks. While some operators, such as Telia and NTT, filtered the invalid announcements using RPKI validation, others, such as Level 3, propagated them and amplified the impact. Cryptocurrency platforms became frequent targets in the early 2020s, exemplified by the August 17, 2022, attack on Celer Bridge, a cross-chain bridging service. The attackers combined forged BGP announcements with fake entries in the AltDB database, a free alternative to the Internet Routing Registries, to impersonate Amazon's address space and trick a UK-based transit provider into redirecting traffic. By forging an Amazon ASN in the path to evade partial RPKI route origin validation, the hijack enabled interception of user transactions, and approximately $235,000 was stolen from 32 victims over about three hours. The case highlighted the risks of relying on unverified databases and of incomplete RPKI adoption for route origin validation. BGP hijacks persisted in 2024, including a January 3 incident affecting Orange Spain, in which an attacker exploited weaknesses in the RIPE database to hijack BGP routes, causing a nationwide outage. Later that year, in July, a commercial operator hijacked IP addresses from a U.S. research network and a regional provider by announcing more specific routes, leading to traffic disruptions until partial mitigation through RPKI route origin authorizations (ROAs); full resolution was delayed by a cloud provider's lack of RPKI validation.
Analyses of BGP data from 2014 to 2023 identified ongoing "serial hijackers", autonomous systems that repeatedly seize prefixes; about 40% of previously flagged actors remained active into 2022-2023, often evading detection because of sparse monitoring and the reallocation of AS numbers. These patterns underscore the persistence of hijacking for interception, outages, and theft, despite incremental defenses such as RPKI.

Underlying Vulnerabilities

Protocol Design Flaws

The Border Gateway Protocol (BGP), specified in RFC 4271, has no inherent mechanism to authenticate the origin of route advertisements or to validate an autonomous system's (AS's) authority to announce specific network layer reachability information (NLRI). This trust-based model assumes cooperative behavior among peering ASes, so any participant can insert false routes that propagate transitively across the Internet routing table without cryptographic or authoritative checks. As a result, malicious actors can perform prefix hijacks by advertising unauthorized IP prefixes and diverting traffic intended for legitimate destinations. BGP sessions rely on TCP for transport but lack protocol-level peer entity authentication, which makes them susceptible to spoofing, session hijacking, and the insertion of fabricated messages. Optional extensions such as the TCP MD5 signature option (RFC 2385) offer some session protection, but they are not mandated by the core specification and do not address data integrity or origin validation for routing attributes. The authentication fields of earlier BGP versions (BGP-1 through BGP-3) were removed in BGP-4 for lack of adoption, leaving the protocol without built-in defenses against message modification or replay. A critical flaw is the absence of validation for path attributes, particularly AS_PATH, which is intended to prevent loops but can be forged, prepended, or truncated to manipulate route selection. Because BGP verifies neither the legitimacy of the AS numbers in the path nor the originating AS's right to advertise a prefix, it accepts and disseminates potentially bogus routes on the basis of policy and shortest-path metrics alone. This enables path hijacks, in which attackers insert themselves into legitimate routes by announcing altered AS sequences, often undetected until traffic anomalies appear. These vulnerabilities trace back to BGP's design in the late 1980s for a smaller, research-oriented Internet dominated by trusted entities such as government and academic networks, where reachability and simplicity took priority over security.
The protocol's evolution, including the standardization of BGP-4, did not retroactively add robust validation, since the early options proved ineffective and went unused. Consequently, route hijacking remains feasible, as analyses demonstrating how unverified announcements corrupt global routing tables have shown.

Operational and Human Factors

Operational vulnerabilities in BGP arise primarily from the protocol's reliance on unverified trust relationships between autonomous systems (ASes), where route announcements are accepted without cryptographic authentication or origin validation. Network operators often fail to deploy comprehensive inbound and outbound prefix filtering, allowing invalid or unexpected routes to propagate unchecked; the absence of proper filters, for instance, contributed to the AS17557 incident, in which misconfigured announcements disrupted traffic to major providers. In addition, incomplete implementation of route origin authorization systems such as RPKI left approximately 50% of advertised prefixes unprotected as of 2024, enabling hijackers to forge valid-looking announcements that evade basic operational checks. Human factors compound these issues through configuration errors and insufficient oversight; many BGP incidents classified as route leaks stem from accidental misconfiguration rather than deliberate malice. A 2002 analysis of BGP updates identified misconfiguration as a leading cause of instability, including erroneous announcements that increase global routing load and mimic the effects of hijacking. The November 2015 route leak, for example, which affected over 2,000 prefixes, resulted from errors in AS route handling and led to widespread traffic redirection without any intent to hijack. Such errors often arise from fat-finger inputs or overlooked policy updates during network expansions, compounded by the protocol's complexity, which demands precise manual configuration across distributed teams. Adoption barriers for mitigations such as RPKI further reflect human and organizational inertia, including reluctance to deal with certificate issuance errors or inter-AS dependencies that could disrupt legitimate routing.
Studies of BGP events indicate that human-induced anomalies, such as similar prefix announcements by hijacker and victim, frequently signal unintentional error rather than sophisticated attack, underscoring the need for automated validation tools to reduce reliance on operator vigilance. Initiatives such as MANRS promote operational norms including global validation and anti-spoofing, yet uptake remains slow, held back by training gaps and fear of self-inflicted outages, leaving networks exposed to both erroneous and malicious exploits.

Impacts and Ramifications

Immediate Network Effects

BGP hijacking triggers the rapid propagation of unauthorized route announcements across the Internet, causing routers to redirect traffic destined for the hijacked IP prefixes to the attacker's autonomous system rather than the legitimate origin. The misdirection usually appears as immediate connectivity disruption: affected traffic is intercepted, rerouted through inefficient paths, or dropped entirely if the hijacker blackholes it. When the hijacker forwards the intercepted packets, users experience elevated latency and degraded performance, since the data traverses longer or congested alternative routes outside the normal transit or peering arrangements. Packet loss can result from route instability or deliberate non-forwarding, exacerbating problems such as failed connections and increased retransmissions. A prominent example is the February 24, 2008, hijack of YouTube's 208.65.153.0/24 prefix by Pakistan Telecom (AS17557), which diverted global traffic to its network and caused widespread outages lasting approximately two hours as packets failed to reach YouTube's servers (AS36561). On April 1, 2020, the Russian provider Rostelecom (AS12389) announced over 8,800 prefixes belonging to entities including Akamai, causing traffic diversion, packet drops, and intermittent service interruptions for users of those networks. More recently, on June 27, 2024, AS267613 hijacked Cloudflare's 1.1.1.1/32 prefix; the announcement was accepted by multiple upstream providers and blackholed traffic, triggering DNS resolution outages for 1.1.1.1 users beginning at approximately 18:51 UTC, with some networks enforcing route blackholing that amplified the impact.

Broader Security and Economic Consequences

BGP hijacking extends beyond localized traffic disruption to enable pervasive security threats, including man-in-the-middle attacks that intercept sensitive data traversing unencrypted paths. Attackers can eavesdrop on communications, alter payloads, or impersonate legitimate endpoints, compromising the integrity and confidentiality of data on the intercepted routes. State-sponsored actors have exploited these weaknesses for espionage, diverting traffic to surveillance points to access personal, corporate, or governmental information without detection. Such incidents undermine the foundational trust in Internet routing and facilitate broader cyber operations, including the disruption of services that depend on stable BGP announcements. Hijacks targeting DNS infrastructure, for instance, can misdirect queries globally, amplifying risks to authentication systems and enabling cascading failures in secure communication protocols. Economically, BGP hijacks cause direct financial losses through service outages and theft, with downtime for affected networks potentially costing enterprises millions in foregone revenue and remediation expenses. In targeted attacks on cryptocurrency platforms, hijackers have redirected traffic to malicious endpoints, enabling thefts such as the February 2022 incident in which KLAYswap lost $1.9 million in assets through illicit transactions facilitated by route manipulation. These events correlate with profit motives, including the correlation between hijack timing and mining payouts observed in the 2014 cases. Persistent vulnerabilities also impose indirect costs, as organizations invest in advanced monitoring, redundant routing, and validation protocols such as RPKI to prevent recurrence, straining operational budgets, particularly for smaller autonomous systems that lack the resources for comprehensive defenses.
Hijacks that exploit economic incentives, such as rerouting users to fraudulent sites or amplifying denial-of-service attacks, further erode confidence in digital transactions and contribute to wider losses across the affected sectors.

Geopolitical and Strategic Implications

BGP hijacking enables state actors to redirect traffic through networks they control, facilitating surveillance of and interference with adversaries' communications. In April 2010, China Telecom announced false routes that rerouted approximately 15% of global traffic, including data from U.S. government websites and military systems, through Chinese infrastructure for up to 18 minutes, raising concerns about potential data interception despite official denials of malicious intent. Such incidents illustrate the strategic value of BGP manipulation for covert access to sensitive military, diplomatic, and economic data without direct confrontation. During geopolitical conflicts, BGP hijacks serve as tools for disruption and intelligence gathering. In the context of Russia's 2022 invasion of Ukraine, reports indicated that Russian entities rerouted Ukrainian Internet traffic for potential sniffing and interference, alongside suspected hijacks targeting Ukrainian networks to degrade connectivity and enable man-in-the-middle attacks. This fits a broader pattern in which authoritarian regimes exploit BGP weaknesses for censorship, as in the 2008 Pakistan hijack that inadvertently disrupted global access, showing how domestic controls can spill over into international tensions. Strategically, these capabilities threaten the integrity of global routing and enable asymmetric cyber operations. U.S. agencies have warned that state-sponsored hijacks can expose unencrypted traffic to theft, extortion, and espionage, potentially compromising financial transactions or command-and-control systems during a crisis. The persistence of such vulnerabilities, exemplified by continuing suspicions of Chinese traffic rerouting through global ASNs, erodes confidence in the interdependent Internet architecture and has prompted calls for stronger routing security to counter great-power competition without fragmenting the network. Failure to mitigate these risks could escalate conflicts in which BGP attacks precede or accompany kinetic action, amplifying geopolitical instability.

Detection, Mitigation, and Responses

Monitoring and Detection Methods

BGP monitoring relies on global infrastructures that collect routing announcements from many vantage points to identify anomalies indicative of hijacking. Public BGP collectors, such as the Route Views project operated by the University of Oregon and RIPE NCC's Routing Information Service (RIS), aggregate UPDATE messages from diverse autonomous systems (ASes), enabling the detection of inconsistencies such as unexpected prefix origins or multiple competing announcements for the same IP block. These systems provide real-time data streams, and tools such as BGPStream allow analysis of historical and live feeds to spot deviations from the expected routing tables. Detection methods primarily employ heuristic rules to flag hijacks, such as sub-prefix attacks, in which an illegitimate AS announces a more specific prefix than the legitimate one, and forged-origin hijacks, in which the AS_PATH attribute is manipulated to attribute a prefix to an unauthorized origin. Monitors, for instance, cross-reference announced origins against known allocations from the regional Internet registries (RIRs) and raise events when a prefix suddenly appears under a new AS that does not match its authoritative holder. The Resource Public Key Infrastructure (RPKI) strengthens this by validating announcements against Route Origin Authorizations (ROAs): announcements that fail the ROA check because of a mismatched origin AS are marked invalid, as in Cloudflare's BGP hijack detection launched in July 2023, which integrates RPKI with control-plane monitoring to alert on invalid routes within minutes. Complementary data-plane techniques monitor end-to-end metrics such as minimum round-trip times (minRTTs), treating sustained delay spikes as evidence of traffic rerouting through distant or malicious paths; experiments have shown detection of Bitcoin-related hijacks from such metrics. Advanced detection incorporates machine learning for unsupervised anomaly identification, such as AP2Vec, which embeds AS relationships into vector spaces to detect role shifts during hijacks, achieving high precision on labeled datasets from 2019-2021 events.
Multi-dimensional approaches analyze features such as announcement volume, AS path length, and withdrawal patterns; one such method detected over 99% of 1,487 prefix hijacks validated against BGPStream data. Open-source tools such as ARTEMIS, developed by RIPE NCC in 2018 and updated through 2019, provide real-time prefix hijack detection using route-leak and sub-prefix heuristics, integrated with mitigation signaling for operators. Similarly, APNIC's BGPWatch platform, introduced in February 2024, uses knowledge-based algorithms to diagnose incidents, visualizing hijack propagation across the routing table and attributing events to specific ASes. Challenges nonetheless persist, including false positives from legitimate route changes and vulnerability to monitor poisoning, in which attackers flood collectors with benign data to mask hijacks, as analyses of public collection systems have demonstrated for large-scale BGP data manipulation. Global monitoring remains incomplete, and undetected attacks that exploit uRPF filtering or rely on selective announcements can evade the public collectors, underscoring the need for diverse, operator-deployed sensors.
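
The control-plane heuristics this section describes, together with the hijack types from the classification section (exact-prefix MOAS conflicts, sub-prefix announcements, forged-origin paths, and harmless prepending), as an added example that is not the page's code nor ARTEMIS's: a constructed operator configuration and a constructed announcement feed are classified the way a monitor would do it. ASNs are RFC 5398 documentation ASNs and prefixes are RFC 5737 test space.

```python
"""Added example (not the page's or ARTEMIS's code): the control-plane
heuristics described above (exact-prefix MOAS, sub-prefix, and forged-origin
hijacks), applied to a constructed stream of announcements for prefixes an
operator has declared in a local configuration. ASNs are RFC 5398
documentation ASNs and prefixes are RFC 5737 test space."""
import ipaddress

# Operator-declared ground truth: which ASes may originate each prefix and
# which ASes are that origin's real neighbours (its transit providers/peers).
CONFIG = {
    "198.51.100.0/24": {"origins": {64496}, "neighbors": {64497, 64498}},
}


def strip_prepending(as_path):
    """Collapse consecutive repeats so 'A A A B' (AS path prepending) becomes 'A B'."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def covering_entry(prefix):
    """Return (configured_prefix, entry, is_more_specific) for the announced
    prefix, or None if we do not monitor any covering block."""
    net = ipaddress.ip_network(prefix)
    for conf_prefix, entry in CONFIG.items():
        conf_net = ipaddress.ip_network(conf_prefix)
        if net == conf_net:
            return conf_prefix, entry, False
        if net.subnet_of(conf_net):
            return conf_prefix, entry, True
    return None


def classify(prefix, as_path):
    """Verdict for one announcement, following the heuristics in the text."""
    hit = covering_entry(prefix)
    if hit is None:
        return "unmonitored"
    _, entry, more_specific = hit
    path = strip_prepending(as_path)
    origin = path[-1]
    if origin not in entry["origins"]:
        # A foreign origin: MOAS conflict on the exact prefix, or a more-specific
        # that wins longest-prefix match against our legitimate route.
        return "subprefix-hijack" if more_specific else "origin-hijack"
    if len(path) >= 2 and path[-2] not in entry["neighbors"]:
        # Correct origin, but the AS claiming adjacency to it is not a real
        # neighbour: a forged-origin (fake link) hijack that passes origin checks.
        return "forged-origin-hijack"
    if more_specific:
        # Our own origin deaggregating a block we never declared: not a hijack
        # by this rule set, but worth an operator review.
        return "review-unexpected-specific"
    return "legitimate"


# Constructed feed of (prefix, AS_PATH) as a collector would see them,
# nearest vantage-point AS first, origin AS last.
FEED = [
    ("198.51.100.0/24", [64510, 64497, 64496]),                 # normal route
    ("198.51.100.0/24", [64510, 64505]),                        # MOAS conflict
    ("198.51.100.128/25", [64510, 64505]),                      # more-specific
    ("198.51.100.0/24", [64510, 64505, 64496]),                 # fake link to origin
    ("198.51.100.0/24", [64510, 64510, 64510, 64498, 64496]),   # prepending only
    ("203.0.113.0/24", [64510, 64511]),                         # not ours
    ("198.51.100.0/25", [64510, 64497, 64496]),                 # our own deaggregation
]


def alerts(feed):
    """Everything that is not plainly legitimate or outside our scope."""
    return [(p, classify(p, path)) for p, path in feed
            if classify(p, path) not in ("legitimate", "unmonitored")]


if __name__ == "__main__":
    for prefix, path in FEED:
        print(prefix, path, "->", classify(prefix, path))
```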

Technological Defenses

Resource Public Key Infrastructure (RPKI) provides a cryptographic framework to validate the authorization of autonomous systems (ASes) to originate specific prefixes, mitigating prefix hijacking by enabling route origin validation (ROV). Through Route Origin Authorizations (ROAs), resource holders digitally sign attestations of prefix ownership, which relying parties validate against BGP announcements to discard invalid routes. RPKI deployment has progressed significantly, with ROV implemented by major networks; for instance, as of January 2024, Verizon (AS701) achieved full ROV across its infrastructure, contributing to an environment in which invalid routes are increasingly filtered globally. By October 2025, RPKI's integration into routing processes has demonstrably reduced successful hijacks by embedding origin checks directly into BGP decision-making, though it does not address path manipulations like prepend attacks or leaks from authorized origins. BGPsec extends RPKI by securing the full AS path through cryptographic signatures appended by each forwarding AS, preventing path hijacking or forgery where an attacker inserts unauthorized segments. Standardized in RFC 8205, BGPsec requires routers to verify the integrity and authenticity of the entire update path, rejecting alterations. However, adoption remains limited due to operational complexities, including the need for public key distribution and performance overhead, with pilot implementations but no widespread deployment as of 2025. Autonomous System Provider Authorization (ASPA), an extension to RPKI, validates customer-provider relationships to defend against more sophisticated path violations, such as unauthorized transit (route leaks) or interception via invalid AS paths. ASPA objects specify an AS's authorized upstream providers, allowing routers to confirm path legitimacy beyond mere origin validation. Simulations indicate ASPA's effectiveness against path manipulation increases with adoption rates above 50%, complementing ROV but requiring similar cryptographic infrastructure.
Despite these advances, comprehensive protection demands layered implementation, as no single protocol fully secures BGP against all hijack variants without broad ecosystem participation.
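The following Python example is added here to show how ROV and ASPA complement each other; it is not code from any RPKI validator or router vendor. It implements the RFC 6811 origin validation states (valid, invalid, notfound, including the maxLength rule) and a simplified ASPA check for a route received from a customer, where every hop from the origin up to the verifying AS must be a customer-to-authorized-provider hop; the full ASPA algorithm also handles routes from peers and providers, which this example omits. ROAs, ASPA records and AS numbers are hypothetical.

```python
import ipaddress

# Constructed RPKI data: validated ROA payloads (prefix, origin ASN, maxLength)
# and ASPA records mapping a customer AS to its authorised provider set.
# All AS numbers are hypothetical (private range).
ROAS = [
    {"prefix": "203.0.113.0/24", "asn": 64500, "max_length": 24},
    {"prefix": "198.51.100.0/24", "asn": 64501, "max_length": 26},
]
ASPAS = {
    64501: {64540},   # AS64501's only authorised provider is AS64540
    64540: {64510},
    64510: {64600},   # AS64510 is a customer of our AS (64600)
}
MY_ASN = 64600


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True   # a covering ROA exists, regardless of its maxLength
        if roa["asn"] == origin_as and net.prefixlen <= roa["max_length"]:
            return "valid"
    # Covered by a ROA but no ROA matches origin and length: hijack or misconfiguration.
    return "invalid" if covered else "notfound"


def aspa_state_from_customer(path, my_asn=MY_ASN, aspas=ASPAS):
    """Simplified ASPA check for a route received from a customer session.

    Every hop from the origin up to us must be customer -> authorised provider.
    A hop whose customer has no ASPA record yields 'unknown'; an unauthorised
    provider anywhere yields 'invalid' (a leak or a manipulated path).
    """
    chain = [my_asn] + list(path)        # chain[0] is us, chain[-1] is the origin
    unknown = False
    for i in range(len(chain) - 1, 0, -1):
        customer, provider = chain[i], chain[i - 1]
        providers = aspas.get(customer)
        if providers is None:
            unknown = True
        elif provider not in providers:
            return "invalid"
    return "unknown" if unknown else "valid"


def route_decision(prefix, path, my_asn=MY_ASN, roas=ROAS, aspas=ASPAS):
    """Combine both checks; the route is accepted only if neither marks it invalid."""
    rov = rov_state(prefix, path[-1], roas)
    aspa = aspa_state_from_customer(path, my_asn, aspas)
    return {"rov": rov, "aspa": aspa, "accept": rov != "invalid" and aspa != "invalid"}


if __name__ == "__main__":
    for prefix, path in [("198.51.100.0/24", [64510, 64540, 64501]),
                         ("198.51.100.0/24", [64510, 64666, 64501]),
                         ("203.0.113.0/25", [64510, 64540, 64500])]:
        print(prefix, path, route_decision(prefix, path))
```

The second sample path passes ROV (the origin is authorized) yet fails ASPA because AS64666 is not an authorized provider of the origin, which is exactly the class of path manipulation ROV alone cannot catch.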

Policy and Operational Best Practices

Operators should prioritize the deployment of Resource Public Key Infrastructure (RPKI) to enable route origin validation (ROV), which cryptographically validates whether an Autonomous System (AS) is authorized to announce specific IP prefixes via Route Origin Authorizations (ROAs). ROAs must be created to match the exact announced prefixes, with maxLength parameters set conservatively to cover only legitimate sub-allocations and avoid enabling more-specific hijacks. Routers configured for ROV should initially monitor invalid routes before progressing to tagging or dropping them, using multiple redundant validators for reliability. Participation in the Mutually Agreed Norms for Routing Security (MANRS) initiative commits operators to four core actions: filtering announcements to prevent propagation of incorrect routing information, coordinating globally to minimize disruption from errors or attacks, implementing anti-spoofing measures aligned with BCP 38 (RFC 2827), and maintaining accurate contact information in public registries for rapid incident response. MANRS encourages validation against Internet Routing Registries (IRRs) alongside RPKI, with operators publishing filtering policies and AS-set objects for their peers. Operational hardening of BGP sessions includes mandatory authentication using the TCP Authentication Option (TCP-AO) or TCP MD5 with strong keys to prevent hijacking of peering sessions, combined with the Generalized TTL Security Mechanism (GTSM) to verify peer proximity by enforcing expected TTL values (e.g., 255 for eBGP over directly connected links). Control-plane policing should rate-limit BGP traffic to mitigate denial-of-service attempts, while maximum prefix limits per neighbor (e.g., tearing down sessions that exceed thresholds like 80% of the limit) protect router resources from table exhaustion.
Route filtering policies require inbound and outbound prefix lists that accept only authorized prefixes (e.g., whitelisting customer allocations and rejecting unallocated or bogon space per IANA registries) and AS-path access lists that block invalid paths, such as those not originating from expected upstreams. Operators must enforce specificity limits (e.g., no IPv4 /25 or longer from peers unless explicitly allowed) and enable logging of neighbor state changes alongside route flap dampening to suppress unstable announcements without excessive penalties. Regular audits of configurations, including verification of ROAs via tools like regional RPKI dashboards, and operator training on these practices reduce human-error-induced leaks or misconfigurations that enable hijacks.
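The following Python example is added here to show the inbound filtering and maximum-prefix practices above as one policy evaluation for a customer session; it is illustrative and not the configuration syntax of any router vendor. It enforces the first-AS check, an IRR-style AS-set for the path, a bogon list, the IPv4 /24 specificity limit, a customer prefix whitelist, and an 80% warning threshold before the prefix limit tears the session down. The bogon list is abbreviated and constructed, and the policy, prefixes and AS numbers are hypothetical.

```python
import ipaddress

# Abbreviated, constructed bogon list (RFC 1918 and a few never-routable ranges);
# a production filter would use the full IANA-derived list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed policy for one customer session.  AS numbers are hypothetical.
CUSTOMER_POLICY = {
    "neighbor_as": 64510,
    "allowed_prefixes": ["203.0.113.0/24", "198.51.100.0/24"],  # customer allocations
    "as_set": {64510, 64540},   # the customer and its downstream customer (IRR AS-set)
    "max_prefixlen": 24,        # no IPv4 /25 or longer
    "max_prefixes": 10,
    "warn_pct": 80,
}


def evaluate(prefix, path, policy=CUSTOMER_POLICY, bogons=BOGONS):
    """Inbound filter for one announcement: ('accept' | 'reject', reason)."""
    net = ipaddress.ip_network(prefix)
    if not path or path[0] != policy["neighbor_as"]:
        return "reject", "first AS in path is not the neighbour"
    if any(asn not in policy["as_set"] for asn in path):
        return "reject", "AS in path outside the customer's AS-set"
    if any(net.version == b.version and net.subnet_of(b) for b in bogons):
        return "reject", "bogon prefix"
    if net.version == 4 and net.prefixlen > policy["max_prefixlen"]:
        return "reject", f"more specific than /{policy['max_prefixlen']}"
    allowed = [ipaddress.ip_network(p) for p in policy["allowed_prefixes"]]
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return "reject", "prefix not in customer's allowed list"
    return "accept", "ok"


def session_state(accepted_count, policy=CUSTOMER_POLICY):
    """Maximum-prefix handling: 'ok', 'warn' above warn_pct, 'teardown' at the limit.

    Vendors differ on whether the threshold warns or tears down; here the
    percentage only warns and the absolute limit tears the session down.
    """
    if accepted_count >= policy["max_prefixes"]:
        return "teardown"
    if accepted_count * 100 >= policy["warn_pct"] * policy["max_prefixes"]:
        return "warn"
    return "ok"


def apply_filter(announcements, policy=CUSTOMER_POLICY, bogons=BOGONS):
    """Run a batch through the filter and report the resulting session state."""
    results = [(p, *evaluate(p, path, policy, bogons)) for p, path in announcements]
    accepted = sum(1 for _, verdict, _ in results if verdict == "accept")
    return results, session_state(accepted, policy)


if __name__ == "__main__":
    batch = [("203.0.113.0/24", [64510]), ("198.51.100.0/24", [64510, 64540]),
             ("203.0.113.0/25", [64510]), ("10.1.0.0/16", [64510])]
    for prefix, verdict, reason in apply_filter(batch)[0]:
        print(f"{prefix:18} {verdict:7} {reason}")
```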
