BGP (Border Gateway Protocol) is the routing system that helps autonomous systems exchange reachability information across the internet. A hijack happens when a network announces IP prefixes it does not legitimately control, either by mistake or on purpose. This breaks the trust model that internet routing depends on.
Because BGP relies heavily on trust between autonomous systems, the result can be traffic disruption, detours, interception, packet loss, or partial outage. Validation and monitoring remain the only consistent ways to defend against these vulnerabilities in a system that was never designed with security as a primary requirement.
What BGP Is: The Internet's Routing Directory
BGP is often described as the "internet's routing directory." To understand it, you must first understand the concept of an Autonomous System (AS). The internet is not one single entity; it is a collection of tens of thousands of individual networks managed by ISPs, universities, and tech giants. Each of these networks is an Autonomous System, assigned a unique number (ASN).
BGP is the protocol these systems use to tell each other: "I have a path to these IP addresses." Without BGP, your computer would have no way of knowing how to route data packets from your home ISP in London to a web server in Singapore. BGP maintains the global routing table, constantly updating the most efficient paths between these large interconnected networks.
How BGP Route Announcements Work
When an AS wants to let the world know it can reach a specific block of IP addresses (called a prefix), it sends out a BGP announcement. This announcement includes the prefix (e.g., 203.0.113.0/24) and the AS_PATH, which lists the systems the announcement has traversed.
Nearby routers receive this info and pass it along to their neighbors. Eventually, the announcement propagates across the global routing table. Routers then choose the "best" path based on several factors, including the shortest AS_PATH (the fewest hops between networks) and local routing policies. The critical flaw is that, by default, BGP assumes that if an AS says it owns a prefix, it actually does.
The Longest-Prefix Match Rule
BGP normally prefers the most specific route available. This is a fundamental networking concept called the Longest-Prefix Match. If one network announces 203.0.113.0/24 and another announces 203.0.113.0/25, assuming the /25 is accepted and not filtered, traffic for the /25 usually follows the more specific path. That is one reason more-specific hijacks can be so effective: they can attract traffic away from the legitimate route even when the original announcement is still visible.
In CIDR notation, a /25 is a smaller, more specific block of addresses than a /24. Because routers are programmed to prioritize the most narrow destination possible, an attacker doesn't even need to overwrite your route; they just need to announce a "more specific" piece of it to steal your traffic.
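To make the longest-prefix-match rule concrete, here is a small added example (not code from the article) that models a routing table holding the article's 203.0.113.0/24 next to a 203.0.113.0/25 from a different origin. The ASNs (64500 for the legitimate holder, 64666 for the /25's origin, 64501 for an unrelated network) and the third prefix are assumed for illustration. It shows which route wins for a given address, what share of the /24 follows the more-specific route, and how that share drops to zero once an upstream filter refuses routes more specific than the covering prefix.

```python
import ipaddress

# Constructed routing table for the example: (prefix, origin ASN).
# 203.0.113.0/24 and /25 are the prefixes from the text; the ASNs are
# assumed (64500 = legitimate holder, 64666 = the unrelated origin of the /25).
ROUTING_TABLE = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/25", 64666),
    ("198.51.100.0/24", 64501),
]


def longest_prefix_match(table, dst):
    """Return (prefix, origin_asn) of the most specific route covering dst.

    Among all routes that contain dst, the one with the largest prefix
    length wins. Returns None if no route covers dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, asn in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return (str(best[0]), best[1]) if best else None


def diverted_share(table, victim_prefix, legit_asn):
    """Fraction of addresses in victim_prefix whose best route is not from legit_asn.

    Walks every address in the prefix, so keep victim_prefix small
    (a /24 is 256 lookups).
    """
    net = ipaddress.ip_network(victim_prefix)
    diverted = 0
    for addr in net:
        match = longest_prefix_match(table, str(addr))
        if match is None or match[1] != legit_asn:
            diverted += 1
    return diverted / net.num_addresses


def drop_more_specifics(table, covering_prefix):
    """Model an upstream filter that rejects any route strictly more specific
    than covering_prefix, which is what stops a /25 from displacing the /24."""
    cover = ipaddress.ip_network(covering_prefix)
    kept = []
    for prefix, asn in table:
        net = ipaddress.ip_network(prefix)
        if net.subnet_of(cover) and net.prefixlen > cover.prefixlen:
            continue  # more specific than the covering prefix: filtered out
        kept.append((prefix, asn))
    return kept


if __name__ == "__main__":
    print(longest_prefix_match(ROUTING_TABLE, "203.0.113.10"))   # the /25 wins
    print(longest_prefix_match(ROUTING_TABLE, "203.0.113.200"))  # outside the /25, the /24 wins
    print(diverted_share(ROUTING_TABLE, "203.0.113.0/24", 64500))
    print(diverted_share(drop_more_specifics(ROUTING_TABLE, "203.0.113.0/24"),
                         "203.0.113.0/24", 64500))
```

Half of the /24 follows the /25 while it is in the table, even though the legitimate /24 is still present; with the more-specific route filtered, every address returns to the legitimate origin. That is the behaviour the text's caveat ("assuming the /25 is accepted and not filtered") refers to.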
The Anatomy of a BGP Hijack
Hijacking occurs when a malicious or misconfigured AS injects false information into the global routing table. There are several ways this manifests:
Prefix Hijacking
This is the most direct form of attack. An AS that has no technical or legal claim to a prefix begins announcing it to its neighbors. If the neighbors have weak filtering, they accept the route and pass it on. Traffic intended for the legitimate network is instead redirected into the unauthorized AS, where it is typically blackholed (dropped), leading to an immediate outage.
More-Specific Hijacking
As discussed with the longest-prefix rule, the attacker announces a sub-block of your IP space. Because routers prefer the /25 over the /24, 100% of the traffic for that specific range will move toward the attacker, even if your legitimate /24 announcement is still perfectly valid. This is often used for surgical interceptions rather than broad outages.
AS_PATH Spoofing
In this more advanced technique, the attacker doesn't just announce the prefix; they forge the AS_PATH to include the legitimate owner's ASN at the end. This makes the announcement look authentic to automated filters, as it appears the attacker is simply a path *to* the legitimate owner, rather than a rogue origination.
Comparison: Route Leaks vs. Hijacks
It is important to distinguish between deliberate attacks and operational errors. While the result is often the same, the intent and scope differ significantly.
| Event Type | What Happens | Common Cause | Result |
|---|---|---|---|
| Route Leak | Valid routes advertised to wrong peers | Misconfiguration | Congestion or detours |
| Prefix Hijack | Unauthorized AS advertises a prefix | Error or attack | Loss of reachability |
| More-Specific Hijack | Smaller prefix announced | Malicious or accidental | Traffic redirection |
| AS_PATH Spoofing | False AS path announced | Deliberate attack | Interception risk |
Real-World Incident: Pakistan Telecom and YouTube
In 2008, the government of Pakistan ordered Pakistan Telecom to block YouTube within the country. To do this, their engineers announced a more-specific YouTube prefix that pointed to a dead end locally. However, they accidentally leaked this "more specific" local route to their upstream provider. Within minutes, the announcement circled the globe, and for several hours, users worldwide were unable to reach YouTube because their traffic was being routed into Pakistan and dropped.
Real-World Incident: MainOne and Google
In 2018, a Nigerian ISP called MainOne misconfigured its filters, causing a massive route leak that redirected Google's traffic through a Russian transit provider. This was not a malicious hijack in the traditional sense, but it showcased how a single mistake in Lagos could degrade Google services for users across the globe due to the interconnected nature of BGP trust.
Traffic Interception vs. Outages
Not all hijacks result in a visible "down" state. In a Man-in-the-Middle (MitM) BGP hijack, the attacker redirects your traffic, inspects or copies it, and then quietly routes it back to the legitimate destination. The user might notice a slight increase in latency, but service remains functional. This allows attackers to harvest unencrypted data, session tokens, or perform traffic analysis over long periods without being detected.
Securing the Protocol: RPKI and Validation
Because BGP was built on trust, the networking community has had to build additional security controls retroactively. The most important of these is RPKI (Resource Public Key Infrastructure).
RPKI and ROAs
RPKI is a framework that uses digital signatures to prove who is allowed to announce an IP prefix. Network owners create a Route Origin Authorization (ROA), which cryptographically binds their prefix to their ASN. When a router receives an announcement, it checks the ROA. If the ASN doesn't match, the router can mark the route as "Invalid" and ignore it. While RPKI adoption continues to grow across large providers and content networks, its effectiveness depends on every network in the path implementing Route Origin Validation (ROV).
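The following added example (not the article's code, and not any RPKI validator's implementation) shows the classification step of Route Origin Validation in Python. An ROA carries a prefix, an authorized origin ASN, and a maxLength, the longest prefix length the holder may announce. An announcement is Valid if some covering ROA names its origin ASN and permits its length, Invalid if ROAs cover the prefix but none matches, and NotFound if no ROA covers it. The ROAs, the ASNs and the second prefix are constructed for the example; 203.0.113.0/24 is the prefix from the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the prefix, the longest prefix length the
    holder may announce (maxLength), and the ASN authorized to originate it."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROAs for the example. 203.0.113.0/24 is the prefix from the text;
# the ASNs and the second ROA are assumed.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
]


def validate_origin(roas, prefix, origin_asn):
    """Classify an announcement as Route Origin Validation does.

    NotFound: no ROA covers the prefix.
    Valid:    a covering ROA names this origin ASN and permits this prefix length.
    Invalid:  covering ROAs exist, but none matches both the ASN and the length.
    """
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if route.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def rov_decision(roas, prefix, origin_asn):
    """A common ROV policy: drop Invalid routes, accept Valid and NotFound ones.

    Returns (state, accepted)."""
    state = validate_origin(roas, prefix, origin_asn)
    return state, state != "Invalid"


if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64500),   # legitimate announcement
                        ("203.0.113.0/25", 64500),   # holder's own more-specific, beyond maxLength
                        ("203.0.113.0/24", 64666),   # another origin
                        ("192.0.2.0/24", 64500)]:    # nothing signed for this prefix
        print(prefix, asn, rov_decision(ROAS, prefix, asn))
```

Two points worth noticing. A more-specific announcement is Invalid even from the legitimate holder once it exceeds the ROA's maxLength, which is why operators set maxLength to exactly what they announce. And ROV examines only the origin ASN and the prefix length: the forged AS_PATH described above, which places the legitimate owner's ASN at the end of the path, still classifies as Valid here, so origin validation needs to be paired with the path-level and monitoring controls this article goes on to describe.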
IRR and Route Filtering
Before RPKI, networks relied entirely on Internet Routing Registries (IRR). These are databases where admins list their routing policies. Upstream providers generate filters based on these records. However, IRR databases are often out-of-date or filled with conflicting records, making them less reliable than the cryptographically enforced RPKI.
BGP Monitoring and Visibility Tools
Since hijacks target the global state of the internet, you can't always detect them by looking at your own internal logs. You need a global view. Networking teams use platforms like:
- BGPMon: A service that observes the global routing table from hundreds of vantage points and alerts you if someone else starts announcing your IPs.
- Kentik and ThousandEyes: These platforms provide visual maps of BGP paths, helping admins see when their traffic is taking an illogical detour through another country.
- BGPStream: An open-source framework for analyzing historical BGP data to identify trends in routing leaks and hijacks.
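The kind of check these platforms automate can be sketched in a few dozen lines. The added example below (not the article's code, and not any of the listed products' logic) takes observations in the shape a route collector reports them, a prefix and an AS_PATH seen from some vantage point, and raises an alert when an announcement covering our address space does not match what we actually announce. It flags the three hijack shapes the article describes: a foreign origin for our prefix, a more-specific we never announced, and a path that ends in our ASN but arrives through an AS we do not peer with, which is the signature a forged AS_PATH leaves. Our ASN, our upstreams, the collector names and every other ASN are constructed; the prefixes are the article's.

```python
import ipaddress

# Constructed view of "our" network, assumed for the example.
MY_ASN = 64500
MY_PREFIXES = ["203.0.113.0/24"]   # exactly what we announce
MY_UPSTREAMS = {64510, 64511}      # ASes that really connect to us

# Constructed observations, in the shape a route collector reports them:
# (vantage point, prefix, AS_PATH with the origin last). The prefixes are
# the text's; every ASN and vantage-point name is made up.
OBSERVATIONS = [
    ("vp-a", "203.0.113.0/24", [64600, 64510, 64500]),  # expected
    ("vp-b", "203.0.113.0/24", [64601, 64666]),         # someone else originates our /24
    ("vp-c", "203.0.113.0/25", [64602, 64511, 64500]),  # a /25 we never announced
    ("vp-d", "203.0.113.0/24", [64603, 64777, 64500]),  # our ASN, via an AS we do not peer with
    ("vp-a", "198.51.100.0/24", [64600, 64501]),        # not our space, ignored
]


def analyze_observations(observations, my_asn, my_prefixes, my_upstreams):
    """Return alerts for announcements that cover our space but do not match what we announce.

    Alert kinds:
      foreign-origin       another ASN originates a prefix inside our space
      more-specific        a prefix inside our space that we do not announce ourselves
      unexpected-neighbor  our ASN is the origin, but the adjacent AS is not one of our
                           upstreams (a forged AS_PATH, or an upstream missing from our list)
    """
    mine = [ipaddress.ip_network(p) for p in my_prefixes]
    alerts = []
    for vp, prefix, path in observations:
        net = ipaddress.ip_network(prefix)
        if not path or not any(net.subnet_of(m) for m in mine):
            continue  # empty path or not our address space
        origin = path[-1]
        if origin != my_asn:
            alerts.append((vp, prefix, "foreign-origin", origin))
        if net not in mine:
            alerts.append((vp, prefix, "more-specific", origin))
        if origin == my_asn and len(path) >= 2 and path[-2] not in my_upstreams:
            alerts.append((vp, prefix, "unexpected-neighbor", path[-2]))
    return alerts


def alert_kinds(alerts):
    """Summarize alerts as {kind: count}."""
    counts = {}
    for _, _, kind, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze_observations(OBSERVATIONS, MY_ASN, MY_PREFIXES, MY_UPSTREAMS)
    for alert in found:
        print(alert)
    print(alert_kinds(found))
```

The value of multiple vantage points shows up in the sample: the legitimate path is what vp-a sees, while the hijacked views appear only at other collectors, so a monitor fed from a single location would miss them. Real deployments also have to dedupe alerts across collectors and tolerate planned changes (a new upstream, an intentional more-specific), which is why the expected state in such a tool is maintained as configuration rather than inferred from the routes themselves.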
The Role of BGP Communities
Large networks use BGP Communities to control how their routes are propagated. A community is essentially a tag (e.g., 65000:100) that tells an upstream provider to handle the route in a special way. For instance, an admin might use a community tag to prevent a route from being advertised to a specific peer that they know is prone to leaks, providing a manual layer of protection alongside automated systems.
Conclusion
BGP hijacking matters because internet routing is only as reliable as the controls around route announcements. In a modern "Zero Trust" world, relying on the implicit honesty of tens of thousands of autonomous systems is an unacceptable risk. While RPKI, stronger IRR hygiene, and real-time monitoring do not remove all risk, they transform the internet from a "trust-based system" into a more verifiable, resilient global utility. For administrators, the operational priority is clear: sign your ROAs, monitor your prefixes, and validate route announcements whenever possible.