How BGP Works
BGP (Border Gateway Protocol) is the routing protocol that connects the autonomous systems (ASes) that make up the internet. An autonomous system is a network under a single administrative control — an ISP, a cloud provider, a university, or a large enterprise — identified by a unique Autonomous System Number (ASN). Each AS announces the IP prefixes it is responsible for originating, and BGP propagates those announcements to neighboring ASes, which in turn pass them along to their neighbors. Routers use these announcements to build forwarding tables: when a packet arrives destined for 198.51.100.0/24, the router consults its BGP table to find which AS claims that prefix and which path to use to reach it.
BGP path selection uses several attributes — AS path length, local preference, MED (Multi-Exit Discriminator), and others — to choose among multiple available routes. The AS path attribute lists every AS the announcement has traversed, which allows loop detection and provides an audit trail for route origin.
What BGP Hijacking Is
A BGP hijack occurs when an AS announces a prefix that belongs to another AS. Other routers on the internet receive two competing announcements for the same or overlapping address space: one from the legitimate originator and one from the attacker or misconfigured network. Depending on how many networks accept and propagate the false announcement, some or all internet traffic destined for those addresses can be drawn toward the wrong AS.
Accidental vs Malicious Hijacking
| Type | Cause | Typical Intent | Typical Result |
|---|---|---|---|
| Accidental prefix hijack | Misconfigured router or fat-finger BGP config | None — operator error | Traffic blackhole or detour until corrected |
| Route leak | Incorrect route propagation between peers | None — policy misconfiguration | Congestion or inefficient paths |
| Malicious hijack | Deliberate announcement of someone else's space | Traffic interception, DDoS, censorship | Traffic routed to attacker's infrastructure |
| More-specific hijack | Announcing a /24 inside someone else's /20 | Targeted traffic capture | Subset of addresses attracted to wrong AS |
Real-World Incidents
Some of the most cited BGP incidents illustrate both accidental and deliberate misuse:
- Pakistan Telecom / YouTube (2008) — Pakistan Telecom, attempting to implement a domestic block of YouTube, announced a more-specific prefix for YouTube's IP space. Because no filtering prevented the announcement from propagating globally, YouTube became unreachable from large parts of the internet for several hours. This is the textbook example of how a single misconfiguration can have worldwide impact.
- Pirate Bay route leak (2010) — A Swedish ISP implementing a court order accidentally made a more-specific route for The Pirate Bay's address space globally visible, causing collateral reachability issues for other services sharing the same address range.
- Rostelecom / AWS (2020) — Russian ISP Rostelecom announced roughly 8,800 prefixes belonging to Amazon, Google, Akamai, and others for approximately an hour. Traffic to major cloud services was rerouted through Rostelecom's network, raising significant security concerns about traffic interception potential.
- China Telecom incidents (multiple years) — Researchers documented multiple cases where China Telecom appeared to originate routes for North American and European address space, causing traffic to traverse Chinese infrastructure before reaching its legitimate destination.
RPKI and Route Origin Authorizations
Resource Public Key Infrastructure (RPKI) is the primary cryptographic defense against origin hijacks. A Route Origin Authorization (ROA) is a signed object created by the legitimate IP address holder that states: "AS X is authorized to originate prefix P with a maximum prefix length of L." Routers that perform Route Origin Validation (ROV) check incoming BGP announcements against the RPKI database. An announcement that is covered by an ROA but comes from the wrong AS is marked INVALID and can be dropped. An announcement with no matching ROA is UNKNOWN — not automatically dropped, but treated as less trusted by operators who configure ROV policies accordingly. RPKI adoption has grown significantly since 2019, with major networks including AWS, Cloudflare, AT&T, and many European providers publishing ROAs and enforcing ROV. However, adoption is not universal, and RPKI does not protect against route leaks — only unauthorized origin.
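The ROV decision described above, worked through in Python as an added example (not code from this page or from any RPKI validator): given a set of ROAs, an announcement is VALID, INVALID or UNKNOWN, and a local policy then drops or de-prefers it. The ROAs, ASNs and the local-preference values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: `asn` may originate `prefix` at lengths up to `max_length`."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(announced_prefix: str, origin_asn: int, roas: list) -> str:
    """Route Origin Validation per RFC 6811.

    UNKNOWN: no ROA covers the announced prefix.
    VALID:   a covering ROA names this origin AS and allows this prefix length.
    INVALID: covering ROAs exist, but none matches (wrong AS or prefix too specific).
    """
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the announcement when it is the same or a less-specific prefix.
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID" if covered else "UNKNOWN"

def rov_local_pref(state: str, default_pref: int = 100):
    """Example policy (assumed, not a standard): drop INVALID, de-prefer UNKNOWN."""
    if state == "INVALID":
        return None              # None means reject the route
    if state == "UNKNOWN":
        return default_pref - 10
    return default_pref

# Constructed ROAs using documentation ASNs and prefixes (RFC 5398 / RFC 5737).
ROAS = [
    ROA("198.51.100.0/22", 22, 64496),   # holder allows only the /22, not more-specifics
    ROA("203.0.113.0/24", 24, 64497),
]

if __name__ == "__main__":
    cases = [
        ("198.51.100.0/22", 64496),  # legitimate origin             -> VALID
        ("198.51.100.0/24", 64496),  # same AS, exceeds max length    -> INVALID
        ("198.51.100.0/24", 64499),  # more-specific from another AS  -> INVALID
        ("203.0.113.0/24", 64498),   # wrong origin AS                -> INVALID
        ("192.0.2.0/24", 64500),     # no ROA at all                  -> UNKNOWN
    ]
    for prefix, asn in cases:
        state = validate_origin(prefix, asn, ROAS)
        print(f"{prefix:18} AS{asn}: {state:8} local_pref={rov_local_pref(state)}")
```

Note the second case: a ROA with max length 22 makes even the holder's own /24 INVALID, which is why operators must set the max length to cover any more-specifics they intend to announce.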
BGP Communities and IRR Filtering
BGP communities are optional attributes attached to route announcements that carry policy signals between operators — for example, "do not export this route beyond your network" or "apply this QoS treatment." They are widely used for traffic engineering but are not a security mechanism on their own. Internet Routing Registries (IRRs) such as the RIPE Routing Registry, RADB, and others are databases where operators document their routing policies and prefix lists. Filtering based on IRR records — accepting only prefixes that a neighbor has registered — is a long-standing best practice that can catch many route leaks and some hijacks. IRR data quality varies, however, as entries are self-maintained and not cryptographically validated the way RPKI ROAs are.
How ISPs Detect Hijacks
Real-time BGP monitoring services allow operators and researchers to observe route changes across the internet:
- BGPmon — A monitoring service that alerts operators when their prefixes are announced by unexpected ASes or when unusual route changes occur.
- RIPE RIS (Routing Information Service) — RIPE NCC operates a global network of route collectors that capture BGP updates from hundreds of peers. The data is publicly available and used for research and monitoring.
- RouteViews — A University of Oregon project providing similar public BGP data collection from dozens of vantage points worldwide.
- Cloudflare Radar and similar dashboards — Provide near-real-time visibility into BGP anomalies including hijacks, leaks, and outages.
Detection is reactive: these services can alert operators after a hijack begins, but they do not prevent it. A fast response and good relationships with upstream providers or NOC contacts are critical for containing the damage quickly.
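As an added example (not code from this page or from any of the services listed), the core of the alerting logic such monitors run: compare announcements from route collectors against a baseline of expected origins, and flag origin conflicts (MOAS) and more-specifics announced by other ASes, merging sightings from several collectors to show how far the announcement has spread. The feed format, collector names, prefixes and ASNs are constructed.

```python
import ipaddress

# Constructed baseline: the origin AS each monitored prefix is normally seen with.
BASELINE = {"198.51.100.0/22": 64496, "203.0.113.0/24": 64497}

# Constructed feed, simplified "timestamp|collector|prefix|as_path"; not the real RIS/RouteViews format.
FEED = """\
1700000000|rrc00|198.51.100.0/22|64510 64505 64496
1700000005|rrc01|198.51.100.0/24|64510 64511 64499
1700000007|rrc00|203.0.113.0/24|64502 64497
1700000009|rrc03|203.0.113.0/24|64502 64498
1700000011|rrc02|203.0.113.0/24|64506 64498
1700000012|rrc01|192.0.2.0/24|64503 64504
"""

def parse_feed(text):
    for line in text.splitlines():
        ts, collector, prefix, path = line.split("|")
        # The origin AS is the last element of the AS path.
        yield int(ts), collector, ipaddress.ip_network(prefix), int(path.split()[-1])

def covering_baseline(prefix):
    """Most specific baseline entry covering `prefix`, as (network, expected_origin), or None."""
    best = None
    for base_str, origin in BASELINE.items():
        base = ipaddress.ip_network(base_str)
        if prefix.version == base.version and prefix.subnet_of(base):
            if best is None or base.prefixlen > best[0].prefixlen:
                best = (base, origin)
    return best

def detect_hijacks(text):
    """Alerts keyed by (prefix, origin); sightings from several collectors are merged."""
    alerts = {}
    for ts, collector, prefix, origin in parse_feed(text):
        hit = covering_baseline(prefix)
        if hit is None or origin == hit[1]:
            continue  # not our space, or the expected origin (own more-specifics are normal TE)
        base, expected = hit
        kind = "more-specific hijack" if prefix.prefixlen > base.prefixlen else "origin conflict (MOAS)"
        alert = alerts.setdefault((str(prefix), origin), {"first_seen": ts, "kind": kind,
                                                          "expected": expected, "collectors": set()})
        alert["collectors"].add(collector)
    return alerts

if __name__ == "__main__":
    for (prefix, origin), a in detect_hijacks(FEED).items():
        print(f"{a['first_seen']} {a['kind']}: {prefix} from AS{origin} "
              f"(expected AS{a['expected']}), seen at {sorted(a['collectors'])}")
```

The collector count is the operational signal: an announcement seen at one vantage point may be a local leak, while one seen at many has already propagated widely and needs an immediate call to upstreams.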
Why the Internet Still Trusts BGP
BGP was designed in an era when the internet was a network of cooperating institutions rather than the adversarial global infrastructure it has become. The protocol itself has no authentication — it relies entirely on operators behaving correctly and filtering their neighbors' announcements. Despite high-profile incidents, most of the time BGP works because the vast majority of operators act in good faith and because the economic and reputational consequences of major route leaks are significant. Replacing or fundamentally redesigning BGP globally is impractical given the scale and diversity of the internet. The realistic path forward is incremental: wider RPKI ROA publication, broader enforcement of ROV, consistent IRR filtering, and better tooling for detection and response.
Frequently Asked Questions
What is BGP hijacking?
BGP hijacking is when a network announces routes to IP prefixes it is not authorized to originate, causing some internet traffic to be misrouted.
What is a route leak?
A route leak is when routing information is propagated beyond where it should be, often causing traffic to take unintended or inefficient paths.
Does HTTPS stop BGP hijacking?
HTTPS protects content and helps detect impersonation through certificate validation, but it does not prevent traffic from being misrouted at the BGP layer.