
What is BGP hijacking?

BGP hijacking is an attack on the internet's routing infrastructure in which an attacker maliciously announces ownership of IP address blocks they do not control, redirecting internet traffic through their network.

WPSentry Team, March 9, 2026, 3 min read

What is BGP Hijacking?

BGP hijacking exploits the Border Gateway Protocol (BGP), the routing protocol that determines how internet traffic flows between autonomous systems (ASes), the networks operated by ISPs, cloud providers, enterprises, and governments. BGP was designed when the set of network operators was small and mutually trusted. A router can authenticate the TCP session to its neighbour (TCP MD5 or TCP-AO), but the protocol itself has no way to verify that a peer is entitled to originate a prefix or that the AS path it reports is genuine. Every announcement is accepted on trust, and that trust-based design is what makes hijacking possible.

In a BGP hijacking attack, a malicious or compromised network announces routes for IP prefixes that it does not legitimately hold. Because BGP routers propagate accepted announcements to their own peers, a false route can spread across much of the internet within minutes; how far it spreads depends on who accepts it, and a hijack that passes through a large transit provider reaches far more networks than one confined to the attacker's direct peers. Routers that install the false route begin forwarding traffic destined for the hijacked addresses into the attacker's network, enabling interception, manipulation, or denial of service.

Types of BGP Hijacking

Prefix hijacking occurs when an attacker announces an IP prefix that belongs to another organization. If the attacker announces exactly the same prefix, routers choose between the two announcements using ordinary BGP best-path selection, so the hijack wins only where the attacker's route looks better, typically because its AS path is shorter. If the attacker announces a more specific (longer) prefix than the legitimate owner, forwarding tables select the more specific route before any BGP attribute is compared, so traffic for those addresses goes to the attacker everywhere the announcement is accepted, even though the legitimate route is still present. This is a sub-prefix hijack, and it is effective because longest-prefix matching is how every router forwards packets. Most operators do not accept announcements longer than /24 for IPv4 (/48 for IPv6), so a sub-prefix hijack usually targets the /24s inside a shorter aggregate; some owners announce those /24s themselves so that nothing more specific is left to hijack.

AS path hijacking involves an attacker manipulating the AS_PATH attribute so that the route looks shorter or more attractive, or so that it appears to come from the legitimate owner. In the latter case the attacker announces the prefix with the owner's AS number as the last element of the path (a forged-origin hijack); origin validation then sees the expected origin, and only the unusual upstream sitting next to that origin gives the route away. Route leaks are a related problem: a network propagates a route beyond its intended scope, most commonly a customer re-announcing routes learned from one provider or peer to another provider, in violation of the policy its business relationships imply (RFC 7908 classifies the leak types). Leaks are usually accidental, but a leaked route can pull traffic through a network that never expected it and may not have the capacity for it, so the impact on affected traffic can be identical to an intentional hijack.
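The two mechanisms above can be replayed against a toy routing table. The block below is an added example written for this page, not code from WPSentry or from any router vendor; the ASNs (64496 for the owner, 64666 for the attacker, 64500/64501 as upstreams) and the addresses are private and documentation values chosen for the example. It shows that a sub-prefix hijack wins through longest-prefix matching before BGP even compares paths, while an exact-prefix hijack only wins when the attacker's path beats the owner's in best-path selection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple        # leftmost AS is the neighbour we heard it from, rightmost is the origin
    learned_from: str     # label for the neighbour session (constructed for the example)

    @property
    def origin(self):
        return self.as_path[-1]


class Rib:
    """Toy BGP routing table: keeps every announcement heard per prefix,
    picks a best path per prefix, and forwards by longest-prefix match."""

    def __init__(self):
        self.routes = {}  # IPv4Network -> list[Route]

    def announce(self, prefix, as_path, learned_from):
        net = ipaddress.ip_network(prefix)
        self.routes.setdefault(net, []).append(Route(net, tuple(as_path), learned_from))

    def best(self, net):
        # Simplified best-path selection: shortest AS path wins, ties go to the
        # route heard first. Real routers also compare local preference, MED,
        # IGP cost and router ID, but none of that runs before longest-prefix match.
        return min(self.routes[net], key=lambda r: len(r.as_path))

    def lookup(self, address):
        ip = ipaddress.ip_address(address)
        covering = [net for net in self.routes if ip in net]
        if not covering:
            return None
        # Forwarding picks the most specific covering prefix before BGP attributes
        # are considered at all: this is what makes a sub-prefix hijack win.
        return self.best(max(covering, key=lambda net: net.prefixlen))


def hijack_scenarios():
    """Replay a sub-prefix hijack and a shorter-path hijack against one table.
    AS 64496 is the legitimate owner, AS 64666 the attacker (constructed ASNs)."""
    rib = Rib()
    # Legitimate aggregate, heard via upstream A with a two-hop path.
    rib.announce("203.0.112.0/22", [64500, 64496], "upstream-A")
    before = rib.lookup("203.0.113.7")

    # Sub-prefix hijack: the attacker announces a /24 inside the /22. The owner's
    # route is still present, but it no longer matters for 203.0.113.0/24.
    rib.announce("203.0.113.0/24", [64501, 64666], "upstream-B")
    sub_prefix = rib.lookup("203.0.113.7")
    untouched = rib.lookup("203.0.112.7")   # outside the /24, still reaches the owner

    # Path hijack: the attacker announces the exact /22 with a one-hop path, so
    # ordinary best-path selection prefers it over the owner's two-hop route.
    rib.announce("203.0.112.0/22", [64666], "upstream-B")
    shorter_path = rib.lookup("203.0.112.7")

    return {"before": before, "sub_prefix": sub_prefix,
            "untouched": untouched, "shorter_path": shorter_path}


if __name__ == "__main__":
    for name, route in hijack_scenarios().items():
        print(f"{name:13s} -> {route.prefix} via {route.learned_from}, origin AS{route.origin}")
```

Note that in the sub-prefix case the owner's /22 is never withdrawn; the attacker simply becomes the best match for a quarter of it. That is why the text above says the owner's route being present does not help.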

Real-World BGP Hijacking Incidents

BGP hijacking incidents have affected major organizations and even entire countries. In April 2018, prefixes used by Amazon's Route 53 DNS service were hijacked through a BGP announcement from an unauthorized network, letting the attackers answer DNS queries for MyEtherWallet with the address of a phishing site and steal approximately $150,000 in cryptocurrency. The phishing site presented an invalid TLS certificate, so victims had to click through a browser warning before losing funds. The hijack lasted only about two hours but demonstrated the direct financial impact of BGP manipulation.

In February 2008, Pakistan Telecom accidentally hijacked YouTube's IP addresses while implementing a government censorship order: it announced a more specific /24 inside YouTube's /22 to its upstream, which propagated the announcement to the rest of the internet and caused a global YouTube outage of roughly two hours, a textbook sub-prefix hijack. In April 2017, prefixes belonging to major financial institutions and other organizations were briefly announced by a Russian autonomous system in a suspicious BGP event. These incidents highlight both the fragility of BGP-based routing and the global impact that hijacking events, accidental or not, can have.

Defending Against BGP Hijacking

Resource Public Key Infrastructure (RPKI) is the primary deployed defense against BGP hijacking. The holder of an IP block publishes, through its Regional Internet Registry, a cryptographically signed Route Origin Authorization (ROA) stating which autonomous system may originate the prefix and the longest prefix length it may announce (maxLength). Networks that perform Route Origin Validation (ROV, RFC 6811) compare each received announcement against the ROAs: a route whose prefix length and origin AS are covered by a ROA is valid, a route covered by a ROA that does not match it is invalid, and a route for which no ROA exists is not-found. Operators normally drop invalid routes and accept the rest, which stops the ordinary hijack in which the attacker's own AS originates someone else's prefix. Three limits matter in practice: ROV protects a prefix only where the networks receiving the hijack validate; it checks only the origin, so a forged-origin hijack that puts the real owner's AS at the end of the path still validates; and a ROA whose maxLength is longer than what is actually announced authorizes more-specifics that nobody announces, which an attacker can exploit with a forged origin. Keep maxLength equal to the announced prefix length unless there is a specific reason not to.
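The validation rule is small enough to write out. The following is an added example for this page, not WPSentry code and not a reproduction of any RPKI validator; ROAs are modelled as plain records and the ASNs (64496 owner, 64666 attacker) and prefixes are constructed. It runs the RFC 6811 decision over a plain hijack, a sub-prefix hijack, a prefix without a ROA, a forged-origin hijack, and a loose-maxLength ROA, so the three limits described above show up as concrete outcomes.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One validated ROA payload: the holder of `prefix` authorises `asn` to
    originate it and any more-specific down to `max_length`. asn=0 means nobody."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def rov_state(prefix, as_path, roas):
    """Route Origin Validation per RFC 6811 for a single announcement.
    Returns 'valid', 'invalid' or 'not-found'. Only the origin AS (the last
    element of as_path) is examined; the rest of the path is never checked."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [r for r in roas if net.subnet_of(r.prefix)]  # ROA prefix contains the route
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accept(prefix, as_path, roas):
    """The usual ROV policy: drop invalid, accept valid and not-found."""
    return rov_state(prefix, as_path, roas) != "invalid"


# Constructed ROAs for AS 64496, a private ASN standing in for the prefix holder.
TIGHT_ROAS = [Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64496)]
# Same holder, but the ROA covers the /22 aggregate with maxLength 24 even
# though only the /22 itself is announced: every /24 inside is pre-authorised.
LOOSE_ROAS = [Roa(ipaddress.ip_network("203.0.112.0/22"), 24, 64496)]


def rov_cases():
    """Announcements as a validating router would see them; AS 64666 is the attacker."""
    return {
        # The owner's own announcement.
        "legit": rov_state("203.0.113.0/24", [64500, 64496], TIGHT_ROAS),
        # Plain hijack: the attacker originates the prefix itself.
        "hijack": rov_state("203.0.113.0/24", [64501, 64666], TIGHT_ROAS),
        # Sub-prefix hijack: covered by the ROA but longer than its maxLength.
        "sub_prefix": rov_state("203.0.113.128/25", [64501, 64666], TIGHT_ROAS),
        # No ROA at all: ROV has nothing to say, and the usual policy accepts it.
        "no_roa": rov_state("198.51.100.0/24", [64501, 64666], TIGHT_ROAS),
        # Forged origin: the attacker appends the owner's ASN, so ROV sees a valid origin.
        "forged_origin": rov_state("203.0.113.0/24", [64501, 64666, 64496], TIGHT_ROAS),
        # Loose maxLength: a /24 nobody really announces validates with a forged origin.
        "loose_maxlen": rov_state("203.0.113.0/24", [64501, 64666, 64496], LOOSE_ROAS),
    }


if __name__ == "__main__":
    for name, state in rov_cases().items():
        print(f"{name:14s} {state}")
```

Real routers obtain the ROA data as validated payloads from an RPKI validator over the RTR protocol rather than reading ROAs directly, but the matching logic they apply is the one above.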

BGP monitoring services track route announcements seen at route collectors around the internet and alert the prefix holder when a new origin AS, a new more-specific prefix, or an unexpected upstream appears for its prefixes; because a hijack may be visible only from some vantage points, monitoring from many locations matters. Implementing prefix filtering on customer and peer sessions, built from accurate Internet Routing Registry (IRR) records (route and aut-num objects) and ideally cross-checked against RPKI data, ensures that peers only accept the prefixes a neighbour is entitled to announce. Operators should also configure maximum-prefix limits on BGP sessions, so that a neighbour that suddenly leaks a full routing table has its session shut down rather than its routes propagated, and use AS path filtering to reject routes with suspicious path attributes, such as private or reserved AS numbers, or a customer session announcing paths that contain the operator's own transit providers. BGPsec (RFC 8205), in which every AS along the path signs its announcement and so protects the path as well as the origin, would close the gap left by origin validation, but it requires router support that is still rare and its deployment remains limited.


Frequently Asked Questions

Can my organization be affected by BGP hijacking?

Yes. Any organization whose IP addresses are announced via BGP can be a target. Even if your own prefixes are never hijacked, your traffic to other services can be rerouted through a malicious network during a hijack that targets those services.

How does RPKI protect against BGP hijacking?

Resource Public Key Infrastructure (RPKI) allows IP address holders to cryptographically sign authorizations (ROAs) specifying which autonomous system may originate their prefixes and at what maximum length. Networks that validate against RPKI can reject announcements that contradict a ROA, preventing the acceptance and propagation of hijacked routes, although only the origin is checked, so forged-origin hijacks still pass.

Is BGP hijacking always malicious?

No. Many BGP hijacking incidents result from accidental misconfiguration, such as a network operator announcing the wrong prefixes or leaking routes learned from peers. The impact on disrupted traffic is the same regardless of intent, which is why preventive measures like RPKI and prefix filtering are important.
