What Is BGP Hijacking? Internet Routing Explained

BGP hijacking is an attack where a malicious network falsely announces IP address blocks prefixes it doesn’t own, causing Internet traffic to be misrouted or intercepted.
It exploits the Border Gateway Protocol BGP, the global routing system used by ISPs and large networks which inherently trusts announcements from other networks.
BGP hijacks matter because they can trigger major outages e.g. YouTube’s worldwide outage in 2008 and allows attackers to spy on, divert, or alter data by rerouting traffic through rogue networks.
Key risks: Attackers can conduct man in the middle interception, redirect users to fake sites to steal credentials over $150K in cryptocurrency was stolen in a 2018 hijack, or knock services offline by blackholing traffic.
The Internet community is rolling out defenses like route filtering and RPKI origin validation to curb hijacks, but uneven adoption means this threat persists.

BGP hijacking aka prefix hijacking is a network attack that maliciously redirects Internet traffic by exploiting the trust based design of the Internet’s routing protocol, BGP. In a hijack, an attacker’s network illegitimately announces someone else’s IP address range as its own. Because routers on the Internet assume announcements are legitimate and lack built-in verification, a false route can spread globally and divert traffic until corrected. In simple terms, it’s like changing road signs on the Internet’s highway system. Traffic that should go to one destination is tricked into taking a different path.

This issue matters today more than ever. Modern enterprises and cloud services rely on BGP to reach users worldwide, so a hijack can impact any organization’s connectivity, even if that organization isn’t running BGP itself. Worryingly, routing incidents whether accidental leaks or malicious hijacks are disturbingly common over 18,000 route hijacks were observed in just the first quarter of 2022. These incidents appear in a variety of contexts, from ISP level outages to targeted cyber attacks. Some are accidental misconfigurations known as route leaks, and others are deliberate attackers hijacking prefixes for espionage or fraud. In all cases, the result is the same: traffic flows where it shouldn’t, posing serious risks to security and availability. This makes BGP hijacking a critical network level attack pattern that security engineers and SOC analysts must understand and watch for.

How BGP Hijacking Works

Figure: An analogy of BGP hijacking like changing highway signs to misdirect traffic. In the illustration, an attacker’s sign diverts cars off the legitimate route. Similarly, a BGP hijacker announces a fraudulent route that causes data to take a wrong exit, sending it to the attacker’s network instead of the intended destination.

BGP Border Gateway Protocol is the Internet’s core routing system that connects thousands of autonomous systems ASes. It operates on trust: each AS advertises the IP prefixes address blocks it can reach, and others believe it by default. A BGP hijack abuses this trust. The attacker who must control or compromise a BGP capable router on some AS starts announcing a route to IP addresses they don’t actually own. If intermediate networks don’t filter out this bogus announcement, it propagates across the Internet’s routing tables.

Because BGP selects routes based on specificity and shortest path, the malicious announcement can override the legitimate route. BGP favors the most specific prefix e.g. a /24 will beat a /16 and also prefers routes with shorter AS paths. Hijackers exploit this by announcing a more specific block or a seemingly shorter path to the target network. As a result, many ISPs update their routing and start sending traffic for that prefix to the attacker’s AS. From that point until the issue is noticed and fixed, the attacker has effectively claimed that all data destined for them is misrouted to the rogue network.

Once in control of the traffic, the attacker can drop it, inspect it, or modify it. In effect, they can cause a denial of service by blackholing packets, or perform an on-path interception of a man in the middle scenario by forwarding the traffic to the real destination after spying on it or altering it. Not just anyone can pull this off the attacker needs BGP access either as an ISP or via a compromised router. But with over 80,000 ASes on the Internet, there are plenty of potential avenues for abuse.

BGP hijacks can be blatant or subtle. In some cases, a hijack is obvious: a major prefix is stolen, causing widespread outages. Other times, attackers operate quietly: they may announce unused IP blocks or route traffic through a chain of other networks to avoid detection. BGP has no global watchdog verifying ownership of routes, so unless operators or monitors notice anomalous paths, a hijack can go unnoticed for a time. This combination of high impact and low immediate visibility is what makes BGP hijacking so dangerous.

Real World Examples

BGP hijacking is not theoretical, it has happened numerous times. A few notable incidents illustrate how it works and the damage it can cause:

YouTube Hijack 2008: In February 2008, Pakistan Telecom, a state run ISP tried to block YouTube domestically by announcing a fake route for YouTube’s IP prefix. The plan backfired spectacularly. The incorrect route was leaked to the ISP’s upstream provider and then propagated globally, since no one filtered it. Suddenly, YouTube traffic worldwide was being misrouted to Pakistan, causing a global YouTube outage for several hours until the bad route was withdrawn. This incident, one of the most famous prefix hijacks, showed that a single errant BGP update can disrupt a major service for the entire Internet.
Crypto Theft via Amazon Route53 2018: In April 2018, attackers hijacked certain IP prefixes belonging to Amazon’s DNS service Route 53 in order to target the MyEtherWallet cryptocurrency website. A Russian AS illegitimately announced routes for Amazon DNS servers, so that queries for myetherwallet.com were silently redirected to the attacker’s servers. The attackers served a fake version of the wallet site and stole users’ credentials and cryptocurrency, totaling about $152,000. This was a carefully orchestrated BGP hijack combined with DNS spoofing by controlling the network path to a critical DNS server, the adversaries tricked users into a phishing page. It’s a prime example of credential theft techniques enabled by BGP hijacking.
Google Traffic Misrouting 2018: In November 2018, a Nigerian ISP MainOne accidentally leaked routes for Google’s network. What should have been a small local issue escalated because a major transit provider, China Telecom CN2, failed to filter the bogus routes. MainOne’s announcement claiming Google’s IP space was trusted and accepted by CN2, then passed on to other networks like TransTelecom in Russia. This resulted in Google traffic from users around the world being misrouted through Nigeria via China and Russia. For about 74 minutes, Google services were unreachable for many, as the detoured traffic overwhelmed those intermediary networks. The incident was not malicious; it was a route leak but it demonstrated how fragile the system is when there’s too much trust and not enough verification in BGP filtering. A simple config error in one ISP caused a cascade of routing chaos due to lack of proper route filtering.

These examples underscore various lessons: the YouTube case highlights the need for filtering outbound routes, the crypto heist shows how hijacks facilitate targeted attacks, and the Google/MainOne leak underlines that even well intentioned mistakes can have far reaching impact in BGP’s trust based ecosystem.

Why BGP Hijacking Is Important

BGP hijacking has serious security and operational implications. On the security side, it undermines the fundamental integrity of Internet communications. If an attacker can reroute traffic, they can potentially monitor or tamper with data in transit. For example, hijacked traffic might be surveilled or recorded by a hostile party without the sender or recipient realizing. Attackers can also use hijacks to direct users to fraudulent websites impersonating legitimate services as part of phishing or malware attacks. Essentially, BGP hijacking is a means to perform large scale on path attacks, the kind of man in the middle capability that can defeat location based trust. In the worst cases, hackers have redirected online banking or crypto trading traffic to steal credentials and funds. Even if content is encrypted, the attacker can cause harm by denying access or by manipulating unencrypted routing metadata. And notably, spammers have abused hijacks to send spam from IP addresses that aren’t theirs, often IP blocks with good reputations, temporarily bypassing reputation blacklists.

Operationally, BGP hijacks can be devastating to uptime and performance. When your traffic is taking a bizarre detour, say, halfway around the world due to a hijack, users experience high latency or complete outages. We’ve seen how an accidental hijack made Google unreachable and how YouTube was knocked offline. For organizations, this means lost connectivity, disrupted services, and frantic incident response until routes are repaired. Even a short lived hijack can violate SLAs and erode user trust. Imagine a SaaS application suddenly slow or unavailable because its traffic is looping through unintended networks. Additionally, if your company’s prefix is hijacked and misused for spam or attacks, your IP range could end up blacklisted by spam filters or security systems, creating cleanup headaches even after the hijack ends.

From a business and risk perspective, BGP hijacking is a supply chain vulnerability in the Internet’s infrastructure. It’s not just an ISP problem; any business reliant on Internet connectivity can be a victim. The impact includes financial losses from downtime or theft, reputation damage, and potential regulatory issues if sensitive data is intercepted. The threat is significant enough that industry and governments are mobilizing to address it for instance, research and education networks have called route hijacks a serious threat to critical infrastructure, and the U.S. government released a 2024 roadmap urging adoption of BGP security measures. In short, BGP hijacking cuts to the core of Internet reliability and trust. Every security engineer should recognize that without additional safeguards, the Internet’s routing is vulnerable and that makes our systems and data vulnerable. It’s a collective problem that elevates the importance of routing security in any defense strategy.

Common Abuse or Misuse of BGP

BGP hijacking is primarily known as an attack technique, and threat actors have leveraged it in various cunning ways:

Espionage & Surveillance: Nation state attackers or sophisticated adversaries can hijack routes to covertly siphon traffic through servers they control. This allows for large scale eavesdropping on communications or metadata collection. For example, if an intelligence agency briefly hijacks cloud provider routes, they could monitor traffic flows or attempt to degrade encryption. Such on path attacks at the BGP level are hard to attribute and can target specific regions or services.
Credential Theft / Phishing: By redirecting traffic, attackers can impersonate legitimate services. The MyEtherWallet incident is a prime example, where users were sent to a fake website to steal credentials. Similarly, an attacker could hijack a bank’s IP range in conjunction with DNS spoofing to present a clone of the bank’s site and harvest logins. This is essentially a sophisticated phishing attack riding on a BGP hijack. The user might not realize anything is wrong since the URL and IP could appear correct only if the route taken was malicious. Without careful user side verification like noticing a certificate anomaly, if any, victims are easily fooled by this method of credential theft techniques.
Spam and Malware Distribution: Cybercriminals have been known to temporarily hijack IP address blocks to send spam or malicious traffic. Because the IPs aren’t normally theirs, those addresses may have a clean reputation not blacklisted at first. Spammers exploit this by sending bursts of spam from the hijacked range and then relinquishing it. According to reports, some misbehaving ASes use hijacked prefixes to spoof legitimate IPs in order to send spam or launch attacks. This abuse takes advantage of the time window before the hijack is noticed and shut down.
Denial of Service and Disruption: An attacker can use BGP hijacking to silence a service by blackholing its traffic. For instance, a hacktivist or a rival could intentionally announce a competitor’s prefix and simply not forward the traffic, causing all data to that service to drop into a void. We’ve effectively seen this outcome in accidental form e.g., Pakistan Telecom unintentionally blackholed YouTube. Malicious actors could do it deliberately to cause outages or extort companies threatening to hijack unless paid. This kind of network level sabotage can be highly effective because it bypasses traditional DDoS mitigations and the traffic never reaches the target at all.
Traffic Manipulation & Censorship: BGP hijacks have been used or at least strongly suspected for censorship or traffic manipulation by nation states. In a censorship scenario, a government-run ISP can hijack routes to, say, a social media site, routing citizens’ traffic to a dead end or a warning page. This is essentially what happened accidentally with YouTube in 2008 a censorship attempt that escaped its cage. There have also been incidents where traffic to secure email or DNS services was mysteriously diverted through other countries, raising speculation of state actors hijacking routes to gather intelligence. While attribution is difficult, the systemic weakness is clear: anyone controlling a BGP router can reroute traffic, whether for overt misuse or subtle manipulation.

A big reason attackers and misconfigurations get away with hijacks is that it’s hard to immediately detect. BGP hijacking is not always obvious; the bad actors can camouflage their activity by making the hijack short lived or by announcing prefixes that aren’t closely monitored. They might also only divert a portion of traffic for instance, specific IP ranges or certain regions, making the symptoms less noticeable. In some advanced cases, attackers exploit the partial deployment of security measures to hide their tracks. For example, with more networks implementing RPKI route validation, a hijacker might focus on networks that haven’t deployed RPKI. In a so called stealthy hijack, the victim’s own routers never see an invalid route announcement because all their immediate neighbors drop it yet the traffic is still redirected via non validated paths in the broader Internet. The victim’s monitoring might show everything as normal: their BGP sessions see the valid route, while, behind the scenes, some portion of their traffic is quietly travelling an alternate route to the attacker. This kind of abuse evades many traditional detection methods and highlights why complete, cooperative security measures are needed to close the gaps.

In summary, attackers abuse BGP hijacking because it’s a powerful, difficult to trace way to impersonate networks, intercept data, and disrupt services. The combination of global reach and poor inherent security makes BGP an attractive target for abuse and a persistent headache for defenders.

Detection & Monitoring

Detecting a BGP hijack in real time is challenging, but not impossible. The key is to use a combination of network telemetry, external monitoring, and collaboration to catch anomalies. Here are important approaches and indicators:

Watch for Network Anomalies: One of the first signs of a hijack may be unusual network behavior. Increased latency, sudden congestion, or strange routing paths packets taking a detour through unfamiliar regions can all be red flags. If users report that your service is slow or unreachable from certain locations while everything appears normal on the server side, it might be a routing issue. Tools like traceroute from multiple global vantage points can reveal if traffic to your service is going through an unexpected AS or geography. For example, if a traceroute to your company’s IP shows it bouncing through an ISP in another country that has no business in the path, that’s a cause for immediate investigation.
BGP Route Monitoring: Organizations that own IP prefixes should closely monitor BGP announcements involving their network. Many large networks continuously monitor BGP update feeds to ensure no one else is announcing their prefixes. They look for telltale signs like a new AS origin for their IP block or a more specific prefix of their network appearing in global tables. There are services and tools to help with this: BGPMon, RIPE RIS, RouteViews, and commercial products can all alert on potential hijacks. In the 2018 Google leak example, independent monitors like BGPMon quickly flagged that Google’s traffic was being routed along abnormal paths.. Security teams can subscribe to such services to get real time alerts. Even if you don’t run BGP yourself, you can monitor the prefixes of your critical providers cloud providers, DNS servers, etc. an alert that, say, your DNS provider’s prefix is suddenly coming from a different AS could warn you of an ongoing incident.
RPKI and Router Logs: If your routers support RPKI based route origin validation ROV, they can automatically drop any BGP announcement that isn’t verifiably legitimate. Monitoring these RPKI logs is useful if you see that an invalid route for your prefix was dropped, it means someone might have tried to announce it as a potential hijack attempt. Even though ROV stops it locally, you’d want to investigate if that announcement propagated elsewhere. Also, enabling features like max prefix limits on sessions can generate alerts or shut down a BGP session if a peer suddenly floods too many routes which often happens in leaks.
Collaboration & External Visibility: No single network has a complete view of the Internet. Often, others will notice your traffic is off before you do. It’s important to tap into the community for broader visibility. Using community projects and data feeds RouteViews, RIPE Atlas, NLNOG’s BGP ranking, etc. can help corroborate if a hijack is happening beyond your perimeter. In fact, sharing information is a key defense: network operators are encouraged to share reports of route anomalies on operator mailing lists or monitoring channels. Researchers suggest that ROV enabled networks share a digest of the invalid routes they’re dropping, to alert others of possible stealthy hijacks. There are also industry response groups like the Mutually Agreed Norms for Routing Security mailing list, or NANOG forums where operators alert each other when they spot a suspicious route. A SOC analyst should know where to look for example, if you suspect a hijack, you might quickly check a public BGP looking glass or a route monitoring site to confirm if your prefix is being announced from an unexpected origin.
End Point Indicators: While end hosts servers, user devices are generally oblivious to BGP, some indirect indicators can surface. If an attacker is performing a man in the middle, they might present an invalid TLS certificate if they’re intercepting HTTPS traffic without the real cert. Users seeing certificate warnings or odd SSL certificate fingerprints could indicate something fishy though a sophisticated attacker might avoid detection by not intercepting encrypted traffic, or by obtaining fraudulent certificates. In addition, large discrepancies in traffic patterns as seen in NetFlow data, for example like a drop in traffic from a region that normally has high usage could mean those users’ traffic is going elsewhere. Monitoring for such traffic anomalies at the edge can complement control plane BGP monitoring.

One common blind spot is assuming that if your network is fine, everything is fine. BGP hijacks often do not affect the victim’s own BGP session with its upstreams, especially if those upstreams filter it out or if the hijack is elsewhere on the Internet. From your perspective, all routes may look normal, yet users are complaining. This is why external monitoring and multi perspective checks are essential. Partial deployment of protections can also be tricky: as noted, if you drop invalid routes via RPKI you might not see the hijack, while non validating networks still propagate it. Thus, detecting BGP hijacks relies on broad awareness and communication. Quick detection is critical the sooner a hijack is confirmed, the sooner network operators can coordinate to mitigate it e.g. by announcing correct routes or asking upstreams to drop the bad one.

Mitigation & Prevention

Preventing BGP hijacking requires strengthening the routing ecosystem at multiple levels. There’s no single fix, but a combination of technical controls and best practices can dramatically reduce the risk:

IP Prefix Filtering: One of the fundamental defenses is for ISPs to filter BGP announcements from their customers and downstream peers. Every network should ideally only accept routes that have been authorized. For example, if a small ISP customers should only advertise their own allocated prefixes, the ISP should block any route advertisement for IP space that customer doesn’t own. Similarly, Tier 1 carriers should filter what their resellers or smaller peers announce, to catch mistakes or hijacks before they spread. This is easier said than done globally, but it’s improving. Tools like Internet Routing Registries IRR and filtering based on as set objects help: network operators register the prefixes and ASes that belong to them in IRR databases, and others can build filter lists from that data. While IRR data can sometimes be stale or inconsistent, when maintained properly it’s a powerful way to ensure you only hear legitimate routes from a neighbor. Prefix filtering dramatically limits the blast radius of a hijack in the 2018 Google incident, if China Telecom had simply filtered MainOne’s routes allowing only MainOne’s own prefixes through, the leak would have been contained locally. Max prefix limits are another related control: if a neighbor suddenly spews thousands more routes than normal, the BGP session can be shut down, potentially halting a runaway leak.
RPKI and Route Origin Validation: In recent years, the biggest improvement in routing security has been the deployment of RPKI Resource Public Key Infrastructure for BGP. RPKI allows IP address holders to create cryptographically signed records called ROAs Route Origin Authorizations which specify which AS is allowed to originate their prefixes. Routers that implement Route Origin Validation ROV will check incoming BGP announcements against these ROAs and mark any invalid mismatched routes as invalid typically rejecting them. In effect, RPKI + ROV is like a global allowlist: if someone hijacks a prefix and there’s a ROA in place, other networks can automatically ignore that illegitimate announcement. For example, one 2024 hijack attempt against a U.S. research network was mitigated by the victim quickly creating an RPKI ROA, which prevented most ISPs from accepting the bad route though it highlighted that one cloud provider not yet doing RPKI still allowed it until contacted. RPKI is maturing; it establishes a chain of trust for IP addresses and AS numbers. Adoption is steadily increasing: as of late 2024, about 53% of all IPv4 prefixes had valid ROAs, covering roughly 70% of Internet traffic. This is a big jump from just a few years prior only ~6% of prefixes in 2017 had ROAs. However, not all networks perform validation yet for instance, in 2024 only ~39% of US originated prefixes were covered by ROAs, lagging behind Europe and others. The goal is to get as many networks as possible to both publish ROAs for their prefixes and to enforce ROV on their routers. It’s not a silver bullet RPKI mainly protects against unauthorized origin announcements, but it doesn’t prevent a misconfigured authorized network from leaking routes and it doesn’t secure the AS path that’s what BGPsec is for. Still, it closes a huge gap. Many recent hijacks would have failed if everyone was doing RPKI validation. The trend is positive, and some large transit providers have moved to drop RPKI invalid routes by default, which is a big deterrent to casual hijacks.
Secure Routing Protocols BGPsec: Beyond origin validation, the next evolution is securing the entire BGP path. BGPsec is an extension that aims to sign each step of the AS path, preventing tampering or unauthorized shortcuts. In theory, BGPsec could stop both origin hijacks and certain route leaks by validating that each AS on the path is legit. However, BGPsec and similar efforts are still in development and not widely deployed. They come with performance and compatibility challenges. For now, the practical approach is RPKI + filtering, but in the future, we may see more comprehensive cryptographic validation in BGP once the kinks are worked out and there’s critical mass to deploy it. In the meantime, ensuring basic BGP security hygiene is paramount.
Network Architecture & Resilience: Enterprises should architect their connectivity with the possibility of routing issues in mind. Multihoming connecting through more than one ISP can provide some resilience. If one provider is affected by a hijack either as victim or as conduit, having an alternate path through another provider might keep you reachable especially if that second provider filters the bad route or never receives it. For instance, if ISP A accidentally leaks your routes but ISP B is strict and does RPKI validation, traffic from portions of the Internet may still reach you via ISP B. Additionally, using a reputable Anycast service or CDN can mitigate impact anycasted services announce the same prefix from multiple locations; a hijack might affect one region but not others, and failover can occur to unaffected endpoints. Care must be taken here: anycast itself relies on routing, so it’s not immune to hijack, but it adds redundancy. Some organizations also design backup communication methods like VPN tunnels or software defined WAN overlays that can route around the public Internet if necessary during a major BGP incident.
Operational Preparedness: Just as you plan for DDoS attacks or server outages, it’s wise to plan for routing incidents. Choose upstream providers carefully favor those who participate in security initiatives like MANRS and have a track record of filtering and RPKI support. Include BGP hijack scenarios in your incident response plan: for example, maintain an up to date list of contacts at your ISPs or at regional network operations groups so you can quickly report and coordinate if your prefixes are hijacked. Some companies have experimented with fast withdrawal or communities to signal upstreams to drop routes in an emergency. In extreme cases, if you detect a hijack of your prefix, one countermeasure is to announce a more specific prefix from your side if you’re able to try to win back traffic, at least in parts of the net essentially fighting the hijack with an authorized more specific route. This must be done with caution and coordination to avoid making things worse, but it’s an option if you have the capability.
Policy and Community Measures: BGP security isn’t just a technical problem; it’s a social one. Efforts like MANRS Mutually Agreed Norms for Routing Security provide a framework: networks that join MANRS commit to steps like filtering, anti spoofing BCP 38, and coordination. Support and push your providers to adhere to such norms. Government regulators are also paying attention for instance, the U.S. White House in 2024 explicitly recommended wider adoption of RPKI and improved routing security practices, and there are discussions in various countries about incentivizing or even requiring basic routing safeguards for critical infrastructure. While regulation is nascent, the fact that it’s on the agenda underscores the importance. Organizations should stay informed on these developments and perhaps contribute to the dialogue e.g., through industry groups or ISACs to promote a more secure routing environment.

In summary, preventing BGP hijacks is a shared responsibility. Network operators must tighten their BGP configuration filters, RPKI, etc., and enterprises should select partners who do so. The technology now exists to significantly reduce hijacks; it just needs broader implementation. Until BGP is fully secured for a long term project, vigilance and layered defenses are key. Think of it like hardening an otherwise fragile system: we bolster it with route filters, crypto validation, monitoring, and smart network design, so that an attacker can’t easily exploit the old weaknesses.

Related Concepts

BGP hijacking touches on several other networking and security concepts:

Route Leaks: Often mentioned alongside hijacks, route leaks are unintended BGP announcements that aren’t malicious but still cause routing issues. For example, an ISP might erroneously announce routes learned from one peer to another peer violating policy, spreading private routes or causing suboptimal paths. The MainOne/Google incident was essentially a route leak. The difference is mainly that intent hijacks are deliberate theft of prefixes, whereas leaks are accidental but the consequences of misrouted traffic can be similar. Mitigations like filtering and RPKI help for both. Understanding route leaks is important because they highlight why verification of routes that don't trust unchecked announcements is needed even without attackers in the mix.
DNS Hijacking: This is another way to misdirect traffic, but at the domain name level. In DNS hijacking, an attacker compromises the resolution of a domain for instance, by spoofing DNS responses or compromising a DNS server so that users get the wrong IP address for a hostname. The end result sending users to the wrong server is akin to BGP hijacking, but it operates at a different layer. Sometimes attackers use both in tandem as seen in the MyEtherWallet case, BGP hijack was used to reroute DNS queries, effectively enabling a DNS hijack. If you’re researching BGP hijacks, it’s useful to also understand DNS based attacks, since both can be used to achieve traffic redirection. Defenses also differ: DNSSEC helps with DNS spoofing, whereas RPKI helps with BGP. Both attacks remind us that trust in shared infrastructure DNS, BGP can be a single point of failure.
On Path Attacks Man in the Middle: BGP hijacking is essentially a mechanism to perform an on path attack on a large scale. In security terms, an on path or man in the middle attack is when an adversary secretly intercepts and possibly alters the communication between two parties. BGP hijack enables this by inserting the attacker’s router in the path. Even if strong encryption like TLS is in use which often prevents the attacker from reading the contents, the attacker can still disrupt or drop communications at will. Also, some on-path attackers will attempt to downgrade or trick users, for example, by serving HTTP instead of HTTPS or using a fraudulent certificate. Thus, BGP hijacking can be seen as part of the broader category of network traffic interception techniques. It highlights the need for defense in depth: even if encryption protects the content, we also need to secure the transport routes to prevent denial of service or traffic analysis.
RPKI and BGPsec: These are emerging standards specifically aimed at routing security, as discussed. They are related concepts in that they attempt to provide the authentication and integrity that BGP lacks. RPKI with route origin validation is actively being deployed now it’s directly related to preventing route hijacks by establishing which AS is authorized for a prefix. BGPsec is the related concept of securing the path. When studying BGP hijacking, one should also become familiar with RPKI and BGPsec, as they are the primary countermeasures evolving in the networking world to address this problem. They represent a shift from the historically open trust model to a more verified model of inter domain routing.
Anycast and Traffic Engineering: Anycast is a networking strategy where multiple distant servers advertise the same IP prefix. BGP then routes users to the nearest server. Interestingly, anycast announcements can superficially resemble a hijack multiple ASes announcing the same prefix intentionally. Distinguishing legitimate anycast from a hijack requires knowing that those ASes are coordinated. This is related in that sometimes alarms about hijacks turn out to be misidentified anycast traffic. Additionally, BGP hijacking can be thought of as illegitimate traffic engineering normally, network operators tweak BGP attributes to influence routes for load balancing or shortening paths. A hijacker is effectively doing traffic engineering for malicious purposes. Understanding concepts like local preference, AS path prepending, and route announcement scopes can provide insight into how hijacks succeed or get mitigated. For example, operators can use BGP community tags to ask upstreams not to announce routes beyond certain scopes to prevent leaks.

By exploring these related topics route leaks, DNS attacks, on path/MITM threats, and routing security measures you build a more comprehensive picture around BGP hijacking. It doesn’t exist in isolation; it’s part of the larger story of securing Internet infrastructure and dealing with threats that exploit fundamental protocols.

FAQs

How is BGP hijacking different from a route leak?

A BGP hijack is a malicious or unauthorized takeover of IP prefixes, essentially someone deliberately announcing your network’s routes as their own. A route leak, on the other hand, is typically an accidental misannouncement. For example, an ISP might leak internal routes or prefixes learned from one peer to another peer when it shouldn’t. In both cases, traffic goes where it shouldn’t. The difference is intent and scope: hijacks are usually targeted when an attacker aims to divert traffic for specific prefixes, whereas leaks are often fat finger errors or misconfigurations that inadvertently cause widespread routing issues. Both can cause outages and security problems, and the mitigation, good filtering, etc. is similar. The 2018 MainOne incident with Google was a route leak. No one was attacking Google, but it looked and felt like a hijack until investigated. In summary: hijack = intentional attack, route leak = unintentional mistake, but the network may not care if it's disrupted either way.

Does encryption HTTPS, VPN, etc. protect my data if a BGP hijack occurs?

Using encryption like HTTPS helps immensely, but it doesn’t completely negate the threat. If your traffic is hijacked, a malicious AS can’t easily decipher or alter the encrypted content without additional tricks assuming your encryption is properly implemented and the attacker doesn’t have the keys. For instance, if you’re visiting a banking site over HTTPS and an attacker hijacks the route, they’ll reach a roadblock when the browser tries to verify the bank’s SSL certificate the attacker would need a valid certificate for the bank’s domain to successfully impersonate it, which is not trivial. That said, encryption won’t prevent the attacker from dropping your traffic or simply reading the metadata like which sites you’re visiting, how much data you’re sending, etc.. Also, an attacker could combine BGP hijacking with DNS hijacking or a compromised certificate authority to still deceive users; there have been incidents of hijacks used to obtain fraudulent TLS certificates. VPNs add another layer: if you’re on a corporate VPN, a hijacker might divert your traffic, but it’s encrypted and going to a fixed VPN endpoint they can’t easily insert themselves between you and the VPN server without detection. So encryption certainly mitigates the damage; it turns a potential secrecy breach into mostly an availability issue; they can’t read data, only block or delay it. However, remember that an attacker controlling your traffic path could perform a DoS or attempt downgrade attacks. In summary: Always use strong encryption TLS, VPN for sensitive data. It's your best defense if traffic is hijacked but know that encryption won’t stop an outage or some of the more cunning hijack scenarios.

How can I tell if my network traffic is being hijacked?

It can be tricky for an average user or even an enterprise to know for sure, but there are clues. If you suspect a BGP hijack, say, users in a certain region suddenly can’t reach your service or you see weird latency spikes, start with traceroute diagnostics from multiple locations. Traceroute will show the path packets take; if you see your data going through an unexpected AS or geography, that’s a red flag. You can use public tools like RIPE Atlas or online Looking Glass services to run traces toward your network from various ISPs globally. Another clue is if only some portion of the Internet can’t reach you while others can, which often indicates a routing issue rather than your server being down. For organizations, BGP monitoring services such as BGPMon, Cloudflare Radar, ThousandEyes, etc. can send alerts if your IP prefix is announced by an unfamiliar AS. Many large network operators or cloud providers also publicly report routing incidents; checking forums like NANOG or Twitter X can sometimes reveal if others are seeing something strange with routes to your network. On the end user side, if you’re extremely suspicious, check the IP address you’re reaching a service at, does it resolve to an unexpected address block?. Also, pay attention to browser warnings if a normally secure website throws certificate errors suddenly, don’t ignore that; it could be a sign of a traffic interception attempt. In short, detection often requires looking at routing from multiple perspectives. Enterprises should invest in route monitoring and have procedures to verify any anomalous connectivity issues.

How common are BGP hijacks, and are they usually accidental or malicious?

Unfortunately, BGP hijacks and leaks are more common than most people realize. Literally thousands of routing incidents happen each year. In fact, one study observed over 3,000 route leaks and 18,000 hijack events in just the first three months of 2022. The majority of these were likely accidental route leaks due to misconfiguration, since every day some network somewhere slips up. However, a significant number are malicious or at least suspicious. We’ve seen explicit attacks like those targeting cryptocurrency services, payment processors, or even attempts to steal credentials for certificate issuance. Some hijacks are very brief and targeted, indicating a deliberate motive for example, hijacking a few minutes of traffic to a bank or crypto exchange during a specific window. In terms of ratio, it’s hard to say the Internet doesn’t have an incident report form for hijackers but many experts estimate the majority are leaks accidents with a smaller but important percentage being intentional hijack attacks. Even a small percentage of tens of thousands is a lot of attacks. So both kinds are regular occurrences. What’s changing is that the community is getting better at catching them quickly and mitigating them with RPKI, etc.. But as long as BGP remains based on trust, both human errors and malicious exploits will keep happening.

Can BGP hijacking be completely prevented?

In the current Internet routing model, no, not completely at least not yet. BGP was not built with security in mind, so retrofitting it is an ongoing effort. However, we’re moving toward a much more secure state. Wide adoption of RPKI/ROV can eliminate the vast majority of simple hijacks where one AS just starts announcing another’s prefix. If every network filtered out routes that failed RPKI validation, attackers would be forced to find other tricks like compromising the target’s own AS, which is much harder. Initiatives like BGPsec securing the path aim to close the remaining gap by ensuring that even intermediate AS hops are legitimate that would pretty much prevent both hijacks and many leaks. The challenge is deployment: all routers worldwide would need to support and use these features, which is a tall order and will take time. BGP is like the airplane engine of the Internet; it's hard to swap out while flying. In the meantime, what can be prevented is large scale damage: network operators can drastically reduce the risk by doing things like prefix filtering, maintaining IRR records, enabling RPKI, and monitoring. These measures have already made hijacks harder today. If someone hijacks a major prefix, many Tier1 networks will catch it or drop it if RPKI is enabled. But can an extremely clever or lucky attacker still hijack some routes? Yes, especially in parts of the world or among providers that haven’t tightened their BGP security. So we can’t say the problem is solved. It’s a work in progress. The end goal is an Internet where invalid routes are automatically rejected and every route announcement is verifiable. We’re not fully there yet, but every year the situation improves. Until then, completely preventing hijacks isn’t feasible, but mitigating their impact is and that’s what network defenders focus on.

What’s the difference between BGP hijacking and DNS hijacking?

Both are attacks that redirect users to the wrong destination, but they operate at different layers of the Internet. BGP hijacking targets the network layer; it tricks routers into sending traffic to a malicious network by falsifying route information. The user is still asking for the correct IP address, but the network doesn’t deliver the packets along the correct path. DNS hijacking targets the naming layer; it tricks the resolution of a domain name to give the user a wrong IP address. For example, if an attacker hijacks DNS for example.com, when you try to find example.com’s IP, you might get the attacker’s IP instead of the real server. In that case, the routing BGP could be perfectly fine, but you were led to the wrong place from the start. Sometimes the two are used together: an attacker could hijack BGP routes to a target’s DNS servers, effectively controlling name resolution for that target like the MyEtherWallet attack, where BGP hijack enabled a DNS hijack of a crypto website. In terms of detection and prevention: DNS hijacking can be mitigated by DNSSEC which ensures authenticity of DNS answers, whereas BGP hijacking is mitigated by the routing protections we discussed RPKI, etc.. From a user perspective, DNS hijack might be noticed if you get an invalid certificate warning when visiting a site since you end up with a fake IP that hopefully can’t present a valid cert for the real domain. BGP hijack might be noticed if things are slow or not loading. Both are serious, and they’re not mutually exclusive. An attacker with resources might use one, the other, or both to achieve their goal of traffic redirection. Think of DNS hijack as giving someone the wrong street address, versus BGP hijack as messing with the roads on the way to that address.

What is RPKI and how does it help prevent BGP hijacks?

RPKI Resource Public Key Infrastructure is a security framework designed to make BGP routing more trustworthy. In simple terms, it lets the legitimate owner of an IP prefix publish a signed statement about which autonomous system AS is authorized to originate that prefix in BGP. That statement is called a ROA Route Origin Authorization. Other networks can check this statement; if they see a BGP announcement for that prefix coming from a different AS than the one in the ROA, they’ll know it’s invalid and can discard it. In practice, network operators deploy RPKI by running validation software that pulls these signed records from global repositories hosted by the regional Internet registries. Their routers are then configured for ROV Route Origin Validation, meaning every BGP update is checked: Does this prefix+ASN pair have a valid ROA? If yes, accept or prefer the route; if no meaning it’s marked invalid, drop it. This mechanism directly thwarts many hijacks if an attacker, ASN X, hijacks a prefix that actually belongs to ASN Y, and ASN Y has a ROA saying only ASN Y is allowed, then routers doing ROV will reject ASN X’s announcement. RPKI doesn’t solve everything an attacker could hijack a prefix that has no ROA many prefixes are still unsigned, and it doesn’t stop route leaks where the origin ASN is actually correct but it’s being propagated wrong. But it closes a major vulnerability: fake origin. It’s akin to having route passports or ID cards. Before RPKI, any AS could claim I own this prefix and others had no automated way to verify that. Now, there’s a decentralized but authoritative way to validate at least that first hop of trust. As more networks enforce RPKI, the window for a successful hijack narrows significantly. RPKI is one of the most important developments in routing security in recent years, and when you hear about governments and companies pushing for routing security, RPKI is usually front and center.

BGP hijacking is essentially an exploit of the Internet’s weakest link, the trust between networks. By injecting false route information, attackers or careless operators can divert and disrupt the flow of data on a global scale. We’ve defined what BGP hijacking is, seen how it works step by step, and examined real incidents that show its impact from stolen cryptocurrency to worldwide outages. The key takeaway is that while BGP hijacks exploit a fundamental vulnerability in Internet architecture, the network community is fighting back. Through better practices like filtering and monitoring and new technologies like RPKI, we are making it harder for hijacks to succeed. However, no single entity can solve this alone; it requires collective action among ISPs, businesses, and regulators. As a security professional, you should ensure your organization and providers are adopting these measures, and stay aware of routing anomalies as part of your threat landscape. In the end, BGP hijacking reminds us that even the plumbing of the Internet needs strong security oversight. By shoring up the routing infrastructure, we protect not just networks, but the reliability and trustworthiness of the Internet itself.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.

What Is BGP Hijacking? How Internet Routing Attacks Work