- Definition: BGP hijacking occurs when an attacker (or a careless operator) originates false Border Gateway Protocol (BGP) route announcements that redirect Internet traffic away from its rightful destination.
- Where: It targets the routing fabric of the global Internet, primarily the external BGP (eBGP) sessions between Autonomous Systems (ASes), and so affects ISPs, cloud providers, and enterprise networks alike.
- Why it matters: Because BGP decides how packets traverse the Internet, a hijack can make services unreachable or silently intercept data, leading to outages, data theft, or financial fraud.
- Key risk: Hijacked routes can blackhole traffic or place an attacker in the middle of it, as happened when cryptocurrency users were sent to a fake wallet site after a BGP hijack of their DNS provider’s prefixes.
BGP hijacking is an Internet routing attack in which a malicious or misconfigured network operator announces IP address blocks (prefixes) it does not own. In plain terms, an AS (Autonomous System) lies in its BGP updates about where specific IP addresses live, tricking other routers into sending traffic toward the attacker’s network instead of the legitimate owner’s. Since BGP has no built-in authentication of announcements, the false information propagates across the Internet within minutes, corrupting routing tables along the way.
The issue is critical today because nearly all Internet traffic, from web services to cloud APIs to blockchain networks, relies on correct BGP routing. A single hijack can make large websites or critical services unreachable, or divert sensitive traffic for espionage or theft. High profile examples include hijacks that targeted cloud DNS services and cryptocurrency sites, in one case costing users roughly $150,000 in cryptocurrency. Enterprises, cloud providers, and ISPs therefore treat BGP security as a core concern. BGP hijacks most often appear in discussions of network and cloud security incidents, but they are also a fundamental networking threat that can amplify or enable many other attacks, for example by redirecting or intercepting data before any application layer control can act.
How BGP Hijacking Works
BGP is the protocol routers use to exchange routing information between ASes (external BGP, eBGP) and within an AS (internal BGP, iBGP). In normal operation each AS announces only the IP prefixes it legitimately controls. Two rules then decide where a packet goes. First, forwarding always follows the most specific matching prefix (longest prefix match), no matter how the competing routes were learned. Second, among routes to the same prefix, BGP best path selection prefers, after local policy such as local preference, the route with the shortest AS path. A BGP hijack exploits this trust model by injecting one of a few basic anomalies:
- Prefix hijack: The attacker announces a victim’s IP prefix, or a more specific sub-prefix of it, as if it belonged to the attacker’s AS. Because forwarding prefers the more specific prefix, announcing a sub-block (e.g. a /24 carved out of the victim’s /23) pulls all traffic for those addresses to the attacker, even when the attacker’s AS path is longer. The attacker can then drop, inspect, or modify the traffic at will.
- AS path manipulation: The attacker can also forge the AS path, for example announcing the victim’s exact prefix with a shorter path than the legitimate one, or placing the victim’s ASN as the origin behind its own so the route appears legitimately sourced. Other networks prefer the more attractive route and send traffic along it. This is a subtler variation; the forged origin form also slips past origin-only validation.
- Route leak: Although not necessarily malicious, a route leak occurs when an AS propagates routes beyond their intended scope (RFC 7908), for example a multi-homed customer re-advertising routes learned from one transit provider to another provider or to a peer. Unfiltered, a leak can misdirect traffic on a large scale even though no one is deliberately claiming a prefix.
These techniques almost always ride on eBGP sessions between ASes: one AS announces bad routes to its peers and providers, and the false routes propagate across the Internet’s backbone if nobody filters them. By contrast, iBGP misuse within an AS normally affects only internal routing and does not easily escape to other networks. An internal misconfiguration, such as a route reflector leaking routes it should not, can still disrupt every customer of that AS or confuse its traffic engineering, so iBGP errors are a real but local risk. The overwhelming majority of high impact hijacks, however, exploit external BGP peering.
Because BGP has no native validation, an attacker’s announcement is trusted by default. Only in recent years have mechanisms such as the Resource Public Key Infrastructure (RPKI) and Route Origin Validation (ROV) become widely deployed to check, at import time, that the origin AS is authorized for a prefix, and any AS that neglects prefix filtering or ROV can still accept a hijacked route. The attacker typically gains the ability to inject routes (for example through a misconfigured or compromised router, a rogue customer of a lax provider, or a compromised session at an Internet exchange), waits for other networks to propagate the announcements, and then diverts or drops the victim’s traffic.
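The two rules above, longest prefix match in forwarding and shortest AS path in best path selection, are easiest to see in a small simulation. The following is an added example written for this page, not code from the original article: a toy RIB using the documentation range 203.0.112.0/23 (the same addresses the FAQ below uses) and documentation ASNs 64496-64511 (RFC 5398), with AS64500 as the victim and AS64501 as the attacker. Local preference, MED and the other real tie-breakers are deliberately left out.

```python
"""Simplified BGP RIB showing why a more specific (longer) prefix and a
shorter AS path win. Constructed example using RFC 5737/5398 documentation
addresses and ASNs; not production code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # leftmost = neighbor we heard it from, rightmost = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]


class Rib:
    """One best route per prefix. Best path here = shortest AS path, then lowest
    origin ASN as a stand-in for the remaining BGP tie-breakers (local-pref,
    MED, router-id ...) that this example leaves out."""

    def __init__(self):
        self.best = {}      # IPv4Network -> Route

    def announce(self, prefix: str, as_path) -> None:
        net = ipaddress.ip_network(prefix)
        new = Route(net, tuple(as_path))
        cur = self.best.get(net)
        if cur is None or (len(new.as_path), new.origin) < (len(cur.as_path), cur.origin):
            self.best[net] = new

    def withdraw(self, prefix: str) -> None:
        self.best.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip: str):
        """Forwarding decision: longest prefix match over all installed routes,
        regardless of how good or bad each route's AS path is."""
        addr = ipaddress.ip_address(ip)
        hits = [r for r in self.best.values() if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


VICTIM, ATTACKER, TRANSIT = 64500, 64501, 64496


def more_specific_hijack():
    """Sub-prefix hijack: the attacker's /24 beats the victim's /23 for half of
    the victim's space even though the attacker's AS path is longer. Returns the
    origin AS receiving traffic for 203.0.113.10 before, during and after the
    victim's response, plus the origin for an address in the untouched half."""
    rib = Rib()
    rib.announce("203.0.112.0/23", [TRANSIT, VICTIM])
    before = rib.lookup("203.0.113.10").origin
    rib.announce("203.0.113.0/24", [TRANSIT, 64502, ATTACKER])   # longer path, but more specific
    during = rib.lookup("203.0.113.10").origin
    untouched = rib.lookup("203.0.112.10").origin
    # Victim reclaims the traffic by announcing even more specific /25s, as
    # YouTube did in 2008. De-aggregating like this is a tactical response only.
    rib.announce("203.0.113.0/25", [TRANSIT, VICTIM])
    rib.announce("203.0.113.128/25", [TRANSIT, VICTIM])
    after = rib.lookup("203.0.113.10").origin
    return before, during, untouched, after


def exact_prefix_hijack():
    """Same-prefix hijack: for an identical prefix a forged, shorter AS path
    wins best path selection. Returns the winning origin for 203.0.112.10."""
    rib = Rib()
    rib.announce("203.0.112.0/23", [TRANSIT, 64497, VICTIM])  # legitimate, three hops away
    rib.announce("203.0.112.0/23", [ATTACKER])                 # attacker claims to be adjacent
    return rib.lookup("203.0.112.10").origin


if __name__ == "__main__":
    print(more_specific_hijack())   # (64500, 64501, 64500, 64500)
    print(exact_prefix_hijack())    # 64501
```

The forwarding lookup never consults the AS path at all, which is why a /24 with a terrible path still captures traffic from a /23 with a perfect one; path length only matters once two routes compete for the same prefix.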
Real World Examples
BGP hijacks have occurred repeatedly with serious consequences. Notable cases include:
- Cryptocurrency theft (2018): In April 2018, attackers hijacked routes to the Amazon Route 53 DNS servers that MyEtherWallet relied on. They announced more specific prefixes for the AWS IP ranges, so MyEtherWallet DNS queries were answered by a malicious server that pointed users to a phishing copy of the site. Users who logged in there lost roughly $150,000 in Ethereum. The attack combined BGP prefix hijacking with DNS spoofing: a hijacked BGP announcement poisoned DNS resolution for myetherwallet.com. The attackers served a self-signed TLS certificate, so browsers showed a warning; that stopped some users, but many clicked through and had their wallets drained.
- Cloud DNS disruption (2024): On June 27, 2024, a Brazilian ISP (AS267613, Eletronet) mistakenly advertised a /32 host route for 1.1.1.1, Cloudflare’s public DNS resolver address, while another AS leaked the covering /24 at the same time. Several large transit networks accepted the more specific /32, and for a short period 1.1.1.1 resolution broke for users behind them. In other words, a hijack and a route leak together caused traffic to be dropped before it reached Cloudflare. Cloudflare’s analysis showed the /32 announcement was RPKI Invalid: the ROA for 1.1.1.0/24 authorizes only Cloudflare’s AS13335 with a maxLength of 24, so AS267613 was not authorized to originate it, and networks that accepted the route anyway effectively blackholed Cloudflare’s resolver. The incident shows that a /32, the most specific IPv4 prefix possible, beats every other route for that address; a single such announcement disrupted hundreds of networks for a time.
- ISP route leak (2020): On April 1, 2020, Russia’s Rostelecom (AS12389) inadvertently announced more than 8,000 prefixes it did not own, including space belonging to Google, Facebook, and Amazon. The leaked routes were more specific sub-prefixes of the legitimate blocks, so traffic meant for those services was drawn toward Rostelecom and dropped. Though the leak was accidental, most likely a BGP optimizer or internal traffic shaping misconfiguration, its scale was massive and it disrupted major Internet services until the routes were withdrawn. Networks enforcing RPKI validation (e.g. Telia, NTT) rejected the bad announcements, which limited the damage. This shows how one ISP’s misstep in BGP can ripple out as a global outage.
- YouTube global outage (2008): In a famous case, Pakistan Telecom (AS17557) intended to block YouTube domestically by announcing the YouTube block 208.65.153.0/24, a more specific route than YouTube’s own announcement, but it leaked the route to its upstream provider. The provider accepted it and propagated it worldwide, so most of the Internet sent YouTube-bound traffic to Pakistan instead. For about two hours YouTube was effectively offline globally until the announcement was withdrawn. The root cause was a censorship order, but its side effect was a textbook BGP hijack outage. YouTube reclaimed the traffic by announcing even more specific /25 subnets.
These incidents show that hijacks can be malicious (cryptocurrency theft, espionage) or accidental (misconfiguration). They also underscore recurring factors in real world cases: targeting cloud DNS and blockchain infrastructure, exploiting the longest prefix rule, and gaining reach by getting the bad route accepted by large transit networks. Several well known cases involved cryptocurrency and cloud services, reflecting the value of intercepting those targets.
Why BGP Hijacking Is Important
BGP is the Internet’s backbone routing system. Any compromise of BGP integrity can have far reaching effects on security and operations. Key reasons this topic matters:
- Traffic interception and data theft: A hijacker can silently eavesdrop on or modify traffic, exposing confidential data or enabling man in the middle attacks. Intercepting DNS lookups, as in the MyEtherWallet incident, let attackers steal cryptocurrency. Nation state actors could likewise reroute traffic to monitor or manipulate sensitive communications.
- Service disruption and denial of service: Hijacks can knock services offline. Even without malicious intent, misrouting or dropping traffic (blackholing) makes the targeted network or service unreachable. Outages at major companies and cloud providers have been traced to bad BGP announcements. Given how many businesses depend on multi-cloud and global connectivity, such outages can halt critical operations or cause revenue loss.
- Security of Internet infrastructure: BGP’s trust assumptions are very weak, and hijacks show that almost any AS can claim to be anywhere. This undermines confidence in the global Internet, so network engineers and business leaders must treat routing security (RPKI, filtering, monitoring) as part of protecting their assets and customers.
- Cost and liability: If customer traffic is misrouted, organizations may face legal or financial repercussions. If a hospital’s routes were hijacked and patient data intercepted, for example, there could be regulatory fallout; crypto funds stolen via a hijack are a direct financial loss. BGP security is therefore a business risk, not only a network one.
- Challenges for defenders: Detecting a BGP hijack is non-trivial. Unlike a malware infection that leaves logs on a host, a routing anomaly may show up only on core routers or in global BGP collectors. Many organizations have no visibility into upstream route updates, so hijacks often go unnoticed until users complain or an incident report is published.
In short, BGP hijacking matters because it attacks the very infrastructure of the Internet. The consequences span from technical outages to strategic security breaches, making it a high priority concern in network defense.
Common Abuse or Misuse
How attackers abuse BGP: Malicious actors exploit BGP hijacking because it can reroute a large volume of traffic with relatively little effort. Common abuses include:
- Cryptocurrency and financial fraud: As in the MyEtherWallet case, hijackers steal cryptocurrency by redirecting wallet and exchange connections to phishing servers. Fake DNS or API endpoints for online banking could be fed by a BGP hijack in the same way.
- Traffic interception for espionage: State affiliated attackers may hijack specific routes to observe an adversary’s Internet usage. Intercepting traffic for a geographic region or a critical organization allows clandestine monitoring of content or communications.
- Denial of service by blackholing: An AS can illegitimately announce a victim’s IP range simply to attract and discard the traffic, taking the victim offline without sending a single attack packet. The same mechanism that defenders use deliberately (remote triggered blackholing of their own prefixes during a DDoS) becomes an attack when someone else announces the prefix.
- Ad injection or malware distribution: Hijacking can be used to insert an attacker’s ad or malware server into the path of legitimate content (e.g. intercepting traffic to a software update server). Doing this stealthily is harder, but it remains a potential motive.
Why it’s effective and hard to detect: BGP hijacking works because most routers accept BGP announcements without validating them. An AS with significant connectivity (a large transit network such as Hurricane Electric or Lumen, formerly Level 3) can propagate bogus routes globally in minutes. Unless other networks apply prefix filters or RPKI checks, they accept and forward the announcements. From the end user’s perspective traffic simply fails or arrives somewhere wrong; the only visible alarm is perhaps a TLS certificate warning when the user reaches a fake HTTPS site. Without specialized monitoring, neither network operators nor victims notice a hijack in progress. Even once detected, attribution is difficult: the announcement often arrives via a downstream ISP and does not directly name the perpetrator. These factors make BGP hijacking a subtle yet powerful tool.
Detection & Monitoring
Defenders must combine global routing data with local monitoring to spot hijacks promptly:
- BGP route monitoring: Organizations can subscribe to real time BGP monitoring feeds (RIPE RIS, RouteViews, or commercial services) to watch for unexpected route changes, and stream their own routers’ views via BMP. Tools such as BGPmon or BGPStream alert on suspicious announcements, e.g. a prefix that suddenly appears with an unauthorized origin AS, or a new, more specific prefix inside a known route. Cloud providers routinely scan public BGP collectors for announcements of their address space from unknown ASes; a prefix showing up with a different origin AS triggers an alarm.
- RPKI validity alerts: If an ISP or enterprise runs RPKI Route Origin Validation (ROV), its routers classify every received route as Valid, Invalid, or NotFound against published ROAs. Monitoring systems should log or alert whenever a route covering one of your prefixes is RPKI Invalid; that is a strong technical signal the announcement is illegitimate, as in the Cloudflare 1.1.1.1 incident. A NotFound state (no covering ROA) is not itself evidence of a hijack, but it is a prompt to create ROAs so that future hijacks would be Invalid.
- Router and network logs: Core routers should log BGP updates that change route preference. Anomalies such as a sudden new neighbor AS in a path or a flurry of withdrawals may indicate a hijack or leak. Correlating these logs with unusual traffic patterns (e.g. loss of reachability for certain destinations) confirms an issue. Flow telemetry (NetFlow, sFlow) shows whether expected traffic suddenly drops or shifts to unexpected interfaces.
- DNS and endpoint anomalies: Since hijacks often target services, security teams should watch for service disruptions. Unusual DNS failures, or traceroutes that land in unexpected networks, are clues. End user complaints about inaccessible sites or TLS certificate warnings (a sign of a man in the middle) should trigger an investigation of routing as a possible cause.
- Community sources: Outage detection platforms and news (e.g. Cloudflare Radar, BGPStream alerts on social media) often pick up major hijacks quickly. Being plugged into the networking community’s feeds provides early warning of large incidents.
Blind spots: Many networks lack full visibility. An ISP that does not analyze its BGP data or enforce RPKI may never notice a hijack unless others tell it. iBGP issues inside an AS are invisible to outside collectors. Regular audits of BGP sessions and prefix filters, plus coordination with peering partners, help cover these gaps.
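The collector-based checks above reduce to a few comparisons that can run continuously over any BGP feed. The following is an added example written for this page, not code from the original article or from any of the monitoring services named above. It describes a hypothetical network (AS64500, two documentation prefixes, two transit providers) and runs over constructed records that stand in for updates pulled from RIPE RIS, RouteViews or a BMP session; collector names and every address and ASN are assumptions.

```python
"""Hijack detector over BGP collector records. Constructed example: MY_*
describe a hypothetical network AS64500 and SAMPLE_UPDATES stand in for
updates pulled from RIPE RIS / RouteViews or a BMP feed."""
import ipaddress

MY_ASN = 64500
MY_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.112.0/23", "2001:db8:100::/48")]
MY_UPSTREAMS = {64496, 64497}          # providers we actually buy transit from

# (collector, prefix, AS path as seen by the collector; rightmost = origin AS)
SAMPLE_UPDATES = [
    ("rrc00", "203.0.112.0/23", (64510, 64496, 64500)),               # normal
    ("rrc00", "203.0.112.0/23", (64510, 64496, 64500, 64500, 64500)), # normal, we prepend
    ("rrc00", "203.0.113.0/24", (64510, 64502, 64501)),               # more-specific, foreign origin
    ("rv2",   "203.0.112.0/23", (64511, 64501)),                      # exact prefix, foreign origin
    ("rv2",   "203.0.112.0/23", (64511, 64503, 64500)),               # our origin via an AS we don't use
    ("rrc00", "198.51.100.0/24", (64510, 64504)),                     # not our space, ignored
    ("rrc00", "2001:db8:100::/48", (64510, 64497, 64500)),            # normal IPv6
]


def squash(as_path):
    """Collapse consecutive repeats so AS path prepending does not confuse
    the neighbor check below."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def classify(prefix: str, as_path) -> list:
    """Return alert strings for one announcement; an empty list means benign."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in MY_PREFIXES if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return []                                  # not our address space
    path = squash(as_path)
    origin = path[-1]
    alerts = []
    if origin != MY_ASN:
        alerts.append(f"origin {origin} is not ours")
    if net not in MY_PREFIXES:
        alerts.append(f"more-specific of {covering[0]}")
    if origin == MY_ASN and len(path) >= 2 and path[-2] not in MY_UPSTREAMS:
        # Origin looks right but the AS adjacent to us is not a provider we
        # have a session with: consistent with a forged-origin hijack, which
        # origin-only RPKI validation would pass as Valid.
        alerts.append(f"our ASN originated via unexpected neighbor {path[-2]}")
    return alerts


def scan(updates=SAMPLE_UPDATES) -> list:
    """Run classify over a batch and return (collector, prefix, alert) tuples."""
    return [(c, p, a) for c, p, path in updates for a in classify(p, path)]


if __name__ == "__main__":
    for finding in scan():
        print(*finding, sep=" | ")
```

In production the prefix and upstream inventory would come from your IPAM and peering database rather than constants, and each alert would carry the collector’s timestamp so the spread of a bad route can be timed against user reports.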
Mitigation & Prevention
To defend against BGP hijacks, networks implement multiple layers of controls:
- Route Origin Authorization (RPKI/ROA): The strongest measure is RPKI. Prefix holders publish ROAs stating which AS may originate each prefix and up to what maximum length. Upstream ISPs and peers then validate incoming BGP updates against these ROAs (Route Origin Validation, ROV) and drop routes that come out Invalid. In the Cloudflare incident, AS267613’s 1.1.1.1/32 announcement was RPKI Invalid because the ROA for 1.1.1.0/24 permits only Cloudflare’s AS with a maxLength of 24. Widespread ROV enforcement, one of the MANRS recommended actions, would block most origin hijacks; note that ROV checks only the origin AS, so a forged AS path that ends in the victim’s ASN still needs prefix filtering and monitoring to catch.
- Prefix filtering and max-prefix limits: ISPs should build strict filters for what they accept from customers and peers, generated from IRR records and ROAs, so that a customer can announce only the prefixes registered to it and nothing more specific than those registrations allow. Max-prefix limits shut down a session that suddenly announces thousands of routes, which is how Rostelecom-style leaks are contained. MANRS participants commit to this kind of filtering. In the MyEtherWallet case the bogus /24s for AWS space entered the global table through a small provider; had Hurricane Electric or 1&1 filtered that customer to its registered prefixes, the announcements would have been rejected at the first hop.
- BGP session security: Protect the sessions themselves with TCP MD5 or, preferably, TCP-AO (RFC 5925), and with GTSM/TTL security (RFC 5082), so that spoofed packets from off-path hosts cannot inject into or reset a session. This does not stop a hijack announced over a legitimate session, but it hardens the control plane. Keeping router and routing daemon software patched prevents attackers from exploiting implementation bugs to inject routes.
- Monitoring and quick reaction: Automated alerting the moment an unexpected route for your prefixes appears shortens the window of exposure. Cloudflare’s engineers, for example, used their BGP monitoring (RouteViews data, BMP feeds) during the 1.1.1.1 incident to spot the invalid route and work with the networks involved to withdraw it.
- Diversified transit and anycast: Multiple transit providers and anycast routing reduce single points of failure. Even if one path is hijacked, traffic can reroute through a different upstream, and with anycast (as for 1.1.1.1) sites in unaffected regions continue to serve their users.
- DNS and TLS safeguards: Not BGP controls, but DNSSEC and HSTS limit the damage when routing goes wrong. In the MyEtherWallet case, a signed zone plus validating resolvers would have let resolvers reject the forged DNS answers, and HSTS, which makes browsers refuse to click through certificate warnings for the site, would have stopped users from accepting the self-signed certificate. These are complementary layers of defense.
- Operational policies: Audit BGP configurations regularly. Do not allow customers to announce routes belonging to the provider or to other customers, and check proposed prefix lists against IRR and RPKI data before turning up a new peering session.
Collectively these controls (cryptographic validation of routes, strict filters, and active monitoring) form a defense in depth. No single control is foolproof, but together they sharply reduce the chance that a false BGP update takes root. Encouragingly, incidents like the Rostelecom leak caused far less harm to networks enforcing RPKI or prefix filters, showing the value of these precautions.
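Route Origin Validation is a short algorithm (RFC 6811) and it is worth seeing exactly why the 1.1.1.1/32 announcement, and even a /32 from Cloudflare itself, come out Invalid; the same code answers the FAQ question below about what RPKI can and cannot prevent. The following is an added example written for this page, not code from the original article or from Cloudflare. The 1.1.1.0/24 entry mirrors the public ROA discussed in the text (origin AS13335, maxLength 24); the 203.0.112.0/23 and 2001:db8::/32 entries are documentation ranges assigned to the hypothetical AS64500 for illustration.

```python
"""RFC 6811 Route Origin Validation against a constructed set of Validated
ROA Payloads (VRPs). The 1.1.1.0/24 VRP mirrors the public ROA the text
discusses; the other entries use documentation addresses and ASNs."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class Rov(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not_found"


@dataclass(frozen=True)
class Vrp:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, asn: int, max_length: int | None = None) -> Vrp:
    """Build a VRP; maxLength defaults to the prefix length, as RPKI does."""
    net = ipaddress.ip_network(prefix)
    return Vrp(net, net.prefixlen if max_length is None else max_length, asn)


VRPS = [
    vrp("1.1.1.0/24", 13335),                     # maxLength 24: no more-specifics allowed
    vrp("203.0.112.0/23", 64500, max_length=24),  # holder may de-aggregate down to /24
    vrp("2001:db8::/32", 64500, max_length=48),
]


def validate(prefix: str, origin_asn: int, vrps=VRPS) -> Rov:
    """NotFound if no VRP covers the prefix; Valid if some covering VRP has the
    same origin AS and the announced length is within its maxLength; otherwise
    Invalid. An AS0 VRP (RFC 6483) never matches, so space covered only by
    AS0 is Invalid from every origin."""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return Rov.NOT_FOUND
    for v in covering:
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return Rov.VALID
    return Rov.INVALID


def import_decision(prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Common ROV import policy: reject Invalid, accept Valid, and accept
    NotFound (RFC 7115 advises against dropping NotFound while ROA coverage
    is incomplete; operators often lower its local-pref instead)."""
    return "reject" if validate(prefix, origin_asn, vrps) is Rov.INVALID else "accept"


def cases() -> dict:
    return {
        "cloudflare_own_24": validate("1.1.1.0/24", 13335),     # VALID
        "eletronet_32": validate("1.1.1.1/32", 267613),         # INVALID: wrong origin and beyond maxLength
        "cloudflare_own_32": validate("1.1.1.1/32", 13335),     # INVALID: right origin, beyond maxLength
        "deaggregated_24": validate("203.0.113.0/24", 64500),   # VALID: within maxLength 24
        "too_specific_25": validate("203.0.113.0/25", 64500),   # INVALID: beyond maxLength
        "foreign_origin": validate("203.0.113.0/24", 64501),    # INVALID
        "no_roa": validate("198.51.100.0/24", 64501),           # NOT_FOUND
        "v6_ok": validate("2001:db8:100::/48", 64500),          # VALID
    }


if __name__ == "__main__":
    for name, state in cases().items():
        print(f"{name:20} {state.value}")
```

The `cloudflare_own_32` case is the one operators most often get wrong: a tight maxLength means even the legitimate holder cannot announce more-specifics without first updating the ROA, which is exactly what makes a hijacker’s /32 Invalid everywhere ROV is enforced. Conversely, `foreign_origin` would become Valid if the attacker forged an AS path ending in 64500, which is why ROV is paired with the path checks and filtering described above.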
Related Concepts
BGP hijacking is part of a broader set of routing security issues and attack chains:
- BGP route leaks vs hijacks: A route leak occurs when an AS unintentionally advertises someone else’s routes to the wrong peers, often one AS announcing routes learned from another peer. Unlike an outright hijack, a leak might not target a prefix specifically, but it can propagate irregular routing widely. Both result in suboptimal or misdirected traffic, but leaks are usually configuration errors while hijacks are usually intentional. However, real incidents can involve elements of both.
- RPKI and BGPsec: RPKI/ROA (discussed above) is now widely deployed. BGPsec (RFC 8205), which would cryptographically sign the AS path hop by hop, is the standardized next step for hardening BGP, but it has seen little real deployment. Both address the same underlying problem: routers trusting unauthenticated route announcements.
- DNS hijacking and cache poisoning: Attackers also use DNS attacks to send users to bad IPs. A BGP hijack facilitates this by redirecting traffic destined for authoritative or recursive DNS servers. DNSSEC lets validating resolvers reject forged records even when the routing to the DNS server has been compromised.
- Network layer attacks: BGP hijacking is a control plane attack on Internet routing, analogous to ARP spoofing on an Ethernet segment. Related attacks include MAC spoofing in LANs and IP source spoofing in DDoS. Each exploits trust in addressing, but BGP hijacks do so at the scale of autonomous systems.
- Lateral movement in networks: Inside an enterprise, a compromised router could perform a local version of hijacking by injecting bad iBGP routes. The scope is limited to that AS, but the concept is the same: an attacker who controls core routers can misdirect traffic internally. This is why internal routing protocols and MPLS VPNs also need strong controls, though that is beyond the public BGP discussed here.
- Attack chains: BGP hijacking can be one link in a larger chain. For example, a hacker might first compromise a credential in an ISP, then use that access to announce fake routes the BGP hijack, and finally steal data or money from the redirected traffic. Conversely, hijacking is also a pivot tool: once traffic is flowing through the attacker’s network, they could launch additional exploits e.g. DNS hijack or SSL stripping.
FAQs
- What’s the difference between a BGP hijack and a BGP route leak?
A hijack typically means an AS intentionally announces IP prefixes it doesn’t own, often more specific subnets, to steal or drop traffic. A route leak is usually accidental: an AS propagates routes beyond their intended scope, for example re-advertising routes learned from one provider to another. Both cause misrouting, but leaks are generally configuration errors while hijacks are malicious, and in practice the line can blur.
- How does prefix specificity affect a BGP hijack?
Routers forward on the longest matching prefix. If an attacker announces a more specific prefix (e.g. 203.0.113.0/24) than the legitimate one (203.0.112.0/23), all traffic for addresses in 203.0.113.x follows the attacker’s route, regardless of AS path length. This is why hijackers often announce smaller subnets: they win over the broader announcement.
- Can RPKI Route Origin Validation completely prevent BGP hijacks?
RPKI greatly reduces hijacks by cryptographically binding IP prefixes to authorized origin ASes. Where networks enforce ROV, any announcement that does not match a valid ROA (wrong origin AS, or more specific than the ROA’s maxLength) is dropped, as happened with the 1.1.1.1/32 hijack. However, ROV enforcement is not universal, so a hijack can still succeed against networks that ignore RPKI, and prefixes with no ROA at all are merely NotFound rather than Invalid. RPKI also protects only the origin AS, not the path, so an attacker who forges a path ending in the victim’s ASN passes ROV; careful filtering and monitoring are still required.
- How do attackers use BGP hijacking to steal cryptocurrency?
Attackers target services such as cryptocurrency wallets or exchanges by hijacking the prefix of a DNS or API server the service depends on. In 2018, for example, hackers announced the AWS Route 53 prefixes so that MyEtherWallet’s DNS traffic went to a malicious server, which answered with the IP of a phishing site. Users who entered private keys or login data there had their wallets emptied. Essentially, the hijack routes the initial traffic (DNS or HTTP) through the attacker’s infrastructure, enabling credential theft.
- Which logs or tools can detect that a BGP hijack is happening?
Network operators use BGP monitoring tools (RouteViews, RIPE RIS, BGPmon and commercial equivalents) to catch unexpected announcements. Router logs showing a new origin AS for a critical prefix, or a burst of withdrawals, also signal trouble. On the service side, DNS errors or sudden traffic drops hint at hijacks. Real time notification services such as BGPStream alerts and community reports often flag large hijacks within minutes. It is crucial to correlate BGP data with operational symptoms (e.g. a global service outage) to confirm a hijack.
- Have nation states used BGP hijacking as a tactic?
Yes, state affiliated actors can and have exploited BGP weaknesses. Reported examples (some disputed) include alleged traffic surveillance achieved by hijacking routes for a specific country or organization. Attribution is difficult, and a hijack that aligns with national espionage interests may be state sponsored without proof. The scale of potential impact makes BGP an attractive vector for advanced persistent threats.
- What are the most effective mitigations against BGP hijacking?
The most effective steps are: (1) publish RPKI ROAs for your prefixes and enforce ROV on all BGP sessions; (2) apply strict prefix filtering, accepting only the prefixes each neighbor is authorized to announce; (3) monitor BGP feeds for anomalies; and (4) coordinate with upstream providers so they filter and validate on your behalf. Together these ensure that a malicious route is dropped before it affects end users. Using DNSSEC and HSTS for web services additionally makes end users less likely to trust a hijacked site even when traffic is misrouted.
BGP hijacking is the corruption of Internet routing by falsely announcing who holds an IP address block, and it poses serious security and operational risks. By hijacking routes, attackers can disrupt services, eavesdrop on traffic, or commit financial theft, as in the cryptocurrency heists above. The root cause is BGP’s trust based design: any network can claim any IP block. Modern defenses (RPKI, prefix filtering, vigilant monitoring) are essential to detect and block hijacks. Understanding BGP hijacking matters for network and security teams alike because even well protected web applications or cloud services can be undermined by a single bad routing update. In short, the integrity of BGP routing is vital to a secure and reliable Internet.
About the Author
Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.