What is a BGP Hijack?
A BGP hijack occurs when a network announces IP prefixes it does not legitimately control. Because BGP is built on trust — routers generally accept route announcements from their peers without cryptographic verification — a malicious or misconfigured network can redirect traffic intended for someone else.
How BGP Hijacking Works
Suppose Google (AS15169) legitimately announces 8.8.8.0/24. A hijacker in a different autonomous system could announce the same prefix, or a more specific one like 8.8.8.0/25. Routers prefer more specific prefixes, so the hijacker's announcement would win — traffic destined for 8.8.8.8 would flow to the attacker instead of Google.
BGP hijacks fall into several categories:
- Origin hijack — announcing someone else's prefix as your own, with your ASN as the origin
- Path hijack — inserting your ASN into the AS path to intercept traffic in transit
- More-specific hijack — announcing a longer prefix (e.g., /25 vs /24) to attract traffic for a subset of the address space
- Leak — accidentally re-announcing routes learned from one peer to another, often due to misconfiguration
Real-World BGP Hijacks
BGP hijacks are not theoretical. Notable incidents include:
- Pakistan vs YouTube (2008) — Pakistan Telecom announced YouTube's prefixes to block it domestically, but the announcement leaked globally and took YouTube offline worldwide for hours.
- China Telecom (2010, 2018) — traffic for US government and military networks was rerouted through China for minutes at a time.
- Amazon Route 53 (2018) — a hijacker rerouted DNS traffic for Amazon's Route 53 to steal cryptocurrency from MyEtherWallet users.
Defenses Against BGP Hijacking
RPKI (Resource Public Key Infrastructure) is the primary defense. It lets the holder of an address block publish cryptographically signed Route Origin Authorizations (ROAs) stating which AS is allowed to originate a given prefix, and routers can validate each received route against those ROAs. Routes that fail validation can be dropped. Because this checks only the origin AS, it stops origin and more-specific hijacks but not a path hijack in which the attacker keeps the legitimate origin AS in the path.
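The following is an added example, not code from the original page: a small Python model of Route Origin Validation applied to the 8.8.8.0/24 vs 8.8.8.0/25 scenario above. The ROA, the hijacker's ASN (64512, a private ASN) and the announcements are constructed for illustration; it shows that longest-prefix match alone hands 8.8.8.8 to the more-specific /25, while dropping ROV-Invalid routes restores Google's /24.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ROAs (example data, not from any real RPKI repository). A ROA
# says: "AS `asn` may originate `prefix` and more-specifics up to /maxlen".
@dataclass(frozen=True)
class ROA:
    prefix: str
    maxlen: int
    asn: int

ROAS = [ROA("8.8.8.0/24", 24, 15169)]  # Google's 8.8.8.0/24, as in the text

def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route Origin Validation (RFC 6811): 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"   # no ROA covers this prefix; ROV does not reject it
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.maxlen:
            return "Valid"
    return "Invalid"        # covered, but wrong origin AS or too specific

def best_route(dest_ip: str, announcements, drop_invalid: bool):
    """Longest-prefix match over (prefix, origin_asn) pairs for dest_ip,
    optionally dropping routes that ROV marks Invalid."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        if drop_invalid and rov_state(prefix, origin) == "Invalid":
            continue
        candidates.append((net.prefixlen, prefix, origin))
    if not candidates:
        return None
    _, prefix, origin = max(candidates)   # longest prefix wins
    return (prefix, origin)

# Constructed scenario from the text: Google's legitimate /24 plus a
# more-specific /25 from a hypothetical hijacker, AS 64512 (a private ASN).
ANNOUNCEMENTS = [("8.8.8.0/24", 15169), ("8.8.8.0/25", 64512)]

if __name__ == "__main__":
    print(best_route("8.8.8.8", ANNOUNCEMENTS, drop_invalid=False))  # hijacker's /25
    print(best_route("8.8.8.8", ANNOUNCEMENTS, drop_invalid=True))   # Google's /24
```

Note the maxlen edge case: with a ROA of maxlen 24, even Google itself announcing 8.8.8.0/25 would be Invalid, which is why operators must set maxlen to match the most specific prefix they actually intend to announce.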
Monitoring tools like BGP looking glasses help detect hijacks by letting operators see the global routing table and verify that their prefixes are being announced correctly, including the origin AS and AS path currently seen for any prefix.