Glossary

What Is BGP Hijacking?

BGP hijacking is the announcement of IP prefixes by an autonomous system (AS) that is not authorized to originate them. BGP has no built-in way to verify who may originate a prefix, so peers may accept the false announcement and start forwarding traffic for the hijacked prefix to the wrong network, enabling interception, surveillance, or denial of service (the traffic is simply dropped).

Why BGP Is Vulnerable

BGP was designed in 1989 around mutual trust between operators. Any AS can announce any prefix; peers decide which announcements to accept based on configured filters, business relationships and path attributes such as AS-path length. There is no global authority that can stop a hijack at the protocol level: the only defences are what each operator filters and validates.

Common Hijack Types

  • Prefix hijack — announcing exactly the victim's prefix from a different origin AS. Each router picks one best path, so only part of the Internet (usually the part topologically closer to the hijacker) is redirected.
  • Subprefix hijack — announcing a more specific prefix (e.g. a /24 inside the victim's /20). Forwarding uses longest-prefix match, so the /24 wins on every router that accepts it, no matter how long its AS path is; this is why subprefix hijacks tend to redirect traffic globally rather than locally.
  • Path forgery — announcing a fabricated AS path, for example putting the victim's own AS number at the origin so the route looks legitimately originated. This defeats checks that look only at the origin AS.
  • Route leak — propagating routes beyond their intended scope (RFC 7908), e.g. a customer re-advertising routes learned from one provider to another provider. Usually accidental, but the leaking AS often cannot carry the traffic it attracts, which is why leaks cause large-scale outages.
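The subprefix mechanism above, as an added worked example that is not part of this glossary or of Whisper: a toy router that forwards by longest-prefix match and applies BGP's AS-path-length tie-break only among routes of equal length. The addresses, AS numbers and paths are constructed for illustration (private address space, RFC 5398 documentation ASNs).

```python
import ipaddress

# Constructed routing table: (prefix, AS path). Private address space and
# documentation ASNs (RFC 5398) are assumptions for illustration. AS64496
# legitimately originates the /20; AS64511 is a hypothetical hijacker
# announcing a /24 carved out of it, reaching this router over a longer path.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/20"), [64500, 64496]),
    (ipaddress.ip_network("10.10.5.0/24"), [64500, 64501, 64502, 64511]),
]


def best_path(candidates):
    """BGP best-path selection reduced to the AS-path-length step. It only
    ever compares routes to the *same* prefix."""
    return min(candidates, key=lambda route: len(route[1]))


def lookup(dst, routes=ROUTES):
    """Forwarding lookup as a router's FIB does it: longest-prefix match
    first, BGP tie-breaking only among routes of that length."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    longest = max(r[0].prefixlen for r in matches)
    return best_path([r for r in matches if r[0].prefixlen == longest])


def origin_as(dst, routes=ROUTES):
    """Which AS ends up receiving the traffic for dst."""
    route = lookup(dst, routes)
    return route[1][-1] if route else None


# Victim's counter-move: originate the same /24 yourself. The two /24s now
# compete at equal length, and on this router the shorter legitimate path wins.
COUNTER_ROUTES = ROUTES + [(ipaddress.ip_network("10.10.5.0/24"), [64500, 64496])]

if __name__ == "__main__":
    print(origin_as("10.10.5.7"))                  # 64511: the hijacker wins despite the 4-hop path
    print(origin_as("10.10.9.1"))                  # 64496: outside the /24, unaffected
    print(origin_as("10.10.5.7", COUNTER_ROUTES))  # 64496: equal length, shorter path wins
```

The counter-announcement only helps on routers where the victim's path is shorter; elsewhere the hijacker still wins. Announcing something even more specific (/25s) beats the hijacker's /24 everywhere it is accepted, but many networks filter anything longer than a /24, so it is not a reliable fix.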

Famous Incidents

  • 2008 — Pakistan Telecom announced a more specific /24 of YouTube's prefix to block the site domestically; the announcement leaked to the global table and YouTube was unreachable worldwide for roughly two hours.
  • 2018 — Attackers hijacked prefixes used by Amazon's Route 53 DNS service and answered queries for myetherwallet.com with the address of a phishing site; users who clicked through the certificate warning had their cryptocurrency stolen.
  • 2022 — KlaySwap: a third-party server the site loaded a JavaScript file from was BGP-hijacked, attackers served a malicious replacement for that file, and user funds were stolen.

RPKI and the Path to Authentication

RPKI (Resource Public Key Infrastructure) is the modern defense against origin hijacks. Prefix holders publish signed Route Origin Authorizations (ROAs) stating which AS may originate a prefix and up to which prefix length (the maxLength). Routers performing Route Origin Validation (ROV) compare each announcement against the ROA set and mark it valid, invalid (a ROA covers the prefix but neither the origin AS nor the length matches) or not-found (no ROA covers it); operators then configure policy to drop invalids. Adoption has grown steadily and major transit networks now drop invalid routes, but full coverage is still years away. Two caveats matter in practice. ROAs bind only the origin AS, so a hijacker who forges the victim's AS as the origin, or a route leak that keeps the correct origin, still validates; path validation is not something ROAs provide. And a maxLength looser than what you actually announce authorises more specifics you never intended to originate, which hands a subprefix hijacker a valid-looking slot (RFC 9319 recommends keeping maxLength minimal).

Detecting Hijacks in Real Time

  • Continuous BGP monitoring across many vantage points (RIPE RIS, RouteViews, internal feeds): a hijack is often visible only from part of the Internet.
  • Alert when a prefix you own, or any more specific of it, is announced by an unexpected origin AS. Keep a baseline of expected origins and upstreams per prefix to compare against.
  • Alert when the AS path length or the upstream adjacent to your origin AS changes drastically; this is the signal that remains when a hijacker forges your origin.
  • Cross-reference with RPKI status: an invalid announcement for your prefix is a strong signal, but a valid one does not clear it, since ROV checks only the origin.
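Both the validation described under "RPKI and the Path to Authentication" and the detection checks above, as one added example that is not Whisper's code or data model: a Route Origin Validation routine following RFC 6811, and a monitor that compares observations from several collectors against a per-prefix baseline of expected origin and upstream. The ROA set, the baseline and the collector observations are constructed for illustration (private address space, RFC 5398 documentation ASNs, collector names modelled on RIPE RIS).

```python
import ipaddress

# Everything below is constructed for illustration: private address space,
# RFC 5398 documentation ASNs, collector names modelled on RIPE RIS.
ROAS = [  # (prefix, maxLength, authorised origin AS)
    (ipaddress.ip_network("10.10.0.0/20"), 22, 64496),
    (ipaddress.ip_network("10.20.0.0/16"), 16, 64497),
]
BASELINE = {  # what the operator expects to see for its own prefixes
    "10.10.0.0/20": {"origin": 64496, "upstreams": {64500}},
    "10.20.0.0/16": {"origin": 64497, "upstreams": {64500}},
}
OBSERVATIONS = [  # (collector, prefix, AS path); the last ASN is the origin
    ("rrc00", "10.10.0.0/20", [64500, 64496]),          # normal
    ("rrc01", "10.10.0.0/20", [64503, 64500, 64496]),   # normal, one hop further away
    ("rrc01", "10.10.5.0/24", [64503, 64501, 64511]),   # subprefix hijack by AS64511
    ("rrc00", "10.20.0.0/16", [64500, 64497]),          # normal
    ("rrc02", "10.20.0.0/16", [64500, 64502, 64497]),   # AS64502 forges AS64497 as origin
    ("rrc02", "10.20.0.0/17", [64500, 64502, 64497]),   # same forgery, as a more specific
    ("rrc00", "10.30.0.0/16", [64500, 64510]),          # not our prefix, ignored
]


def rov_state(prefix, origin, roas=ROAS):
    """Route Origin Validation as defined in RFC 6811.

    A ROA *covers* a route when the ROA prefix contains the route prefix.
    The route is 'valid' if some covering ROA names its origin AS and the
    route is no longer than that ROA's maxLength; 'invalid' if ROAs cover it
    but none matches; 'not-found' if no ROA covers it at all.
    """
    prefix = ipaddress.ip_network(prefix)
    covering = [roa for roa in roas if prefix.subnet_of(roa[0])]
    if not covering:
        return "not-found"
    for _, max_len, asn in covering:
        if asn == origin and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"


def check_observations(observations=OBSERVATIONS, baseline=BASELINE, roas=ROAS):
    """Return (kind, collector, prefix, offending ASN) alerts for every
    observation that falls inside one of our prefixes and deviates from the
    baseline or fails ROV. Observations outside our address space are ignored."""
    alerts = []
    for collector, prefix_s, path in observations:
        prefix = ipaddress.ip_network(prefix_s)
        origin = path[-1]
        upstream = path[-2] if len(path) > 1 else None
        for mine_s, expected in baseline.items():
            mine = ipaddress.ip_network(mine_s)
            if not prefix.subnet_of(mine):
                continue
            # More specifics are tagged separately: they redirect traffic everywhere.
            tag = "more-specific " if prefix.prefixlen > mine.prefixlen else ""
            if origin != expected["origin"]:
                alerts.append((tag + "unexpected-origin", collector, prefix_s, origin))
            if upstream not in expected["upstreams"]:
                alerts.append((tag + "unexpected-upstream", collector, prefix_s, upstream))
            if rov_state(prefix_s, origin, roas) == "invalid":
                alerts.append(("rpki-invalid", collector, prefix_s, origin))
    return alerts


if __name__ == "__main__":
    for alert in check_observations():
        print(alert)
```

The rrc02 observation for 10.20.0.0/16 is the instructive one: AS64502 has placed the victim's AS64497 at the origin, so ROV reports it valid and no origin alert fires; only the upstream check against the baseline catches it. Its /17 sibling is also caught by ROV, but solely because the ROA's maxLength is 16; with a loose maxLength it would validate too.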

BGP Hijacks in Whisper

Whisper ingests global BGP routing in near-real-time. Analysts can ask "which prefixes changed origin AS in the last 24 hours" or "show me prefixes with active RPKI invalid announcements" and pivot directly to the affected hostnames and downstream impact.