Glossary
What Is BGP Routing?
Border Gateway Protocol (BGP) is the routing protocol that connects autonomous systems across the internet. It decides how traffic flows between organizations by exchanging announcements about which IP prefixes each network can reach. Every packet that crosses an organizational boundary is routed by BGP.
How BGP Works
BGP runs between routers at the edges of autonomous systems. Each router advertises the IP prefixes its AS can reach — and the AS path required to get there — to its peers. Peers re-advertise those announcements, building a global picture of reachability. There is no central authority; BGP is consensus by gossip.
Announcements, Withdrawals, and Path Selection
- Announcement: "I can reach 192.0.2.0/24 via AS path X → Y → Z."
- Withdrawal: "I can no longer reach that prefix."
- Best-path selection: routers pick one route per prefix using rules like AS path length, local preference, MED (multi-exit discriminator), and origin code.
BGP Hijacking and Route Leaks
BGP has no built-in authentication: any AS can announce any prefix and the announcement may be accepted by peers. Two failure modes matter most:
- Hijack: an AS announces prefixes it doesn't own, redirecting traffic for surveillance or theft.
- Leak: an AS accidentally re-advertises routes it shouldn't, causing global outages.
RPKI (Resource Public Key Infrastructure) is the modern defense — cryptographic attestations that authorize which AS can announce which prefix — but adoption is incomplete.
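The check that RPKI makes possible is route origin validation (RFC 6811). The following is an added example, not code from Whisper or from the original page: it classifies constructed announcements against constructed ROA payloads. The prefixes and ASNs are documentation ranges, and `validate_origin`, `VRPS` and `ANNOUNCEMENTS` are hypothetical names.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, authorized origin AS).
# Documentation prefixes and documentation ASNs (RFC 5398: 64496-64511).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("2001:db8::/32", 48, 64502),
]

# Constructed announcements: (prefix, AS path as received, origin last).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),     # authorized origin
    ("192.0.2.0/24", [64510, 64505]),     # covered prefix, wrong origin AS
    ("192.0.2.128/25", [64510, 64500]),   # right origin, longer than maxLength
    ("198.51.100.128/25", [64501]),       # more specific, allowed by maxLength 25
    ("203.0.113.0/24", [64510, 64503]),   # no ROA covers this prefix
    ("2001:db8:1::/48", [64502]),         # IPv6, within maxLength 48
]


def validate_origin(prefix, as_path, vrps=VRPS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last hop in the AS path
    covered = False
    for vrp_prefix, max_length, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if both are the same address family and the
        # route's address range lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # AS 0 never matches: a ROA for AS 0 means nobody may originate the prefix.
        if asn != 0 and asn == origin and route.prefixlen <= max_length:
            return "valid"
    # Covered but no matching VRP is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"


def classify_all(announcements=ANNOUNCEMENTS):
    return [(p, path[-1], validate_origin(p, path)) for p, path in announcements]


if __name__ == "__main__":
    for prefix, origin, state in classify_all():
        print(f"{prefix:20} AS{origin:<6} {state}")
```

Routes that come back `not-found` are normally still accepted by validating routers, which is why incomplete ROA coverage limits the protection.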
What BGP Data Reveals in Security
- Origin AS for any IP at any historical moment.
- Path changes — sudden re-routing through a new transit provider.
- Prefix instability — flapping prefixes are often misconfiguration, sometimes hijacks.
- Peer relationships — which networks an organization actually depends on.
BGP in Whisper
Whisper ingests BGP announcements continuously. Analysts can ask "which ASN announced 198.51.100.0/24 in March 2025?" or "which prefixes did this ASN add and withdraw last week?" against the same graph as DNS, WHOIS, and threat-intel data.