BGP Hijacking: Massive Cyber Attacks by Re-routing Internet Traffic
Understand the catastrophic implications of BGP Hijacking, how attackers manipulate the core routing protocol of the internet, and strategies for detection and defense.
The internet is not a single, monolithic entity; it is a decentralized network of tens of thousands of independent, interconnected networks known as Autonomous Systems (AS). These ASes, operated by Internet Service Providers (ISPs), cloud providers, large corporations, and universities, continuously exchange reachability information to decide how to forward packets across the globe. The protocol that carries this exchange is the Border Gateway Protocol (BGP), the "postal service" of the internet. BGP was designed in 1989, in an era of implicit trust among a small number of network operators, and it contains no mechanism for verifying that a peer is actually authorized to announce the prefixes it advertises. The session protections added later (TCP MD5, TCP-AO) authenticate the neighbour router, not the routes it sends.
Because BGP routers accept the announcements their peers send them, the protocol is profoundly vulnerable to manipulation. BGP hijacking occurs when an attacker (a rogue ISP, a compromised or misconfigured network, or a state-sponsored actor) announces to the internet that it is the origin of, or the best path to, IP address space it does not control. Because routers forward on the most specific matching prefix, and among routes for the same prefix prefer the shortest AS path, a false announcement can propagate across much of the internet within minutes. Traffic destined for a legitimate organization (a bank, a cloud provider, a social media platform) is then silently diverted to the attacker's network.
This comprehensive guide delves into the advanced and highly destructive realm of BGP Hijacking. We will explore the technical mechanics of how BGP operates and how its trust model is exploited, analyze major real-world incidents where BGP hijacks caused massive global disruption and data theft, and discuss the complex, industry-wide mitigation strategies necessary to secure the core routing infrastructure of the internet. This topic is essential for network engineers, security architects, and anyone seeking to understand the structural vulnerabilities of the global internet.
Core Concepts
To grasp the magnitude of a BGP hijack, one must first understand the fundamental architecture of internet routing and the mechanics of the Border Gateway Protocol.
Autonomous Systems (AS) and ASNs
The internet is segmented into Autonomous Systems (AS). An AS is a network or group of networks under a single administrative routing policy. Every AS is assigned a globally unique identifier, its Autonomous System Number (ASN), issued through the five regional internet registries (ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC). For example, Google (AS15169), Comcast (AS7922), and Level 3 (now Lumen, AS3356) each operate large Autonomous Systems identified by those ASNs.
How BGP Works (The Trust Problem)
BGP operates by having edge routers within an AS constantly "speak" to peering routers in neighboring ASs.
- Route Announcements: When an AS wants to receive traffic for specific IP addresses, its BGP routers send a "route announcement" to their peers. The announcement essentially says, "prefix 192.168.0.0/16 is reachable through me, and my ASN, 12345, is its origin." (The addresses in this section are illustrative; this particular range is private and is never routed on the public internet.) Each peer that accepts the route passes it on, prepending its own ASN, so the AS-path attribute records the chain of networks the announcement has traversed.
- Path Selection: When a BGP router receives announcements for the same IP block from different peers, it must choose one best path. The full decision process is long (local preference, AS-path length, origin type, MED, eBGP over iBGP, IGP cost, router ID), but two rules explain most hijacks:
  - Specificity (Prefix Length): Forwarding uses longest-prefix match, so a route for 192.168.1.0/24 always wins over a route for 192.168.0.0/16 for the addresses it covers, regardless of any attribute on the broader route. Strictly speaking this is not a BGP tiebreak at all: the two prefixes are separate routing-table entries, and the more specific one is simply matched first.
  - AS-Path Length: For routes to the identical prefix, once local preference (an operator policy value, typically used to favour customer routes over peer routes) is equal, BGP prefers the path that traverses the fewest Autonomous Systems.
- The Lack of Verification: The fundamental flaw in BGP is that, historically, it performs absolutely no cryptographic verification of the route announcements it receives. If AS "A" maliciously announces that it owns AS "B's" IP addresses, BGP routers across the internet will generally accept this announcement at face value and update their routing tables accordingly.
Types of BGP Hijacks
Attackers exploit the BGP path selection criteria to execute different types of hijacks.
- Prefix Hijacking (More Specific Prefix): The most common and effective attack. If a legitimate organization announces a /16 (65,536 addresses), an attacker announces a /24 (256 addresses) carved from inside it. Because every router forwards on the most specific match, traffic for those 256 addresses goes to the attacker everywhere the announcement reaches, bypassing the legitimate owner entirely. Most operators do not accept prefixes longer than /24, which is why a /24 is the usual weapon; an organization that already announces its space as /24s cannot be undercut this way and forces the attacker into the next technique.
- Exact-Prefix Hijacking: The attacker announces exactly the same prefix as the legitimate owner. Routers then compare the two routes, and those closer (in AS-path terms) to the attacker than to the victim select the attacker's route. The result is a partial hijack that captures some region of the internet rather than all of it. A variant, forged-origin hijacking, fabricates a path that ends in the victim's ASN (e.g. attacker-AS, victim-AS); this passes origin-only checks such as RPKI Route Origin Validation, because the origin ASN looks correct.
- Man-in-the-Middle (MitM) BGP Hijacks: In the most sophisticated scenarios, the attacker hijacks the traffic, intercepts or alters it (acting as a transparent proxy), and quietly forwards it on to the legitimate destination. This allows the attacker to eavesdrop on unencrypted communications, steal credentials, or inject malicious payloads without causing the obvious outage that would alert the victim. To make this work the attacker must keep a clean path back to the real destination, typically by including the ASNs of the networks between itself and the victim in its own announcement so that those networks reject the route (AS-path poisoning), keep their original path, and unknowingly carry the intercepted traffic home.
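The path-selection rules above and the first two hijack types can be seen in a few lines of code. The following is an added example, not code from the original page: a toy model of one router's BGP table that forwards on longest-prefix match and, among routes for the same prefix, picks the highest local preference and then the shortest AS path. The ASNs are from the RFC 5398 documentation range and the prefixes from RFC 5737; the scenarios are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed ASNs from the documentation range (RFC 5398); none of them is real.
VICTIM, TRANSIT_A, TRANSIT_B, ATTACKER = 64500, 64501, 64502, 64510


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    as_path: list[int]     # leftmost = neighbour that sent it, rightmost = origin AS
    local_pref: int = 100  # operator policy; evaluated before AS-path length


class Rib:
    """Toy model of one router's BGP table: every route per prefix, plus best-path selection."""

    def __init__(self) -> None:
        self.routes: dict[ipaddress.IPv4Network, list[Route]] = {}

    def learn(self, route: Route) -> None:
        self.routes.setdefault(route.prefix, []).append(route)

    def best(self, prefix: ipaddress.IPv4Network) -> Route:
        # Simplified decision process: highest LOCAL_PREF, then shortest AS_PATH.
        # Real routers continue with ORIGIN, MED, eBGP-over-iBGP, IGP cost and router ID.
        return min(self.routes[prefix], key=lambda r: (-r.local_pref, len(r.as_path)))

    def lookup(self, ip: str) -> Route | None:
        # Forwarding is longest-prefix match: a /25 beats a /24 whatever the BGP attributes.
        addr = ipaddress.ip_address(ip)
        covering = [p for p in self.routes if addr in p]
        if not covering:
            return None
        return self.best(max(covering, key=lambda p: p.prefixlen))


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def more_specific_hijack() -> tuple[int, int]:
    """Attacker announces a /25 inside the victim's /24 (prefix hijack)."""
    rib = Rib()
    rib.learn(Route(net("203.0.113.0/24"), [TRANSIT_A, VICTIM]))
    rib.learn(Route(net("203.0.113.0/25"), [TRANSIT_B, ATTACKER]))
    # Lower half of the block now goes to the attacker; the upper half still reaches the victim.
    # (Most operators drop prefixes longer than /24, so real hijacks announce /24s carved out
    # of larger blocks; the mechanism is identical.)
    return rib.lookup("203.0.113.10").as_path[-1], rib.lookup("203.0.113.200").as_path[-1]


def exact_prefix_hijack(router_near_attacker: bool) -> int:
    """Attacker announces the same /24; which route wins depends on where the router sits."""
    rib = Rib()
    if router_near_attacker:
        rib.learn(Route(net("203.0.113.0/24"), [TRANSIT_A, TRANSIT_B, VICTIM]))  # length 3
        rib.learn(Route(net("203.0.113.0/24"), [ATTACKER]))                      # length 1
    else:
        rib.learn(Route(net("203.0.113.0/24"), [VICTIM]))                        # length 1
        rib.learn(Route(net("203.0.113.0/24"), [TRANSIT_B, TRANSIT_A, ATTACKER]))
    return rib.lookup("203.0.113.10").as_path[-1]


def local_pref_override() -> int:
    """Policy beats topology: a router that pins LOCAL_PREF on its direct customer keeps the victim."""
    rib = Rib()
    rib.learn(Route(net("203.0.113.0/24"), [VICTIM], local_pref=200))  # customer route
    rib.learn(Route(net("203.0.113.0/24"), [ATTACKER]))                # peer route, same length
    return rib.lookup("203.0.113.10").as_path[-1]


if __name__ == "__main__":
    print("more-specific hijack (origin for .10, origin for .200):", more_specific_hijack())  # (64510, 64500)
    print("exact prefix, router near attacker:", exact_prefix_hijack(True))    # 64510
    print("exact prefix, router near victim:", exact_prefix_hijack(False))     # 64500
    print("exact prefix, customer local-pref:", local_pref_override())         # 64500
```

The last scenario is why an exact-prefix hijack is always partial: the victim's own upstreams give its route a higher local preference and keep sending traffic to the right place, while networks on the far side of the attacker see only the shorter path and follow it.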
Real-world Examples
BGP Hijacking is not a theoretical threat; it is a regular occurrence on the internet, often causing massive, highly visible outages or facilitating stealthy cyber espionage and cryptocurrency theft.
The Pakistan Telecom / YouTube Incident (2008)
One of the earliest and most infamous examples of BGP hijacking occurred in 2008, demonstrating the fragility of internet routing. The government of Pakistan ordered the state-owned ISP, Pakistan Telecom, to block access to YouTube domestically due to content deemed offensive.
To implement the block, Pakistan Telecom (AS17557) created a BGP announcement for 208.65.153.0/24, a more specific slice of YouTube's 208.65.152.0/22 that contained the main site. They intended to route this traffic into a "black hole" inside Pakistan and drop it. Because of a configuration error, the announcement was not kept inside Pakistan Telecom's network: it was sent to its upstream provider, PCCW (AS3491) in Hong Kong.
PCCW had no filter restricting which prefixes it would accept from this customer, so it propagated the route to the rest of the world. Because the Pakistani /24 was more specific than YouTube's legitimate /22, routers globally installed it, and traffic for that block of YouTube's addresses was diverted to Pakistan and dropped. YouTube was effectively unreachable worldwide for roughly two hours. It recovered first by announcing two /25s of its own (even more specific than the rogue /24), and the outage ended fully when PCCW withdrew the announcement. The incident is the textbook case for customer prefix filtering: a one-line filter at PCCW would have contained the mistake.
The Amazon Route 53 and MyEtherWallet Hijack (2018)
In a highly targeted, financially motivated attack, criminals executed a BGP hijack against address space belonging to Amazon Web Services (AWS) in order to steal cryptocurrency. The rogue announcements originated from eNet (AS10297), a small ISP in Ohio, either through a compromised router or through an abused customer session; the exact entry point was not publicly confirmed.
From there, the attackers announced five /24 prefixes inside the address space of Amazon Route 53, Amazon's authoritative DNS service, more specific than Amazon's own announcements. Networks that accepted these routes, which included paths used by some large public resolvers, sent their DNS queries for Route 53 to servers controlled by the attackers for about two hours.
The attackers' goal was not to disrupt AWS but to reach users of the cryptocurrency wallet site MyEtherWallet, whose DNS was hosted on Route 53. Their rogue DNS servers answered queries for myetherwallet.com with the address of a phishing copy of the site hosted in Russia. The fake site presented a self-signed certificate, so browsers showed a warning; the users who clicked through and logged in had their wallets emptied, for a reported loss of roughly 150,000 USD in Ether. The incident shows how a BGP hijack of DNS infrastructure becomes a Man-in-the-Middle attack on every service that depends on it, and how TLS only protects users who do not override certificate warnings.
The Rostelecom BGP Hijack Involving Google, AWS, and Cloudflare (2020)
In April 2020, the Russian state-controlled telecommunications provider Rostelecom (AS12389) announced roughly 8,800 prefixes belonging to more than 200 networks, including Google, Amazon, Cloudflare, and Facebook.
Rostelecom's upstream providers accepted and propagated the announcements, so for about an hour a significant share of traffic destined for these cloud and content networks was routed through Russia. Rostelecom later attributed the event to an internal traffic-engineering system whose routes leaked onto the global table; in BGP terms it combined a route leak (re-announcing routes learned from one neighbour to others without authorization) with origin changes, which is why it is usually called a hijack.
The incident caused noticeable latency and localized outages, but the main concern among security analysts was the potential for interception. Networks that performed RPKI origin validation rejected the Rostelecom routes for prefixes covered by a signed ROA, which made the event one of the clearest early demonstrations of ROV's value. Whether accidental or a deliberate test of capability, it showed that a single large ISP can alter the flow of global traffic, and underscored the need for cryptographic routing security to be deployed everywhere rather than at a handful of careful operators.
Best Practices & Mitigation
Securing the Border Gateway Protocol is immensely challenging because it requires coordinated, global action across thousands of independent network operators. An organization cannot completely protect itself unilaterally; it relies on the security practices of its ISPs. However, several critical mitigation strategies are slowly being adopted across the industry.
Implementing RPKI (Resource Public Key Infrastructure)
RPKI is the most widely deployed technical defence against BGP hijacking. It attaches cryptographic proof of address ownership to BGP's otherwise unverified announcements. It secures only the origin of a route, not the path, a limitation discussed below.
- Route Origin Authorization (ROA): The holder of an IP block creates a ROA, a signed object issued under the RIR's certificate hierarchy, that binds a prefix (e.g. 192.168.0.0/16) to the single ASN authorized to originate it, together with a maxLength field stating the longest prefix that ASN may announce from the block. A ROA with an origin of AS0 declares that nobody may originate the prefix, which is how unannounced space is protected.
- Route Origin Validation (ROV): Operators run a relying-party validator (Routinator, rpki-client, and FORT are the common open-source choices) that fetches and verifies every ROA and feeds the resulting prefix/ASN table to routers over the RPKI-to-Router protocol (RTR). For each announcement the router derives one of three states: Valid (a covering ROA matches the origin ASN and the prefix is not longer than maxLength), Invalid (a covering ROA exists but the origin ASN or length does not match), or NotFound (no ROA covers the prefix). Dropping Invalid routes is operator policy rather than protocol behaviour, and NotFound routes are accepted, so unsigned space gains nothing from ROV.
- What ROV does not catch: Because only the rightmost ASN of the AS path is checked, a forged-origin hijack (attacker-AS, victim-AS) validates as Valid. Path validation is the subject of BGPsec (RFC 8205) and the lighter-weight ASPA proposal, neither of which is yet widely deployed. ROA hygiene matters too: a maxLength looser than what is actually announced lets an attacker forge a Valid more-specific, so ROAs should cover exactly the prefixes that are announced.
- The Adoption Challenge: The effectiveness of RPKI depends on widespread adoption. If an organization creates ROAs for its prefixes but the ISPs in between do not perform ROV, the organization remains exposed. Tier 1 carriers, large IXPs, and major content and cloud networks now reject Invalid routes, which has sharply reduced the reach of basic prefix hijacks; creating ROAs for your own space is therefore the single highest-value step an address holder can take.
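The three ROV outcomes, the maxLength rule, AS0 ROAs and the forged-origin blind spot are easiest to understand by running the validation logic. The following is an added example (not code from the original page or from any validator): a direct implementation of RFC 6811 origin validation over a constructed validated cache, standing in for what Routinator or rpki-client would hand a router over RTR. ASNs are from the documentation range and prefixes from RFC 5737.

```python
from __future__ import annotations

import ipaddress
from typing import NamedTuple


class Roa(NamedTuple):
    """One Route Origin Authorization: prefix, maxLength and the authorized origin ASN."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix), max_length, asn)


# Constructed validated cache (the set of verified ROAs a router would receive over RTR).
ROAS = [
    roa("203.0.113.0/24", 24, 64500),  # AS64500 may originate exactly this /24 and nothing longer
    roa("198.51.100.0/24", 24, 0),     # AS0 ROA: no AS may originate this space (RFC 7607)
]


def validate(prefix: str, origin_asn: int, roas: list[Roa] = ROAS) -> str:
    """RFC 6811 Route Origin Validation: returns 'Valid', 'Invalid' or 'NotFound'."""
    p = ipaddress.ip_network(prefix)
    covering = [r for r in roas if p.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"      # no ROA covers the prefix; routers accept these by default
    for r in covering:
        if r.asn == origin_asn and p.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"           # covered, but wrong origin ASN or longer than maxLength


def origin_of(as_path: list[int]) -> int:
    # ROV looks at the rightmost ASN of AS_PATH only; the rest of the path is never checked.
    return as_path[-1]


def validate_announcement(prefix: str, as_path: list[int], roas: list[Roa] = ROAS) -> str:
    return validate(prefix, origin_of(as_path), roas)


if __name__ == "__main__":
    print(validate("203.0.113.0/24", 64500))   # Valid: the legitimate owner
    print(validate("203.0.113.0/25", 64500))   # Invalid: longer than maxLength, even from the owner
    print(validate("203.0.113.0/24", 64510))   # Invalid: exact-prefix hijack by AS64510
    print(validate("203.0.113.0/25", 64510))   # Invalid: more-specific hijack by AS64510
    print(validate("192.0.2.0/24", 64510))     # NotFound: no ROA, so ROV cannot help this block
    print(validate("198.51.100.0/24", 64510))  # Invalid: AS0 ROA protects unannounced space
    # Forged-origin hijack: AS64510 fabricates a path ending in the victim's ASN. ROV reports
    # Valid because only the origin is checked; path validation (ASPA, BGPsec) is needed here.
    print(validate_announcement("203.0.113.0/24", [64510, 64500]))   # Valid
```

Two practical points fall out of the runs. The second call shows that a too-tight ROA breaks the owner's own more-specifics (a common self-inflicted outage when operators start announcing /25-style traffic-engineering routes without updating ROAs), and the last call shows why "my prefix is RPKI-Valid" does not mean "my prefix cannot be hijacked".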
Route Filtering and Peer Strictness
ISPs and large enterprise networks must implement strict ingress and egress filtering on their BGP sessions to prevent the propagation of false routes.
- Prefix Filtering: Operators should apply explicit, default-deny import policies on every eBGP session (RFC 8212 makes default-deny the required behaviour for a conforming BGP implementation). An ISP providing transit to a customer should accept only the prefixes that customer is known to hold, at no finer granularity than /24, and should reject bogon space (private, reserved, and unallocated ranges). The allow-lists are normally generated from IRR route objects and RPKI ROAs with tools such as bgpq4 rather than maintained by hand. The same discipline applies outbound: a network should announce to its upstreams only its own prefixes and those of its customers, never routes learned from a peer or another upstream, which is exactly the route leak that turned the Rostelecom incident global.
- AS-Path Filtering: Reject announcements whose AS path is implausible: a first ASN that is not the neighbour's own, private or reserved ASNs (AS0, 64512 to 65534, 4200000000 and above), AS_TRANS (23456) left in a path, or paths far longer than any real internet path.
- Mutually Agreed Norms for Routing Security (MANRS): MANRS is a global initiative supported by the Internet Society that defines a baseline of four actions for network operators: filtering (prevent propagation of incorrect routing information), anti-spoofing (prevent traffic with spoofed source addresses), coordination (publish and maintain working contact information), and global validation (publish routing data, including ROAs, so others can validate). Operators that join commit publicly to implementing them.
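As an added example, not code from the original page or from any vendor, here is the import policy described above written as a small evaluator for one customer eBGP session: default deny, a prefix allow-list with a /24 length ceiling, a bogon check, and the AS-path sanity rules. It is a model of what a router's prefix-list and as-path filters do, so the logic can be read and tested outside a router. The customer ASN, its prefix and the sample announcements are constructed; ASNs are from the documentation range.

```python
from __future__ import annotations

import ipaddress

# Bogon space that must never be accepted from anyone (RFC 1918, loopback, link-local, CGNAT,
# benchmarking, multicast). The RFC 5737 documentation ranges are normally bogons as well;
# they are left out here only because this constructed example uses them as customer space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3",
)]
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
RESERVED_ASNS = {0, 23456, 65535, 4294967295}   # AS0, AS_TRANS, and the two reserved maxima


def is_private_or_reserved(asn: int) -> bool:
    return asn in RESERVED_ASNS or any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


class CustomerIngressPolicy:
    """Import policy for one customer session: default-deny, prefix allow-list, AS-path checks.
    Real-world equivalents are an IOS 'ip prefix-list' plus 'ip as-path access-list', or a
    Junos policy-statement with route-filter and as-path terms."""

    def __init__(self, neighbor_asn: int, allowed_prefixes: list[str],
                 max_prefix_len: int = 24, max_path_len: int = 50) -> None:
        self.neighbor_asn = neighbor_asn
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.max_prefix_len = max_prefix_len
        self.max_path_len = max_path_len

    def accept(self, prefix: str, as_path: list[int]) -> tuple[bool, str]:
        p = ipaddress.ip_network(prefix)
        if any(p.overlaps(b) for b in BOGONS):
            return False, "bogon prefix"
        if p.prefixlen > self.max_prefix_len:
            return False, f"prefix longer than /{self.max_prefix_len}"
        if not any(p.subnet_of(a) for a in self.allowed):
            return False, "prefix not in customer allow-list"      # RFC 8212 default deny
        if not as_path or as_path[0] != self.neighbor_asn:
            return False, "first AS in path is not the neighbour"
        if len(as_path) > self.max_path_len:
            return False, "AS path implausibly long"
        bad = [a for a in as_path if is_private_or_reserved(a)]
        if bad:
            return False, f"private or reserved ASN in path: {bad}"
        return True, "accepted"


# Constructed session: customer AS64500 is known (from IRR/ROA data) to hold 203.0.113.0/24.
POLICY = CustomerIngressPolicy(neighbor_asn=64500, allowed_prefixes=["203.0.113.0/24"])

if __name__ == "__main__":
    samples = [
        ("203.0.113.0/24", [64500]),          # the customer's own block: accepted
        ("198.51.100.0/24", [64500]),         # someone else's block (the Pakistan Telecom case): denied
        ("203.0.113.0/25", [64500]),          # too specific: denied
        ("203.0.113.0/24", [64501, 64500]),   # arrived from the wrong neighbour ASN: denied
        ("203.0.113.0/24", [64500, 65001]),   # private ASN leaked into the path: denied
        ("192.168.1.0/24", [64500]),          # bogon: denied before any other check
        ("203.0.113.0/24", [64500] * 60),     # absurd prepending: denied
    ]
    for prefix, path in samples:
        print(prefix, path[:3], "->", POLICY.accept(prefix, path))
```

The order of checks matters only for the reason string; any failing rule denies the route. In production the allow-list is regenerated automatically whenever the customer's IRR or RPKI records change, so that a legitimately added block does not get dropped while an unauthorized one always does.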
BGP Monitoring and Alerting
Organizations must actively monitor the global BGP routing table for unauthorized announcements involving their IP space.
- External Monitoring Services: Use community route collectors and commercial services that watch the global table from many vantage points: RouteViews (University of Oregon) and RIPE RIS provide raw data and live streams, RIPE NCC's open-source BGPalerter can be pointed at your own prefixes, and commercial products such as Kentik and Cisco ThousandEyes add alerting and dashboards. Alert on any announcement of your prefixes, or of more-specifics inside them, from an origin ASN that is not yours; on your prefixes appearing with an unexpected first-hop upstream (the signature of a forged-origin hijack); and on RPKI-Invalid announcements of your space. Looking glasses at large networks are the quickest way to confirm what a remote region of the internet actually sees.
- Rapid Response: When a hijack is detected, speed is critical. Organizations must have established relationships and emergency contact procedures (PeeringDB and the RIR whois records should carry working NOC contacts) with their upstream ISPs, and with the upstreams of the offending network, to get the rogue announcement filtered. Where the attack uses a more-specific prefix, the owner can also fight back on the wire by announcing equally or more specific prefixes of its own, as YouTube did in 2008, while the filters are put in place.
Network Architecture Defense-in-Depth
Organizations should design their networks to mitigate the impact of a hijack, recognizing that BGP is fundamentally insecure.
- Enforce End-to-End Encryption: Ensure that all critical traffic uses strong transport encryption (TLS/HTTPS). An attacker who intercepts an encrypted session sees only ciphertext, provided the user does not override a certificate warning (the MyEtherWallet victims did). Two caveats apply. First, an attacker who holds hijacked address space can sometimes obtain a valid certificate for a domain by passing a certificate authority's HTTP-based domain validation from that space; CAA records, short certificate lifetimes, and CAs that validate from multiple network vantage points reduce this risk. Second, HSTS preloading prevents the attacker from downgrading users to plain HTTP at all.
- DNS Security: Sign your zones with DNSSEC so that validating resolvers reject forged answers, which would have defeated the rogue Route 53 responses in the 2018 attack for any resolver that validated. DNSSEC protects integrity only, and only where resolvers validate; combine it with DNS hosting on anycast infrastructure whose prefixes are covered by tight ROAs.
BGP Hijacking exposes the fragile, trust-based foundation upon which the modern internet was built. The ability of a single misconfigured router or a malicious state-actor to divert global internet traffic highlights a systemic vulnerability that threatens the integrity and availability of digital communications worldwide. From accidental outages like the Pakistan YouTube incident to targeted cryptocurrency theft and state-sponsored espionage, the consequences of unverified routing are severe and escalating.
Securing the internet's core routing infrastructure is not a problem that can be solved by a single software patch or firewall rule; it requires a paradigm shift towards cryptographic verification and global cooperation. The widespread adoption of RPKI (Resource Public Key Infrastructure) and adherence to routing security initiatives like MANRS are paramount for the long-term stability of the internet. Until these cryptographic controls become ubiquitous, organizations must rely on aggressive, continuous BGP monitoring, rapid incident response protocols with their ISPs, and unwavering enforcement of end-to-end encryption to protect their data and their users from the invisible, devastating threat of BGP manipulation.