BGP is a handshake protocol running in a world that no longer shakes hands.
When the Internet was a few dozen universities exchanging research, BGP's design made sense: announce what you can reach, trust your neighbors to do the same, and routes will converge on truth. There was no verification because verification wasn't needed. Everyone knew everyone.
Today's Internet connects billions of devices across tens of thousands of autonomous systems, many with conflicting interests, some with malicious intent. BGP still works the same way. When a network announces "I can reach these addresses," other networks believe it. There's no built-in way to check.
This is how traffic gets stolen.
The Anatomy of a Hijack
BGP hijacking happens when someone announces IP addresses they don't control. The announcement propagates. Routers update their tables. Traffic flows to the wrong place.
Imagine putting up fake highway signs pointing to your warehouse instead of the airport. Drivers follow the signs. They end up at your door. BGP hijacking works the same way—except the "drivers" are packets carrying banking transactions, medical records, government communications.
The hijacker has options:
Blackhole the traffic. Drop everything. The destination becomes unreachable. Denial of service without sending a single attack packet.
Inspect and forward. Route traffic through your network, copy what's interesting, then send it along to the real destination. The victim's connection works—they just don't know you're reading it.
Modify in transit. Change the traffic before forwarding. Inject malware. Alter transactions. Rewrite reality.
The More-Specific Trick
Routers forward packets using the most specific route they know (longest-prefix match). If Google announces 8.8.8.0/24 (256 addresses) and you announce 8.8.8.0/25 (128 addresses), every router that accepts your announcement sends traffic for the first half of that range, including 8.8.8.8 itself, to you. You've hijacked half of Google's DNS service by being more specific.
This is elegant and devastating. The legitimate owner can't easily defend against it without fragmenting their own announcements into ever-smaller pieces. The one check most networks do apply is a length limit: IPv4 announcements longer than /24 are commonly rejected outright, so in practice the more-specific is a /24 carved out of a larger block, not a /25.
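The two halves of that mechanism, longest-prefix match on the forwarding side and the prefix-length filter on the ingress side, as an added example in Python (not code from the original page). The routing table is constructed for illustration; AS 64500 is a documentation ASN standing in for the hijacker.

```python
import ipaddress

# Constructed routing table for the example above (not real BGP data).
# AS 64500 is from the documentation ASN range and stands in for the hijacker.
RIB = [
    ("8.8.8.0/24", 15169),   # legitimate announcement
    ("8.8.8.0/25", 64500),   # hijacker's more-specific announcement
]

def longest_prefix_match(dst, rib):
    """Return (prefix, origin_asn) of the most specific route covering dst,
    or None if nothing covers it. This is how a router picks where to send a packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, asn in rib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
            best = (prefix, asn)
    return best

def accept_route(prefix, max_len_v4=24, max_len_v6=48):
    """Ingress filter commonly applied on transit and peering sessions:
    refuse announcements more specific than /24 (IPv4) or /48 (IPv6)."""
    net = ipaddress.ip_network(prefix)
    limit = max_len_v4 if net.version == 4 else max_len_v6
    return net.prefixlen <= limit

def filtered(rib):
    """The table a router ends up with after applying accept_route to every announcement."""
    return [route for route in rib if accept_route(route[0])]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "8.8.8.200"):
        print(dst, "unfiltered ->", longest_prefix_match(dst, RIB))
        print(dst, "filtered   ->", longest_prefix_match(dst, filtered(RIB)))
```

Without the filter, 8.8.8.8 resolves to the hijacker's /25 while 8.8.8.200 still goes to Google; with the filter the /25 never enters the table and both addresses follow the legitimate /24.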
Path Forgery
BGP announcements include a path: the list of autonomous systems the route traverses, ending with the AS that originated it. Attackers forge these paths to look legitimate. They append the real owner's AS number as the origin, so the route appears to be a valid path to the destination, and it passes any check that looks only at who originated the prefix.
The announcement says "reach Google through me, then AS 15169." It looks like a normal route. It isn't.
When Things Go Wrong
Pakistan vs. YouTube (2008)
Pakistan's government ordered YouTube blocked. Pakistan Telecom's engineers announced a more-specific prefix covering YouTube's addresses and pointed it at a null route, intending the announcement to stay inside Pakistan. Standard censorship technique.
But the announcement leaked. It propagated to Pakistan Telecom's upstream provider, then worldwide. Suddenly, routers across the globe held a more specific, and therefore preferred, route to YouTube that went through Pakistan Telecom, which was dropping all that traffic into a black hole.
YouTube vanished from the Internet for hours. Not because of an attack on YouTube's infrastructure. Because one country's censorship configuration escaped containment.
A network tried to make YouTube unreachable for its citizens and accidentally made it unreachable for everyone.
China Telecom (2010)
For 18 minutes, China Telecom announced routes for thousands of prefixes it didn't control. Traffic for US military networks, government agencies, and major corporations flowed through China.
Was it an attack? A configuration error? The traffic was forwarded to its destinations, so services kept working. But for those 18 minutes, someone in China could have been copying everything.
We still don't know what happened. That's the problem with a trust-based system—you can't tell the difference between malice and mistake, and you often can't tell anything happened at all.
The Cryptocurrency Heists
BGP hijacking has become a tool for stealing cryptocurrency. Attackers hijack routes to DNS servers or cryptocurrency exchanges, redirect users to fake sites, harvest credentials, drain wallets. The best-known case, in April 2018, hijacked address space belonging to Amazon's Route 53 DNS service, so that users looking up MyEtherWallet were answered with the address of a phishing site. The attack vector isn't the exchange's security; it's the Internet's routing infrastructure.
Route Leaks: The Accidental Catastrophe
Route leaks are different from hijacks. A hijack announces addresses you don't own. A leak re-announces routes you received to networks that shouldn't get them.
Here's how it happens:
You're a small ISP. You buy transit from a big carrier (they route your traffic to the Internet) and peer with a few networks (you exchange traffic directly, no payment). The rules are clear: announce your own addresses and your customers' addresses to everyone; announce routes learned from peers or from your transit provider only to your customers, never to other peers or back to a provider.
Then someone misconfigures a filter. Your router announces your transit provider's full routing table—hundreds of thousands of routes—to a peer. That peer sees you as a path to everywhere. Traffic floods in. Your links collapse. Your transit provider loses revenue. The peer's traffic takes bizarre paths across the globe.
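The export rule and the two safeguards mentioned in this section (a correct export filter and a neighbour's maximum-prefix limit), as an added example in Python that is not part of the original article. The routing table is constructed from documentation and private address ranges; 200 /16s stand in for a provider's full table.

```python
import ipaddress
from dataclasses import dataclass

# Relationship of a neighbour from our AS's point of view.
CUSTOMER, PEER, PROVIDER, SELF = "customer", "peer", "provider", "self"

@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str   # relationship of the neighbour we learned the route from

def valley_free_export(route, export_to):
    """The export rule spelled out above: own and customer routes go to everyone;
    routes learned from peers or providers are announced only to customers."""
    if route.learned_from in (SELF, CUSTOMER):
        return True
    return export_to == CUSTOMER

def leaky_export(route, export_to):
    """The misconfiguration: a filter that re-announces everything it received."""
    return True

def build_update(routes, export_to, policy):
    """Prefixes that would be sent to a neighbour of type export_to under the given policy."""
    return [r.prefix for r in routes if policy(r, export_to)]

def max_prefix_ok(update, limit):
    """A neighbour's max-prefix limit: the session is torn down once the number of
    prefixes received exceeds the configured limit, which stops the leak spreading."""
    return len(update) <= limit

# Constructed table: our own /24, one customer route, one peer route, and a
# stand-in for the transit provider's full table (private space, for illustration).
TABLE = (
    [Route("192.0.2.0/24", SELF),
     Route("198.51.100.0/24", CUSTOMER),
     Route("203.0.113.0/24", PEER)]
    + [Route(str(ipaddress.ip_network(f"10.{i}.0.0/16")), PROVIDER) for i in range(200)]
)

if __name__ == "__main__":
    good = build_update(TABLE, PEER, valley_free_export)
    bad = build_update(TABLE, PEER, leaky_export)
    print(len(good), "prefixes announced to the peer under the correct policy")
    print(len(bad), "prefixes announced to the peer after the filter breaks")
    print("peer's max-prefix limit of 10 still holds:", max_prefix_ok(bad, 10))
```

Under the correct policy the peer receives two prefixes (ours and our customer's); after the filter breaks it receives all 203, and a max-prefix limit set anywhere near the expected count trips before the leaked routes can propagate further.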
In 2014, an Indonesian ISP (Indosat) leaked over 300,000 routes. The Internet's routing tables went haywire. Major services became unreachable from parts of the Internet with no obvious pattern. The fix required finding the leak, contacting the ISP, and waiting for them to correct their configuration, while everyone else absorbed the damage.
Why This Still Happens
We've known about these vulnerabilities for decades. Solutions exist. Why aren't they deployed?
RPKI should fix this. Resource Public Key Infrastructure lets address holders publish signed Route Origin Authorizations stating which AS numbers may announce their prefixes, and how specific those announcements may be. Routers that perform Route Origin Validation can then reject announcements whose origin doesn't match.
But RPKI requires everyone to participate. If you sign your routes but your neighbors don't validate, you're not protected. If you validate but the routes aren't signed, you can't tell good from bad. And origin validation checks only the last AS in the path: a forged path that ends in the legitimate origin passes, and so does a leak, which is why path validation (BGPsec) and provider authorization (ASPA) are being pursued on top of it. We're in the middle of a coordination problem with no coordinator.
Filtering should prevent leaks. Networks should maintain strict filters on what they accept and announce. But filters require maintenance. Addresses change. Relationships change. A filter that was correct last month might leak routes today.
Economics work against security. Deploying RPKI costs money and effort. The benefits are diffuse—you're protecting everyone, not just yourself. The rational individual choice is to let others bear the cost. So deployment crawls forward while vulnerabilities remain.
What Protection Looks Like
For Network Operators
Sign your routes. Create Route Origin Authorizations in RPKI. This lets others validate that your announcements are legitimate.
Validate others' routes. Configure Route Origin Validation on your routers. Reject announcements that fail validation.
Filter aggressively. Accept only expected prefixes from peers. Announce only what you should. Set maximum prefix limits to catch leaks before they propagate.
Monitor constantly. Watch for unexpected announcements of your addresses from other networks. Services like BGPStream, RIPE RIS, and RouteViews provide global visibility.
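How origin validation, the path-forgery blind spot described earlier, and the monitoring step fit together, as an added example in Python that is not the article's own code. The ROAs, the announcements and the AS numbers (all from the documentation range) are constructed; the validation states follow RFC 6811, and the path-forgery check is an assumed monitoring heuristic (origin is our ASN, but the AS next to it is not one of our known neighbours), not a BGP standard.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ROA:
    prefix: str
    asn: int
    max_length: Optional[int] = None   # absent maxLength: only the exact prefix is authorised

def rov_state(prefix, origin_asn, roas):
    """Route Origin Validation as in RFC 6811: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        max_len = roa.max_length if roa.max_length is not None else roa_net.prefixlen
        if roa.asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def check_announcements(announcements, roas, our_asn, our_neighbours):
    """Monitor view: classify each observed (prefix, as_path) and attach an alert.
    as_path runs from the observing collector's peer to the origin (last element)."""
    report = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        state = rov_state(prefix, origin, roas)
        alert = None
        if state == "invalid":
            alert = "origin hijack: ROV invalid"
        elif origin == our_asn and len(as_path) > 1 and as_path[-2] not in our_neighbours:
            # Passes ROV, but nobody adjacent to us in the path actually connects to us.
            alert = "possible path forgery: our ASN reached via unknown neighbour"
        report.append((prefix, state, alert))
    return report

# Constructed data (documentation ASNs and prefixes, not real routing data).
ROAS = [
    ROA("192.0.2.0/24", 64496),        # our prefix; no maxLength, so only the /24 is authorised
    ROA("203.0.113.0/24", 64497, 25),  # another network's prefix, /25s explicitly allowed
]
OUR_ASN = 64496
OUR_NEIGHBOURS = {64498}
ANNOUNCEMENTS = [
    ("192.0.2.0/24", (64510, 64498, 64496)),   # normal: our route via our real upstream
    ("192.0.2.0/25", (64510, 64499)),          # more-specific hijack by a stranger
    ("192.0.2.0/25", (64510, 64498, 64496)),   # our own /25: invalid because the ROA has no maxLength
    ("192.0.2.0/24", (64510, 64499, 64496)),   # forged path ending in our ASN: ROV valid
    ("198.51.100.0/24", (64510, 64500)),       # no ROA at all
    ("203.0.113.0/25", (64510, 64497)),        # valid because the ROA allows /25
]

if __name__ == "__main__":
    for prefix, state, alert in check_announcements(ANNOUNCEMENTS, ROAS, OUR_ASN, OUR_NEIGHBOURS):
        print(f"{prefix:18} {state:10} {alert or ''}")
```

Two things to notice in the output: the forged-path announcement is ROV-valid and is caught only by the neighbour check, and our own /25 is ROV-invalid because the ROA carries no maxLength. The second is a common self-inflicted outage when operators start announcing more specifics (for traffic engineering or to fight a hijack) without first updating their ROAs.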
For Everyone Else
Use encrypted protocols. HTTPS, TLS, encrypted DNS. Hijackers can redirect your traffic, but encryption limits what they can do with it.
Verify certificates. If a hijacker redirects you to a fake server, they can't present a valid certificate for the real site's name unless they've also compromised a certificate authority, which is a different nightmare. The sharper worry is that while they hold the route they can request a fresh domain-validated certificate, because the CA's validation check is routed to them too; CAs now validate from multiple network vantage points to make that harder.
Understand the risk. Your traffic traverses infrastructure you don't control, operated by organizations you've never heard of, in countries you'll never visit. The path is not guaranteed. The path is not secure. The Internet works despite this, most of the time.
The Uncomfortable Truth
BGP isn't going away. It's too deeply embedded, too widely deployed, too fundamental to how the Internet works. We can't replace it without replacing the Internet.
So we patch. We add RPKI on top. We build monitoring systems. We establish norms and hope people follow them. We treat the symptoms because we can't cure the disease.
The Internet runs on trust, and trust doesn't scale. Every major BGP incident is a reminder that the foundations are shaky—that the global network connecting hospitals and banks and governments and everything else depends on thousands of independent operators correctly configuring their routers and choosing not to lie.
Mostly, they do. Mostly, it works.
But "mostly" is a thin foundation for civilization's nervous system.