BGP Prefix Hijacking Detection

Advanced Security

Traffic destined for your IP address range is being routed through an unexpected autonomous system — a classic sign of BGP prefix hijacking. An attacker or misconfigured router has announced your prefix with a shorter or equal AS path, causing internet routers worldwide to redirect your traffic away from you, enabling eavesdropping, credential interception, or a denial-of-service condition.

Symptoms

⚠ Sudden unexplained outages for users in specific geographic regions or ISPs
⚠ BGP route monitoring services (BGPmon, RIPE RIS) alert on unexpected new-origin announcements for your prefix
⚠ traceroute from multiple vantage points shows your prefix routing through an unknown ASN
⚠ Network reachability drops to near-zero for your announced prefix
⚠ Certificate errors from legitimate services as traffic is intercepted at a rogue router
⚠ SSL stripping or unexpected certificate substitution visible in connectivity tests

Possible Root Causes

• Malicious BGP route hijack: attacker ASN announces a more specific /25 prefix to attract traffic
• Accidental route leak: misconfigured transit AS propagates your prefix with their ASN prepended
• Fat-finger error at a peer: NOC accidentally originates your prefix during a maintenance window
• Route server misconfiguration at an IXP allowing unauthenticated prefix origination
• Missing RPKI ROA records leaving your prefix unvalidated and susceptible to unauthorised announcements

Diagnosis Steps

1. Confirm which ASN is currently originating your prefix

# Query a route server via Telnet for real-time BGP routing view
# RIPE NCC route server (public read-only)
telnet route-server.ripe.net

# Once connected, type:
show ip bgp YOUR_PREFIX/24
# Look for 'Origin AS' — it should be YOUR ASN only

# Alternative: use RIPE Stat REST API
curl "https://stat.ripe.net/data/bgp-state/data.json?resource=YOUR_PREFIX/24&rrcs=0" \
  | python3 -m json.tool | grep -A5 '"asns"'

2. Check BGP looking glass from multiple vantage points

# Query RIPE RIS looking glass
curl "https://stat.ripe.net/data/routing-status/data.json?resource=YOUR_PREFIX" \
  | python3 -m json.tool

# Check BGP.he.net for real-time route visibility
# https://bgp.he.net/net/YOUR_PREFIX — verify 'Origin AS' column

3. Trace the path from multiple geographic locations

# Use traceroute to see where traffic is being diverted
traceroute -n YOUR_IP

# Use RIPE Atlas for multi-point measurement (requires atlas account)
# Or use online tools: ping.pe, traceroute.org

4. Check RPKI validation status of your prefix

# Verify RPKI ROA exists and is valid for your prefix
curl "https://stat.ripe.net/data/rpki-validation/data.json?resource=YOUR_ASN&prefix=YOUR_PREFIX/24" \
  | python3 -m json.tool | grep '"status"'

# If status is NOT_FOUND or INVALID, your prefix is not RPKI-signed

5. Contact your upstream providers

# Identify your upstream transit providers via BGP
# Check your router's BGP table if accessible
show ip bgp summary        # Cisco/Juniper/FRR
show bgp summary           # Bird2

# Or use RIPE Stat to see your current upstreams
curl "https://stat.ripe.net/data/asn-neighbours/data.json?resource=YOUR_ASN" \
  | python3 -m json.tool | grep '"left"'

Solution

Immediate: Contact your BGP peers and upstream providers

Action 1: Call your upstream transit providers' NOC hotline immediately.
Give them the hijacking AS number and your prefix — they can filter the rogue announcement upstream.

Action 2: Issue a BGP community-based blackhole or emergency withdrawal to your peers.

Create an RPKI ROA (Route Origin Authorisation)

RPKI ROAs cryptographically bind your prefix to your ASN, and RPKI-validating routers will reject invalid originations.

1. Log in to your RIR portal (ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC).
2. Navigate to 'RPKI' → 'Create ROA'.
3. Enter:
   - IP Prefix: YOUR_PREFIX/24
   - Origin AS: YOUR_ASN
   - Maximum Length: 24 (or /25 if you sub-announce)
4. Publish the ROA.
5. Verify with: curl "https://stat.ripe.net/data/rpki-validation/data.json?resource=YOUR_ASN&prefix=YOUR_PREFIX/24"

Announce a more-specific prefix as a countermeasure

If you cannot remove the hijack via NOC calls, announcing a /25 from your own ASN will win over the hijacker's /24 in longest-prefix-match routing:

# On your router (FRR/Bird2/Juniper)
# Add a more-specific /25 announcement to reclaim traffic
network YOUR_PREFIX_FIRST_HALF/25
network YOUR_PREFIX_SECOND_HALF/25

Set up ongoing BGP monitoring

Register with BGPmon (free for small prefixes) for email alerts on new origin ASNs.
Configure RIPE RIS route collectors to watch your prefix.

Prevention

Publish RPKI ROAs for all your prefixes: This is the single most impactful mitigation — RPKI-validating routers (now >50% of the internet) will automatically reject hijacked announcements of your prefix.
Configure BGP route filtering on all sessions: Use prefix lists and AS-path ACLs on all eBGP peers — only accept announcements for prefixes your peers are authorised to advertise.
Sign up for BGP monitoring: BGPmon, RIPE Stat alerts, or Kentik DDoS Defense provide real-time notification when your prefix is seen from an unexpected ASN.
Implement BGPSEC (where available): BGP path validation via cryptographic signatures prevents AS-path forgery in addition to origin forgery.
Document your IRR (Internet Routing Registry) entries: Keep ARIN/RIPE route objects up to date so filtering tools can validate your advertisements.

Related Protocols

BGP IPV4 IPV6 TCP

Related Terms

bgp-hijack autonomous-system prefix routing rpki bgp

More in Security

Active DDoS Attack Response Advanced Detecting and Responding to Port Scans Intermediate Expired SSL Certificate in Production Beginner IP Address Blacklisted on RBL Intermediate Open DNS Resolver Being Abused Intermediate SSH Brute-Force Attack Detection Intermediate

Scenario Info

Difficulty Advanced

Category Security

Diagnostic Tools

whois-lookup ip-converter

Quick Links

All Scenarios Threat Profiles Glossary