BGP Hijacker

Critical Active Attack

BGP hijacking occurs when an autonomous system (AS) maliciously or erroneously announces IP prefixes it does not legitimately hold, so that routers across the internet install paths toward the hijacker instead of the legitimate origin. The attacker can then intercept traffic (man-in-the-middle), black-hole it, or, as in the 2018 Amazon Route 53 incident, redirect users to a phishing site and steal cryptocurrency, all at internet scale. Because BGP itself authenticates neither the origin of a prefix nor the AS path, a hijack can propagate globally within minutes and affect millions of users before it is detected and withdrawn. A more-specific announcement is especially effective: BGP prefers the longest matching prefix before it considers any other attribute, so a hijacked /24 beats the legitimate /22 everywhere it is accepted.


Critical Severity

This threat is classified as critical severity. Immediate action required.

🔍Indicators

  • Sudden appearance of a new origin AS for a previously stable IP prefix
  • A shorter AS path offered via the hijacking AS (all else being equal, BGP prefers the shortest AS path, so networks topologically close to the hijacker switch to it first)
  • A more-specific announcement (e.g., a /24 carved out of a /22) from an unexpected origin; the longest match wins regardless of path length
  • Multiple origin ASes (MOAS) conflict for the same prefix in routing tables
  • Unexpected geographic shift in traffic routing as observed by traceroute or looking glass tools
  • RPKI Route Origin Validation failures (Invalid state: the origin AS or the prefix length does not match any covering ROA)
  • BGP route flapping on previously stable prefixes
  • Traffic to known IP ranges suddenly traversing unfamiliar ASNs (e.g., a US bank's traffic transiting a foreign AS)

🛡Detection Methods

RPKI validation check

# List validated ROA payloads (VRPs) from Routinator and pick out the prefix;
# the CSV columns are ASN, prefix, maxLength, trust anchor
routinator vrps --format csv | grep "203.0.113.0/24"

# List the IRR route objects registered with AS64496 as origin, using bgpq4.
# bgpq4 takes AS numbers or AS-SETs, not prefixes, and an IRR route object is a
# registration rather than a cryptographic proof: it complements RPKI, it does not replace it
bgpq4 -4 AS64496 | grep "203.0.113.0/24"

BGP looking glass — verify announcement

# Query RIPEstat (built on RIPE RIS collector data) for the current BGP state of a prefix.
# Each entry's AS path ends in the origin AS, so list one entry per distinct origin:
# more than one origin for the same prefix is a MOAS conflict
curl -s "https://stat.ripe.net/data/bgp-state/data.json?resource=203.0.113.0/24" | \
  jq '[.data.bgp_state[] | {prefix: .target_prefix, origin: .path[-1], path: .path}] | unique_by(.origin)'

# Replay how the announcement spread over time with BGPlay (RIPE NCC / Massimo Candela)
# https://bgplay.massimocandela.com/

Python: detect MOAS conflicts with pybgpstream

import pybgpstream
from collections import defaultdict

# Pull one hour of UPDATE messages from the route-views2 collector for the
# prefix and anything more specific than it (filter syntax: exact/more/less/any)
stream = pybgpstream.BGPStream(
    from_time="2024-01-01 00:00:00",
    until_time="2024-01-01 01:00:00",
    collectors=["route-views2"],
    record_type="updates",
    filter="prefix more 203.0.113.0/24",
)

origins = defaultdict(set)  # prefix -> set of origin ASNs seen announcing it
for elem in stream:
    if elem.type != "A":  # announcements only; skip withdrawals
        continue
    path = elem.fields["as-path"].split()  # space-separated ASNs, origin last
    if path:
        origins[elem.fields["prefix"]].add(path[-1])

for prefix, asns in origins.items():
    if len(asns) > 1:  # more than one origin AS for the same prefix = MOAS conflict
        print(f"MOAS conflict on {prefix}: origins {sorted(asns)}")

Snort / Suricata — BGP session anomaly

# $BGP_PEERS must be defined in the sensor config as the addresses allowed to peer
# with your routers. Content matching alone cannot tell a legitimate origin from a
# hijacked one (the 16-byte 0xFF marker is present in every BGP message), so this
# rule flags the session-level anomaly: an OPEN (type byte 0x01 at offset 18)
# arriving from a non-allow-listed source.
alert tcp !$BGP_PEERS any -> $HOME_NET 179 \
  (msg:"BGP OPEN from non-allow-listed peer"; \
   flow:to_server,established; \
   content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; \
   content:"|01|"; offset:18; depth:1; \
   classtype:policy-violation; sid:9100020; rev:2;)
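An IDS signature can only match the fixed BGP header; to say anything about which AS originates a prefix, a detector has to decode the UPDATE message itself. The following is an added example (not code from the original page or from any IDS project) that builds a BGP UPDATE per RFC 4271, parses it back, and flags announcements whose origin AS differs from an expected-holder table. It assumes the session negotiated 4-octet AS numbers (RFC 6793), so AS_PATH carries 4-byte ASNs; the prefixes, ASNs and next hops are constructed documentation values.

```python
# Added example (not from the original page): build and parse a BGP UPDATE
# message (RFC 4271) to show what a detector must decode before it can say
# anything about a prefix's origin. Assumes the session negotiated 4-octet AS
# numbers (RFC 6793), so AS_PATH carries 4-byte ASNs. All bytes are constructed.
import ipaddress
import struct

MARKER = b"\xff" * 16                # fixed 16-byte marker, present in every BGP message
UPDATE = 2                           # message types: 1 OPEN, 2 UPDATE, 3 NOTIFICATION, 4 KEEPALIVE
AS_SET, AS_SEQUENCE = 1, 2           # AS_PATH segment types
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3  # path attribute type codes


def encode_prefix(prefix):
    """NLRI encoding: one length byte, then only the octets the mask covers."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_update(prefix, as_path, next_hop):
    """Constructed UPDATE announcing one IPv4 prefix with ORIGIN=IGP, a single
    AS_SEQUENCE segment and a NEXT_HOP. Attribute flags 0x40 = well-known transitive."""
    origin_attr = bytes([0x40, ORIGIN, 1, 0])
    segment = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!I", a) for a in as_path)
    as_path_attr = bytes([0x40, AS_PATH, len(segment)]) + segment
    next_hop_attr = bytes([0x40, NEXT_HOP, 4]) + ipaddress.IPv4Address(next_hop).packed
    attrs = origin_attr + as_path_attr + next_hop_attr
    body = struct.pack("!HH", 0, len(attrs)) + attrs + encode_prefix(prefix)  # no withdrawn routes
    return MARKER + struct.pack("!HB", 19 + len(body), UPDATE) + body


def decode_prefixes(buf):
    """Decode a run of IPv4 NLRI / withdrawn-route entries into 'a.b.c.d/len' strings."""
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        octets = buf[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        out.append(f"{ipaddress.IPv4Address(octets)}/{plen}")
        i += 1 + nbytes
    return out


def parse_update(msg):
    """Parse one UPDATE: withdrawn and announced prefixes, AS_PATH segments, origin AS."""
    if msg[:16] != MARKER:
        raise ValueError("bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != UPDATE or length != len(msg):
        raise ValueError("not a complete UPDATE")
    i = 19
    wlen = struct.unpack("!H", msg[i:i + 2])[0]
    i += 2
    withdrawn = decode_prefixes(msg[i:i + wlen])
    i += wlen
    attrs_len = struct.unpack("!H", msg[i:i + 2])[0]
    i += 2
    attrs_end = i + attrs_len
    segments = []
    while i < attrs_end:
        flags, code = msg[i], msg[i + 1]
        if flags & 0x10:  # extended-length flag: the length field is 2 bytes
            alen = struct.unpack("!H", msg[i + 2:i + 4])[0]
            i += 4
        else:
            alen = msg[i + 2]
            i += 3
        value = msg[i:i + alen]
        i += alen
        if code == AS_PATH:
            j = 0
            while j < len(value):
                seg_type, n = value[j], value[j + 1]
                asns = list(struct.unpack(f"!{n}I", value[j + 2:j + 2 + 4 * n]))
                segments.append((seg_type, asns))
                j += 2 + 4 * n
    origin = None
    if segments and segments[-1][0] == AS_SEQUENCE:  # a trailing AS_SET has no single origin
        origin = segments[-1][1][-1]
    return {"withdrawn": withdrawn, "announced": decode_prefixes(msg[attrs_end:]),
            "as_path": segments, "origin": origin}


def unexpected_origin(msg, expected):
    """Prefixes in this UPDATE whose origin AS is not the expected holder."""
    update = parse_update(msg)
    return [p for p in update["announced"] if p in expected and expected[p] != update["origin"]]


# Constructed: who should originate what, plus one legitimate and one hijacked announcement.
EXPECTED = {"203.0.113.0/24": 64496}
LEGIT = build_update("203.0.113.0/24", [64510, 64496], "192.0.2.1")
HIJACK = build_update("203.0.113.0/24", [64510, 64511], "192.0.2.2")

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("hijack", HIJACK)):
        print(name, parse_update(msg)["origin"], unexpected_origin(msg, EXPECTED))
```

The same decoding is what a passive BGP collector or an IDS with a BGP protocol parser would do on the TCP/179 stream; a plain content match cannot reach the NLRI because the path attributes in front of it are variable length.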

Mitigation

  1. Deploy RPKI (Resource Public Key Infrastructure) and create ROAs for all your prefixes via your RIR (ARIN, RIPE NCC, APNIC, etc.). Set each ROA's maxLength to the length you actually announce (RFC 9319): a loose maxLength lets an attacker who forges your origin AS announce a more-specific that still validates.
  2. Enable RPKI-based Route Origin Validation (ROV) on your routers so that Invalid routes are dropped. Cisco IOS-XR example (192.0.2.10 stands in for your local RPKI-to-router validator, 192.0.2.1 for the peer):

     router bgp 64496
      rpki server 192.0.2.10
       transport tcp port 323
      !
      bgp bestpath origin-as use validity
      neighbor 192.0.2.1
       address-family ipv4 unicast
        route-policy RPKI-INVALID-DROP in
     !
     route-policy RPKI-INVALID-DROP
       if validation-state is invalid then
         drop
       endif
     end-policy

     Note that "bgp bestpath origin-as allow invalid" does the opposite of what its name suggests for this purpose: it lets Invalid paths compete for best path.
  3. Announce your space as /24s (IPv4) or /48s (IPv6) where your routing policy allows: most networks accept nothing more specific, so a hijacker cannot out-specify you. Weigh this against routing-table growth, and keep ROA maxLength aligned with what you announce.
  4. Register your prefixes in IRR (Internet Routing Registry) and keep route objects current, since many upstreams build their prefix filters from them.
  5. Monitor your prefix announcements continuously using services like Cloudflare Radar, RIPEstat, or BGPmon.
  6. Implement BGP session security: authenticate sessions with TCP-AO (RFC 5925) where supported, or TCP MD5 (RFC 2385) otherwise; enable TTL security (GTSM, RFC 5082); and apply per-peer prefix lists and maximum-prefix limits.
  7. Coordinate with your upstream ISPs to drop RPKI-Invalid announcements and enforce IRR-based prefix filters.
  8. Subscribe to BGP hijacking alert services (e.g., Cloudflare Radar alerts) or run the open-source BGPalerter against the RIPE RIS Live feed.
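The Invalid indicator under Detection and the ROV policy in step 2 both rest on the RFC 6811 origin validation algorithm, which routers run against the VRPs a validator such as Routinator feeds them. The following added example (not code from the original page, from Routinator, or from any router vendor) implements that algorithm in Python, reports the three states, and runs it together with a MOAS check over a constructed VRP set and constructed announcements. All prefixes are documentation space and all ASNs are private-use; they are assumptions for illustration.

```python
# Added example (not code from the original page): RFC 6811 route origin
# validation plus MOAS detection over constructed data. The VRPs mirror what
# `routinator vrps` would list; the announcements are made up, using
# documentation prefixes and private-use ASNs (AS64496..64511).
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: origin AS, covering prefix, maxLength."""
    asn: int
    prefix: str
    max_length: int


# Constructed VRP set: AS64496 holds 203.0.113.0/24 and 198.51.100.0/24 with
# maxLength 24 (no more-specifics allowed); AS64500 holds 2001:db8::/32 down to /48.
VRPS = [
    VRP(64496, "203.0.113.0/24", 24),
    VRP(64496, "198.51.100.0/24", 24),
    VRP(64500, "2001:db8::/32", 48),
]


def rov_state(prefix, origin_as, vrps):
    """RFC 6811 origin validation.
    NotFound: no VRP covers the prefix (no ROA published for that space).
    Valid:    a covering VRP has the same origin AS and prefixlen <= maxLength.
    Invalid:  covered, but no VRP matches (wrong origin or too specific).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        vnet = ipaddress.ip_network(vrp.prefix)
        if net.version != vnet.version or not net.subnet_of(vnet):
            continue
        covered = True
        if vrp.asn == origin_as and net.prefixlen <= vrp.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def origin_of(as_path):
    """Origin AS = rightmost ASN of the AS_PATH. A trailing AS_SET ({...}) has
    no single origin, so return None; it can then never match a VRP."""
    last = as_path.split()[-1]
    return None if last.startswith("{") else int(last)


def analyse(updates, vrps):
    """Group announcements by prefix; record each origin's ROV state and flag
    a MOAS conflict when more than one origin AS is seen for the same prefix."""
    seen = defaultdict(dict)  # prefix -> {origin_as: rov_state}
    for prefix, as_path in updates:
        origin = origin_of(as_path)
        seen[prefix][origin] = rov_state(prefix, origin, vrps)
    return {p: {"origins": o, "moas": len(o) > 1} for p, o in seen.items()}


# Constructed announcements: (prefix, AS_PATH as a collector would see it).
UPDATES = [
    ("203.0.113.0/24", "64510 64502 64496"),     # legitimate holder
    ("203.0.113.0/24", "64510 64503 64511"),     # same prefix, wrong origin: MOAS + Invalid
    ("203.0.113.128/25", "64510 64511"),         # more-specific hijack, also Invalid
    ("192.0.2.0/24", "64510 64504"),             # no ROA at all: NotFound
    ("2001:db8:1::/48", "64510 64500"),          # within maxLength: Valid
    ("198.51.100.0/24", "64510 {64496,64497}"),  # AS_SET origin: Invalid
]

if __name__ == "__main__":
    for prefix, finding in analyse(UPDATES, VRPS).items():
        flag = "  <-- MOAS" if finding["moas"] else ""
        print(f"{prefix}: {finding['origins']}{flag}")
```

Two points worth noticing in the output: a /25 announced by the legitimate AS64496 is still Invalid because the ROA's maxLength is 24, which is exactly why step 1 says to keep maxLength tight; and 192.0.2.0/24 comes back NotFound rather than Invalid, so ROV alone cannot protect a prefix that has no ROA.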

📋Real-World Examples

In April 2018, announcements for several /24s covering about 1,300 Amazon Route 53 addresses were hijacked through AS10297 (eNet) so that DNS lookups for myetherwallet.com returned a phishing server; roughly $150,000 in Ether was stolen in the two hours before the routes were corrected. In April 2020, Russia's Rostelecom (AS12389) originated some 8,800 prefixes belonging to more than 200 networks, including Google, Amazon, Facebook, Akamai and Cloudflare, for roughly an hour. In February 2008, Pakistan Telecom (AS17557), attempting to block YouTube domestically, announced 208.65.153.0/24, a more-specific of YouTube's 208.65.152.0/22; its upstream PCCW (AS3491) propagated the route globally, and because the /24 is a longer match than the /22, YouTube was unreachable worldwide for about two hours.
