Why BGP hijacking still threatens global networks

24 June 2025


BGP hijacking may be a decades-old problem, but it’s far from solved. In recent years, we’ve seen headline-making incidents that show how this exploit in the internet’s core routing protocol continues to disrupt services and threaten security.

From accidental route leaks to deliberate malicious hijacks, the Border Gateway Protocol (BGP) remains vulnerable — and the fallout can ripple across the globe.

In this article, we explain what BGP hijacking is and why it remains a threat to network security in 2024 and 2025, and walk through real-world examples of recent BGP hijacks. We also explore why current defenses against BGP hijacking are still insufficient and what the internet community can do to improve routing security. Finally, we discuss how Qrator Labs' services and resources can help protect your network from BGP hijacking and strengthen routing security.

What is BGP hijacking and why it’s so dangerous

At its core, BGP hijacking is when an attacker (or sometimes a misconfigured network) illegitimately announces IP address prefixes that belong to someone else, tricking other networks into sending traffic down the wrong path. In essence, the hijacker impersonates the rightful owner of a block of IP addresses on the global routing system. Because BGP is built on trust — assuming that announcements from other networks are truthful — there’s little inherent verification. This means when a bad actor (or careless operator) announces a more attractive route, many routers will believe it.

The consequences are serious: traffic meant for the legitimate network gets rerouted through the hijacker’s network. In the best case, this causes a denial of service or outage for the affected prefix. In worse cases, the hijacker can intercept and inspect the traffic, or even impersonate services. Imagine your data or customers’ requests quietly being siphoned to an attacker’s server — a successful BGP hijack makes this possible. Past incidents have led to interception of sensitive data, redirection of users to malicious sites, and widespread service disruptions.

Attackers have even pulled off massive heists of traffic by placing themselves in the middle of large data flows. In one notorious case, attackers hijacked Amazon’s DNS traffic to redirect cryptocurrency wallet users to a fake website — stealing their money in the process. These examples illustrate that BGP hijacks can be as damaging as any cyberattack, enabling espionage, theft, or simply chaos, all by exploiting the internet’s routing trust model.

The fundamental issue here is that BGP, often called the “glue” that holds the internet together, was not designed with security in mind. It’s like a postal system that trusts anyone with a mailbag — if someone falsely claims “I know the best route for that package,” the system tends to accept it. This lack of built-in validation in BGP makes it possible for malicious route announcements or mistakes to propagate widely. And the more widely a bad route spreads (for example, if it reaches major internet carriers), the more traffic gets misdirected.

Two recent BGP hijacking incidents (2024–2025)

To understand the real-world impact, let’s look at a couple of recent BGP hijack incidents that made waves in the cybersecurity community. These examples from 2024 highlight how even well-defended networks can be caught off-guard:

1. Cloudflare’s 1.1.1.1 DNS hijack (June 2024)

On June 27, 2024, users around the world noticed they could not reach Cloudflare’s popular 1.1.1.1 DNS resolver. The root cause turned out to be a combination of BGP hijacking and a route leak. In this incident, a Brazilian ISP (AS267613) improperly announced the single-address prefix 1.1.1.1/32 as if it were its own. Despite Cloudflare having a valid BGP security setup (the prefix 1.1.1.0/24 was properly signed under RPKI), the rogue announcement was accepted by multiple networks — including at least one Tier-1 internet provider. Because a /32 is more specific than the legitimate /24, routers that accepted it preferred it, and traffic to 1.1.1.1 was misrouted and essentially blackholed for many users. Over 300 networks in 70 countries were affected to some degree by the hijack, rendering Cloudflare’s DNS service unreachable in those areas. Although the overall percentage of users impacted was relatively small (under 1% in places like the UK and Germany), the incident was a wake-up call. It showed that even a security-conscious company like Cloudflare, an early adopter of route security, can’t fully prevent BGP mishaps on its own when upstream networks don’t enforce protections.

2. Regional research network hijack (July 2024)

In July 2024, a U.S. research & education (R&E) network experienced a severe hijack that disrupted services. A commercial ISP outside the US began announcing IP prefixes belonging to the R&E network — effectively stealing the routes. To make matters worse, the hijacker used a common technique of announcing more specific routes (smaller IP ranges) than the legitimate ones, which BGP naturally prefers. The result was that traffic destined for the R&E network was diverted to the hijacker, knocking offline key applications and connectivity for institutions. The victimized network quickly responded by issuing a Route Origin Authorization (ROA) in the global Resource Public Key Infrastructure (RPKI) system, essentially declaring the legitimate origin of those IPs to the world. This should have stopped the hijack — and indeed many networks rejected the bad routes once the ROA was in place. However, one major cloud provider had not yet implemented RPKI route validation, so their routers kept accepting the bogus announcements, delaying full recovery until engineers could contact that provider directly. This incident not only demonstrates the potency of BGP hijacks in targeting even niche networks, but also shows how inconsistent security adoption (like partial RPKI uptake) can leave holes in our defenses.
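Both incidents above turn on the same mechanic: BGP prefers the most specific matching prefix, so a /32 or a pair of /25s beats the legitimate /24 regardless of who announced it. The following simulation, added here as an illustration and not code from the article or from Qrator Labs, models a router's routing table with longest-prefix-match selection (AS-path length as a tiebreaker, a simplification of real best-path selection). AS267613 and 1.1.1.0/24 are taken from the June 2024 example; the other ASNs (64496–64498) and 203.0.113.0/24 are documentation values constructed for the example. It also shows the limited counter-measure mentioned later in the text, re-announcing more specifics from the legitimate origin, and why that cannot work against a /32.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # AS numbers from nearest neighbour to origin; last element is the origin AS

    @property
    def origin(self):
        return self.as_path[-1]


def route(prefix, *as_path):
    return Route(ipaddress.ip_network(prefix), tuple(as_path))


def best_route(rib, destination):
    """Pick the route a router would use for `destination`: longest prefix wins,
    then the shortest AS path. Path length never overrides prefix length."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


# Constructed ASNs (documentation range) standing in for the real parties.
LEGIT_ORIGIN = 64496
TRANSIT = 64497
HIJACKER_UPSTREAM = 64498
HIJACKER = 267613  # the ASN named in the article's June 2024 example


def dns_resolver_hijack():
    """The /32 hijack: a longer AS path does not help the legitimate /24."""
    rib = [
        route("1.1.1.0/24", TRANSIT, LEGIT_ORIGIN),
        route("1.1.1.1/32", TRANSIT, HIJACKER_UPSTREAM, HIJACKER),
    ]
    return best_route(rib, "1.1.1.1").origin


def more_specific_hijack_and_counter():
    """The July 2024 pattern: hijacker splits the victim's /24 into two /25s.
    Returns (origin chosen before the counter-measure, origin chosen after)."""
    rib = [
        route("203.0.113.0/24", TRANSIT, LEGIT_ORIGIN),
        route("203.0.113.0/25", TRANSIT, HIJACKER),
        route("203.0.113.128/25", TRANSIT, HIJACKER),
    ]
    before = best_route(rib, "203.0.113.10").origin
    # Victim re-announces /26s from its own origin; these now win longest-prefix match.
    # This does not generalize: nothing is more specific than a hijacked /32.
    for sub in ipaddress.ip_network("203.0.113.0/24").subnets(new_prefix=26):
        rib.append(Route(sub, (TRANSIT, LEGIT_ORIGIN)))
    after = best_route(rib, "203.0.113.10").origin
    return before, after


if __name__ == "__main__":
    print("1.1.1.1 is delivered to AS", dns_resolver_hijack())
    print("before/after counter-announcement:", more_specific_hijack_and_counter())
```

Run it and traffic for 1.1.1.1 lands at AS267613 even though the hijacker's path is longer; in the second scenario the victim wins back its /24 only by fragmenting it further, which is why the text treats this as a stop-gap rather than a fix.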

Why existing defenses still fall short

If BGP hijacking is such a well-known danger, why haven’t we fixed it by now? The short answer is that securing BGP is hard — both technically and organizationally. Over the years, the internet community has introduced several protections, but each comes with limitations. Here are the challenges and why current mitigation techniques are still insufficient:

1. No built-in authentication. The BGP protocol itself lacks a strong authentication mechanism for route announcements. By default, routers trust what they hear. This means a bogus route can slip through if not caught by external filters. Efforts like BGPsec (which would cryptographically sign routes) exist, but they require a complex overhaul and are not widely deployed. Today, most networks still rely on trust and manual checks, leaving ample room for hijacks caused by either malicious intent or simple misconfiguration.

2. Partial deployment of RPKI Route Origin Authorization/Validation. One of the most promising defenses is the Resource Public Key Infrastructure (RPKI), which allows IP address owners to publish Route Origin Authorizations (ROAs) declaring which AS is allowed to announce their prefixes. When networks enable Route Origin Validation (ROV) using RPKI, they can reject hijacked routes that don’t match the legitimate owner. The catch? RPKI is only as effective as its adoption. As of 2024, about 50% of global IP prefixes were covered by ROAs — a major milestone, but that still leaves half the internet unprotected. Moreover, not all ISPs enforce ROV even when ROAs exist. In the Cloudflare incident, at least one Tier-1 carrier accepted an RPKI-invalid route (the 1.1.1.1/32 announcement), nullifying the protection. Simply put, many networks have not yet done their part in deploying RPKI, so a hijacker can often find a path through non-validating providers.

3. Inconsistent filtering and policies. Best practices for ISPs include setting up strict routing filters — for example, using Internet Routing Registry (IRR) databases and customer route whitelists to ensure only legitimate prefixes are announced. However, not all networks implement these filters diligently, and those that do may not update them in real-time. There are only best-effort safeguards in wide deployment today, like IRR prefix-list filtering, and these are far from foolproof. A small ISP’s mistake can still propagate globally if larger providers aren’t filtering it. In our July 2024 example, one network leaking routes caused major cloud providers to misroute traffic — partly because peers weren’t consistently filtering what they learned. The lack of universal route filtering standards means the chain is only as strong as its weakest link.

4. Slow detection and response. Even with monitors in place, catching a BGP hijack often relies on out-of-band alerts and human intervention. Projects and services exist that monitor BGP announcements globally and can send alerts (for instance, BGPMon, RIPE RIS, or Qrator.Radar’s real-time feeds). These help — operators can be notified within minutes of an anomalous route. But then someone still has to reach out to the offending network to fix it, or implement a countermeasure like announcing more specific routes or updating filters. This process can take time, especially if the hijack is malicious (the attacker won’t cooperate) or if the responsible party is slow to react. During that window, traffic is impacted. In a crisis, every minute counts, and our current reliance on manual coordination (emails, phone calls between network engineers) means mitigation isn’t always fast enough.

5. Emerging solutions not yet widespread. Beyond RPKI, other proposals aim to improve routing security — for example, ASPA (Autonomous System Provider Authorization) to prevent route leaks by verifying upstream relationships, and BGPsec, mentioned above, for path validation. However, these require broad industry adoption and upgrades to router software and hardware. As of 2025, they remain in early stages. Network operators are often hesitant to enable new BGP features that might introduce complexity or instability. Thus, the practical defenses available today boil down to RPKI origin validation, manual filtering, and monitoring/alerting. Each of these helps reduce incidents, but none is a silver bullet on its own.
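Points 2, 3 and 4 above describe three separate controls: RPKI origin validation, customer prefix-list filtering, and out-of-band monitoring. The following example, added here and not code from the article or from any Qrator Labs product, implements all three against a constructed feed of BGP updates as one router might see them. The ROV logic follows RFC 6811 (a prefix is valid if some covering ROA names its origin AS and the prefix is no longer than that ROA's maximum length; invalid if covered but no ROA matches; not-found if nothing covers it). AS267613 and 1.1.1.0/24 come from the June 2024 example; the remaining ASNs and prefixes are documentation values constructed for this example, and the `validate=False` switch models a provider that has ROA data available but does not enforce it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix, up to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    origin_as: int   # last AS in the AS_PATH
    peer_as: int     # neighbour the update was received from


def net(s):
    return ipaddress.ip_network(s)


# Constructed ASNs from the documentation/private-use ranges; 267613 is from the article.
LEGIT_DNS_ORIGIN = 64496
TRANSIT_PEER = 64497
OTHER_PEER = 64498
CUSTOMER = 64500
HIJACKER = 267613

ROAS = [
    ROA(net("1.1.1.0/24"), 24, LEGIT_DNS_ORIGIN),
    ROA(net("203.0.113.0/24"), 24, CUSTOMER),
]

# Constructed IRR-derived prefix-list: what each customer session is allowed to announce.
# Peers and transit providers have no such list here, which is the common real-world gap.
CUSTOMER_PREFIX_LISTS = {
    CUSTOMER: [(net("203.0.113.0/24"), 24)],
}

# Constructed feed of updates arriving at one router.
FEED = [
    Announcement(net("1.1.1.0/24"), LEGIT_DNS_ORIGIN, TRANSIT_PEER),
    Announcement(net("1.1.1.1/32"), HIJACKER, TRANSIT_PEER),    # the /32 hijack
    Announcement(net("198.51.100.0/24"), CUSTOMER, CUSTOMER),   # customer announcing space it does not hold
    Announcement(net("192.0.2.0/24"), OTHER_PEER, OTHER_PEER),  # no ROA exists for this prefix
]


def rov_state(ann, roas):
    """RFC 6811 Route Origin Validation: returns 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.origin_as == ann.origin_as and ann.prefix.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def ingress_policy(ann, roas, prefix_lists, validate=True):
    """Accept or reject one update: customer prefix-list first, then ROV.
    validate=False models a provider that does not enforce ROV."""
    if ann.peer_as in prefix_lists:
        allowed = prefix_lists[ann.peer_as]
        if not any(ann.prefix.subnet_of(p) and ann.prefix.prefixlen <= ml for p, ml in allowed):
            return "rejected: not in customer prefix-list"
    if not validate:
        return "accepted: ROV not enforced"
    state = rov_state(ann, roas)
    if state == "invalid":
        return "rejected: RPKI invalid"
    return f"accepted: RPKI {state}"


def apply_policy(feed=FEED, validate=True):
    return [ingress_policy(a, ROAS, CUSTOMER_PREFIX_LISTS, validate) for a in feed]


def detect_hijacks(feed, owned):
    """Monitor view: flag any announcement of an owned prefix, or of a more-specific
    inside it, whose origin is not the expected AS. `owned` maps prefix -> origin AS."""
    alerts = []
    for ann in feed:
        for prefix, origin in owned.items():
            if ann.prefix.subnet_of(prefix) and ann.origin_as != origin:
                kind = "more-specific" if ann.prefix.prefixlen > prefix.prefixlen else "origin"
                alerts.append((str(ann.prefix), ann.origin_as, kind + " hijack"))
    return alerts


if __name__ == "__main__":
    for ann, verdict in zip(FEED, apply_policy()):
        print(f"{str(ann.prefix):18} origin AS{ann.origin_as:<7} {verdict}")
    print("same /32 at a non-validating provider:", apply_policy(validate=False)[1])
    print("monitor alerts:", detect_hijacks(FEED, {net('1.1.1.0/24'): LEGIT_DNS_ORIGIN}))
```

The last prefix in the feed is the case the text calls the unprotected half of the internet: with no ROA it is accepted as not-found, so a hijack of it would pass ROV untouched. The monitor is deliberately separate from the policy: it sees the /32 whether or not this router rejected it, which is what makes out-of-band detection useful when a non-validating upstream has already accepted the route.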

Closing thoughts — strengthening routing security

BGP hijacking isn’t just an abstract protocol vulnerability — it’s a clear and present danger to global networks, businesses, and users. The incidents of the past two years show that without collective action, we’ll keep reliving these outages and attacks. Three things need to change:

1. Awareness and accountability need to improve. Every network operator, from small regional ISPs to Tier-1 carriers, should treat routing security as mission-critical. That means implementing measures like RPKI and filtering now, not someday. It also means joining industry initiatives (such as MANRS — Mutually Agreed Norms for Routing Security) to share best practices and be part of a community effort.

2. Organizations should equip themselves with the right tools. Continuous monitoring of BGP routes is useful to catch problems early. Services like Qrator.Radar can provide real-time alerts and analytics by leveraging one of the world’s largest collections of BGP data feeds. Such platforms use unique algorithms to detect network incidents in real time, helping network teams pinpoint hijacks or leaks as they happen.

3. Consider partnering with experts who live and breathe internet routing. Qrator Labs, for instance, has spent years researching BGP anomalies and developing solutions to mitigate them. Whether it’s through consulting on best practices, deploying automated filtering systems, or using Qrator’s Anti-DDoS and routing security services, there are ways to reduce your risk.

Don’t let your network become the next cautionary tale.

Take action to improve routing security. Put protections in place, keep a close eye on your network, and work with partners who can help. This way, you’re not only keeping your organization safe — you’re also helping make the global internet stronger and more secure for everyone. Check out Qrator.net for tools and resources to strengthen your network’s BGP security today.
