BGP hijacking definition
BGP hijacking is an illegitimate BGP announcement from a malicious or misconfigured autonomous system (AS) that causes the redirection of Internet traffic to an unintended AS. In essence, the offending AS, either intentionally or by mistake, reroutes traffic destined for other recipients to its own network, creating serious cybersecurity risks.
BGP hijacking incidents can result in the interception of sensitive data, the redirection of users to malicious websites, data loss, service disruptions, and other serious issues. The fundamental flaw that makes BGP hijacking possible is the trust-based nature of the Border Gateway Protocol (BGP), which forms the backbone of the modern Internet.
What is Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is the Internet’s routing protocol that enables autonomous systems to exchange information about the most efficient data paths from one AS to another. Similar to a ZIP-code system, BGP helps direct traffic across the Internet, continuously optimizing routes based on network conditions and routing efficiency.
An Autonomous System (AS) is a collection of IP networks managed by a single authority under a unified routing policy. Examples of ASes include large Internet service providers (ISPs) and networks belonging to major organisations, such as corporations, universities, and government agencies. Each AS is identified by a unique Autonomous System Number (ASN), which is used in BGP routing to exchange information with other autonomous systems across the Internet.
The modern Internet infrastructure consists of tens of thousands of autonomous systems interconnected in a complex, mesh-like structure. Finding the most efficient path from one AS to another would be impossible without a protocol like BGP, making it essential to the Internet’s operation.
How BGP hijacking works
BGP hijacking occurs when an autonomous system (AS) announces false or illegitimate routes, misleading other ASes into directing Internet traffic through it. This can happen unintentionally, due to misconfiguration, or with malicious intent. The mechanics of such incidents generally boil down to two basic scenarios:
- Shorter path announcement: Among announcements for the same prefix, BGP prefers the route with the shortest AS path (the fewest autonomous systems to traverse). In this scenario, the offending AS announces the victim's IP address range with a shorter AS path than any existing route. Neighboring ASes, trusting the announcement, redirect traffic through the hijacker’s AS.
- More specific path announcement: Routers forward traffic on the longest (most specific) matching prefix, regardless of AS path length. If the hijacking AS announces a smaller IP range than the legitimate AS, this route is preferred for every address inside that range, and traffic is directed through the hijacker’s AS.

Both scenarios exploit the lack of validation in the Border Gateway Protocol (BGP), making BGP hijacking a serious threat to network security and stability. By default, BGP operates on trust, accepting route announcements without verification. This allows malicious or misconfigured ASes to introduce false routes.
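The two selection rules described above can be reproduced in a few lines. The following Python simulation is an added example written for this page, not code from the original text or from Qrator; it models only longest-prefix match and shortest AS path (real BGP applies further tie-breakers such as local preference and MED), and all prefixes and ASNs are constructed from documentation ranges (203.0.113.0/24, AS64496-AS64511). It shows that the shorter-path hijack captures the whole /24, while the more-specific hijack captures only the half of the /24 covered by the /25.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One BGP announcement as seen by our router.
    as_path[0] is the neighbour we heard it from, as_path[-1] is the origin AS."""
    prefix: str
    as_path: tuple


def best_route(dest_ip, routes):
    """Return the route a BGP speaker would use to forward to dest_ip, or None.

    Two rules model what the text describes (a deliberate simplification of
    the full BGP decision process):
      1. longest-prefix match: the most specific covering prefix always wins;
      2. among equally specific prefixes, the shortest AS_PATH wins.
    """
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                              len(r.as_path)))


# Constructed scenario (documentation ranges only): AS64500 legitimately
# originates 203.0.113.0/24, which we learn through two transit hops.
# AS64511 plays the hijacker in both scenarios.
VICTIM_AS = 64500
HIJACKER_AS = 64511
LEGIT = Route("203.0.113.0/24", (64496, 64497, VICTIM_AS))


def origin_chosen(dest_ip, routes):
    """Origin AS that actually receives traffic for dest_ip (None if unroutable)."""
    r = best_route(dest_ip, routes)
    return None if r is None else r.as_path[-1]


def scenario_shorter_path():
    """Hijacker announces the same /24 as a direct neighbour: 1 hop beats 3."""
    hijack = Route("203.0.113.0/24", (HIJACKER_AS,))
    return origin_chosen("203.0.113.10", [LEGIT, hijack])


def scenario_more_specific():
    """Hijacker announces a /25 over a LONGER path; longest-prefix match still
    prefers it, but only for addresses inside the /25."""
    hijack = Route("203.0.113.0/25", (64498, 64499, 64497, HIJACKER_AS))
    table = [LEGIT, hijack]
    return (origin_chosen("203.0.113.10", table),    # inside the /25
            origin_chosen("203.0.113.200", table))   # outside it, still legit


if __name__ == "__main__":
    print("no hijack:", origin_chosen("203.0.113.10", [LEGIT]))
    print("shorter path:", scenario_shorter_path())
    print("more specific (in /25, outside /25):", scenario_more_specific())
```

Nothing in best_route asks whether AS64511 is entitled to originate 203.0.113.0/24; that absence of an origin check is exactly the trust gap the text describes.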
Consequences of BGP hijacking
BGP hijacking can lead to a wide range of consequences, with severity ranging from moderate to critical, depending on the nature of the attack and the targeted systems. Here’s a breakdown of some of the most common outcomes:
- Increased latency: When traffic is rerouted through an unintended path, it can significantly increase the time it takes for data to reach its destination. This can lead to slow loading times, degraded performance for critical online services, and a poor user experience, especially for real-time applications like video conferencing, online gaming, or financial trading.
- Blackholing: BGP hijacking can result in “blackholing,” where traffic is dropped before it reaches its intended destination. This can cause partial or complete service outages, as users are unable to access websites or online services, effectively making them unreachable.
- Traffic monitoring: BGP hijacking can be used for passive attacks where traffic is rerouted through the attacker’s network without the users' knowledge. This allows the attacker to monitor and analyze sensitive data, potentially gathering information on user behavior, IP addresses and so on.
- Traffic interception: In more malicious cases, hijackers can actively intercept and manipulate data while it passes through their network. This could lead to data breaches, unauthorized access to confidential information, intellectual property theft, or tampering with the data in transit.
- Redirection to malicious websites: Hijackers can use BGP hijacking to redirect traffic to malicious websites, which host malware or phishing pages. This can lead to users unknowingly downloading harmful software or giving away sensitive information like login credentials.
Each of these consequences highlights the critical need for robust security measures to mitigate the risks posed by BGP hijacking. Without proper protections in place, organizations risk severe operational, financial, and reputational damage.
Real-world examples of BGP hijacking
The issue of BGP hijacking is by no means theoretical: hundreds of such incidents happen globally on a daily basis. Let's take a look at some of the most spectacular cases.
- KLAYswap cryptocurrency hijack (2022): On February 3, 2022, attackers hijacked BGP routes to the KLAYswap cryptocurrency platform, rerouting traffic and serving malicious scripts to the platform's users, which led to the theft of some $1.9 million worth of cryptocurrency.
- IBM Cloud outage (2020): On June 9, 2020, IBM Cloud suffered a global outage affecting its data centers worldwide, causing major service disruptions. The issue was traced to a BGP routing misconfiguration by an external provider, which disrupted traffic to IBM Cloud services for several hours.
- Amazon Route 53 / MyEtherWallet hijack (2018): This is a classic example of BGP hijacking. On April 24, 2018, attackers hijacked the BGP routes associated with AWS Route 53 DNS service and redirected traffic intended for the cryptocurrency website MyEtherWallet to a phishing page. The incident resulted in the theft of over $150,000 worth of cryptocurrency from MyEtherWallet users.
As these examples show, whether intentional or accidental, BGP hijacking can lead to substantial financial losses and widespread service disruptions, highlighting the significant risks that BGP vulnerabilities pose to the security and operational stability of critical online services.
BGP hijacking prevention and mitigation
Unfortunately, due to the inherent nature of BGP, it’s impossible for the victims of BGP hijacking to fully protect themselves. The core issue is that BGP was designed to operate on trust, meaning that when an offending autonomous system announces a false route, neighboring ASes accept it without verifying its legitimacy. Since BGP hijacking occurs in transit, there is little a victim can do to prevent it from happening.
Certain security measures have been introduced to improve the reliability of BGP, including BGP route filtering, BGP neighbor authentication, and more recently, Resource Public Key Infrastructure (RPKI) and Route Origin Authorization (ROA). While RPKI and ROA have already proven to be effective, they work similarly to vaccines: for them to be fully effective, they need widespread adoption among the majority of ASes, and we’re not quite there yet.
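To make the RPKI/ROA mechanism concrete, the following Python code is an added example for this page (not Qrator's code and not from the original text). It implements Route Origin Validation as specified in RFC 6811: an announcement is "valid" if some ROA covering its prefix names the same origin AS and permits that prefix length, "invalid" if ROAs cover the prefix but none permits it, and "not-found" if no ROA covers it at all. The ROA and the announcements are constructed from documentation ranges (AS64500 as the legitimate holder of 203.0.113.0/24, AS64511 as the hijacker). In production a router receives validated ROA data from an RPKI validator rather than a hard-coded list; the classification logic is the same.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may originate `prefix` and any
    more-specific of it down to `max_length`."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(prefix, origin_as, roas):
    """Classify one announcement as RFC 6811 does: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"      # no ROA says anything about this address space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"      # at least one covering ROA authorises this origin
    return "invalid"            # covered, but no ROA permits this origin/length


def filter_announcements(announcements, roas):
    """Apply the usual operator policy: drop 'invalid', keep 'valid' and 'not-found'.
    Returns (accepted, rejected) lists of (prefix, origin_as, state)."""
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        (rejected if state == "invalid" else accepted).append((prefix, origin, state))
    return accepted, rejected


# Constructed data: the legitimate holder published one ROA for its /24 with
# maxLength 24, i.e. it has NOT authorised itself to announce more-specifics.
ROAS = [ROA("203.0.113.0/24", 24, 64500)]

ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin            -> valid
    ("203.0.113.0/24", 64511),   # same prefix, wrong origin    -> invalid
    ("203.0.113.0/25", 64511),   # more-specific hijack         -> invalid
    ("203.0.113.0/25", 64500),   # holder exceeds its maxLength -> invalid
    ("198.51.100.0/24", 64511),  # no ROA exists at all         -> not-found
]

if __name__ == "__main__":
    for prefix, origin in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{origin}: {rov_state(prefix, origin, ROAS)}")
```

Two points the run makes visible. First, the "not-found" case is the one the vaccine analogy refers to: a prefix with no ROA gets no protection, which is why adoption by the address holders themselves matters. Second, ROV checks only the origin AS and the prefix length, not the rest of the AS path, and a holder that announces a more-specific than its own maxLength allows will see its own route rejected, so ROAs must be kept in step with real announcements.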
As a result, BGP vulnerabilities persist, and global Internet traffic remains at constant risk. This makes it essential for network engineers to actively monitor for BGP incidents to promptly address any issues that arise.
One of the most effective tools for this task is Qrator.Radar, an advanced real-time routing data collector and network anomaly detector. Qrator.Radar provides detailed analytics and incident notifications to help secure networks by quickly identifying BGP hijacks and other routing-related threats affecting them.