BGP Route Server Hijacking in a Nutshell

BGP hijacking (also called prefix hijacking, route hijacking or IP hijacking) is the illegitimate takeover of groups of IP addresses by corrupting the Internet routing tables maintained using the Border Gateway Protocol (BGP). In simpler terms, BGP hijacking is when an attacker maliciously reroutes Internet traffic by announcing address space it does not own. BGP is the protocol that networks (autonomous systems) use to tell each other which IP prefixes they can reach and through which path. Any network connected to the Internet ultimately relies on BGP to reach other networks: it supplies the directions that let traffic travel from one IP address to another over the best available path. Without BGP, routers would have no way to learn how to reach prefixes outside their own network, and inter-domain traffic would not be delivered at all. BGP itself has no built-in way to check that the network announcing a prefix is actually entitled to it, and that missing check is what makes hijacking possible.


To exchange reachability information, each router builds a routing table from the prefixes its neighbours announce and, for each destination, installs the best path according to the BGP decision process (in its simplest form, the route with the shortest AS path). Forwarding itself uses longest-prefix matching, so a more specific announcement always wins over a less specific one. During a hijack, the attacker announces a prefix it does not own, either as a more specific prefix or with a shorter AS path than the legitimate origin, and routers that accept the announcement redirect traffic not to the intended network but to one controlled by the attacker. Such attacks often take place when an attacker wants to intercept data sent to the targeted network or to take over user accounts hosted on it. BGP hijacking is not always obvious or easy to detect. As a result of a hijack, users might face increased latency because traffic takes an unnecessarily long route, or be redirected to fake websites built to steal credentials. Spammers also use the technique, briefly announcing unused address space so that their mail comes from addresses with no blocklist history.
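To make the two hijack mechanisms concrete, here is a toy routing-table model written for this article (it is not code from any router or from the original page). It implements a simplified BGP decision process (shortest AS path wins) and a longest-prefix-match forwarding lookup, then replays a constructed scenario: AS 64496 legitimately originates 203.0.113.0/24, and an attacker at AS 64500 first announces a more specific /25, then the same /24 with a shorter path. The ASNs and prefixes are taken from the documentation ranges (RFC 5398, RFC 5737); the neighbour topology is assumed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One BGP route as learned from a neighbour."""
    prefix: ipaddress.IPv4Network
    as_path: tuple          # leftmost = neighbour that sent it, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def select_best(candidates):
    """Simplified BGP decision process: the shortest AS_PATH wins.

    Real routers consult LOCAL_PREF, MED, IGP cost and router ID as well; the
    lowest origin AS is used here only as a deterministic tie-break.
    """
    return min(candidates, key=lambda r: (len(r.as_path), r.origin_as))


class Rib:
    """Toy Routing Information Base: every route received per prefix, plus a lookup."""

    def __init__(self):
        self._adj_in = {}   # prefix -> list of Route received for it

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self._adj_in.setdefault(net, []).append(Route(net, tuple(as_path)))

    def loc_rib(self):
        """Best route per prefix."""
        return {net: select_best(routes) for net, routes in self._adj_in.items()}

    def lookup(self, dst):
        """Forwarding lookup: longest prefix match, regardless of AS path length."""
        addr = ipaddress.ip_address(dst)
        matches = [r for net, r in self.loc_rib().items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def hijack_scenario():
    """Origin AS chosen for hosts in 203.0.113.0/24 before and after two hijacks.

    Constructed scenario using documentation ASNs; returns a 3-tuple.
    """
    rib = Rib()
    # Legitimate route: AS 64496 originates 203.0.113.0/24, reaching us via transits 64497 and 64498.
    rib.announce("203.0.113.0/24", [64498, 64497, 64496])
    before = rib.lookup("203.0.113.10").origin_as

    # Hijack 1: AS 64500 announces a more specific /25 through neighbour 64499.
    # Longest-prefix match sends the lower half of the /24 to the attacker.
    rib.announce("203.0.113.0/25", [64499, 64500])
    more_specific = rib.lookup("203.0.113.10").origin_as

    # Hijack 2: AS 64500 announces the same /24 with a shorter AS path.
    # Best-path selection now prefers it even for hosts outside the /25.
    rib.announce("203.0.113.0/24", [64499, 64500])
    shorter_path = rib.lookup("203.0.113.200").origin_as
    return before, more_specific, shorter_path


if __name__ == "__main__":
    print(hijack_scenario())  # (64496, 64500, 64500)
```

Neither router behaviour in the scenario is a bug: longest-prefix match and shortest-path preference are exactly what BGP is supposed to do. The hijack succeeds because nothing in the protocol asks whether AS 64500 is allowed to originate 203.0.113.0/24 in the first place.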

BGP hijacking in the real world:

BGP-related exploitation and the traffic disturbance that follows often cause significant real-world problems, including Denial of Service (DoS) events. Several incidents have occurred in recent years. On 12 November 2018, Google lost control of routes to a large part of its IP address space for more than an hour; its search and other services became unavailable to many users, and Google Cloud customers such as the music streaming service Spotify were affected as well. Google said it found no evidence of malicious intent, but the misdirected traffic flowed through Chinese and Russian ISPs. Probably the most famous incident happened in April 2017, when several financial institutions, most notably Visa and MasterCard, had prefixes hijacked. Cryptocurrency infrastructure has also been a target of IP hijacking, in particular Bitcoin.

BGP hijacking is generally overlooked in comparison to DDoS attacks, but several recent events have turned this unusual method into headlines. It is a serious threat to the public Internet, especially in the Internet of Things era, when more and more devices connect to the Internet each day. The Resource Public Key Infrastructure (RPKI) and BGPsec are the standard mitigations, though neither is a quick fix. RPKI lets the holder of an address block publish a Route Origin Authorization (ROA) stating which Autonomous System (AS) may originate a prefix and up to which prefix length; a router performing Route Origin Validation (ROV) can then reject announcements whose origin AS does not match. ROV only checks the origin, so it does not stop an attacker who forges the legitimate origin AS at the end of the AS path. BGPsec addresses this by having every AS on the path sign the announcement, so that the entire path from the origin AS to the receiving router can be verified; it is, however, far less widely deployed than RPKI.
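The following is an added example, written for this article rather than taken from any RPKI validator, of the origin check RPKI enables: a Route Origin Validation routine following the rules of RFC 6811 (a ROA covers an announcement when the announced prefix lies within the ROA prefix; the announcement is Valid if some covering ROA names its origin AS and its prefix length does not exceed the ROA's maxLength, Invalid if it is covered but no ROA matches, and NotFound if nothing covers it). The ROA cache and the announcements are constructed, using the documentation ASNs and prefixes from the scenario above; they include a forged-origin hijack to show what ROV does not catch.

```python
import ipaddress
from enum import Enum


class RovState(Enum):
    """RFC 6811 validation states."""
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


def validate_origin(prefix, origin_as, roas):
    """Route Origin Validation (RFC 6811).

    roas: iterable of (roa_prefix, max_length, asn) tuples, i.e. the content of a
    validated ROA cache. A ROA with asn 0 means "nobody may originate this".
    """
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_length, asn))
    if not covering:
        return RovState.NOT_FOUND            # no ROA covers this prefix at all
    for max_length, asn in covering:
        if asn != 0 and asn == origin_as and net.prefixlen <= max_length:
            return RovState.VALID
    return RovState.INVALID                  # covered, but no ROA authorises this origin/length


def accept_announcements(announcements, roas, drop_not_found=False):
    """Apply the usual import policy: drop Invalid, keep Valid, keep NotFound unless told otherwise.

    Returns {(prefix, as_path): RovState} for every announcement that is kept.
    """
    kept = {}
    for prefix, as_path in announcements:
        state = validate_origin(prefix, as_path[-1], roas)
        if state is RovState.INVALID or (drop_not_found and state is RovState.NOT_FOUND):
            continue
        kept[(prefix, tuple(as_path))] = state
    return kept


# Constructed ROA cache: AS 64496 may originate exactly 203.0.113.0/24 (maxLength 24).
ROAS = [("203.0.113.0/24", 24, 64496)]

# Constructed announcements; ASNs from RFC 5398, prefixes from RFC 5737.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", (64498, 64497, 64496)),   # legitimate origin
    ("203.0.113.0/25", (64499, 64500)),          # more-specific hijack by AS 64500
    ("203.0.113.0/24", (64499, 64500)),          # same-prefix hijack by AS 64500
    ("198.51.100.0/24", (64499, 64500)),         # no ROA published for this block
    ("203.0.113.0/24", (64499, 64500, 64496)),   # forged-origin hijack: 64500 appends the victim's AS
    ("203.0.113.0/25", (64499, 64500, 64496)),   # forged origin, but /25 exceeds maxLength 24
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(prefix, path, validate_origin(prefix, path[-1], ROAS).value)
```

Two things the run makes visible: the more-specific and same-prefix hijacks from AS 64500 are both Invalid and get dropped, but the announcement where the attacker appends 64496 as the origin is Valid, because ROV never looks at who actually sent the route. That is the gap BGPsec path signing is meant to close. The last case also shows why the ROA's maxLength should be kept equal to the prefix length: a generous maxLength would let a forged-origin /25 through as well.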

A wide range of threats exists that can adversely impact the effectiveness of the BGP routing protocol. Some are malicious in nature, while others arise from misconfiguration; in either case, the integrity of the BGP process is critical. Many features and techniques are available to network administrators to reduce the impact of these threats, such as prefix filters on customer and peer sessions, maximum-prefix limits, and RPKI origin validation. Through careful BGP configuration, administrators can increase the resilience of the BGP process and improve the reliability of their networks' data plane.

In short, BGP or IP hijacking is when an attacker takes over a group of IP addresses that they do not own or control by announcing them in BGP, thereby rerouting Internet traffic. The result is higher latency for users and, in some cases, the loss of sensitive credentials.