BGP Hijacking
What is BGP Hijacking?
BGP Hijacking: An attack in which an autonomous system announces IP prefixes it does not legitimately own, attracting and potentially intercepting global Internet traffic.
BGP hijacking exploits the lack of built-in authentication in the Border Gateway Protocol (RFC 4271): each AS trusts its neighbors' prefix announcements. By announcing a victim's prefix (or a more specific one), an attacker can pull traffic toward its AS, blackholing it, inspecting it, or returning forged responses. Notable real-world incidents include the 2008 YouTube/Pakistan Telecom outage caused by a leaked /24 and the 2018 Amazon Route 53 hijack that redirected cryptocurrency users. Defenses combine RPKI Route Origin Validation, ASPA for path validation, BGPsec, prefix filters, max-prefix limits, IRR and PeeringDB hygiene, and continuous monitoring of public route collectors such as RIPE RIS and RouteViews.
● Examples
- 01. In 2008, Pakistan Telecom announced 208.65.153.0/24 and globally blackholed YouTube traffic.
- 02. In 2018, attackers hijacked AWS DNS prefixes via Route 53 and stole Ethereum from MyEtherWallet users.
● Frequently asked questions
What is BGP Hijacking?
An attack in which an autonomous system announces IP prefixes it does not legitimately own, attracting and potentially intercepting global Internet traffic. It belongs to the Network Security category of cybersecurity.
What does BGP Hijacking mean?
An attack in which an autonomous system announces IP prefixes it does not legitimately own, attracting and potentially intercepting global Internet traffic.
How does BGP Hijacking work?
BGP hijacking exploits the lack of built-in authentication in the Border Gateway Protocol (RFC 4271): each AS trusts its neighbors' prefix announcements. By announcing a victim's prefix (or a more specific one), an attacker can pull traffic toward its AS, blackholing it, inspecting it, or returning forged responses. Notable real-world incidents include the 2008 YouTube/Pakistan Telecom outage caused by a leaked /24 and the 2018 Amazon Route 53 hijack that redirected cryptocurrency users. Defenses combine RPKI Route Origin Validation, ASPA for path validation, BGPsec, prefix filters, max-prefix limits, IRR and PeeringDB hygiene, and continuous monitoring of public route collectors such as RIPE RIS and RouteViews.
How do you defend against BGP Hijacking?
Defenses against BGP Hijacking typically combine technical controls (RPKI Route Origin Validation, ASPA, BGPsec, prefix filters, max-prefix limits) with operational practices (IRR and PeeringDB hygiene, continuous monitoring of public route collectors), as detailed in the full definition above.
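As an added illustration of the RPKI Route Origin Validation mentioned above (example code written for this entry, not from the original page or any router vendor), the following Python applies the RFC 6811 validity rules to a handful of constructed announcements, including the more-specific case. The ROA, prefixes (RFC 5737 documentation ranges) and ASNs (private-use range) are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may announce prefix and any
    sub-prefix no longer than max_length bits (RFC 6482)."""
    prefix: Network
    max_length: int
    origin_asn: int


def rov_state(announced: str, origin_asn: int, roas: list[ROA]) -> str:
    """Classify one (prefix, origin AS) pair per RFC 6811: 'notfound' if no
    ROA covers the prefix, 'valid' if a covering ROA matches both the origin
    AS and the length limit, otherwise 'invalid'."""
    net = ip_network(announced, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def flag_hijack_candidates(announcements, roas):
    """Announcements a defender would alert on: RPKI-invalid origins,
    including more-specifics that exceed the ROA's maxLength."""
    return [(p, asn) for p, asn in announcements if rov_state(p, asn, roas) == "invalid"]


# Constructed data: one ROA for a documentation prefix, five sample announcements.
ROAS = [ROA(ip_network("192.0.2.0/24"), 24, 64496)]

ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin: valid
    ("192.0.2.0/24", 64500),     # same prefix, wrong origin: invalid (origin hijack)
    ("192.0.2.128/25", 64496),   # right origin but longer than maxLength: invalid
    ("192.0.2.128/25", 64500),   # more-specific from wrong origin: invalid
    ("198.51.100.0/24", 64500),  # no ROA at all: notfound, ROV cannot judge it
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}  {rov_state(prefix, asn, ROAS)}")
```

Note that a prefix without any ROA stays "notfound", which is why RPKI coverage (publishing ROAs for your own space) matters as much as running validation.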
What are other names for BGP Hijacking?
Common alternative names include: Prefix hijacking, BGP prefix hijack.
● Related terms
- BGP Route Leak (network-security № 093)
  An unintended BGP propagation in which an autonomous system advertises routes outside the intended business relationship, often steering global traffic into the wrong AS.
- IP Address (network-security № 553)
  A numeric identifier assigned to a network interface for routing across IP networks: 32 bits in IPv4 (RFC 791) or 128 bits in IPv6 (RFC 8200).
- CIDR Notation (network-security № 168)
  Classless Inter-Domain Routing notation expresses an IP prefix as an address followed by a slash and the number of significant bits, e.g., 10.0.0.0/8.
- DNS Hijacking (attacks № 338)
  An attack that redirects DNS resolution to attacker-controlled answers by modifying client settings, router configurations, resolver responses, or authoritative DNS records.
- TCP/IP (network-security № 1136)
  The four-layer Internet Protocol Suite that defines how packets are addressed, routed, fragmented, and reliably delivered between hosts across interconnected networks.
- Subdomain Takeover (network-security № 1112)
  An attack in which a dangling DNS record (often a CNAME) points to an unclaimed cloud or SaaS resource, letting an attacker register that resource and impersonate the subdomain.