BGP Route Hijacking

What is BGP Route Hijacking?

BGP Route Hijacking, also called prefix hijacking, route hijacking or IP hijacking, is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

A prefix is announced using BGP as an IPv4 or IPv6 address block together with a path of AS numbers (the AS path), indicating which autonomous systems traffic must pass through to reach the announced address block. By maliciously manipulating the BGP prefixes it announces, an attacker (hijacker) can reroute traffic in order to intercept or modify it.

Internet-level BGP hijacking is performed by configuring an edge router to announce prefixes that have not been assigned to it. If the malicious announcement is more specific than the legitimate one (longest-prefix match wins), or claims to offer a shorter AS path, traffic may be directed to the hijacker. Bad actors frequently hijack unused prefixes, since no legitimate owner is actively watching them and the hijack is less likely to be noticed.

By broadcasting false prefix announcements, the compromised router can poison the Routing Information Base (RIB) of its peers; those peers may in turn propagate the bogus routes to their own peers, to other ASes, and across the Internet, so identifying a route hijack as soon as possible is critical.
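The two mechanisms above (a more-specific prefix winning longest-prefix match, and detection by comparing observed announcements against the expected origin) as an added example, not code from the original page. It assumes a constructed route-collector view in a simple "prefix|AS path" text form and a constructed list of monitored prefixes with their expected origin ASNs; all prefixes and ASNs are documentation/private values.

```python
import ipaddress

# Constructed data: prefixes the operator legitimately originates, mapped to
# the ASN expected as origin (rightmost ASN in the AS path).
MONITORED = {"203.0.113.0/24": 64500, "2001:db8::/32": 64500}

# Constructed route-collector view, "prefix|AS path" per line, one route each.
OBSERVED = """\
203.0.113.0/24|64496 64497 64500
203.0.113.128/25|64498 64499
198.51.100.0/24|64496 64511
2001:db8::/32|64496 64499
2001:db8:1::/48|64496 64497 64500
"""

def parse_announcements(text):
    """Return [(network, [asn, ...]), ...] for each non-empty line."""
    routes = []
    for line in text.splitlines():
        if line.strip():
            prefix, path = line.split("|", 1)
            routes.append((ipaddress.ip_network(prefix), [int(a) for a in path.split()]))
    return routes

def longest_match(routes, address):
    """Route a router would select for `address`: the most specific covering
    prefix wins, so a hijacked /25 beats the legitimate /24 for its half."""
    addr = ipaddress.ip_address(address)
    covering = [(n, p) for n, p in routes if n.version == addr.version and addr in n]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)

def classify(monitored, routes):
    """Alerts as (announced, monitored, kind, origin). 'origin-mismatch': the
    exact prefix from an unexpected origin; 'more-specific': a sub-prefix
    from an unexpected origin. Announcements with the expected origin pass."""
    mon = {ipaddress.ip_network(p): asn for p, asn in monitored.items()}
    alerts = []
    for net, path in routes:
        origin = path[-1]
        for mon_net, expected in mon.items():
            if net.version != mon_net.version or origin == expected:
                continue
            if net == mon_net:
                alerts.append((str(net), str(mon_net), "origin-mismatch", origin))
            elif net.subnet_of(mon_net):
                alerts.append((str(net), str(mon_net), "more-specific", origin))
    return alerts
```

In the constructed view, 203.0.113.200 resolves to the /25 originated by AS64499 even though the /24 from AS64500 is still present, and classify() flags that /25 plus the IPv6 /32 announced from the wrong origin while leaving the operator's own /48 alone.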