How BGP Attacks Quietly Redirect Internet Traffic

By Eng. Donya Bino  ·  3 min read
Updated on January 07, 2026

Why BGP Is an Attractive Target
Border Gateway Protocol decides how traffic moves across the internet.
It was designed for cooperation, not hostility.
BGP assumes that networks advertise routes honestly.
When that assumption breaks, traffic follows the wrong path without complaint.
No malware is required.
No systems need to be breached.
Traffic simply goes where it is told.

What a BGP Attack Looks Like in Practice
BGP attacks rarely cause full outages.
Most are subtle.
1. Traffic slows down but still works
2. Certain regions experience issues, others do not
3. Authentication succeeds, but sessions feel unstable
By the time someone investigates, the route may already be gone.

Attack Type 1: Route Hijacking
This is the most common BGP abuse.
An attacker announces IP prefixes they do not own.
If the announcement looks more attractive, traffic shifts.

Real World Scenario
1. A /24 prefix is advertised instead of a /22
2. Routers prefer the more specific route
3. Traffic is redirected through the attacker’s network

This has been used for:
1. Traffic interception
2. Cryptocurrency theft
3. Session hijacking

Detection Example
whois 203.0.113.0/24
Check whether the announcing AS is actually authorized to originate the prefix.

Attack Type 2: Route Leak
Route leaks are more common than hijacks and often accidental.
A network accidentally advertises routes learned from one provider to another.
Traffic takes long, inefficient paths through unintended networks.

Why Attackers Care
Route leaks can:
1. Enable passive traffic monitoring
2. Create denial-of-service conditions
3. Mask interception attempts as “misconfiguration”
Many high-profile incidents started as “mistakes.”

Hunting Example
bgpctl show rib | grep "AS_PATH"
Unexpected long AS paths or unfamiliar transit ASNs are early warning signs.

Attack Type 3: Traffic Interception Without Blackholing
The most dangerous BGP attacks do not break connectivity.
Traffic is:
1. Redirected through attacker infrastructure
2. Inspected or modified
3. Forwarded to the real destination
Users never notice.

TLS helps, but metadata still leaks:
1. Domains accessed
2. Timing patterns
3. Source locations

Real Incident Pattern
1. OAuth tokens captured
2. Session cookies replayed
3. MFA challenges intercepted in real time
The route disappears before forensic teams arrive.

Attack Type 4: Targeted Regional Hijacks
Attackers sometimes hijack routes only in specific regions.
This avoids global visibility and public monitoring alerts.
Common Targets
1. Banking portals
2. Cloud identity providers
3. Government services
4. Mobile carrier infrastructure

Detection Approach
Compare routing views from multiple locations.
curl https://stat.ripe.net/data/bgp-state/data.json?resource=ASXXXX
Different routing paths by region are not always benign.

Tools Used in BGP Attacks
Attackers rarely need exotic tooling.
Commonly observed:
1. BGP configuration access on small ISPs
2. Misconfigured routers
3. Compromised network credentials
4. Legitimate route announcement tools
The protocol itself does the work.

Defender Tooling That Actually Helps
Monitoring matters more than blocking.
Useful tools include:
1. RIPE RIS
2. BGPStream
3. RouteViews
4. Cloud provider routing alerts

Simple Alert Logic Example
# A more specific route (e.g. a /24 inside your /22) has a LONGER prefix length
if prefix_length > expected_prefix_length:
    alert("More specific route detected")

Simple logic catches most hijacks early.

Why These Attacks Are Hard to Attribute
BGP has no built-in authentication by default.
Attribution problems include:
1. Short attack duration
2. Shared infrastructure
3. Misconfiguration plausibility
4. Rapid route withdrawal
Many attacks are never publicly confirmed.

Defensive Measures That Reduce Risk
No defense is perfect, but these reduce exposure:
1. Use RPKI and enforce route origin validation
2. Monitor your prefixes continuously
3. Maintain accurate IRR records
4. Alert on any new origin ASN
5. Coordinate with upstream providers in advance
Preparation matters more than reaction.
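The alert logic sketched earlier and measures 2 and 4 above (monitor your prefixes, alert on any new origin ASN) can be combined into one small monitor. The following is an added example written for this article, not code from the author or from any of the tools listed; the prefix, ASNs and feed lines are constructed sample data, and the "known upstreams" policy is an assumption a real deployment would load from its own records.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One route as seen from a collector: prefix plus AS path (collector peer ... origin)."""
    prefix: str
    as_path: tuple

    @property
    def origin_asn(self):
        return self.as_path[-1]


# Constructed sample policy (documentation ASNs): our prefix, our origin ASN, our contracted upstreams.
EXPECTED_ORIGINS = {"203.0.112.0/22": 64500}
KNOWN_UPSTREAMS = {64496, 64497}


def check_announcements(observed, expected=EXPECTED_ORIGINS, upstreams=KNOWN_UPSTREAMS):
    """Return (kind, prefix, detail) alerts for every observed route that falls inside our space."""
    alerts = []
    for ann in observed:
        seen = ipaddress.ip_network(ann.prefix, strict=False)
        for ours, our_asn in expected.items():
            ours_net = ipaddress.ip_network(ours)
            if seen.version != ours_net.version or not seen.subnet_of(ours_net):
                continue  # routes outside our address space are out of scope here
            # 1. More-specific hijack: a longer prefix inside ours wins on longest-prefix match
            if seen.prefixlen > ours_net.prefixlen:
                alerts.append(("more_specific", ann.prefix, f"/{seen.prefixlen} inside {ours}"))
            # 2. Origin change: the route covers our space but a different ASN originates it
            if ann.origin_asn != our_asn:
                alerts.append(("unexpected_origin", ann.prefix, f"AS{ann.origin_asn} != AS{our_asn}"))
            # 3. Leak indicator: the ASN adjacent to the origin is not one of our contracted upstreams
            if len(ann.as_path) >= 2 and ann.as_path[-2] not in upstreams:
                alerts.append(("unknown_upstream", ann.prefix, f"AS{ann.as_path[-2]}"))
    return alerts


# Constructed feed lines, shaped like what a RIS or BGPStream client would hand to the monitor.
SAMPLE_FEED = [
    Announcement("203.0.112.0/22", (64496, 64500)),   # legitimate: our /22 via a known upstream
    Announcement("203.0.113.0/24", (64497, 64666)),   # more-specific /24 originated by a foreign ASN
    Announcement("203.0.112.0/22", (65000, 64500)),   # our route, but reached via an unknown neighbour
    Announcement("198.51.100.0/24", (64496, 64666)),  # unrelated prefix, ignored
]

if __name__ == "__main__":
    for kind, prefix, detail in check_announcements(SAMPLE_FEED):
        print(f"ALERT {kind}: {prefix} ({detail})")
```

Run against a live feed, the same three checks give the "new origin ASN" and "more specific route" alerts the measures above call for; a covering (less specific) announcement from a foreign ASN is deliberately out of scope and needs a separate rule.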

Key Takeaways
1. BGP attacks redirect trust, not systems
2. Most cause degradation, not outages
3. Interception is more common than disruption
4. Visibility across regions is essential
If traffic feels normal but outcomes are wrong, routing is often involved.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067