BGP (Border Gateway Protocol) hijacking is an attack in which a malicious actor announces IP address prefixes it does not legitimately hold, redirecting internet traffic intended for a victim network through attacker-controlled infrastructure. BGP is the protocol that determines how traffic is routed between autonomous systems on the internet, and it was designed without built-in authentication, which makes it inherently vulnerable to route manipulation.
The attacker, who controls a BGP-speaking router or has compromised one, announces IP prefixes belonging to another organization. Because BGP routers generally accept route announcements from their peers without verifying them, neighboring autonomous systems propagate the false route. Traffic destined for the victim's IP addresses is then routed through the attacker's network, where it can be intercepted, modified, or dropped before optionally being forwarded to the legitimate destination to avoid detection. More sophisticated attacks announce a more specific (longer) prefix than the victim's own announcement; because routers forward on the longest matching prefix, the hijacked route is preferred over the legitimate one regardless of how the two routes otherwise compare. State-sponsored attackers have used BGP hijacking to intercept encrypted traffic, cryptocurrency transactions, and government communications.
BGP hijacking can redirect traffic for entire networks, affecting millions of users, and it has been used for cryptocurrency theft, surveillance, and denial of service. Because BGP operates on trust between network operators, mitigation requires adoption of RPKI (Resource Public Key Infrastructure) for route origin validation, BGP route filtering, real-time route monitoring services, and coordination between internet service providers. Organizations should monitor how their own prefixes are being announced and deploy route origin validation (ROV) to reject invalid routes.
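The following is an added example, not code from the original article, showing how the two defensive controls above work together against the more-specific hijack described earlier: an RPKI route origin validation check following the RFC 6811 decision procedure (Valid / Invalid / NotFound), and a simple prefix monitor that flags announcements overlapping an operator's own address space. The ROA, the prefixes (RFC 5737 documentation ranges) and the AS numbers (RFC 5398 documentation range) are constructed sample data; the class and function names are the example's own. Note that ROV checks only the origin AS, so a hijacker who forges the victim's AS as origin is caught here only by the maxLength check on the more-specific announcement, which is why ROAs should authorize the tightest prefix length actually announced.

```python
"""RPKI route origin validation (RFC 6811) plus a prefix monitor, run over
constructed BGP announcements. Added example; not from the original page."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` authorizes
    `origin_asn` to originate it and any sub-prefix up to `max_length` bits."""
    prefix: str
    max_length: int
    origin_asn: int


def rov_state(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify one (prefix, origin AS) announcement per RFC 6811:
    Valid    - some covering ROA matches the origin AS and maxLength
    Invalid  - covered by at least one ROA, but none matches
    NotFound - no ROA covers the prefix at all"""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so skip other address families
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def rov_policy(state: str) -> str:
    """Common operator policy: reject Invalid; accept Valid and NotFound
    (NotFound cannot be rejected while many prefixes still have no ROA)."""
    return "reject" if state == "Invalid" else "accept"


def hijack_alerts(own_prefixes: List[str], own_asn: int,
                  announcements: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Monitor: flag announcements inside our address space that either come
    from another origin AS or are more specific than what we announce."""
    alerts = []
    own_nets = [ipaddress.ip_network(p) for p in own_prefixes]
    for prefix, asn in announcements:
        route = ipaddress.ip_network(prefix, strict=False)
        for own in own_nets:
            if own.version != route.version or not route.subnet_of(own):
                continue
            if asn != own_asn:
                alerts.append((prefix, asn, f"foreign origin AS inside {own}"))
            elif route.prefixlen > own.prefixlen:
                # Origin AS can be forged in the AS_PATH, so an unexpected
                # more-specific is suspicious even when the AS looks right.
                alerts.append((prefix, asn, f"unexpected more-specific of {own}"))
    return alerts


# Constructed sample data (documentation prefixes and AS numbers).
ROAS = [ROA("203.0.113.0/24", 24, 64496)]
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # legitimate announcement
    ("203.0.113.0/25", 64496),   # more-specific beyond maxLength -> Invalid
    ("203.0.113.0/24", 64511),   # wrong origin AS -> Invalid
    ("198.51.100.0/24", 64511),  # no covering ROA -> NotFound
]


def audit(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Return (prefix, origin, ROV state, policy action) for each announcement."""
    result = []
    for prefix, asn in announcements:
        state = rov_state(prefix, asn, roas)
        result.append((prefix, asn, state, rov_policy(state)))
    return result


if __name__ == "__main__":
    for row in audit():
        print(row)
    for alert in hijack_alerts(["203.0.113.0/24"], 64496, ANNOUNCEMENTS):
        print("ALERT", alert)
```

Run as a script, the audit rejects the /25 more-specific even though it carries the legitimate origin AS, because the ROA's maxLength of 24 does not authorize it; the monitor independently raises two alerts for the same sample set, one for the foreign origin and one for the unexpected more-specific.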