BGP Hijack Monitor

Understand BGP hijacks and route leaks. Check ASN update activity for anomalies and explore historical incident data.

About BGP Hijacking

What is a BGP Hijack?

A BGP hijack occurs when a malicious or misconfigured router announces prefixes (IP address ranges) that belong to another autonomous system. Because BGP lacks built-in authentication, other routers may accept these false announcements and route traffic to the wrong destination — potentially allowing interception, redirection, or black-holing of internet traffic.

Route Leaks vs. Hijacks

A route leak is an accidental propagation of routing announcements beyond their intended scope — for example, a customer re-advertising transit routes to other providers. A hijack is typically intentional. Both can cause widespread disruptions, as seen in high-profile incidents affecting major internet services.

RPKI: The Modern Defense

Resource Public Key Infrastructure (RPKI) is a security framework that cryptographically validates that an ASN is authorized to announce specific IP prefixes via Route Origin Authorizations (ROAs). When RPKI validation (ROV — Route Origin Validation) is deployed, routers can automatically reject invalid BGP announcements, significantly reducing hijack risk.

  • Origin hijack: An AS announces a prefix it doesn't own, at the same or a shorter prefix length than the legitimate announcement.
  • Subprefix hijack: A more specific prefix is announced, attracting traffic because routers prefer the longest matching prefix.
  • Route leak: Routes are redistributed to unintended peers, redirecting traffic.
  • AS path manipulation: Fake ASNs are inserted into the AS_PATH to bypass loop prevention or influence routing decisions.

BGP Security: Understanding Hijacks, Route Leaks, and RPKI

BGP (Border Gateway Protocol) was designed for trust between networks, not security. Since BGP has no built-in authentication for route origins, malicious or misconfigured routers can announce prefixes they don't control. Notable historical incidents include the 2010 China Telecom hijack of 15% of global internet traffic, the 2008 Pakistan Telecom YouTube blackout, and the 2018 MyEtherWallet BGP hijack that redirected cryptocurrency traffic.

Modern mitigation strategies include RPKI (Resource Public Key Infrastructure), which assigns cryptographic certificates to IP address blocks and ASNs through Regional Internet Registries (RIRs). Route Origin Authorizations (ROAs) specify which ASNs are authorized to originate which prefixes. When deployed with Route Origin Validation (ROV), BGP routers can automatically reject "Invalid" route origins — those that conflict with existing ROA records.
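As an added illustration of ROV (not code from this page or from any RPKI validator), the RFC 6811 classification of announcements against a ROA set, in Python. The ROA for AS13335 / 104.16.0.0/12 reuses the pair from the curl examples below; its max length of 13 and the AS64496 announcements are constructed for the demo.

```python
# Added example: Route Origin Validation (RFC 6811) over a constructed ROA set.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """origin_asn may originate prefix and any more-specific of it up to max_length bits."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    """Return "valid", "invalid" or "notfound" for one announcement.

    notfound: no ROA covers the prefix (RPKI says nothing about it)
    valid:    a covering ROA names this origin and permits this prefix length
    invalid:  covering ROAs exist but none match (origin or subprefix hijack)
    """
    route = ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=True)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed ROA set: max_length 13 is an assumption for this demo.
ROAS = [ROA("104.16.0.0/12", 13, 13335)]

# Constructed announcements (AS64496 is from the documentation ASN range).
ANNOUNCEMENTS = [
    ("104.16.0.0/12", 13335),    # legitimate origin            -> valid
    ("104.16.0.0/13", 13335),    # more-specific within maxLen  -> valid
    ("104.16.0.0/12", 64496),    # origin hijack                -> invalid
    ("104.16.10.0/24", 64496),   # subprefix hijack             -> invalid
    ("104.16.10.0/24", 13335),   # right AS, beyond maxLen      -> invalid (misconfiguration)
    ("198.51.100.0/24", 64496),  # no covering ROA              -> notfound
]


def classify_all(announcements, roas):
    """Map (prefix, origin_asn) -> ROV state for a batch of announcements."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for (p, a), state in classify_all(ANNOUNCEMENTS, ROAS).items():
        action = "reject" if state == "invalid" else "accept"  # typical ROV policy
        print(f"{p:18} AS{a:<6} {state:9} -> {action}")
```

A router applying ROV drops only the "invalid" rows; "notfound" routes are still accepted, which is why hijacks of prefixes without ROAs go undetected by RPKI alone.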

Additional defenses include IRR (Internet Routing Registry) filtering, MANRS (Mutually Agreed Norms for Routing Security) adoption, BGPsec (which signs the full AS_PATH), and monitoring tools like BGPmon, RIPE Stat, and BGPStream that provide real-time alerts for routing anomalies. The AS_PATH length, update frequency, and prefix specificity are key indicators of potentially suspicious routing behavior.

RPKI Validation Commands

Check ROA for a prefix

curl "https://stat.ripe.net/data/rpki-validation/data.json?resource=AS13335&prefix=104.16.0.0/12"
curl "https://rpki-validator.ripe.net/api/v1/validity/AS13335/104.16.0.0/12"

Monitor BGP updates (requires bgpdump)

# -m output is pipe-delimited, so awk needs -F'|'; field 7 is the AS_PATH of each announcement (A records only, since withdrawals carry no path)
bgpdump -m updates.gz | awk -F'|' '$1 == "BGP4MP" && $3 == "A" {print $7}' | sort | uniq -c | sort -rn | head -20