Tags: BGP, Routing, Security, Layer 3

BGP Hijacking: How to Steal a Country's Internet

Chris Vance, August 7, 2024

The internet is not a single, unified entity. It is a loose, chaotic federation of tens of thousands of independent networks—ISPs, universities, tech giants, and governments—all stitched together.

To make this patchwork function, these networks must talk to each other and share directions. They do this using BGP (Border Gateway Protocol).

BGP is the protocol that makes the global internet possible. It is also horrifyingly insecure by design, leading to a phenomenon known as BGP Hijacking.

The Honor System of the Internet

To understand how BGP can be hijacked, you have to understand how BGP routes traffic.

Imagine a network—let's say a major telecom in Europe—plugs into the global internet. The telecom configures its core routers to announce a message via BGP to all of its neighbors: *"Hello, I am AS12345, and I own the IP address blocks X, Y, and Z. Send any traffic for those IPs to me."*

The neighboring routers (maybe AT&T and Level3) receive this message. They update their internal maps and pass the message along to their neighbors. Within minutes, every router on the planet knows that the best way to reach those specific IP addresses is to route traffic toward Europe.

Here is the fatal flaw in BGP: There is no built-in verification.

When AS12345 announces that it owns those IP addresses, the neighboring routers just *believe them*. BGP was designed in the 1980s by a small group of researchers who all knew and trusted each other. They didn't build cryptographic authentication into the protocol because they couldn't fathom a scenario where a network operator would maliciously lie about what IPs they owned.

The Hijack

Because BGP operates on the honor system, any network operator connected to the internet can theoretically claim to own any IP address on earth.

Suppose a rogue ISP in Eastern Europe decides to launch a BGP hijack against a major US bank. The US bank legitimately owns the IP address block `203.0.113.0/24`.

The rogue ISP configures its BGP routers to broadcast a fake announcement to the world: *"Hello, I am actually the best, most direct path to reach 203.0.113.0/24."*

BGP routers use several metrics to choose the best path, but the primary metric is the "AS Path length"—essentially, how many network hops it takes to get there. Before path selection even matters, though, routers always prefer a more specific prefix over a broader one. If the rogue ISP announces a more specific, or shorter, route than the legitimate owner, a large portion of the global internet will automatically update its routing tables.

Suddenly, if a customer in Asia tries to log into the US bank, their internet provider's routers look at the BGP map and send the traffic directly to the rogue ISP in Eastern Europe instead of the real bank in New York.

What Happens Next?

Once the rogue ISP has stolen the traffic, they have several options:

1. The Black Hole: The simplest attack. They just drop all the traffic. The bank is effectively knocked offline for millions of users. This is a massive Denial of Service.

2. The Imposter (Phishing): The rogue ISP routes the traffic to a fake server they control that looks exactly like the bank's website. If the users ignore SSL warnings (or if the attackers manage to spoof certificates), they can steal usernames and passwords.

3. The Man-in-the-Middle (Espionage): This is the most dangerous. The rogue ISP receives the traffic, quietly records a copy of it, and then uses a hidden, secondary connection to forward the traffic back to the real US bank. The connection still works. The user logs in successfully. Neither the user nor the bank realizes that their traffic just took a massive detour through a hostile country and was completely wiretapped.

Famous Incidents

BGP Hijacks happen constantly. Some are malicious, while others are just catastrophic typos by tired engineers.

  • **The YouTube Pakistan Incident (2008):** As mentioned in previous posts, Pakistan attempted to censor YouTube internally by creating a fake BGP route to a black hole. They accidentally leaked that route to the global internet, and the entire world's YouTube traffic was sucked into Pakistan, knocking YouTube offline globally.
  • **The MyEtherWallet Heist (2018):** Hackers managed to hijack the BGP route for Amazon's Route 53 DNS service. By stealing Amazon's traffic, they redirected users trying to log into a cryptocurrency wallet (MyEtherWallet) to a fake server in Russia, stealing roughly $150,000 in cryptocurrency before the hijack was stopped.
  • **State-Sponsored Routing:** Cybersecurity firms routinely observe massive chunks of US and European internet traffic inexplicably taking detours through state-owned telecoms in China or Russia for brief periods of time, strongly suggesting state-sponsored espionage via BGP manipulation.

Fixing the Flaw: RPKI

Engineers are desperately trying to fix BGP using a system called RPKI (Resource Public Key Infrastructure).

RPKI adds cryptographic signatures to BGP announcements. When a router receives an announcement claiming ownership of an IP block, it checks a secure global database to verify the cryptographic signature. If the signature is fake or missing, the router rejects the announcement.

While RPKI is the definitive solution to BGP hijacking, adoption is entirely voluntary. As of 2024, only about half of the global internet actively enforces RPKI. Until that number approaches 100%, the internet will remain vulnerable to anyone willing to stand up and confidently lie to a router.
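To make both halves of the argument concrete (why the rogue more-specific route wins in The Hijack section, and how an RPKI-enforcing router stops it here), the following is an added example, not code from the article or any vendor: a minimal longest-prefix-match forwarding decision plus an RFC 6811 route origin validation check against a constructed ROA table. The prefix 203.0.113.0/24 is the article's; the AS numbers 64500 and 64666, the /25 hijack and the "drop Invalid" policy are assumptions.

```python
import ipaddress

# Constructed ROA table: (covering prefix, maxLength, authorized origin AS).
# 203.0.113.0/24 is the article's bank prefix; the AS numbers are placeholders.
ROAS = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64500),  # the legitimate bank (hypothetical AS)
]

def rov_state(prefix, origin_as, roas=ROAS):
    """Route Origin Validation (RFC 6811): Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(r[0])]
    if not covering:
        return "NotFound"          # no ROA says anything about this address space
    for _, max_len, roa_as in covering:
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid"               # wrong origin AS, or more specific than maxLength allows

def build_rib(announcements, enforce_rov):
    """Keep the announcements a router would accept; with ROV enforced, Invalid ones are dropped."""
    return [a for a in announcements
            if not (enforce_rov and rov_state(*a) == "Invalid")]

def longest_prefix_match(rib, dst):
    """Forwarding picks the most specific accepted prefix covering dst, regardless of AS path."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin_as in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin_as)
    return best

# Constructed announcements: the bank's real /24 and a rogue, more specific /25.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin
    ("203.0.113.0/25", 64666),   # hijack: more specific, wrong origin (hypothetical AS)
]

def next_hop_origin(enforce_rov):
    """Which origin AS ends up receiving traffic for a host inside the bank's block."""
    best = longest_prefix_match(build_rib(ANNOUNCEMENTS, enforce_rov), "203.0.113.10")
    return best[1]

if __name__ == "__main__":
    print("without ROV:", next_hop_origin(False))  # 64666: the hijacker wins on prefix length
    print("with ROV:   ", next_hop_origin(True))   # 64500: the Invalid /25 was never installed
```

Note that a more specific announced by the legitimate AS itself is also Invalid once it exceeds the ROA's maxLength, which is why operators set maxLength no wider than what they actually announce.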