eastbaycyber

What Is BGP Hijacking?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

BGP hijacking happens when an autonomous system, or AS, announces IP prefixes it is not authorized to originate. Other networks may accept those announcements and route traffic toward the wrong destination.

BGP hijacking is the unauthorized or incorrect announcement of IP routes on the internet. When a network advertises IP address ranges it should not control, traffic can be diverted, intercepted, misrouted, or blackholed instead of reaching the intended destination. In practical terms, BGP hijacking can break availability even when the application itself is healthy.

Because BGP sits at the internet routing layer, the problem is not usually inside your web app or server. It is in how networks decide where traffic should go. For related background, see what is ddos and what is dns tunneling.

How BGP hijacking works

To understand a route hijack, it helps to start with the role of BGP itself.

BGP exchanges routes between networks

The Border Gateway Protocol (BGP) is the routing protocol large networks use to tell each other which IP prefixes they can reach. Internet providers, cloud networks, CDNs, and major enterprises use BGP to exchange this information.

Routers then decide which paths to prefer based on routing rules and policy. BGP does not inherently verify that every announcement is legitimate. Historically, it has relied heavily on trust between networks.

A network announces a route it should not

A hijack begins when a network advertises reachability for IP space it does not actually own or have authority to originate.

This can happen in a few ways:

  • A malicious actor intentionally announces another network’s prefix
  • A provider or customer makes a routing mistake
  • Upstream networks accept and forward a bad route
  • A more specific prefix is announced to attract traffic

For example, if one network legitimately advertises a /24, another network might falsely advertise the same prefix or a more specific range in order to pull traffic away.

Other networks propagate the bad route

Once the false announcement is accepted by neighboring networks, it may spread to other providers and peers. Routers often choose what appears to be the best path based on BGP decision logic, not whether the route was truly authorized.

A more specific route is often preferred, which is why prefix hijacking can be especially effective.

Traffic is misdirected

When the false route wins, traffic follows the wrong path. The result may be one of several outcomes:

  • Blackholing: Traffic is dropped and the service becomes unreachable
  • Interception: Traffic passes through the hijacker’s network before being forwarded
  • Partial disruption: Some providers or regions are affected while others are not
  • Performance degradation: Users experience latency or instability instead of a full outage

This is why BGP hijacking can be confusing during incident response. Internally, the service may look fine. Externally, users may still be unable to reach it.

Common forms of BGP hijacking

Not every routing incident looks the same.

Prefix hijacking

This is the classic case. A network announces IP space it is not authorized to originate, and traffic to that prefix shifts away from the rightful owner.

More-specific route hijacking

An attacker or misconfigured network announces a more specific prefix than the legitimate one. Because routers often prefer the more specific route, traffic is attracted to the false path.

Route leaks

A route leak is not always the same as a deliberate hijack, but it can create similar disruption. Routes are propagated beyond their intended scope, causing unexpected and sometimes damaging path changes.

Why BGP hijacking matters

BGP hijacking is often described as a networking problem, but it has direct security implications.

Availability impact

The most obvious consequence is service disruption. Websites, APIs, VPNs, SaaS platforms, and other public services can become unreachable even if the systems themselves are working correctly.

Interception risk

In some cases, traffic is not simply dropped. It is routed through infrastructure controlled by the wrong party. That raises the possibility of inspection, manipulation, or surveillance, especially for poorly protected traffic.

Incident response confusion

When routing is the real problem, teams may initially suspect:

  • DDoS
  • DNS problems
  • Firewall issues
  • Application downtime
  • CDN misconfiguration

That can slow troubleshooting if routing telemetry is not part of the investigation.

When you are likely to encounter BGP hijacking

You are most likely to hear about BGP hijacking in environments that depend on internet-facing connectivity and global availability.

Common scenarios include:

  • Public service outages: A site is unreachable from some providers or countries
  • Cloud and CDN incidents: Hosted applications behave inconsistently across regions
  • ISP and network operations: Analysts monitor suspicious route announcements
  • Threat intelligence reporting: Researchers track routing anomalies and prefix abuse
  • Business continuity reviews: Teams assess upstream dependency and routing resilience

Smaller organizations may not manage BGP directly, but they can still be affected by a route hijack involving their hosting provider, cloud platform, CDN, or transit carrier.

How organizations reduce BGP hijacking risk

No single control eliminates internet routing risk, but several practices help.

Route filtering

Providers and peers should filter route announcements based on what customers and neighbors are actually authorized to advertise. Good filtering reduces accidental propagation of bad routes.

RPKI and route origin validation

RPKI helps networks verify which AS is authorized to originate a prefix. When operators enforce Route Origin Validation (ROV), unauthorized announcements are less likely to be accepted.

Monitoring for routing anomalies

Organizations with important public infrastructure often monitor for:

  • Unexpected prefix announcements
  • New origin ASNs
  • Sudden path changes
  • Regional reachability failures

Early detection can shorten the duration of an incident.

Provider diversity and resilience planning

Redundant providers, CDN strategies, and tested failover planning can reduce the business impact of routing issues.

For teams securing public services, strong account security for DNS, registrar, and infrastructure access is also important. A password manager like Try 1Password → can help reduce the risk of administrative account compromise that affects broader internet-facing operations.

If remote administrators regularly access infrastructure from public networks, a VPN such as Check NordVPN pricing → or Try Proton VPN → may improve connection privacy in transit, though it does not prevent BGP hijacking itself.

BGP

BGP is the protocol networks use to exchange routing information across the internet. BGP hijacking is an abuse or failure of that route advertisement process.

Route leak

A route leak is the unintended propagation of routes in violation of routing policy. It is not always malicious, but it can cause similar disruption.

Prefix hijacking

Prefix hijacking is a specific form of BGP hijacking in which unauthorized IP prefixes are announced to attract traffic.

Blackholing

Blackholing means traffic is routed into a path where it is dropped. Some hijacks result in blackholing rather than interception.

RPKI

RPKI is the framework used to validate route origin authorization. It is one of the most important modern controls for reducing successful origin hijacks.

Final takeaway

BGP hijacking is the unauthorized announcement of internet routes that causes traffic to be diverted, intercepted, or dropped. It is fundamentally a routing trust problem, but the consequences show up as security and availability issues for real services.

If your organization depends on public internet reachability, BGP hijacking belongs in your risk model even if you do not run BGP yourself. Good provider hygiene, routing validation, and monitoring help reduce the chance that a route hijack turns into a prolonged outage.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.