What is BGP, and how do route hijacks happen?
BGP is how networks tell each other where to send packets. It's the routing fabric of the entire internet — and also one of its most fragile pieces. Here's how it works, why it occasionally fails spectacularly, and what's being done about it.
In 2008, Pakistan tried to censor YouTube within its borders by announcing a small chunk of YouTube's IP address space as belonging to Pakistan Telecom. The announcement leaked beyond Pakistan, was accepted by major upstream providers, and within minutes traffic for YouTube globally was being routed to a black hole in Karachi. YouTube was offline worldwide for almost two hours.
The protocol that made that possible — and that runs every routing decision on every network on the public internet — is BGP, the Border Gateway Protocol. Most users have never heard of it. Network engineers think about it every day.
The two-line summary
BGP is how independent networks tell each other "I can reach these IP ranges." Every network on the internet runs BGP at its edge, learning routes from neighbors and announcing its own. The full BGP routing table — about 950,000 IPv4 routes and 220,000 IPv6 routes in 2026 — is the map of the internet.
Without BGP, networks couldn't agree on how to forward each other's traffic. With BGP, they coordinate continuously, with surprisingly few problems given the scale.
How BGP works
The internet is a network of networks. Each separately-administered network is an Autonomous System (AS) with a unique ASN. ASes connect to each other at "peering points" — direct cross-connects, internet exchange points (IXPs), or transit relationships.
At each connection between two ASes, BGP routers exchange routes. A route is, simply: "I can reach this IP range, via this path of ASes."
"I am AS65000.
I can reach 203.0.113.0/24 via path: AS65000 → AS65001 → AS15169."
The receiving router stores this in its routing table along with thousands of other route entries. When it needs to forward a packet whose destination falls in 203.0.113.0/24, it looks up the table, picks the best matching route, and forwards the packet to the next hop.
"Best" is a complex calculation involving:
- Prefix length — more specific routes win. A /24 is preferred over a /16 for the same destination.
- Local preference — the network operator's policy choices.
- AS path length — fewer ASes in the path is generally preferred.
- Other tiebreakers — MED, origin, IGP cost, router ID.
Every BGP router on every network applies these rules continuously. Aggregated, this is how packets find their way across the internet.
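To make the selection order concrete, here is a small model of the decision above (added here as an illustration, not code from any router or from the original article). It uses documentation prefixes and private ASNs that are all constructed: AS65001 holds 203.0.112.0/22, another network leaks a /24 inside it, and the holder claws traffic back with /25s, the same shape as the 2008 incident.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str             # announced IP range, e.g. "203.0.113.0/24"
    as_path: tuple          # ASes traversed; the last element is the origin AS
    local_pref: int = 100   # operator policy knob; higher is preferred

def best_route(table, dst_ip):
    """Return the route a BGP speaker forwards dst_ip along.
    Order follows the article: longest matching prefix first, then the
    operator's local preference, then the shortest AS path. The remaining
    tiebreakers (MED, origin, IGP cost, router ID) are left out here."""
    dst = ipaddress.ip_address(dst_ip)
    covering = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not covering:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in covering)
    most_specific = [r for r in covering
                     if ipaddress.ip_network(r.prefix).prefixlen == longest]
    return min(most_specific, key=lambda r: (-r.local_pref, len(r.as_path)))

def origin(route):
    return route.as_path[-1]

# Constructed scenario (documentation addresses, private ASNs):
LEGIT = Route("203.0.112.0/22", (65010, 65001))            # holder's normal route
LEAK = Route("203.0.113.0/24", (65011, 65012, 65002))      # longer path, but more specific
RECLAIM = [Route("203.0.113.0/25", (65010, 65001)),        # holder's more-specifics
           Route("203.0.113.128/25", (65010, 65001))]

if __name__ == "__main__":
    print(origin(best_route([LEGIT, LEAK], "203.0.113.10")))            # 65002: the leak wins
    print(origin(best_route([LEGIT, LEAK] + RECLAIM, "203.0.113.10")))  # 65001: /25s win it back
```

Note that the leak wins even though its AS path is longer: prefix length is evaluated before path length, which is exactly why a leaked more-specific spreads so far.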
What gets announced
A network announces:
- IP ranges it owns (allocated by RIRs).
- IP ranges of customers paying it for transit.
- Sometimes IP ranges of partners, depending on peering policy.
What you announce determines who'll send you traffic. Announce wrong and traffic that should've gone elsewhere ends up at you.
How BGP "trust" works (and doesn't)
Here's the part that sounds wild: BGP runs on trust.
Historically, when a router received a route announcement from a peer, it just believed it. There was no cryptographic verification. There was no central authority enforcing "you actually own this IP range." If your router said "I can reach 8.8.8.8/24," neighboring routers would consider it.
This is the system that has run for 30+ years. It works because the operators are professionals who set policies carefully and police bad behavior socially. But the inherent vulnerability is obvious: a misconfigured or malicious announcement can disrupt routing globally.
That's a route hijack.
Famous route hijacks
Pakistan / YouTube (2008)
Already mentioned. Pakistan Telecom announced YouTube's /24 as its own. Their upstream (PCCW) accepted the announcement and propagated it. Routers around the world preferred the more specific Pakistani route. YouTube → black hole.
Resolved by YouTube announcing more-specific routes (/25s) of their own to claw back traffic, and PCCW filtering Pakistan's leak.
China Telecom (2010)
For 18 minutes, China Telecom (AS4134) advertised paths for around 50,000 IP prefixes — about 15% of the internet at the time — including major US government and commercial sites. Traffic for many destinations was briefly routed through China Telecom's backbone before reaching the actual destination.
Likely a misconfiguration. Possible deliberate intelligence-gathering. The full story was never fully clarified.
MyEtherWallet (2018)
Attackers compromised a small ISP's BGP and announced specific Amazon Route 53 prefixes (the DNS service hosting MyEtherWallet's domain). Users querying DNS for MyEtherWallet were routed to the attacker's servers, which served a malicious version of the wallet site. Users lost cryptocurrency.
This was a deliberate attack — coordinated with DNS hijacking on the resolver side — and shows the impact possible when BGP and DNS combine into a single trust failure.
Google (2017, multiple)
Google's traffic to its own services has been hijacked or accidentally rerouted by Russian, Chinese, and Nigerian networks at various times. Each incident lasted minutes to hours; each was resolved by Google announcing more-specific routes or coordinating with upstreams.
How hijacks get noticed
In 2026, a coalition of monitoring services watches global routing in real time:
- BGPmon (now part of Cisco), OONI, RIPE RIS, RouteViews — collect BGP feeds from hundreds of vantage points.
- Cloudflare Radar, Kentik, Catchpoint — provide dashboards and alerting.
- NLNOG RING — gives operators traceroutes from around the world to verify routing.
A serious hijack triggers automatic alerts within minutes. Network operators on call respond: contact the misbehaving network's NOC, ask the network's upstream providers to filter, escalate to incident response.
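The core of that alerting is simple: compare what vantage points observe against the origins an operator expects. Below is an added example of that check (not code from any of the services named above); the feed format, vantage names, prefixes and ASNs are all constructed for the illustration.

```python
import ipaddress
from collections import namedtuple

Observation = namedtuple("Observation", "vantage prefix as_path")

# Constructed feed in a simple "vantage prefix as_path" text format
# (not a real collector's format). Vantage names and ASNs are made up.
FEED = """\
vp1 203.0.112.0/22 65010 65001
vp2 203.0.112.0/22 65020 65010 65001
vp2 203.0.113.0/24 65011 65012 65002
vp3 203.0.113.0/24 65013 65002
vp1 198.51.100.0/24 65030 65003
"""

def parse_feed(text):
    out = []
    for line in text.splitlines():
        vantage, prefix, *path = line.split()
        out.append(Observation(vantage, prefix, tuple(int(a) for a in path)))
    return out

def detect_hijacks(observations, monitored):
    """monitored maps a prefix to the set of ASNs allowed to originate it or
    any more-specific of it. Returns one alert per (prefix, origin) seen from
    an unexpected origin, with the vantage points that saw it, so an operator
    can judge how far it has spread before calling the upstream's NOC."""
    alerts = {}
    for obs in observations:
        net = ipaddress.ip_network(obs.prefix)
        for mon_prefix, allowed in monitored.items():
            mon_net = ipaddress.ip_network(mon_prefix)
            if net.version != mon_net.version or not net.subnet_of(mon_net):
                continue
            origin = obs.as_path[-1]
            if origin not in allowed:
                alerts.setdefault((obs.prefix, origin), set()).add(obs.vantage)
    return alerts

MONITORED = {"203.0.112.0/22": {65001}}   # constructed: AS65001 is the legitimate holder

if __name__ == "__main__":
    for (prefix, origin), seen_at in detect_hijacks(parse_feed(FEED), MONITORED).items():
        print(f"ALERT {prefix} originated by AS{origin}, seen at {sorted(seen_at)}")
```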
What's being done to fix BGP
Three layered improvements have been rolling out for years.
1. RPKI (Resource Public Key Infrastructure)
The big one. RPKI lets IP block holders cryptographically declare "AS X is authorized to announce IP range Y." Routers can validate received announcements against published RPKI records and drop ones that don't check out (called "ROV" — Route Origin Validation).
In 2026, RPKI ROV is widely deployed but not universal. Major networks (Cloudflare, Google, AT&T, NTT, many large ISPs) drop invalid routes by default. Smaller networks lag. The ecosystem keeps tightening.
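What a router does with those records, as an added example (not code from any RPKI validator or from the article): each ROA says which AS may originate a prefix and how specific the announcement may be (its maxLength). The ROA, prefixes and ASNs below are constructed; the three outcomes are the Valid, Invalid and NotFound states of RFC 6811.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    """Route Origin Authorization: the holder of `prefix` authorizes `asn`
    to originate it, and any more-specific of it up to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int

def validate_origin(roas, announced_prefix, origin_as):
    """Route Origin Validation as a router applies it to one received route."""
    net = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA speaks to this address space at all
    for roa in covering:
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered by a ROA, but wrong origin or too specific

def apply_rov(roas, announcements):
    """Keep what a ROV-enabled router keeps: valid and not-found routes.
    Dropping not-found as well would discard the still-unsigned part of the internet."""
    return [(p, a) for p, a in announcements if validate_origin(roas, p, a) != "invalid"]

# Constructed data: AS65001 holds 203.0.112.0/22 and signs a ROA allowing /22 to /24.
ROAS = [ROA("203.0.112.0/22", 24, 65001)]
ANNOUNCEMENTS = [
    ("203.0.112.0/22", 65001),   # the holder's normal route
    ("203.0.113.0/24", 65002),   # a /24 inside it announced by another AS
    ("203.0.113.0/25", 65001),   # the holder's own reclaim /25: beyond its ROA's maxLength
    ("198.51.100.0/24", 65003),  # space nobody has signed a ROA for
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix} from AS{asn}: {validate_origin(ROAS, prefix, asn)}")
```

The third announcement is the practical caveat: if a holder plans to fight a leak with more-specifics, its ROAs must already permit that length, or ROV-filtering networks will drop the reclaim routes along with the leak.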
2. AS-PATH validation (BGPsec)
A more ambitious cryptographic scheme that signs the entire AS path of a route, not just its origin. Stops a wider class of attacks. Adoption has been slower because it requires new router hardware and software in the path.
3. Mutually Agreed Norms for Routing Security (MANRS)
A community initiative — networks that join MANRS commit to filtering, anti-spoofing, valid contact info, and global validation. It's the social engineering side of routing security: peer pressure on operators to behave well.
What this means for users
Almost nothing, day to day. BGP is invisible. You don't configure it; your home network doesn't run it; your apps don't see it.
What you can do:
- Use HTTPS for everything. A BGP hijack can route your traffic to an attacker, but HTTPS prevents them from reading or modifying it (the attacker won't have a valid TLS cert for the domain).
- Use DNSSEC-validated DNS. Combined with HTTPS, this prevents the DNS-hijack-plus-BGP-hijack combo from succeeding.
- For high-value sites, consider monitoring. If you run a site whose IP range routing matters, sign up for BGP monitoring alerts.
Quick FAQ
Can I run BGP at home? Technically yes — you'd need an ASN, a public IP block, and a router that speaks BGP. Practically no, for a home user. BGP is for organizations with multi-homed networks.
Why don't routers just verify announcements? They are starting to, via RPKI ROV. The deployment has been slow because BGP is decades old and the global router fleet is hard to update. We're maybe 70% of the way there in 2026.
Are BGP hijacks intentional or accidental? Both. Most are misconfigurations. A meaningful minority are deliberate — for censorship, intelligence gathering, or theft.
Does my ISP do anything to protect against this? Quality ISPs do — they filter customer announcements (so customers can't accidentally announce others' IPs), implement RPKI ROV, and monitor their network. Lower-tier ISPs vary. The big-three transit providers (Lumen/CenturyLink, GTT, NTT) have all implemented filtering at scale.
Is there a successor to BGP? Various academic proposals (SCION, RINA) try to design a routing protocol with cryptographic guarantees from the ground up. None have meaningful adoption. BGP is the routing protocol; the work is making it incrementally better.
TL;DR
- BGP is how networks tell each other where to send packets.
- It runs on trust; routes are accepted unless filtered.
- Hijacks happen — sometimes accidentally, sometimes deliberately.
- RPKI is the main defense, gradually being deployed globally.
- For users: HTTPS plus DNSSEC defends against most hijack-derived attacks.
The next time you read about an "internet outage" affecting one specific service or region, BGP is the most likely cause. The protocol that quietly runs the entire internet is also the one most likely to fail in the open.