How does BGP hijacking occur, and how can you prevent it?

BGP hijacking is a serious network security threat where an attacker injects false BGP routes into the global routing system, diverting traffic to malicious destinations, blackholing it, or enabling man-in-the-middle (MITM) attacks.

🚨 How BGP Hijacking Occurs

BGP (Border Gateway Protocol) works on trust — any Autonomous System (AS) can announce prefixes without built-in validation. BGP hijacking exploits this:

🔧 Common Types of BGP Hijacks:

  1. Prefix Hijack

    • An AS announces a prefix it doesn’t own (e.g., AS64500 advertises 192.0.2.0/24).

    • If upstream providers accept and propagate this, traffic destined to the real owner is rerouted to the hijacker.

  2. Subprefix Hijack

    • Hijacker announces a more specific prefix (e.g., 192.0.2.0/25 instead of 192.0.2.0/24).

    • Since forwarding always uses the longest matching prefix, the /25 takes precedence over the legitimate /24 for that half of the address space, even though the /24 is still in the table.

  3. AS Path Manipulation

    • Hijacker spoofs an AS path to appear as a legitimate route.

    • Can be used to hide the origin or manipulate routing decisions.

  4. Man-in-the-Middle (MITM)

    • Traffic is rerouted through the attacker, observed or modified, then forwarded to the correct destination.

🛡️ How to Prevent BGP Hijacking

1. Use RPKI (Resource Public Key Infrastructure)

  • Validates that an AS is authorized to originate specific prefixes.

  • Uses ROAs (Route Origin Authorizations) to cryptographically bind IP prefixes to AS numbers.

  • Routers can be configured to drop "invalid" routes.

RPKI is the most effective tool to prevent prefix hijacking today, though it validates only the origin AS of a route, not the rest of the AS path.
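To make the hijack types above and the RPKI check concrete, here is an added example (not code from the original post) that models a router's route selection and RFC 6811 Route Origin Validation. It assumes, as constructed values, that AS64496 legitimately originates 192.0.2.0/24 through transit AS64501 and has published an ROA for it, and reuses the post's AS64500 as the hijacker; all ASNs and prefixes are documentation numbers.

```python
"""Added example (not code from the original post): a toy model of BGP route
selection and RPKI Route Origin Validation (ROV).

Constructed assumptions: AS64496 legitimately originates 192.0.2.0/24 through
transit AS64501 and has published an ROA for it; AS64500 is the hijacker from
the post. All ASNs and prefixes are documentation values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # AS_PATH as received; the origin AS is the last element

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: prefix, maxLength, authorised origin ASN."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def rov_state(route: Route, roas) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"  # no ROA covers this prefix at all
    for roa in covering:
        if roa.asn == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin or more specific than maxLength


def rov_filter(rib, roas):
    """Drop routes a validating router configured to reject 'invalid' would drop."""
    return [r for r in rib if rov_state(r, roas) != "invalid"]


def best_route(rib, address):
    """Simplified selection: longest prefix match, then shortest AS_PATH."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


LEGIT = Route(net("192.0.2.0/24"), (64501, 64496))             # real owner via its transit
PREFIX_HIJACK = Route(net("192.0.2.0/24"), (64500,))            # same prefix, shorter path
SUBPREFIX_HIJACK = Route(net("192.0.2.0/25"), (64501, 64500))   # more specific prefix
RIB = [LEGIT, PREFIX_HIJACK, SUBPREFIX_HIJACK]
ROAS = [Roa(net("192.0.2.0/24"), 24, 64496)]  # maxLength 24: no /25s are authorised


if __name__ == "__main__":
    for r in RIB:
        print(r.prefix, r.as_path, rov_state(r, ROAS))
    print("without ROV:", best_route(RIB, "192.0.2.10").origin_as)                  # 64500
    print("with ROV:   ", best_route(rov_filter(RIB, ROAS), "192.0.2.10").origin_as)  # 64496
```

Without validation the sub-prefix hijack wins for 192.0.2.10 through longest-prefix match, and the same-length hijack wins for 192.0.2.200 because its AS_PATH is shorter; both hijack routes are classified "invalid" by the ROA (wrong origin, or /25 longer than maxLength 24) and, once dropped, the legitimate origin is selected. Note that an ROA with maxLength set no longer than the announced prefix is what defeats the sub-prefix case.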

2. Prefix Filtering (by ISPs and peers)

  • Only allow customers to announce prefixes they own.

  • Maintain prefix-lists or use IRR databases (e.g., RADb) to validate announcements.

ISPs must implement filtering for their customers to avoid propagating hijacks.

3. Max Prefix Limits

  • Prevents a peer or customer from announcing an unexpected number of routes (helps detect hijacks or leaks).
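The following is an added example (not code from the original post) of the ingress policy an ISP would apply to a customer session, combining the prefix-list filtering of section 2 with the max-prefix limit of section 3. It assumes, as constructed values, that customer AS64496 is registered for 192.0.2.0/24 and may de-aggregate down to /25, and uses a max-prefix limit of 2 so that the teardown is visible in a short run.

```python
"""Added example (not code from the original post): a per-customer BGP ingress
policy combining a prefix-list filter with a max-prefix limit.

Constructed assumptions: customer AS64496 is registered (IRR or ROA data) for
192.0.2.0/24 and may announce it de-aggregated down to /25; the session's
max-prefix limit is 2, deliberately tiny so the teardown is visible.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list entry: 'permit <prefix> le <le>' in router syntax."""
    prefix: ipaddress.IPv4Network
    le: int  # longest prefix length this entry permits

    def permits(self, prefix: ipaddress.IPv4Network) -> bool:
        return prefix.subnet_of(self.prefix) and prefix.prefixlen <= self.le


@dataclass
class CustomerSession:
    peer_as: int
    prefix_list: list
    max_prefix: int
    accepted: dict = field(default_factory=dict)  # prefix -> AS_PATH
    state: str = "established"

    def receive(self, prefix_str: str, as_path) -> str:
        """Apply ingress policy to one announcement and return the action."""
        if self.state != "established":
            return "session-down"
        prefix = ipaddress.ip_network(prefix_str)
        # The first AS in the path must be the customer itself (enforce-first-as),
        # so the customer cannot present a route as coming from somewhere else.
        if not as_path or as_path[0] != self.peer_as:
            return "reject:first-as"
        # Only prefixes the customer is registered for, within the allowed length.
        if not any(rule.permits(prefix) for rule in self.prefix_list):
            return "reject:prefix-list"
        # Max-prefix (simplified: counts accepted prefixes). Exceeding it tears
        # the session down, which bounds the damage of a leak or a hijack burst.
        if prefix not in self.accepted and len(self.accepted) >= self.max_prefix:
            self.state = "teardown:max-prefix"
            self.accepted.clear()
            return "session-down"
        self.accepted[prefix] = tuple(as_path)
        return "accept"


def example_session() -> CustomerSession:
    """Fresh session for customer AS64496 (constructed values)."""
    return CustomerSession(
        peer_as=64496,
        prefix_list=[PrefixRule(ipaddress.ip_network("192.0.2.0/24"), le=25)],
        max_prefix=2,
    )


# Constructed announcements, in the order the customer sends them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", (64496,)),          # owned, accepted
    ("192.0.2.0/26", (64496,)),          # too specific for the prefix-list
    ("198.51.100.0/24", (64496,)),       # not the customer's space (hijack attempt)
    ("192.0.2.0/24", (64500, 64496)),    # path does not start with the customer
    ("192.0.2.0/25", (64496,)),          # owned, accepted (2nd prefix)
    ("192.0.2.128/25", (64496,)),        # would be the 3rd: max-prefix teardown
    ("192.0.2.0/24", (64496,)),          # ignored: session is down
]


def run_scenario():
    """Replay ANNOUNCEMENTS against a fresh session; returns the action per update."""
    session = example_session()
    return [session.receive(p, path) for p, path in ANNOUNCEMENTS]


if __name__ == "__main__":
    for (p, path), action in zip(ANNOUNCEMENTS, run_scenario()):
        print(f"{p:18} {str(path):18} -> {action}")
```

In a real deployment the prefix-list would be generated from IRR route objects and ROAs rather than typed by hand, and the max-prefix value is set with headroom above the customer's expected count so that growth does not trip it while a full-table leak still does.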

4. BGP Session Security

  • Use MD5 authentication (the TCP MD5 signature option) on BGP sessions to prevent session hijacking.

  • Deploy TTL security (GTSM, the Generalized TTL Security Mechanism) to discard spoofed BGP packets that did not arrive from a directly connected peer.

5. BGP Monitoring and Detection

  • Use tools and services like:

    • BGPMon

    • RIPE RIS

    • ARIN's Route Origin Validation

    • Cloudflare's BGPStream

  • Set up alerting for unexpected changes in your prefix announcements.
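Here is an added example (not code from the original post) of the kind of alerting logic the monitoring section describes, run over a few constructed observations shaped like route-collector data (collector peer, prefix, AS_PATH). It assumes, as constructed values, that we are AS64496, expect to originate 192.0.2.0/24 only, and reach the Internet only through transit AS64501; the observation records are made up and are not output of any real collector.

```python
"""Added example (not code from the original post): a minimal hijack detector
run over constructed route-collector style observations.

Constructed assumptions: we are AS64496, originate 192.0.2.0/24, and use only
AS64501 as transit. Timestamps, collector peers and paths are made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    prefix: ipaddress.IPv4Network
    origin_as: int
    upstreams: frozenset  # ASNs allowed to appear directly before our origin


EXPECTATIONS = [
    Expectation(ipaddress.ip_network("192.0.2.0/24"), 64496, frozenset({64501})),
]

# Constructed observations: (timestamp, collector peer AS, prefix, AS_PATH)
OBSERVATIONS = [
    ("2024-01-01T00:00:00Z", 64510, "192.0.2.0/24", (64510, 64501, 64496)),          # normal
    ("2024-01-01T00:01:00Z", 64511, "192.0.2.0/24", (64511, 64501, 64496, 64496)),   # normal, prepended
    ("2024-01-01T00:05:00Z", 64511, "192.0.2.0/24", (64511, 64500)),                 # prefix hijack
    ("2024-01-01T00:06:00Z", 64510, "192.0.2.0/25", (64510, 64501, 64500)),          # sub-prefix hijack
    ("2024-01-01T00:07:00Z", 64511, "192.0.2.0/24", (64511, 64502, 64496)),          # unexpected upstream
    ("2024-01-01T00:08:00Z", 64510, "198.51.100.0/24", (64510, 64503)),              # not our prefix
]


def collapse_prepends(path):
    """Remove consecutive repeats so AS-path prepending does not cause alerts."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def check(observation, expectations):
    """Return (timestamp, kind, prefix, asn) alerts for one observation."""
    ts, _peer, prefix_str, raw_path = observation
    prefix = ipaddress.ip_network(prefix_str)
    path = collapse_prepends(raw_path)
    origin = path[-1]
    alerts = []
    for exp in expectations:
        if not prefix.subnet_of(exp.prefix):
            continue  # observation is about someone else's space
        if prefix != exp.prefix:
            # A more specific of our prefix is being announced by somebody.
            alerts.append((ts, "MORE_SPECIFIC", prefix_str, origin))
        if origin != exp.origin_as:
            alerts.append((ts, "ORIGIN_MISMATCH", prefix_str, origin))
        elif len(path) >= 2 and path[-2] not in exp.upstreams:
            # Right origin, but the neighbour before us is not our transit:
            # a route leak or a forged path.
            alerts.append((ts, "UNEXPECTED_UPSTREAM", prefix_str, path[-2]))
    return alerts


def scan(observations, expectations):
    return [a for obs in observations for a in check(obs, expectations)]


if __name__ == "__main__":
    for alert in scan(OBSERVATIONS, EXPECTATIONS):
        print(*alert)
```

The "unexpected upstream" check is the one that catches AS-path manipulation where the hijacker keeps the real origin at the end of a forged path; origin-only monitoring (and RPKI) would see nothing wrong with that route.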

6. Route Dampening and Filtering

  • Apply route dampening to suppress unstable prefixes.

  • Filter bogon IP space and suspicious AS paths.
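As an added example (not code from the original post) of the bogon and AS-path filtering in this section, the block below rejects announcements for reserved address space, unreasonable prefix lengths, and AS paths that contain reserved ASNs or are implausibly long. Both lists are constructed and deliberately partial: the documentation ranges (192.0.2.0/24 and friends, AS64496-64511, AS65536-65551) are left out so that this page's example values still pass, and the path-length threshold of 50 is an assumption; a real deployment takes the lists from a maintained bogon feed.

```python
"""Added example (not code from the original post): an ingress filter that
rejects bogon prefixes, unreasonable prefix lengths, and AS_PATHs containing
reserved ASNs or that are implausibly long.

Constructed, deliberately partial lists: bogon prefixes cover RFC 1918,
loopback, link-local, 0.0.0.0/8, multicast and class E; reserved ASNs are
AS0, AS_TRANS (23456), the private ranges and the two all-ones values.
Documentation ranges are omitted so this page's example values still pass.
"""
import ipaddress

BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
BOGON_ASN_RANGES = [
    (0, 0), (23456, 23456), (64512, 65534), (65535, 65535),
    (4200000000, 4294967294), (4294967295, 4294967295),
]
MIN_PREFIXLEN, MAX_PREFIXLEN = 8, 24  # common IPv4 policy: no /7s, no /25s
MAX_PATH_LEN = 50                     # assumption: longer paths are treated as suspicious


def is_bogon_prefix(prefix: ipaddress.IPv4Network) -> bool:
    """True if the prefix lies inside reserved space."""
    return any(prefix.subnet_of(b) for b in BOGON_PREFIXES)


def is_bogon_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def filter_update(prefix_str: str, as_path) -> str:
    """Return 'accept' or 'reject:<reason>' for one announcement."""
    prefix = ipaddress.ip_network(prefix_str)
    if not (MIN_PREFIXLEN <= prefix.prefixlen <= MAX_PREFIXLEN):
        return "reject:prefix-length"
    if is_bogon_prefix(prefix):
        return "reject:bogon-prefix"
    if len(as_path) > MAX_PATH_LEN:
        return "reject:path-too-long"
    bad = [a for a in as_path if is_bogon_asn(a)]
    if bad:
        return f"reject:bogon-asn:{bad[0]}"
    return "accept"


# Constructed sample announcements (documentation ASNs are deliberately allowed).
SAMPLES = [
    ("192.0.2.0/24", (64501, 64496)),             # accept
    ("10.1.0.0/16", (64501, 64496)),              # RFC 1918 space
    ("192.0.2.0/25", (64501, 64496)),             # too specific
    ("0.0.0.0/0", (64501,)),                      # default route: too short
    ("192.0.2.0/24", (64501, 65001, 64496)),      # private ASN in the path
    ("192.0.2.0/24", (64501, 0)),                 # AS0 origin
    ("192.0.2.0/24", (64501,) * 60 + (64496,)),   # absurdly long path
]


def run_samples():
    return [filter_update(p, path) for p, path in SAMPLES]


if __name__ == "__main__":
    for (p, path), verdict in zip(SAMPLES, run_samples()):
        print(f"{p:16} len(path)={len(path):<3} -> {verdict}")
```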

🌐 Global Coordination

  • Work with Regional Internet Registries (RIRs) and participate in MANRS (Mutually Agreed Norms for Routing Security).

  • Join RPKI validator communities and route collector projects.

✅ Summary Table

Prevention Method     | Benefit
----------------------|--------------------------------
RPKI                  | Validates prefix origins
Prefix Filtering      | Stops invalid announcements
Max Prefix Limits     | Limits large leaks or attacks
BGP MD5/TTL Security  | Protects session integrity
Monitoring Tools      | Detects and alerts on hijacks
Routing Policies      | Enforce route control
