Every minute of every day, somewhere on the internet, a router is telling the rest of the network "I can reach IP range 192.0.2.0/24, send those packets to me." That sentence is a BGP announcement, and the entire global routing table is built from them. The problem is that nobody verifies the speaker. If a network announces a prefix it doesn't own — by mistake or on purpose — a chunk of the internet starts sending traffic to the wrong place. That's a BGP hijack.
How a hijack happens
Every ASN (see our ASN explainer) speaks BGP with its peers at internet exchange points and over private links. When a router learns multiple paths to the same destination, it picks the "best" one according to operator-configured rules — typically the shortest AS-path, the most-preferred peer, or the most-specific prefix.
That last detail is the lever attackers pull:
- More-specific hijack. If you own 198.51.100.0/24 and an attacker announces 198.51.100.128/25 (a tighter subnet), routers prefer the more-specific match — even if it came from someone else.
- Same-prefix hijack. An attacker announces the exact same prefix from a different origin AS. Some routers will accept either; geographic / policy preferences tilt the split.
- Path manipulation. The attacker doesn't claim to own the prefix, just to be a transit shortcut. Traffic flows through their network, where they can inspect, log, or drop it.
Famous incidents
- Pakistan vs. YouTube, February 2008. Pakistan Telecom announced 208.65.153.0/24 (a more-specific cut of YouTube's range) to black-hole the site inside Pakistan. The announcement leaked to PCCW and from there to most of the global table — YouTube was unreachable worldwide for ~2 hours.
- Indosat, April 2014. An Indonesian ISP announced 320,000 prefixes it didn't own for about three hours. Likely a misconfiguration, not malice; affected everyone from Akamai to Apple.
- Russia Telecom, December 2017. ~80 prefixes belonging to Mastercard, Visa, and Symantec were briefly routed through AS12389 in Russia. Origin unclear, impact modest, attention massive.
- Cloudflare's Resolver, July 2024. Eletronet (a Brazilian ASN) leaked the more-specific 1.1.1.0/24 route; ~6% of resolver traffic went the wrong way for a few hours. Cloudflare publicly attributed it and pushed for wider RPKI deployment.
The defence stack
Three layers work together. None is sufficient on its own; combined, they raise the cost of a successful hijack.
1. RPKI + ROAs (origin validation)
A Route Origin Authorization is a digitally-signed statement: "ASN X is authorised to originate prefix Y at maximum length Z." The five regional registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) host the trust anchors; networks publish ROAs covering their own resources.
Routers that perform Route Origin Validation drop announcements that conflict with a ROA. As of 2026, the major Tier-1s (Lumen, Cogent, NTT, Telia/Arelion, Tata) and most large CDNs validate. Cloudflare publishes their state at isbgpsafeyet.com.
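The origin-validation decision described above, written out following the RFC 6811 procedure. This is an added example, not code from the original page; the VRP table, the documentation ASNs 64496 and 64511, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Prefixes and ASNs are documentation values, not real allocations.
VRPS = [
    ("198.51.100.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # subnet_of() raises TypeError across IP versions, so check first.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        # Match needs the same origin AND a length within maxLength.
        # AS 0 in a ROA means "nobody may originate this".
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def apply_rov(announcements, vrps=VRPS):
    """Split announcements the way a router that drops invalids would."""
    accepted, dropped = [], []
    for prefix, origin_asn in announcements:
        state = validate_origin(prefix, origin_asn, vrps)
        (dropped if state == "invalid" else accepted).append((prefix, origin_asn, state))
    return accepted, dropped

# Constructed announcements: (prefix, origin AS taken from the end of the AS path).
SAMPLE = [
    ("198.51.100.0/24", 64496),    # legitimate origin
    ("198.51.100.128/25", 64511),  # more-specific from another AS
    ("198.51.100.0/24", 64511),    # same prefix, different origin
    ("198.51.100.128/25", 64496),  # right AS, but longer than maxLength
    ("203.0.113.0/24", 64511),     # no covering ROA
]

if __name__ == "__main__":
    accepted, dropped = apply_rov(SAMPLE)
    for row in accepted:
        print("accept", *row)
    for row in dropped:
        print("drop  ", *row)
```

The route with no covering ROA comes back not-found and is still accepted, so a prefix only gains protection from validating networks once its holder has published a ROA for it.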
2. IRR + filtering
Internet Routing Registries (RADb, AltDB, the RIR-hosted ones) hold route objects — older, weaker assertions of "this AS originates these prefixes." Most networks still generate their inbound prefix filters from IRR data because it predates RPKI and covers more of the table. Belt-and-braces with ROV.
3. Path-validation (ASPA, BGPsec)
ASPA (Autonomous System Provider Authorization) is the newest layer, addressing path manipulation rather than just origin. BGPsec — cryptographic path signing — has been on the IETF books since 2017 but has near-zero production deployment because of the per-hop signing cost.
What can you do?
- If you operate an ASN, publish ROAs for every prefix you announce. The RIRs' web tools make this 10-minute work. Don't deploy strict ROV until you're confident your filtering won't black-hole legitimate traffic.
- If you're a customer, ask your ISP whether they validate ROV inbound. Most "RPKI-safe" networks publish their stance.
- Monitor for hijacks against your own prefixes via RIPE Stat or commercial services (BGPmon, NLNOG RING). They'll alert you if a route to your space pops up from somewhere unexpected.
- IPFerret's per-ASN pages surface the currently-announced prefixes from RIPE's view of the global BGP table — useful to sanity-check what the internet thinks about a given network at any moment.
