What BGP does

The Border Gateway Protocol exchanges reachability information between autonomous systems. DNS tells a client which IP address a service uses; BGP tells networks which path should carry traffic toward that address.

An autonomous system is a network, or group of networks, operated under one routing policy. Each is identified by an autonomous system number and exchanges routes with upstream providers, peers or customers.

How a hijack happens

A BGP hijack begins when an autonomous system announces an IP prefix that it is not authorized to originate. If neighboring networks accept and propagate that route, traffic may be misdirected, intercepted or dropped.

A false announcement can win because the protocol was designed around cooperation and trust: a BGP speaker has no built-in way to check that a neighbour is entitled to announce a prefix, so it accepts what its neighbours tell it. Validation therefore has to be added by operators instead of assumed by default.

  • A more-specific prefix wins regardless of how the broader announcement compares: routers forward on the longest matching prefix, so a false /24 captures traffic for its addresses even while the legitimate /22 remains in the routing table.
  • When prefix length is equal, the two routes compete in best-path selection, and the false one may still be chosen if its AS path is shorter or other attributes, such as local preference, make it more attractive to neighbouring networks.
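The two selection effects above, as an added example that is not part of the original article. The prefixes, AS numbers and AS paths are constructed for illustration; real BGP best-path selection compares many attributes, and the tie-break here is simplified to AS path length.

```python
import ipaddress

# Constructed sample announcements (illustrative prefixes and AS numbers, not
# real routing data). Each route is (prefix, AS path); the origin AS is the
# last element of the path.
LEGITIMATE = ("10.10.0.0/22", [64501, 64496])            # holder AS64496, heard via AS64501
HIJACK_MORE_SPECIFIC = ("10.10.1.0/24", [64502, 64666])  # bogus /24 originated by AS64666
HIJACK_SAME_LENGTH = ("10.10.0.0/22", [64666])           # bogus /22 with a shorter AS path


def install(rib, prefix, as_path):
    """Add a route to a per-prefix RIB, keeping the best route for each prefix.

    Real BGP selection walks many attributes (local preference, MED, ...);
    this simplification uses only AS path length as the tie-breaker.
    """
    net = ipaddress.ip_network(prefix)
    current = rib.get(net)
    if current is None or len(as_path) < len(current):
        rib[net] = list(as_path)


def lookup(rib, address):
    """Forwarding lookup: longest-prefix match across all installed routes."""
    addr = ipaddress.ip_address(address)
    covering = [net for net in rib if net.version == addr.version and addr in net]
    if not covering:
        return None
    best = max(covering, key=lambda net: net.prefixlen)
    return best, rib[best]


def traffic_capture(routes, address):
    """Return (matched prefix, origin AS) that would carry traffic to `address`."""
    rib = {}
    for prefix, as_path in routes:
        install(rib, prefix, as_path)
    hit = lookup(rib, address)
    if hit is None:
        return None
    net, as_path = hit
    return str(net), as_path[-1]


if __name__ == "__main__":
    # The /24 hijack captures 10.10.1.0/24 but leaves the rest of the /22 alone.
    print(traffic_capture([LEGITIMATE, HIJACK_MORE_SPECIFIC], "10.10.1.5"))
    print(traffic_capture([LEGITIMATE, HIJACK_MORE_SPECIFIC], "10.10.3.5"))
    # The same-length hijack wins the whole /22 on AS path length alone.
    print(traffic_capture([LEGITIMATE, HIJACK_SAME_LENGTH], "10.10.3.5"))
```

The first lookup shows why a more-specific hijack is so effective: nothing about the legitimate /22 is compared at all, the /24 simply wins the forwarding lookup for its addresses.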

Internet Routing Registries

Internet Routing Registries allow operators to publish route and policy objects. They remain useful for building filters, but records can be stale, duplicated or insufficiently verified.

That makes IRR data helpful but not sufficient on its own. A route object can guide filtering, but operators still need accurate records and a process for removing outdated objects.

RPKI and route origin authorization

Resource Public Key Infrastructure adds cryptographic authorization. A route origin authorization (ROA) states which autonomous system may originate a prefix and, through its maxLength field, the most specific announcement that is permitted.

The prefix holder signs this authorization and publishes it through RPKI repositories. Validators fetch and cryptographically verify the signed objects and reduce them to validated ROA payloads; routers compare the prefix and origin AS of each received route against those payloads and classify the route as valid, invalid or not found.
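The classification step, as an added example rather than code from the original article. It follows the RFC 6811 rules: a route is "not found" when no ROA covers its prefix, "valid" when at least one covering ROA names its origin AS and permits its prefix length, and "invalid" otherwise. The ROAs, prefixes and AS numbers are constructed sample data; the AS0 entry shows how a holder states that nobody may originate a block.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One route origin authorization: prefix, maxLength and authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (illustrative, not real RPKI data).
ROAS = [
    ROA("10.10.0.0/22", 24, 64496),  # AS64496 may originate the /22 and sub-prefixes down to /24
    ROA("10.20.0.0/16", 16, 64497),  # AS64497 may originate exactly the /16, nothing more specific
    ROA("10.30.0.0/16", 16, 0),      # AS0 ROA: no AS is authorized to originate this space
]


def covering_roas(roas, prefix):
    """ROAs whose prefix contains `prefix` (the RFC 6811 notion of 'covered')."""
    net = ipaddress.ip_network(prefix)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def validate(roas, prefix, origin_asn):
    """Classify a (prefix, origin AS) pair as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "not-found"
    for roa in covering:
        # Origin AS must match and the announcement must not be more specific
        # than maxLength allows. An AS0 ROA never matches a real origin.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    for prefix, origin in [("10.10.1.0/24", 64496), ("10.10.1.0/25", 64496),
                           ("10.10.0.0/22", 64666), ("10.30.0.0/16", 64498),
                           ("10.40.0.0/16", 64498)]:
        print(prefix, origin, validate(ROAS, prefix, origin))
```

Note the two different ways an announcement ends up invalid: the wrong origin AS (a hijack) and a prefix more specific than maxLength allows, which is why a holder should set maxLength no larger than it actually needs.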

From validation to enforcement

Creating route origin authorizations is only the first step. Networks must also run validators, deliver validated prefix information to routers and apply an origin-validation policy. Deployment should be monitored carefully so configuration mistakes do not become outages.

The RPKI-to-Router (RTR) protocol delivers validated prefix information from validators to routers. It runs over TCP, optionally protected by SSH or TLS, so validator placement, transport security and operational monitoring still matter.
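What a router actually receives over that session, as an added example that is not part of the original article. The code encodes and decodes the RTR protocol version 1 PDU layouts from RFC 8210 (Cache Response, IPv4/IPv6 Prefix, End of Data) and applies announce and withdraw flags to build the router's VRP set; the session id, serial number, timers and prefixes are constructed sample values, and the TCP transport itself is outside the example.

```python
import ipaddress
import struct

# Constants from RFC 8210 (RTR protocol version 1).
RTR_VERSION = 1
PDU_CACHE_RESPONSE = 3
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
PDU_END_OF_DATA = 7
FLAG_ANNOUNCE = 0x01  # bit clear means withdraw


def build_prefix_pdu(prefix, max_length, asn, announce=True):
    """Encode an IPv4 (20 bytes) or IPv6 (32 bytes) Prefix PDU as a cache sends it."""
    net = ipaddress.ip_network(prefix)
    flags = FLAG_ANNOUNCE if announce else 0
    if net.version == 4:
        ptype, length, fmt = PDU_IPV4_PREFIX, 20, "!BBHIBBBB4sI"
    else:
        ptype, length, fmt = PDU_IPV6_PREFIX, 32, "!BBHIBBBB16sI"
    return struct.pack(fmt, RTR_VERSION, ptype, 0, length, flags,
                       net.prefixlen, max_length, 0, net.network_address.packed, asn)


def build_cache_response(session_id):
    return struct.pack("!BBHI", RTR_VERSION, PDU_CACHE_RESPONSE, session_id, 8)


def build_end_of_data(session_id, serial, refresh, retry, expire):
    return struct.pack("!BBHIIIII", RTR_VERSION, PDU_END_OF_DATA, session_id, 24,
                       serial, refresh, retry, expire)


def parse_cache_response(stream):
    """Parse one cache response exchange and return the resulting VRP set.

    Returns a dict with session_id, serial, the refresh/retry/expire timers and
    'vrps' as a set of (prefix, max_length, asn) tuples. Raises ValueError on
    malformed input, which a router would treat as a session error.
    """
    offset, session_id, result, vrps = 0, None, None, set()
    while offset < len(stream):
        if len(stream) - offset < 8:
            raise ValueError("truncated PDU header")
        version, ptype, field, length = struct.unpack_from("!BBHI", stream, offset)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < 8 or offset + length > len(stream):
            raise ValueError("PDU length does not fit the stream")
        body = stream[offset + 8:offset + length]
        if ptype == PDU_CACHE_RESPONSE:
            session_id = field
        elif ptype in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            if session_id is None:
                raise ValueError("prefix PDU before Cache Response")
            addr_len = 4 if ptype == PDU_IPV4_PREFIX else 16
            if length != 16 + addr_len:
                raise ValueError("bad prefix PDU length")
            flags, plen, maxlen, _, raw, asn = struct.unpack(f"!BBBB{addr_len}sI", body)
            vrp = (f"{ipaddress.ip_address(raw)}/{plen}", maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)
        elif ptype == PDU_END_OF_DATA:
            if field != session_id:
                raise ValueError("session id mismatch in End of Data")
            if length != 24:
                raise ValueError("bad End of Data length")
            serial, refresh, retry, expire = struct.unpack("!IIII", body)
            result = {"session_id": session_id, "serial": serial, "refresh": refresh,
                      "retry": retry, "expire": expire, "vrps": vrps}
        # Other PDU types (Router Key, Error Report, ...) are skipped by length.
        offset += length
    if result is None:
        raise ValueError("stream ended without End of Data")
    return result


def sample_stream():
    """Constructed exchange: two announcements kept, one announced then withdrawn."""
    sid = 0x1234
    return b"".join([
        build_cache_response(sid),
        build_prefix_pdu("10.10.0.0/22", 24, 64496),
        build_prefix_pdu("10.20.0.0/16", 16, 64497),
        build_prefix_pdu("2001:db8::/32", 48, 64496),
        build_prefix_pdu("10.20.0.0/16", 16, 64497, announce=False),
        build_end_of_data(sid, serial=42, refresh=3600, retry=600, expire=7200),
    ])


if __name__ == "__main__":
    print(parse_cache_response(sample_stream()))
```

The session id and serial checks are the part that matters operationally: a router that silently accepted an End of Data for a different session, or a PDU from an unexpected protocol version, could keep stale or partial VRPs and start classifying legitimate routes as invalid.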

RPKI origin validation checks only the origin AS, not the complete AS path: an attacker who places the legitimate origin AS at the end of a forged path can still produce an announcement that classifies as valid. Even so, origin validation removes a large class of accidental and malicious route announcements.

Rostelecom route leak example

One of the original notes referenced a Rostelecom routing incident in which routes for more than 200 CDN and cloud providers were announced through an unexpected path for about an hour.

The affected list reported at the time included providers such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, DigitalOcean, Joyent, LeaseWeb, Hetzner and Linode. The incident is a useful reminder that short-lived route events can still affect thousands of prefixes.

Why this matters

The practical response is wider route filtering, accurate registry data, RPKI signing and route-origin validation. None of those removes every routing risk, but together they make accidental leaks and simple origin hijacks harder to propagate.

Original project media

Diagram showing a malicious autonomous system advertising a false route
A simplified BGP hijack: a false announcement attracts traffic intended for another network.
Diagram of signed route origin authorizations grouped into repositories
Route origin authorizations are signed and published through the RPKI system.
Diagram showing RPKI validators sending validated route data to routers
Validators collect signed data and provide validated prefix information to routers.
Tweet image referenced by the original BGP article
Original Twitter image referenced in the routing-incident note.
Second tweet image referenced by the original BGP article
Second original Twitter image referenced in the routing-incident note.

Sources and further reading