CONCEPT Cited by 1 source
BGP route hijack
A BGP route hijack occurs when an attacker advertises BGP routes for IP prefixes they are not authorized to originate, redirecting traffic away from the legitimate destination. Unlike route leaks (which are typically accidental policy misconfigurations), hijacks are intentional attacks on Internet routing.
Attack taxonomy
- Prefix hijack — advertise someone else's prefix with the attacker's own ASN as origin. Defeated by ROV when the victim has signed a ROA.
- Sub-prefix hijack — advertise a more-specific prefix (e.g. /25 inside the victim's /24) to attract traffic via longest-prefix-match. Partially mitigated by ROA `maxLength` constraints.
- Forged-origin hijack — strip the attacker's ASN from the AS_PATH entirely and impersonate the legitimate origin. Bypasses ROV (the origin AS matches the ROA) and can bypass ASPA (no valley to detect). Only mitigated by concepts/first-as-enforcement. (Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths)
- Path-shortening hijack — remove intermediate hops to make the attacker's path appear shorter, winning BGP best-path selection. Also mitigated by First AS enforcement if the immediate neighbor's ASN is stripped. (Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths)
Real-world examples
- Spamhaus-reported hijacks (2026-04): An attacker forged complete AS_PATHs through unused ASNs (e.g. AS41128/Orange France), including Cloudflare's AS13335 in fake paths, routing traffic toward Gcore (AS199524) in Chicago. The upstream (Gcore) did not enforce First AS. (Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths)
Defenses (layered)
| Layer | Mechanism | What it stops |
|---|---|---|
| Origin | ROV + ROA | Simple prefix hijacks |
| Path | ASPA | Route leaks, some path manipulations |
| Neighbor | concepts/first-as-enforcement | Forged-origin and path-shortening |
| Community | Peerlock | Peer-level sanity checks |
No single mechanism is sufficient; all four layers are needed for comprehensive routing security.
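The Origin and Neighbor layers can be read as import-policy checks. The Python sketch below is an added example, not code from the cited sources: it applies RFC 6811 origin validation and a First AS check to constructed announcements, showing that a forged-origin route passes ROV and is caught only by the neighbor check. Assumptions: the prefix and ASNs are documentation values, the AS_PATH is a flat AS_SEQUENCE list, and ASPA and Peerlock are not modeled.

```python
import ipaddress

# Constructed sample ROA: (prefix, maxLength, authorized origin AS).
# 192.0.2.0/24 and AS64496-64511 are reserved for documentation.
ROAS = [("192.0.2.0/24", 24, 64500)]

def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this prefix
            if net.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    return "invalid" if covered else "not-found"

def first_as_ok(as_path, neighbor_as):
    """First AS enforcement: leftmost AS must be the eBGP neighbor's ASN."""
    return bool(as_path) and as_path[0] == neighbor_as

def evaluate(prefix, as_path, neighbor_as):
    """Return (decision, reason) for one announcement received over eBGP."""
    if not as_path:
        return ("reject", "empty AS_PATH")
    state = rov_state(prefix, as_path[-1])  # origin is the rightmost AS
    if state == "invalid":
        return ("reject", "ROV invalid")
    if not first_as_ok(as_path, neighbor_as):
        return ("reject", "first AS mismatch")
    return ("accept", "ROV " + state)

# Constructed announcements: (prefix, AS_PATH as received, ASN of the sending neighbor).
# AS64500 = legitimate origin, AS64501 = its transit, AS64510 = hijacker.
ANNOUNCEMENTS = {
    "legitimate":      ("192.0.2.0/24", [64501, 64500], 64501),
    "prefix hijack":   ("192.0.2.0/24", [64510], 64510),
    "sub-prefix":      ("192.0.2.0/25", [64510], 64510),
    "forged origin":   ("192.0.2.0/24", [64500], 64510),
    "path shortening": ("192.0.2.0/24", [64502, 64500], 64510),
}

if __name__ == "__main__":
    for name, args in ANNOUNCEMENTS.items():
        print(f"{name:16} {evaluate(*args)}")
```

The last two announcements are ROV-valid because the rightmost AS matches the ROA; they are rejected only because the session's neighbor ASN is missing from the front of the path.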
Seen in
- sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths — forged-origin hijacks and First AS as mitigation
- sources/2026-01-08-cloudflare-a-closer-look-at-a-bgp-anomaly-in-venezuela — route leak (accidental, not hijack) with related BGP security discussion