How the internet defends itself
Three layers of defense exist today. RPKI (Resource Public Key Infrastructure) lets address holders cryptographically state which ASN may originate their prefixes, and networks that enforce route origin validation drop announcements that fail the check. Filtering at network edges and exchanges limits what a peer is allowed to announce. Monitoring services and route collectors watch the global table and alert owners when their prefixes show up somewhere unexpected.
Adoption is real but incomplete: RPKI coverage keeps growing, yet plenty of networks still accept unvalidated announcements, which is why hijacks still happen. You can inspect any route yourself from another network's point of view with a BGP looking glass.
What BGP hijacking means for fraud teams
Most application teams will never fight a hijack directly, but the lesson transfers: on the internet, who operates a network is a security signal. The same ASN data that identifies a hijacked route also identifies whether a login attempt comes from a consumer ISP or a rented server in a data center.
Abstract's IP Intelligence API returns the ASN behind any IP together with flags such as is_hosting, is_vpn, is_proxy, and is_abuse, so network identity becomes a field you can score at signup, login, or checkout. To check a single address by hand, use the free ASN Lookup tool.
Frequently Asked Questions
What is BGP hijacking?
BGP hijacking is when a network announces IP prefixes it does not own, causing other networks to route traffic toward it. It works because BGP has no built-in verification of route ownership.
What is the difference between a hijack and a route leak?
A hijack announces prefixes the network has no right to, often deliberately. A route leak propagates legitimate routes beyond their intended scope by accident. Both misroute traffic; only one is an attack.
Does RPKI stop BGP hijacking?
RPKI with route origin validation blocks the most common form, false origin announcements, on networks that enforce it. Adoption is incomplete and it does not cover every attack variant, so monitoring and filtering still matter.
How do I check who announces an IP prefix?
Query the prefix in a BGP looking glass and read the origin ASN, or enter any IP from the range into an ASN lookup tool to see the operating network instantly.
Why does the origin ASN matter in a hijack?
Every BGP announcement carries the ASN that originated it. A prefix suddenly originating from an unfamiliar ASN is the primary signal that a hijack or leak is underway.


