Guides
Last updated
July 6, 2026

BGP Hijacking: How Routes Get Stolen

Nicolas Rios
Nicolas Rios

Table of Contents:

Get your free
IP Geolocation
 API key now
stars rating
4.8 from 1,863 votes
See why the best developers build on Abstract
START FOR FREE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No credit card required

BGP has no built-in way to verify that a network actually owns the routes it announces. It runs on trust, and BGP hijacking is what happens when that trust is abused: a network announces IP space that belongs to someone else, and part of the internet believes it. This guide covers how hijacks work, the famous cases, and how routing is defended today.

What is BGP hijacking?

BGP hijacking is the announcement of IP prefixes by an autonomous system that has no right to them. Because BGP routers prefer more specific prefixes and shorter paths, a well-placed false announcement can pull traffic away from the legitimate network and toward the hijacker, where it can be dropped, inspected, or redirected.

The origin ASN is the first thing analysts check when routes go wrong. Every announcement carries the ASN that originated it, so a prefix suddenly originating from an unexpected ASN is the classic hijack signature.

How a hijack works

A hijack follows a simple mechanic. The attacker, or a badly misconfigured network, announces either the victim's exact prefix or a more specific slice of it. Neighboring networks that do not filter the announcement accept it and pass it on. Because BGP treats a more specific prefix as the better route, the false announcement wins wherever it propagates, and traffic follows it.

The canonical example is the 2008 incident in which Pakistan Telecom announced a more specific prefix of YouTube's address space while trying to block the site domestically. The announcement leaked to the wider internet and YouTube became unreachable globally for around two hours. The failure mode has repeated many times since, sometimes as an accident, sometimes as theft of traffic or cryptocurrency infrastructure.

Hijack vs route leak

A route leak is the accidental cousin of a hijack. The routes involved are legitimate, but they are propagated beyond their intended scope, for example a customer network re-announcing its two providers' routes to each other and accidentally becoming a path between them. The result is misrouted traffic, congestion, and outages, without malicious intent.

The distinction matters for response: a leak is fixed with a phone call and a filter, while a hijack may be an active attack. From the outside, both start the same way, with routes originating from or passing through an ASN that does not belong there.

Enter an IP address to start
Need inspiration? Try
73.162.0.1
LOCATE
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Checking
5
Results for
ip address
Country:
TEST
Region:
TEST
City:
TEST
Coordinates:
TEST
Zip code:
TEST
Connection:
TEST
Get free credits, more data, and faster results

How the internet defends itself

Three layers of defense exist today. RPKI (Resource Public Key Infrastructure) lets address holders cryptographically state which ASN may originate their prefixes, and networks that enforce route origin validation drop announcements that fail the check. Filtering at network edges and exchanges limits what a peer is allowed to announce. Monitoring services and route collectors watch the global table and alert owners when their prefixes show up somewhere unexpected.

Adoption is real but incomplete: RPKI coverage keeps growing, yet plenty of networks still accept unvalidated announcements, which is why hijacks still happen. You can inspect any route yourself from another network's point of view with a BGP looking glass.

What BGP hijacking means for fraud teams

Most application teams will never fight a hijack directly, but the lesson transfers: on the internet, who operates a network is a security signal. The same ASN data that identifies a hijacked route also identifies whether a login attempt comes from a consumer ISP or a rented server in a data center.

Abstract's IP Intelligence API returns the ASN behind any IP together with flags such as is_hosting, is_vpn, is_proxy, and is_abuse, so network identity becomes a field you can score at signup, login, or checkout. To check a single address by hand, use the free ASN Lookup tool.

Frequently Asked Questions

What is BGP hijacking?

BGP hijacking is when a network announces IP prefixes it does not own, causing other networks to route traffic toward it. It works because BGP has no built-in verification of route ownership.

What is the difference between a hijack and a route leak?

A hijack announces prefixes the network has no right to, often deliberately. A route leak propagates legitimate routes beyond their intended scope by accident. Both misroute traffic; only one is an attack.

Does RPKI stop BGP hijacking?

RPKI with route origin validation blocks the most common form, false origin announcements, on networks that enforce it. Adoption is incomplete and it does not cover every attack variant, so monitoring and filtering still matter.

How do I check who announces an IP prefix?

Query the prefix in a BGP looking glass and read the origin ASN, or enter any IP from the range into an ASN lookup tool to see the operating network instantly.

Why does the origin ASN matter in a hijack?

Every BGP announcement carries the ASN that originated it. A prefix suddenly originating from an unfamiliar ASN is the primary signal that a hijack or leak is underway.

Nicolas Rios
Nicolas Rios

CEO at Abstract API

Get your free
IP Geolocation
key now
See why the best developers build on Abstract
get started for free

Related Articles

Get your free
IP Geolocation
key now
stars rating
4.8 from 1,863 votes
See why the best developers build on Abstract
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
No credit card required