Threat / Critical

BGP Hijacking of DNS

Routing infrastructure attacks that divert traffic meant for DNS servers to attacker infrastructure — a silent attack that can affect millions of users across entire TLDs.

Background

The Internet's Routing Foundation

BGP (Border Gateway Protocol) is the routing protocol that determines how data travels across the internet. Autonomous Systems (ASes) — networks operated by ISPs, cloud providers, and large organizations — use BGP to announce which IP address ranges they own and how to reach them.

BGP was designed for trust: originally, any AS could announce any IP prefix. If an attacker announces a more-specific route to an IP range that includes a DNS server, routers on the internet will prefer that route — sending traffic for those IPs to the attacker instead of the legitimate destination. This is BGP hijacking.

When DNS infrastructure is targeted, the impact is catastrophic: DNS queries for millions of domains can be silently intercepted, redirected, or modified — affecting all users whose traffic transits the affected routes.

Why BGP Is Vulnerable

BGP was designed in an era of trusted peering between a small number of networks. It has no built-in cryptographic authentication of route announcements. Any AS can (accidentally or maliciously) announce routes for IP prefixes it does not own, and other routers will believe it.

90K+ active ASes globally
1M+ BGP prefixes in routing table
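The longest-prefix-match rule that makes this possible, shown as an added Python example (not code from this page): a routing table holds the legitimate /23 and a more-specific /24 for the same space from a second AS, and the lookup for the nameserver address picks the /24 even though its AS path is longer. Prefixes, AS numbers and the nameserver address are constructed from documentation ranges (203.0.112.0/23, AS64496 as the legitimate origin, AS64511 as the hypothetical hijacker).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    as_path: tuple  # constructed AS path; the last element is the origin AS


def best_route(routes, dest):
    """Longest-prefix match: among routes covering dest, pick the most specific
    prefix. Ties go to the shorter AS path, as BGP does after local preference.
    Returns None when no route covers dest."""
    dest = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if dest in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def chosen_origin(table, dest="203.0.113.53"):
    """Origin AS that traffic for dest (constructed nameserver address) is sent to."""
    r = best_route(table, dest)
    return r.origin_as if r else None


# Constructed routing table. AS64496 legitimately announces 203.0.112.0/23, which
# contains the nameserver 203.0.113.53. AS64511 (hypothetical) injects a
# more-specific 203.0.113.0/24 covering the same nameserver.
LEGIT = Route(ipaddress.ip_network("203.0.112.0/23"), 64496, (64500, 64496))
HIJACK = Route(ipaddress.ip_network("203.0.113.0/24"), 64511, (64500, 64510, 64511))

if __name__ == "__main__":
    print("before hijack:", chosen_origin([LEGIT]))          # 64496
    print("after hijack: ", chosen_origin([LEGIT, HIJACK]))  # 64511, longer path but more specific
    print("other half of the /23:", chosen_origin([LEGIT, HIJACK], "203.0.112.9"))  # still 64496
```

Only addresses inside the injected /24 are diverted; the rest of the /23 keeps flowing to the legitimate origin, which is why a hijack can be invisible to monitoring that only watches the covering prefix.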
History

Notable BGP Hijacking Incidents

2010

China Telecom BGP Leak

China Telecom accidentally (or intentionally) advertised ~40,000 IP prefixes belonging to US military, government, and major corporations. Traffic was routed through China for ~18 minutes, including DNS queries destined for major nameservers.

2018

MyEtherWallet / AWS Route 53 Hijack

Attackers hijacked BGP routes for Amazon's Route 53 DNS infrastructure and redirected cryptocurrency wallet DNS queries to a phishing server with a valid TLS certificate. ~150,000 users were exposed for ~2 hours; ~$150K in ETH stolen.

2019

Sea Turtle DNS Hijacking Campaign

Nation-state attackers used a combination of BGP manipulation and registrar compromise to redirect DNS for government agencies, telecoms, and ISPs across the Middle East and North Africa over ~2 years before discovery.

2022

Cloudflare BGP Anomaly

A configuration error at a transit provider caused Cloudflare's IP prefixes to be briefly advertised by another AS. Cloudflare's DNS service (1.1.1.1) experienced elevated latency for affected geographic regions.

Defense

Protecting Against BGP Hijacking

RPKI — Resource Public Key Infrastructure

RPKI allows IP address holders to cryptographically sign Route Origin Authorizations (ROAs) — attestations that say "AS 12345 is authorized to announce prefix 203.0.113.0/24." Routers that implement Route Origin Validation (ROV) can reject invalid BGP announcements. RPKI has reached ~60% adoption among major networks.

    # Check if a prefix has a valid ROA
    # (uses RIPE RPKI validator or similar)
    curl https://rpki-validator.ripe.net/api/v1/validity/AS13335/1.1.1.0%2F24
BGP Monitoring Services

Real-time BGP monitoring services alert when your IP prefixes are announced by unauthorized ASes. Services like Cloudflare Radar, RIPE RIS, Routeviews, and Kentik track global routing tables and can detect anomalies within minutes.

    # Monitor BGP announcements for your prefix
    # RIPE RIS BGP looking glass:
    # https://www.ripe.net/analyse/internet-measurements
    # bgpstream.com — real-time BGP event feed
    # Tracks hijacks, leaks, and outages
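The kind of check a monitoring service runs over a routing feed, as an added Python example (not code from this page or from any of the services named above): each update record is compared against the prefixes you operate and the origin ASes allowed to announce them, raising an alert for a foreign origin and for a more-specific announcement inside your space. The feed records, prefixes and AS numbers are constructed; the record layout (prefix, AS path, collector name) is an assumption, not a real service's format.

```python
import ipaddress

# Prefixes we operate and the origin ASes authorized to announce them.
# Constructed: documentation range 203.0.112.0/23, AS64496 is "us".
OUR_PREFIXES = {
    ipaddress.ip_network("203.0.112.0/23"): {64496},
}


def covering_prefix(prefix):
    """Return the monitored prefix that equals or covers `prefix`, if any."""
    for ours in OUR_PREFIXES:
        if prefix.subnet_of(ours):
            return ours
    return None


def check_update(update):
    """Classify one feed record. Returns a list of alert strings (empty = nothing
    of interest). Only announcements ("A") are analyzed; withdrawals are skipped."""
    if update["type"] != "A":
        return []
    prefix = ipaddress.ip_network(update["prefix"])
    ours = covering_prefix(prefix)
    if ours is None:
        return []  # not our address space
    origin = update["as_path"][-1]  # origin AS is the last element of the path
    alerts = []
    if origin not in OUR_PREFIXES[ours]:
        alerts.append(f"ORIGIN_MISMATCH {prefix} origin AS{origin} "
                      f"(expected {sorted(OUR_PREFIXES[ours])}) seen at {update['collector']}")
    if prefix.prefixlen > ours.prefixlen:
        alerts.append(f"MORE_SPECIFIC {prefix} announced inside {ours} by AS{origin} "
                      f"seen at {update['collector']}")
    return alerts


def scan(feed):
    """Run detection over a sequence of records; returns alerts keyed by record index."""
    found = {}
    for i, upd in enumerate(feed):
        alerts = check_update(upd)
        if alerts:
            found[i] = alerts
    return found


# Constructed feed: our normal announcement, an unrelated prefix, a more-specific
# from an unauthorized origin, our exact prefix from a foreign origin, and a withdrawal.
FEED = [
    {"type": "A", "prefix": "203.0.112.0/23", "as_path": [64500, 64496], "collector": "rrc00"},
    {"type": "A", "prefix": "198.51.100.0/24", "as_path": [64500, 64503], "collector": "rrc00"},
    {"type": "A", "prefix": "203.0.113.0/24", "as_path": [64500, 64510, 64511], "collector": "rrc03"},
    {"type": "A", "prefix": "203.0.112.0/23", "as_path": [64501, 64511], "collector": "rrc01"},
    {"type": "W", "prefix": "203.0.113.0/24", "as_path": [], "collector": "rrc03"},
]

if __name__ == "__main__":
    for idx, alerts in scan(FEED).items():
        for a in alerts:
            print(f"record {idx}: {a}")
```

The more-specific case fires two alerts on purpose: even if the origin had been one of ours, an unexpected /24 carved out of the /23 is worth a look because it is exactly how traffic to one nameserver gets diverted while the covering prefix looks healthy.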
DNSSEC (Independent of BGP)

DNSSEC validates DNS response integrity cryptographically. Even if a BGP hijack redirects your DNS traffic to attacker nameservers, those servers cannot forge valid DNSSEC signatures for your zone without the private key. Validating resolvers will return SERVFAIL, making the attack visible rather than silent.

Anycast DNS Distribution

Anycast DNS (used by Cloudflare, Google, Route 53) distributes nameservers across hundreds of IP addresses and locations. An attacker would need to hijack all anycast nodes simultaneously to intercept DNS traffic globally. Partial hijacks affect only the geographic regions near the hijacked routes.

RPKI Deep Dive

Route Origin Validation in Practice

RPKI works by issuing Resource Certificates from a hierarchy of Certificate Authorities rooted at the Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC). IP address holders use these certificates to sign ROAs.

Routers that implement ROV use a local RPKI cache (e.g., Routinator, OctoRPKI, FORT) to validate BGP announcements against published ROAs. Announcements that are "invalid" (wrong origin AS) or "not found" (no ROA exists) can be filtered.

  • ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC all operate RPKI Certificate Authorities
  • ROAs specify: IP prefix, authorized origin AS, and max prefix length
  • Cloudflare, Google, AWS, and most major ISPs now drop RPKI-invalid routes
  • The MANRS (Mutually Agreed Norms for Routing Security) initiative tracks global ROV adoption
  • BGPSEC (RFC 8205) extends RPKI to secure the full AS path, not just origin — still limited deployment
    ; RPKI ROA summary (from RIPE NCC)
    ; For IP prefix 203.0.113.0/24

    ROA:
      Prefix:        203.0.113.0/24
      Max Length:    24
      Origin AS:     AS64496
      Trust Anchor:  RIPE NCC
      Not Before:    2024-01-01
      Not After:     2025-01-01
      Status:        VALID

    ; BGP announcement validity states:
    ; VALID — announcement matches a ROA
    ; INVALID — wrong origin AS or too-specific prefix
    ; NOT FOUND — no ROA exists for this prefix
    ;
    ; Most ROV-enabled networks:
    ; VALID → accept
    ; NOT FOUND → accept (permissive)
    ; INVALID → drop
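The three validity states and the accept/drop policy above, implemented as an added Python example of the RFC 6811 origin-validation procedure (not the page's code and not the code of Routinator, OctoRPKI or FORT). The first ROA uses the prefix, max length and origin AS from the summary above; the second ROA and the test announcements are constructed, and the announcements are assumed to arrive as (prefix, origin AS) pairs already extracted from the AS path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network
    max_length: int   # longest prefix the origin may announce inside `prefix`
    origin_as: int


def rov_state(roas, prefix, origin_as):
    """RFC 6811 route origin validation for one announcement.
    NOT_FOUND: no ROA covers the announced prefix.
    VALID:     at least one covering ROA has this origin AS and the announced
               prefix length does not exceed that ROA's max length.
    INVALID:   covering ROAs exist, but none matches (wrong origin AS, or the
               announcement is more specific than any ROA allows)."""
    prefix = ipaddress.ip_network(prefix)
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "NOT_FOUND"
    for r in covering:
        if r.origin_as == origin_as and prefix.prefixlen <= r.max_length:
            return "VALID"
    return "INVALID"


# The permissive policy most ROV-enabled networks run: NOT_FOUND is accepted
# because much of the table still has no ROA; only INVALID is dropped.
POLICY = {"VALID": "accept", "NOT_FOUND": "accept", "INVALID": "drop"}


def rov_decision(roas, prefix, origin_as):
    state = rov_state(roas, prefix, origin_as)
    return state, POLICY[state]


def apply_rov(roas, announcements):
    """Return only the (prefix, origin AS) announcements a ROV router keeps."""
    return [(p, a) for p, a in announcements if rov_decision(roas, p, a)[1] == "accept"]


# ROA from the summary above, plus a constructed second ROA for the same prefix
# (a holder may authorize more than one origin; any matching ROA makes it VALID).
ROAS = [
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 64497),
]

# Constructed announcements: legitimate origin, wrong origin, too-specific
# prefix from the right origin, and a prefix with no ROA at all.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),
    ("203.0.113.0/24", 64511),
    ("203.0.113.0/25", 64496),
    ("198.51.100.0/24", 64503),
]

if __name__ == "__main__":
    for p, a in ANNOUNCEMENTS:
        print(p, f"AS{a}", *rov_decision(ROAS, p, a))
    print("kept:", apply_rov(ROAS, ANNOUNCEMENTS))
```

Note that the max length matters as much as the origin: with max length 24, a /25 from the legitimate AS64496 is INVALID, which is what stops a hijacker who spoofs the right origin AS from winning longest-prefix match with a more-specific announcement. Setting max length looser than what you actually announce gives that protection away.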