
When Nations Hijack the Internet: A Deep Dive into State-Scale BGP Attacks and the Quantum Threat Ahead

By Daniel Shapira, June 1, 2025. Category: Cyber Threats

The internet's fundamental routing infrastructure operates on a foundation of trust—a design choice from 1989 that has become one of cybersecurity's most persistent vulnerabilities ^1. Border Gateway Protocol (BGP) hijacking represents a critical threat where malicious actors can redirect internet traffic through unauthorized pathways, enabling surveillance, data theft, and service disruption on a massive scale. As we enter the quantum era, these vulnerabilities take on new dimensions that organizations like SecQuant are actively addressing through post-quantum cryptography solutions.

Understanding BGP: The Internet's Achilles' Heel

BGP serves as the internet's postal system, determining how data packets travel between the approximately 74,000 autonomous systems (ASes) that form the internet's backbone. Originally designed for a smaller, more trusted network, BGP operates without built-in security mechanisms to verify the authenticity of routing announcements. This inherent trust model allows any network operator to announce ownership of IP address ranges they don't actually control, creating opportunities for both accidental misconfigurations and deliberate attacks.

The protocol's vulnerability stems from its acceptance of routing announcements at face value, without cryptographic verification of ownership or authorization. When a malicious actor announces a more specific route or claims a shorter path to a destination, other routers across the internet may automatically redirect traffic through the attacker's infrastructure ^20. This redirection can occur within minutes and potentially affect millions of users worldwide.

China's Sophisticated BGP Operations

China has emerged as one of the most concerning actors in state-level BGP manipulation, with researchers documenting systematic patterns of traffic hijacking that extend far beyond simple misconfigurations. The most comprehensive analysis comes from Chris C. Demchak of the US Naval War College and Yuval Shavitt of Tel Aviv University, who studied China Telecom's activities using advanced route-tracing systems.

Their research revealed that China Telecom, leveraging its presence in North American networks through 10 points-of-presence (eight in the United States and two in Canada), has repeatedly hijacked domestic US traffic and cross-US traffic, redirecting data flows through China for extended periods. These incidents occurred over days, weeks, and months rather than the brief durations typical of accidental misconfigurations.

One particularly notable incident occurred in December 2015, when traffic to Verizon APAC was hijacked through China Telecom ^6. The incident was significant enough that two major carriers implemented filters to refuse Verizon routes from China Telecom, demonstrating the severity of the threat. The researchers concluded that the patterns observed suggested "malicious intent, precisely because of their unusual transit characteristics—namely the lengthened routes and the abnormal durations".

The strategic implications of China's BGP activities extend beyond simple traffic interception. By routing traffic through Chinese infrastructure, state actors could potentially conduct large-scale surveillance operations, particularly concerning given reports about quantum-powered cryptanalysis capabilities being developed by various governments.

Russia's BGP Incident Pattern

Russia has been implicated in numerous high-profile BGP hijacking incidents, with Rostelecom, the state-owned telecommunications provider, playing a central role in several major disruptions. The country's approach appears to involve both deliberate operations and incidents that may serve as cover for testing capabilities.

The December 2017 incident stands as one of the most brazen examples of suspected Russian BGP manipulation ^7. During this event, traffic for major technology companies including Google, Apple, Facebook, Microsoft, Twitch, NTT Communications, and Riot Games was routed through a previously unknown Russian internet provider. The hijacking occurred in two distinct windows of approximately three minutes each, affecting 80 separate address blocks.

BGPMon's analysis found the incident suspicious for several reasons: the involvement of an unused Russian Autonomous System (AS 39523), the appearance of new more-specific prefixes not normally seen on the internet, and the precise timing of the attacks. The incident lasted a total of six minutes but was picked up by a large number of peers, suggesting sophisticated coordination.

More recently, in April 2020, Rostelecom conducted what appeared to be a massive BGP hijacking operation that affected over 200 networks, including Google, Amazon, Facebook, and Cloudflare ^4. While officially characterized as accidental, the scale and scope of the incident raised significant concerns among cybersecurity experts. The timing on April 1st led to initial speculation about whether this might be an elaborate April Fool's prank, but the potential for data interception and the geopolitical context made it no laughing matter.

These incidents highlight Russia's demonstrated capability to disrupt global internet infrastructure at will ^5. The combination of state control over telecommunications infrastructure and sophisticated technical capabilities creates a potent threat to international cybersecurity.

Historic BGP Hijacking Incidents: Lessons from the Past

The history of BGP hijacking reveals an escalating pattern of incidents that spans from accidental misconfigurations to sophisticated state-sponsored operations.

Understanding these historical cases provides crucial context for current threats and future preparedness.

The Pakistan YouTube Incident (2008): The Awakening

The February 24, 2008 Pakistan YouTube hijacking remains the most infamous example of how a local censorship attempt can cascade into global internet disruption ^9. Pakistan Telecom (AS17557) was ordered by the government to block access to YouTube due to content deemed anti-Islamic ^12. Instead of implementing a local block, the company announced a more specific route (208.65.153.0/24) for YouTube's IP space to its upstream provider, PCCW Global.

The technical mechanism was devastatingly simple: by announcing a more specific prefix than YouTube's normal 208.65.152.0/22 announcement, Pakistan Telecom exploited BGP's longest prefix match rule ^10. PCCW Global then propagated this announcement globally, causing virtually the entire internet to route YouTube traffic to Pakistan, where it was blackholed ^11.

The incident lasted two hours and affected an estimated two-thirds of the global internet. YouTube's response involved announcing even more specific routes (208.65.153.128/25 and 208.65.153.0/25) to regain control, demonstrating how defensive measures against BGP hijacking often require splitting prefixes into smaller, more specific announcements ^8.
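The longest-prefix-match mechanics of the 2008 incident, replayed as an added example that is not code from the original post. AS17557 is on the page; AS36561 as YouTube's 2008 origin AS, the destination address, and the origin-consistency heuristic at the end are assumptions for illustration, not any vendor's detection logic.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, origin ASN). AS17557 is Pakistan Telecom (on the page);
# 36561 is assumed here to be YouTube's ASN in 2008 (not stated on the page).
Route = Tuple[ipaddress.IPv4Network, int]
AS_YOUTUBE = 36561
AS_PAKISTAN_TELECOM = 17557

def announce(rib: List[Route], prefix: str, origin_asn: int) -> None:
    """Accept an announcement exactly as plain BGP does: unverified."""
    rib.append((ipaddress.IPv4Network(prefix), origin_asn))

def best_route(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins,
    whoever announced it."""
    addr = ipaddress.IPv4Address(dst)
    covering = [r for r in rib if addr in r[0]]
    return max(covering, key=lambda r: r[0].prefixlen) if covering else None

def flag_foreign_more_specifics(rib: List[Route]) -> List[Route]:
    """Detection heuristic: flag a prefix whose origin differs from the origin
    of the least specific prefix covering it. It spots origin inconsistency in
    a collector feed; it says nothing about intent."""
    suspicious = []
    for net, origin in rib:
        covers = [r for r in rib if r[0] != net and net.subnet_of(r[0])]
        if covers:
            _, root_origin = min(covers, key=lambda r: r[0].prefixlen)
            if root_origin != origin:
                suspicious.append((net, origin))
    return suspicious

def replay_youtube_2008(dst: str = "208.65.153.10") -> Tuple[int, int, int]:
    """Replay the three stages described in the text (dst is a constructed
    address inside the hijacked /24) and return the origin AS that wins the
    forwarding decision at each stage."""
    rib: List[Route] = []
    announce(rib, "208.65.152.0/22", AS_YOUTUBE)           # normal announcement
    stage_normal = best_route(rib, dst)[1]
    announce(rib, "208.65.153.0/24", AS_PAKISTAN_TELECOM)  # /24 beats the /22
    stage_hijacked = best_route(rib, dst)[1]
    announce(rib, "208.65.153.0/25", AS_YOUTUBE)           # YouTube's counter-
    announce(rib, "208.65.153.128/25", AS_YOUTUBE)         # announcements: /25 beats /24
    stage_recovered = best_route(rib, dst)[1]
    return stage_normal, stage_hijacked, stage_recovered
```

The same longest-match rule that lets a /24 steal traffic from a /22 is what YouTube used to take it back, which is why the recovery shows up in the heuristic only as the original hijack, not as the counter-announcements.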

Belarus and Iceland: The Surveillance Campaign (2013)

In 2013, researchers from Renesys documented a sophisticated campaign involving 38 distinct BGP hijacking events that redirected traffic from major financial institutions, government agencies, and network service providers through Belarusian and Icelandic infrastructure ^13. These incidents affected entities in the United States, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

The campaign was particularly concerning because it targeted "major financial institutions, governments, and network service providers," suggesting intelligence gathering rather than simple disruption. The attacks lasted from minutes to days, with approximately 1,500 individual IP blocks hijacked across more than 60 days. The systematic nature and targeting patterns strongly suggested state-level coordination rather than random criminal activity.

Turkey's DNS Hijacking Campaign (2014)

Turkey's 2014 BGP hijacking campaign represented an escalation in censorship techniques, combining BGP manipulation with DNS hijacking to circumvent citizen attempts to access blocked social media platforms ^14. When Turkish citizens began using public DNS resolvers like Google's 8.8.8.8 to bypass local DNS blocks, Turkish ISPs responded by hijacking BGP routes to these public DNS servers.

The Internet Society characterized these actions as "an attack not just on DNS infrastructure, but on the global Internet routing system itself". Turkish ISPs effectively performed man-in-the-middle attacks against their own citizens, masquerading as legitimate DNS providers while returning false information. This incident demonstrated how BGP hijacking could be combined with other techniques to create comprehensive censorship and surveillance systems.

Recent Escalations and Emerging Patterns

The frequency and sophistication of BGP hijacking incidents have increased significantly in recent years, with 2024 seeing a notable spike in reported cases. This escalation coincides with growing geopolitical tensions and the emergence of new threat vectors related to quantum computing capabilities.

2024: A Year of Escalation

January 2024 witnessed a significant incident involving a large European mobile carrier that fell victim to a BGP hijack after its RIPE account was compromised through a malware infection. The attack highlighted the interconnected nature of modern cyber threats, where traditional malware can enable routing infrastructure attacks. The incident caused several hours of network service disruptions and demonstrated how even well-established carriers remain vulnerable to sophisticated attacks.

The Cloudflare 1.1.1.1 service outage in June 2024 provided another example of how BGP incidents can affect critical internet infrastructure ^29. Brazilian network AS267613 (Eletronet) began announcing Cloudflare's 1.1.1.1/32 prefix, while AS262504 (Nova) leaked the broader 1.1.1.0/24 prefix upstream. The combination of BGP hijacking and route leaking created a several-hour disruption that affected users globally.

Cryptocurrency Targets: A Growing Threat Vector

The targeting of cryptocurrency infrastructure represents a particularly lucrative application of BGP hijacking techniques ^19. The 2018 MyEtherWallet attack demonstrated how attackers could combine BGP hijacking with DNS manipulation to steal over $150,000 in cryptocurrency. By hijacking Amazon's authoritative DNS service routes, attackers redirected users to fake MyEtherWallet websites where credentials were harvested.

The 2022 Celer Bridge attack showcased even more sophisticated techniques, involving the manipulation of AltDB entries and forged AS paths to defeat RPKI Route Origin Validation (ROV). The attackers convinced a transit provider that a small UK hosting center was authorized to transit Amazon Web Services address space, enabling them to redirect cryptocurrency funds to attacker-controlled accounts.

Current Defense Mechanisms and Their Limitations

The cybersecurity community has developed several defense mechanisms against BGP hijacking, with Resource Public Key Infrastructure (RPKI) emerging as the primary solution ^18. However, current defenses face significant limitations that become more pronounced in the context of emerging quantum threats.

RPKI Adoption and Effectiveness

RPKI deployment has accelerated significantly, with 2024 marking several important milestones. More than half of both IPv4 and IPv6 routes in the global routing system are now covered by RPKI Route Origin Authorizations (ROAs), reaching approximately 54% coverage. Additionally, Kentik estimates that around 74% of global internet traffic is now destined for ROA-covered destinations.

The growth statistics for 2024 are particularly encouraging: Route Origin Authorizations increased by 49% to 280,692 total ROAs, while unique Validated ROA Payloads (VRPs) grew by 29% to 639,909. The number of unique origin ASNs in ROAs increased by 16% to 47,282, indicating broader participation in the RPKI ecosystem.

However, RPKI adoption faces significant barriers, particularly among smaller networks. Research shows that more than 50% of small networks have no RPKI adoption, even when they need to issue only one or two certificates to cover their entire address space. The complexity of RPKI operations makes it challenging for smaller organizations to implement and maintain.
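What a ROA actually buys, and what it does not, as an added example that is not code from the original post or from SecQuant. It implements Route Origin Validation as RFC 6811 defines it and runs it over constructed updates modelled on the Cloudflare 1.1.1.1 incident described earlier and on the forged-path limitation noted in the Celer Bridge case; AS13335 as Cloudflare's origin AS is an assumption, and 64496/64500 are documentation ASNs used as filler.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network  # address space the authorisation covers
    max_length: int                # longest prefix the origin may announce
    origin_asn: int                # the AS authorised to originate it

def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.IPv4Network(prefix), max_length, origin_asn)

def rov_state(roas: List[ROA], prefix_str: str, as_path: List[int]) -> str:
    """Route Origin Validation (RFC 6811). Only the origin AS, the last ASN in
    AS_PATH, is compared against the ROAs; the rest of the path is never
    authenticated, so a leak or a forged path can still come out 'valid'."""
    prefix = ipaddress.IPv4Network(prefix_str)
    origin = as_path[-1]
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"        # no ROA covers this space: nothing to compare
    if any(r.origin_asn == origin and prefix.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"              # covered, but wrong origin or too specific

# Constructed ROA for the page's Cloudflare example: 1.1.1.0/24, maxLength 24.
# AS13335 as Cloudflare's origin is an assumption not stated on the page.
ROAS = [roa("1.1.1.0/24", 24, 13335)]

# Constructed updates modelled on the June 2024 incident: AS267613 originates
# 1.1.1.1/32; AS262504 leaks 1.1.1.0/24 with the real origin still at the end
# of the path. 64500 and 64496 are documentation ASNs (RFC 5398) used as filler.
UPDATES: List[Tuple[str, List[int]]] = [
    ("1.1.1.1/32",     [64500, 267613]),         # origin hijack, too specific too
    ("1.1.1.0/24",     [64500, 262504, 13335]),  # route leak, legitimate origin
    ("1.1.1.0/24",     [64500, 13335]),          # the normal path
    ("203.0.113.0/24", [64500, 64496]),          # space nobody issued a ROA for
]

def validate_all(roas: List[ROA], updates) -> List[Tuple[str, List[int], str]]:
    """Return (prefix, as_path, state) for every update."""
    return [(p, path, rov_state(roas, p, path)) for p, path in updates]

def accepted(roas: List[ROA], updates) -> List[Tuple[str, List[int]]]:
    """ROV policy as commonly deployed: drop 'invalid', keep the rest. The leak
    survives this filter, which is why path-change monitoring (or path
    validation) has to sit alongside ROAs."""
    return [(p, path) for p, path, s in validate_all(roas, updates) if s != "invalid"]
```

A ROA with maxLength 24 also rejects a /32 announced by the rightful origin, so operators issuing ROAs should set maxLength to exactly what they announce rather than padding it, or the authorisation also covers more-specific hijacks.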

BGP Monitoring and Detection

Commercial BGP monitoring solutions have evolved to provide near real-time detection of hijacking incidents ^31. Modern platforms like Kentik's BGP Monitor offer immediate alerts, clean user interfaces, and integration with existing network operations workflows. These tools address common use cases including hijack detection, route leak detection, RPKI status checking, and AS path change tracking.

However, monitoring solutions face fundamental limitations in distinguishing between accidental misconfigurations and deliberate attacks. The terminology itself—"BGP hijack" versus "BGP route leak"—often depends on attributing intent rather than observing technical characteristics. This ambiguity creates challenges for automated response systems and incident classification.

The Quantum Threat: A New Dimension of Vulnerability

The emergence of quantum computing capabilities introduces a fundamental new threat vector to BGP security that extends far beyond current concerns about route hijacking. As quantum computers develop the ability to break current cryptographic algorithms, the implications for internet routing security become profound.

Quantum-Enhanced BGP Attacks

The combination of BGP hijacking with quantum cryptanalysis capabilities represents a nightmare scenario for cybersecurity professionals. Current encrypted communications, while secure against classical computers, could be vulnerable to quantum-powered decryption techniques. When combined with BGP hijacking's ability to redirect traffic through attacker-controlled infrastructure, this creates opportunities for large-scale surveillance and data theft.

The attack vector is straightforward: malicious actors could use BGP hijacking to route encrypted traffic through quantum-enabled decryption facilities, break the encryption, extract sensitive information, and forward the traffic to its intended destination with minimal detection risk. This approach has reportedly been observed in various situations, though the specific quantum capabilities involved remain classified.

Post-Quantum BGP Security Requirements

The transition to post-quantum cryptography presents both opportunities and challenges for BGP security. While post-quantum algorithms can protect against quantum cryptanalysis, they often require larger key sizes and more computational resources, potentially affecting the performance and scalability of routing protocols ^28.

Organizations must begin planning for quantum-safe infrastructure now, even though practical quantum computers capable of breaking current encryption may still be 15-30 years away. The complexity and cost of migration make early planning essential, particularly for critical infrastructure components like BGP routing.

SecQuant's Role in the Quantum Transition

As organizations prepare for the post-quantum era, companies like SecQuant play a crucial role in developing and deploying quantum-safe cryptographic solutions. The challenge lies not just in implementing new algorithms, but in ensuring cryptographic agility—the ability to quickly update cryptographic systems as threats evolve.

The BGP security context adds additional complexity to post-quantum transitions ^21. Unlike traditional client-server cryptographic implementations, BGP involves complex multi-party protocols with thousands of participating autonomous systems worldwide. Coordinating a global transition to post-quantum BGP security will require unprecedented cooperation among internet service providers, equipment manufacturers, and standards organizations.

National Security Implications and Policy Responses

The national security implications of BGP vulnerabilities have gained increasing attention from policymakers, with the White House releasing a comprehensive strategy for internet routing security in 2024. The Border Gateway Protocol security plan calls for immediate adoption of RPKI and establishes implementation councils to promote broader adoption.

CISA has published warnings about foreign adversaries exploiting BGP security holes for espionage and attacks on critical infrastructure ^22. The agency recognizes that BGP hijacks can "expose personal information, enable theft, extortion, and state-level espionage, and disrupt security-critical transactions, including in the financial sector".

The global nature of BGP creates unique policy challenges. Unlike other cybersecurity domains where individual organizations can implement defensive measures independently, BGP security requires coordinated action across international boundaries. The protocol transcends all borders and must remain operational even as security measures are implemented.

Recommendations and Future Outlook

The escalating frequency and sophistication of BGP hijacking incidents demand immediate action from organizations across all sectors. Based on current trends and emerging threats, several key recommendations emerge for maintaining internet routing security in the quantum era.

Immediate Actions for Organizations

Organizations should prioritize RPKI implementation for their IP address space, regardless of size. While larger networks have higher adoption rates, smaller organizations remain disproportionately vulnerable and often lack the resources for proper implementation. Creating ROAs for all announced prefixes provides immediate protection against origin hijacking attacks.

BGP monitoring capabilities should be implemented to detect anomalous routing behavior. Modern monitoring platforms provide near real-time alerts and can integrate with existing security operations workflows. Organizations should also implement route filtering policies with upstream providers to prevent unauthorized announcements of their address space ^16.

Preparing for the Post-Quantum Era

The transition to post-quantum cryptography requires long-term planning that begins immediately. Organizations should inventory their current cryptographic systems and develop phased migration plans prioritizing critical systems. BGP infrastructure should be included in these assessments, particularly for organizations operating autonomous systems.

Cryptographic agility should be built into new systems to enable rapid algorithm updates as quantum threats evolve. This approach will prove essential as the cryptographic landscape continues to change in response to quantum computing developments.

Industry and Government Cooperation

The global nature of BGP security requires unprecedented cooperation between industry and government stakeholders. The White House BGP security strategy provides a framework for this cooperation, but implementation will require sustained effort across multiple years ^32.

International coordination mechanisms should be established to share threat intelligence and coordinate responses to large-scale BGP incidents. The current ad-hoc approach to incident response creates gaps that malicious actors can exploit.

Conclusion

BGP hijacking represents one of the internet's most persistent and evolving security challenges, with state-level actors demonstrating increasingly sophisticated capabilities for traffic manipulation and surveillance. The documented incidents involving China, Russia, and other actors reveal systematic exploitation of BGP's trust-based architecture for geopolitical advantage.

As we approach the quantum era, these vulnerabilities take on new dimensions that require immediate attention. The combination of BGP hijacking with quantum cryptanalysis capabilities could enable unprecedented surveillance and data theft operations. Organizations must begin implementing post-quantum cryptographic solutions now to protect against these emerging threats.

The path forward requires coordinated action across technical, policy, and international dimensions. RPKI deployment must accelerate, monitoring capabilities must improve, and post-quantum cryptographic systems must be developed and deployed before quantum computers become capable of breaking current encryption.

SecQuant's mission to provide cutting-edge post-quantum cryptography solutions addresses a critical component of this challenge. As the internet's routing infrastructure evolves to meet quantum-era threats, the combination of technical innovation, policy coordination, and international cooperation will determine whether the global internet can maintain its security and trustworthiness in the decades ahead.

The stakes could not be higher: the security of the internet's routing infrastructure affects everything from financial transactions to critical infrastructure operations. The time for action is now, before the quantum threat transforms today's theoretical vulnerabilities into tomorrow's exploited weaknesses.