BGP hijacking mitigations

BGP hijacking remains a critical threat to global internet routing. Below are practical mitigations, focusing on RPKI, BGPsec, real-time monitoring, and ISP cooperation.

Technique Effectiveness Deployment difficulty
RPKI (ROAs) High (origin validation) Medium (RIR coordination)
BGPsec Very High (path validation) Low (limited support)
Prefix Filtering (IRR) Medium Easy (manual effort)
BGP Monitoring (ARTEMIS) High (auto-mitigation) Medium (setup required)
MANRS Compliance High (industry cooperation) Medium (policy change)

Deploy RPKI (Resource Public Key Infrastructure)

RPKI cryptographically validates that an AS (Autonomous System) is authorized to announce specific IP prefixes. How to Implement RPKI

For Network Operators (AS Owners)

Create ROAs (Route Origin Authorizations)

Use a RIR portal (ARIN, RIPE, APNIC) to authorize the prefixes.

Example (RIPE NCC):

Prefix: 192.0.2.0/24  
Max Length: 24  
ASN: AS12345 

Publish ROAs in the RPKI repository to ensure global validation.

For ISPs & transit providers

Enable RPKI Validation on BGP Routers

Cisco IOS-XR:

router bgp 65000
 rpki server 203.0.113.1
  port 323
 address-family ipv4 unicast
  rpki origin-as validation enable

BIRD (Linux):

roa4 table r4;
protocol rpki {
  roa4 { table r4; };
  remote "203.0.113.1" port 323;
}
protocol bgp {
  ipv4 {
    import where roa_check(r4, net, bgp_path.last) = ROA_VALID;
  };
}

FRRouting (RPKI-Validator):

rpki
 rpki cache 203.0.113.1 323
!
address-family ipv4 unicast
 rpki validation

Limitations of RPKI:

  • Does not prevent path hijacks (only origin validation).

  • Adoption is still incomplete (~40% of routes are RPKI-validated as of 2024).

Use BGPsec (Path Validation)

BGPsec extends RPKI to validate the entire AS path (not just origin).

  • Currently limited support (Cisco, Juniper, BIRD).

  • Requires all ASes in the path to support it (rare in practice).

Example (Cisco IOS-XR):

router bgp 65000
 bgpsec
  address-family ipv4 unicast
   bgpsec enable

Implement Prefix Filtering & IRR (Internet Routing Registry)

  • Filter invalid prefixes at peering edges.

  • Use IRRDB (Internet Routing Registry Database) to automate filtering.

Example (BGP Peering Filter):

ip prefix-list PL_ACCEPTED_ROUTES seq 10 permit 192.0.2.0/24 le 24
route-map RM_PEER_IN permit 10
 match ip address prefix-list PL_ACCEPTED_ROUTES
!
router bgp 65000
 neighbor 203.0.113.2 route-map RM_PEER_IN in

Monitor BGP in Real-Time

BGP Monitoring Tools

Tool Purpose
BGPStream (RIS/Live) Detects hijacks in real-time.
ARTEMIS (NVIDIA) Automated hijack mitigation.
Cloudflare Radar Tracks routing anomalies.
RIPE Stat Historical BGP data.

Detect Anomalies via RTT & TTL

  • Round-Trip Time (RTT) changes → Possible hijack.

  • Unexpected TTL jumps → Suspicious path alteration.

  • Script Example (Python + scapy):

from scapy.all import *
def detect_ttl_anomaly(pkt):
    if IP in pkt and pkt[IP].ttl != expected_ttl:
        print(f"TTL anomaly detected from {pkt[IP].src}")
sniff(filter="ip", prn=detect_ttl_anomaly)

Collaborate with MANRS (Mutually Agreed Norms for Routing Security)

Join MANRS to:

  • Commit to anti-spoofing filters.

  • Enable RPKI validation.

  • Share real-time incident reports.

Deploy automated mitigation

ARTEMIS (Open-Source)

  • Automatically withdraws hijacked routes.

  • Integrates with RPKI/IRRDB.

Cloudflare magic transit

Dynamically reroutes traffic during hijacks.

ISP best practices

For Large ISPs:

  • Mandate RPKI for all customers.

  • Filter invalid prefixes at edges.

For Small ISPs:

  • At least implement prefix-lists (manual IRR filtering).

  • Patch BGP routers (e.g., Junos, IOS vulnerabilities).