
How to Secure BGP Infrastructure — Internet Routing Protection

BGP hijacking allows redirecting traffic for millions of users. How can operators secure their routing infrastructure?

Why BGP is critical and vulnerable

Border Gateway Protocol (BGP) is the routing protocol that connects the internet: it determines how traffic flows between networks. The problem is that BGP was designed in an era of trust and lacks built-in verification mechanisms. Any operator with a BGP session can announce any prefix, and the internet will believe it.

BGP hijacking enables redirecting traffic through the attacker's network (data interception, MitM), denial of service through blackholing, and IP address theft for spam distribution. In 2025, over 14,000 BGP incidents were recorded globally.

Types of BGP attacks

BGP hijacking (prefix hijacking)

An attacker announces someone else's IP prefixes as their own. Traffic intended for the victim goes to the attacker, who can eavesdrop on, modify, or block it.

Route leak

Unintentional or deliberate propagation of routes to incorrect peers. Can redirect traffic through networks with insufficient bandwidth.

BGP session hijacking

Taking over BGP sessions between routers via TCP injection. This allows routing table manipulation.

AS path manipulation

Falsifying the AS path in BGP announcements to route traffic through a chosen network.

Deliberate more-specific prefix announcement

Announcing more-specific prefixes (/25 vs /24), which always win because routers forward traffic along the longest matching prefix.

BGP security methods

  1. RPKI (Resource Public Key Infrastructure) — cryptographic verification of prefix announcement rights. ROA (Route Origin Authorization) confirms which AS can announce a given prefix. RPKI validation on edge routers rejects invalid announcements.

  2. BGP prefix filtering — filtering announcements based on IRR (Internet Routing Registry). Accepting only prefixes matching registered route objects.

  3. MANRS (Mutually Agreed Norms for Routing Security) — set of routing security practices: filtering, anti-spoofing, coordination, global validation.

  4. BGP session security — MD5/TCP-AO session authentication, TTL security (GTSM), maximum prefix limits per session.

  5. BGP monitoring — tools like RIPE RIS, BGPStream, custom announcement monitoring. Alerts on unauthorized announcements of our prefixes.

  6. BGP Flowspec — dynamic traffic filtering rules propagated via BGP. DDoS defense at the routing level.

  7. Peering redundancy — multiple BGP sessions with different upstream providers reduce the impact of a single hijack.


Best practices for implementation

Effective implementation requires several key steps:

  1. Risk assessment and inventory — identify assets, threats, and vulnerabilities specific to your organization.
  2. Policy development — document requirements, roles, and responsibilities.
  3. Technical controls — deploy tools and configurations proportionate to identified risks.
  4. Training and awareness — engage employees in protecting organizational security.
  5. Monitoring and continuous improvement — regularly verify effectiveness and adapt to the evolving threat landscape.
