The backbone of internet communication relies on a protocol that operates on trust — a design philosophy that made sense in the early days of the internet but has become a critical vulnerability in our interconnected world. Border Gateway Protocol (BGP) serves as the postal system of the Internet, determining how data travels between networks globally. Yet, this fundamental protocol remains inherently vulnerable to attacks that can redirect traffic, intercept communications, or cause widespread outages affecting millions of users.
Understanding BGP: The Internet’s Routing Foundation
The Border Gateway Protocol (BGP), originally defined in RFC 1163 and later updated in RFC 1267, was developed to enable independently operated networks, known as autonomous systems (AS), to exchange reachability information. This capability allows each AS to advertise the IP prefixes it can route to, along with the path of AS numbers used to reach those destinations. These early BGP standards laid the foundation for today’s global inter-domain routing system. When a BGP router advertises its reachability (IP prefix) to neighboring routers, this information propagates across the Internet, creating the complex topology that connects networks worldwide.
The protocol’s design is fundamentally based on trust among systems. BGP advertisement messages are generally accepted by routers without means to verify their origin or integrity, and announcements are often unencrypted. This trust-based model, while efficient, creates significant security vulnerabilities that threat actors can exploit.
The Current Threat Landscape
According to IBM Security’s analysis of BGP incidents, “BGP internet routing: What are the threats?” [1], these attacks have remained a persistent threat for over a decade. While the rate of BGP internet routing attacks has not increased significantly in recent years, the threat remains considerable because it puts the stability of the entire internet at risk. BGP incidents can be categorized into three primary types:
1. BGP Hijacking
This occurs when malicious actors announce IP prefixes they don’t own, redirecting traffic intended for legitimate networks to their own infrastructure. High-profile incidents include the 2008 global YouTube outage caused by a BGP hijack, analyzed in “YouTube Hijacking (February 24th 2008) Analysis of BGP Routing Dynamics” [2], and multiple incidents throughout 2017 that highlighted the protocol’s vulnerabilities.
2. BGP Route Leaks
These happen when networks inadvertently announce routes they shouldn’t, often due to misconfigurations. Google experienced a massive BGP route leak in August 2017 that significantly impacted internet routing stability globally.
3. Path Manipulation
Attackers can manipulate BGP path information to influence routing decisions, potentially causing traffic to take suboptimal or malicious routes.
Statistical Analysis of BGP Incidents
According to data analyzed by the OECD in “Routing Security: BGP Incidents and Mitigation Techniques” [3], using Cisco’s BGPStream platform, monthly BGP hijack incidents have consistently ranged between approximately 150 and 230 per month in recent years. While these figures fluctuate from month to month, the overall frequency has not shown a significant upward trend. This suggests that although BGP hijacking remains a persistent threat, the rate of occurrences has remained relatively stable over time.
The geographic distribution of BGP incidents shows that major internet hubs and regions with high network density experience more frequent disruptions, highlighting the interconnected nature of internet routing vulnerabilities.
RPKI: The Cryptographic Solution
Resource Public Key Infrastructure (RPKI) represents the most promising solution for securing BGP routing. As Google’s network security team explains, RPKI is a distributed public database of cryptographically signed records that allows operators to securely register routing information about their networks.
How RPKI Works
RPKI creates a cryptographic method of signing records that associate BGP route announcements with the correct originating AS number. Each Regional Internet Registry (RIR) maintains a root certificate and can issue signed certificates for the resource holders within its region. This creates a chain of trust that enables:
- Origin Validation: Networks can verify that route announcements come from legitimate sources
- Cryptographic Authentication: Digital signatures ensure the integrity of routing information
- Scalable Deployment: The distributed nature allows for global implementation
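The origin validation step described above can be shown concretely. The following is an added example, not code from the post or from any RIR, validator or router vendor: it implements the RFC 6811 validation outcome (valid, invalid, not-found) for an announcement against a small set of signed origin records (ROAs), and the accept/drop policy most operators apply to that outcome. The ROA table, prefixes (RFC 5737/3849 documentation space) and ASNs (RFC 5398 documentation range) are constructed sample values.

```python
"""RPKI Route Origin Validation (ROV) per RFC 6811, run against a constructed
ROA table.  Added illustration, not code from the post or from any RIR,
validator or router vendor; all prefixes and ASNs are constructed samples."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: the holder of `prefix` authorises
    `origin_asn` to originate it and any more-specific up to `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs, standing in for the validated cache a router
# would normally receive from an RPKI validator.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # holder allows only the /24 itself
    ROA("192.0.2.0/24", 25, 64501),     # holder allows the /24 and its /25s
    ROA("2001:db8::/32", 48, 64500),    # IPv6: /32 down to /48
]


def _network(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'.

    A ROA covers an announcement when the announced prefix lies inside the
    ROA prefix (same address family).  The announcement is valid if any
    covering ROA names the same origin AS and the announced length does not
    exceed that ROA's max_length; invalid if covering ROAs exist but none
    matches; not-found if nothing covers it at all.
    """
    net = _network(prefix)
    covering = [
        roa for roa in roas
        if _network(roa.prefix).version == net.version
        and net.subnet_of(_network(roa.prefix))
    ]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def route_decision(prefix, origin_asn, roas=ROAS):
    """Common operator policy: drop invalids, accept valid and not-found.
    Not-found must still be accepted while ROA coverage is incomplete."""
    state = rov_state(prefix, origin_asn, roas)
    return "drop" if state == "invalid" else "accept"


if __name__ == "__main__":
    # Constructed announcements: a legitimate route, a forged-origin hijack of
    # the same prefix, a more-specific hijack, and a prefix with no ROA yet.
    samples = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 64510),
        ("203.0.113.128/25", 64510),
        ("192.0.2.128/25", 64501),
        ("198.51.100.0/24", 64502),
        ("2001:db8:1::/48", 64500),
    ]
    for pfx, asn in samples:
        print(f"{pfx:20} AS{asn}: {rov_state(pfx, asn):9} -> {route_decision(pfx, asn)}")
```

Two details matter for defenders. First, a more-specific announcement is rejected even when it carries the legitimate origin if it exceeds the ROA's max_length, so holders should keep max_length equal to the prefixes they actually announce (the guidance in RFC 9319) rather than loosening it for convenience. Second, "not-found" must be accepted, not dropped, or every unregistered network on the Internet becomes unreachable; the protection grows as ROA coverage grows.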
Current RPKI Adoption
Google has achieved over 99% route registration in RPKI as of November 2020, as reported in its post “Expanding our commitment to secure Internet routing” [4], demonstrating industry leadership in routing security. Major Internet Service Providers including AT&T, NTT, Telia, and Cogent have announced deployment of RPKI origin validation, indicating growing industry adoption.
Australian Regulatory Framework
The Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC) have recognized the critical importance of routing security. The ACSC has issued specific guidance on gateway security, including Border Gateway Protocol route security measures; see the Gateway security guidance package: Overview [5]. This guidance forms part of Australia’s comprehensive cybersecurity strategy, emphasizing the need for robust routing security practices in critical infrastructure.
The Mutually Agreed Norms for Routing Security (MANRS) initiative has noted that while Australia and New Zealand have made progress in routing security, implementation remains a work in progress. The ACSC’s gateway security guidance package provides detailed recommendations for organizations responsible for gateway operations and management.
Implementation Strategies for Organizations
1. RPKI Deployment
Organizations should prioritize RPKI implementation by:
- Registering all IP prefixes in the appropriate Regional Internet Registry
- Implementing origin validation to reject invalid routes
- Coordinating with upstream providers to ensure comprehensive coverage
2. Route Filtering
Implementing comprehensive route filtering involves:
- Maintaining accurate Internet Routing Registry (IRR) information
- Deploying prefix-based filtering to accept only valid announcements
- Establishing peer-locks with major transit providers
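The filtering steps listed above translate into a small ordered rule set on each eBGP session. The following is an added example, not code from the post or from any router vendor's configuration language: it expresses a typical inbound filter in plain Python so the rule order is explicit, covering bogon rejection, a maximum accepted prefix length, AS-path sanity checks (first AS must be the neighbour, no private ASNs, no loop through our own ASN) and a peer-lock table. Our ASN, the neighbour ASNs, the peer-lock entries and the prefixes are constructed; the bogon list is deliberately abbreviated and omits the RFC 5737 documentation ranges so those can stand in for customer prefixes in the sample.

```python
"""Inbound BGP route filter for an eBGP session, written out as ordered rules.
Added example, not code from the post or any vendor; ASNs (RFC 5398 range),
prefixes (RFC 5737/3849 documentation space) and tables are constructed."""
import ipaddress

OUR_ASN = 64499  # constructed: the AS applying this filter

# Abbreviated bogon list (constructed).  A production filter should load a
# maintained, complete list rather than a hand-typed one.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/3", "::/8", "fc00::/7", "fe80::/10",
)]

# Longest prefix length accepted from peers (typical operator policy).
MAX_LEN = {4: 24, 6: 48}

# Peer-lock table (constructed): a route carrying a protected ASN anywhere in
# its AS path is accepted only from the neighbours that ASN has told us are
# its legitimate transit providers.
PEER_LOCK = {
    64500: {64502},   # AS64500's routes may only reach us via AS64502
}

PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def _is_private_asn(asn):
    return asn in (0, 65535) or any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def filter_route(neighbor_asn, prefix, as_path):
    """Return (accept, reason) for one update; the first matching rule wins."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.version == b.version and net.subnet_of(b) for b in BOGONS):
        return False, "bogon-prefix"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, "too-specific"
    if not as_path:
        return False, "empty-as-path"
    if as_path[0] != neighbor_asn:
        return False, "first-as-mismatch"
    if OUR_ASN in as_path:
        return False, "own-asn-in-path"
    if any(_is_private_asn(a) for a in as_path):
        return False, "private-asn-in-path"
    for protected, allowed in PEER_LOCK.items():
        if protected in as_path and neighbor_asn not in allowed:
            return False, f"peer-lock-AS{protected}"
    return True, "accepted"


def apply_filter(neighbor_asn, updates):
    """Run a batch of (prefix, as_path) updates from one neighbour and return
    (accepted, rejected) lists of (prefix, reason)."""
    accepted, rejected = [], []
    for prefix, path in updates:
        ok, reason = filter_route(neighbor_asn, prefix, path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed updates received from neighbour AS64503, which is *not* a
    # listed transit provider for AS64500.
    acc, rej = apply_filter(64503, [
        ("198.51.100.0/24", [64503, 64505]),
        ("203.0.113.0/24", [64503, 64501, 64500]),
        ("10.1.0.0/16", [64503]),
    ])
    print("accepted:", acc)
    print("rejected:", rej)
```

The peer-lock rule is the one most operators skip, yet it is what stops a route leak or hijack of a customer's space from arriving through a peer who should never be carrying it. The table has to be agreed with the protected network and kept current, which is why the article pairs filtering with peer coordination.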
3. Monitoring and Detection
Effective BGP security requires continuous monitoring:
- Implementing BGP monitoring tools to detect anomalous announcements
- Establishing alerting mechanisms for potential hijack attempts
- Maintaining incident response procedures for routing security events
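The three monitoring items above reduce to one detection loop: take what route collectors see for your address space and compare it with what you actually announce. The following is an added example, not code from the post or from any monitoring product. It runs that comparison over a constructed collector feed and an inventory of the prefixes we originate, raising three kinds of alert that map to the incident types in the article: a foreign origin for our space (hijack), a more-specific of our space we did not announce (leak or sub-prefix hijack), and our origin reached through an upstream we do not use (path manipulation or route leak). AS-path prepending is collapsed before the upstream check. All prefixes (RFC 5737/3849 documentation space), ASNs (RFC 5398 range), collector names and feed records are constructed.

```python
"""Detection over a BGP monitoring feed: announcements observed at route
collectors versus an inventory of the prefixes we originate.  Added example,
not code from the post or from any monitoring product; every value below is a
constructed sample."""
import ipaddress

# Constructed inventory of what we legitimately announce and through whom.
INVENTORY = {
    "203.0.113.0/24": {"origin": 64500, "upstreams": {64502, 64503}},
    "2001:db8::/32":  {"origin": 64500, "upstreams": {64502}},
}

# Constructed feed: one record per announcement seen at a collector.
# as_path is collector-peer first and origin AS last, as collectors export it.
FEED = [
    {"collector": "rc-a", "prefix": "203.0.113.0/24",
     "as_path": [64510, 64502, 64500]},                       # normal
    {"collector": "rc-a", "prefix": "203.0.113.0/24",
     "as_path": [64510, 64504, 64500, 64500, 64500]},         # prepended, odd upstream
    {"collector": "rc-b", "prefix": "203.0.113.0/25",
     "as_path": [64511, 64520, 64530]},                       # more-specific, foreign origin
    {"collector": "rc-a", "prefix": "2001:db8:1::/48",
     "as_path": [64510, 64502, 64500]},                       # our origin, unregistered /48
    {"collector": "rc-a", "prefix": "198.51.100.0/24",
     "as_path": [64510, 64540]},                              # not our space: ignored
]


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def _collapse_prepends(path):
    """Drop consecutive repeats so prepending does not hide the real upstream."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def _covering_entry(prefix, inventory):
    """Longest inventory prefix that contains `prefix`, or (None, None)."""
    net = _net(prefix)
    for ours in sorted(inventory, key=lambda p: _net(p).prefixlen, reverse=True):
        o = _net(ours)
        if o.version == net.version and net.subnet_of(o):
            return ours, inventory[ours]
    return None, None


def detect_anomalies(feed, inventory=INVENTORY):
    """Return a list of alert dicts for announcements touching our space."""
    alerts = []
    for rec in feed:
        ours, info = _covering_entry(rec["prefix"], inventory)
        if ours is None:
            continue
        path = _collapse_prepends(rec["as_path"])
        origin = path[-1]
        more_specific = _net(rec["prefix"]).prefixlen > _net(ours).prefixlen
        base = {"collector": rec["collector"], "prefix": rec["prefix"],
                "covering": ours, "as_path": path}
        if origin != info["origin"]:
            alerts.append({**base, "kind": "origin-hijack", "severity": "critical",
                           "observed_origin": origin, "more_specific": more_specific})
            continue
        if more_specific:
            alerts.append({**base, "kind": "unexpected-more-specific", "severity": "high"})
        if len(path) >= 2 and path[-2] not in info["upstreams"]:
            alerts.append({**base, "kind": "unexpected-upstream", "severity": "medium",
                           "observed_upstream": path[-2]})
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(FEED):
        print(f"[{a['severity']}] {a['kind']}: {a['prefix']} via {a['as_path']} seen at {a['collector']}")
```

The severity ordering reflects impact: a foreign origin means traffic is already being diverted, an unregistered more-specific wins the longest-match race regardless of origin, and an unexpected upstream is usually a leak that degrades rather than steals traffic. Each alert carries the collector and path so the incident response procedure has enough to contact the offending network or its transit provider.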
4. Peer Coordination
Working with network peers enhances overall security:
- Sharing routing information through standardized databases
- Coordinating filtering policies with peering partners
- Participating in industry security initiatives like MANRS
Technical Implementation Challenges
Despite the clear benefits of BGP security measures, implementation faces several challenges:
Complexity and Resource Requirements
BGPSec, an extension of BGP that adds path validation, can potentially result in increased complexity in routing updates and may require additional hardware to compute and verify cryptographic signatures. This represents a significant infrastructural change with many unknowns for network operators.
Coordination Requirements
The distributed nature of internet routing means that security measures are most effective when widely adopted. Individual networks implementing RPKI or other security measures provide limited protection if their peers haven’t implemented corresponding validation mechanisms.
Performance Considerations
Cryptographic validation of routing information introduces computational overhead that must be balanced against network performance requirements. Organizations must carefully plan capacity and processing requirements when implementing security measures.
Global Collaboration Efforts
The Internet Engineering Task Force (IETF), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS) have collaborated to develop the Secure Inter-Domain Routing (SIDR) framework; see the NIST announcement “New Network Security Standards Will Protect Internet’s Routing” [6]. This framework focuses on three key components:
- Resource Public Key Infrastructure (RPKI)
- BGP Origin Validation
- BGP Path Validation (BGPSec)
These standardization efforts provide a unified approach to BGP security that organizations can implement with confidence in interoperability and effectiveness.
Future Considerations and Emerging Threats
As the internet continues to evolve, BGP security faces new challenges:
Cloud and CDN Integration
The rise of cloud computing and content delivery networks creates new routing security considerations. Major providers like Google are working to establish consistent security practices across the industry, but smaller organizations may struggle to implement comprehensive security measures.
IoT and Edge Computing
The proliferation of Internet of Things devices and edge computing infrastructure creates additional attack surfaces that malicious actors could exploit through BGP manipulation.
Nation-State Threats
State-sponsored actors have demonstrated sophisticated capabilities in manipulating internet routing for espionage and disruption purposes, requiring enhanced security measures and international cooperation.
Recommendations for Australian Organizations
Based on Australian Cyber Security Centre guidance and international best practices such as “Gateway security guidance package: Gateway operations and management” [7] and the Information Security Manual (ISM) [8], organizations should:
Immediate Actions
- Conduct BGP Security Assessment: Evaluate current routing security posture and identify vulnerabilities
- Implement Basic Filtering: Deploy prefix-based filtering for immediate protection
- Register with RPKI: Begin the process of registering IP prefixes with the appropriate authorities
Medium-term Objectives
- Deploy Origin Validation: Implement RPKI origin validation on border routers
- Enhance Monitoring: Deploy comprehensive BGP monitoring and alerting systems
- Establish Peer Relationships: Work with network peers to implement coordinated security measures
Long-term Strategic Goals
- Full RPKI Implementation: Achieve comprehensive RPKI coverage for all network resources
- Industry Participation: Engage with industry initiatives like MANRS to advance routing security
- Continuous Improvement: Regularly assess and update routing security practices
Cost-Benefit Analysis
While implementing BGP security measures requires significant investment, the potential costs of routing security incidents far exceed implementation expenses. Consider that major BGP incidents can:
- Cause widespread service outages affecting millions of users
- Enable man-in-the-middle attacks on sensitive communications
- Damage organizational reputation and customer trust
- Result in regulatory penalties in critical infrastructure sectors
The proactive implementation of routing security measures provides a substantial return on investment through risk reduction and enhanced network resilience.
Conclusion
BGP security represents one of the most critical challenges facing the Internet infrastructure today. While the protocol’s trust-based design served the early internet well, the current threat landscape demands a more robust security approach. Organizations that proactively implement RPKI, comprehensive filtering, and monitoring capabilities will be better positioned to protect their networks and contribute to overall internet security.
The collaborative efforts of major technology companies, government agencies, and international standards bodies provide a clear roadmap for securing internet routing. However, success requires broad industry participation and sustained commitment to implementing and maintaining security measures.
As the internet continues to evolve and support increasingly critical applications, the importance of routing security will only grow. Organizations that invest in BGP security today will build the foundation for a resilient, secure network infrastructure that can support future growth and innovation.
References and Sources
1. IBM, “BGP internet routing: What are the threats?”, 2017. https://www.ibm.com/think/x-force/bgp-internet-routing-what-are-the-threats
2. IBM, “BGP internet routing: What are the threats?”, 2017. https://www.ibm.com/think/x-force/bgp-internet-routing-what-are-the-threats
3. Organisation for Economic Co-operation and Development (OECD), “Routing Security: BGP Incidents and Mitigation Techniques”, 2022. https://www.oecd.org/content/dam/oecd/en/publications/reports/2022/10/routing-security_15b121f7/40be69c8-en.pdf
4. Google Cloud, “Expanding our commitment to secure Internet routing”, 2020. https://cloud.google.com/blog/products/networking/how-google-is-working-to-improve-internet-routing-security
5. Australian Signals Directorate (ASD), “Gateway security guidance package: Overview”, 2022. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/gateway-hardening/gateway-security-guidance-package-overview
6. National Institute of Standards and Technology (NIST), “New Network Security Standards Will Protect Internet’s Routing”, 2017. https://www.nist.gov/news-events/news/2017/10/new-network-security-standards-will-protect-internets-routing
7. Australian Cyber Security Centre (ACSC), “Gateway security guidance package: Gateway operations and management”, 2022. https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/gateway-hardening/gateway-security-guidance-package-gateway-operations-management
8. Australian Cyber Security Centre (ACSC), “Information Security Manual (ISM)”, 2025. https://www.cyber.gov.au/sites/default/files/2025-03/Information%20security%20manual%20%28March%202025%29.pdf
At Christian Sajere Cybersecurity and IT Infrastructure, we understand that BGP security is fundamental to protecting your organization’s digital infrastructure. Our expert team specializes in implementing comprehensive routing security solutions, from RPKI deployment to advanced monitoring systems. Let us secure your network’s foundation and ensure reliable, protected internet connectivity.