What is the Border Gateway Protocol?
BGP controls which networks your traffic traverses before it reaches your security controls, and attackers exploit this routing layer to intercept your data before your firewall security or endpoint detection ever sees it. NIST SP 800-189 defines BGP as the routing protocol enabling different autonomous systems to exchange routing information and determine optimal paths for Internet traffic. An attacker stole roughly $235,000 in cryptocurrency on August 17, 2022 by employing a targeted BGP hijack against Celer Bridge, redirecting traffic to attacker-controlled servers for approximately three hours.
CISA calls BGP "the most important part of the Internet you've probably never heard of." Your firewall protects the perimeter. Your endpoint detection stops malware. But BGP controls which networks your traffic traverses before it reaches those security controls, a foundational layer that sits below most enterprise security defenses.
You're operating on a protocol with a fundamentally insecure trust-based model. RFC 4272 states that BGP is essentially an unsecured protocol. The protocol lacks cryptographic mechanisms to validate whether the announcing autonomous system owns IP prefixes, whether routing paths are authentic, and whether announcements were altered in transit.
How Border Gateway Protocol Relates to Cybersecurity
BGP hijacking lets attackers intercept your traffic before your firewall inspects it, positioning themselves between your users and your perimeter defenses. You monitor authentication failures and hunt for lateral movement, but BGP hijacking happens at the routing layer before your SIEM platforms see the traffic. When you integrate BGP monitoring into platforms like Singularity Data Lake, routing anomalies correlate automatically with authentication failures and data exfiltration indicators.
BGP security matters because a routing layer compromise bypasses your enterprise perimeter security controls and enables man-in-the-middle attacks at Internet scale. CISA warns that BGP hijacking exposes your business information by redirecting traffic through attacker-controlled networks and facilitates state-level espionage. Understanding how attackers exploit BGP requires examining the protocol's core architectural components.
Internal vs External BGP (iBGP vs eBGP)
BGP operates in two distinct modes with different trust models and security implications. External BGP (eBGP) handles routing between autonomous systems, while Internal BGP (iBGP) manages route distribution within a single AS. Your security posture must account for vulnerabilities in both.
eBGP sessions connect routers in different autonomous systems across trust boundaries. These sessions typically run between routers at network edges where your organization peers with ISPs, cloud providers, or other networks. eBGP applies a TTL of 1 by default, meaning peer routers must be directly connected. Attackers target eBGP sessions because compromising these connections enables traffic interception at Internet scale.
iBGP distributes routing information learned from eBGP peers throughout your internal network. iBGP requires full mesh connectivity between all BGP speakers within an AS, or the use of route reflectors and confederations to scale. iBGP sessions don't modify the AS path attribute, which means routes learned via iBGP retain their original AS path for loop prevention.
The security implications differ between these modes:
- eBGP sessions cross administrative boundaries and require strict filtering policies
- iBGP assumes a trusted internal environment, creating risk if attackers gain internal network access
- Route reflector misconfigurations can propagate bad routes throughout your AS
- iBGP session hijacking enables attackers with internal access to manipulate routing decisions
Your network security strategy should implement MD5 authentication on all BGP sessions regardless of type. The MANRS enterprise primer recommends strict prefix filtering at every eBGP peering point. For iBGP, segment route reflector clusters and monitor for unauthorized BGP speakers within your AS.
Core Components of Border Gateway Protocol
Three architectural elements create the vulnerabilities that attackers exploit in BGP's trust-based design: lack of authentication mechanisms, implicit trust between peers, and the absence of route validation capabilities.
- Autonomous Systems (AS) represent independent networks under a single administrative control. Your enterprise network, your ISP, your cloud provider: each operates as an autonomous system with a unique AS number.
- BGP Peering Sessions establish the TCP connections over which routers in different autonomous systems exchange routing information. These connections organize into provider-customer, peer-to-peer, and customer-provider relationships, each with distinct security implications.
- Route Announcements advertise IP address prefixes to peer networks. When your AS announces "I have the best route to reach 203.0.113.0/24," neighboring networks update their routing tables accordingly. RFC 4272 confirms that the protocol assumes peers are trusted, with no mechanisms to validate routing information. When you or your peers send syntactically valid route announcements, BGP propagates them throughout the Internet, regardless of whether those announcements are legitimate or malicious.
Understanding these architectural vulnerabilities explains how attackers exploit BGP's route selection process to hijack your traffic.
How Border Gateway Protocol Works
When attackers announce your 203.0.113.0/24 prefix more specifically than your legitimate 203.0.113.0/20 announcement, routers worldwide prefer the attacker's route. This happens because BGP route selection follows an algorithm that prioritizes specificity over authorization, a technique called longest-prefix-match hijacking.
Route authorization protection only works when downstream networks validate routes. If your upstream provider doesn't implement Route Origin Validation, attackers can still hijack your traffic even when you've published valid ROAs.
BGP evaluates routes using criteria including local preference, AS path length, origin type, and multi-exit discriminator. Attackers can manipulate these parameters to hijack traffic. NIST SP 800-189 Rev. 1 confirms that designers created BGP without built-in cryptographic authentication mechanisms.
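The longest-prefix-match behaviour described above, as an added example that is not part of the original article. It assumes a constructed RIB of two announcements and uses 203.0.112.0/20 as the aligned /20 that contains 203.0.113.0/24; the AS numbers are RFC 5398 documentation ASNs, not real operators.

```python
import ipaddress

# Constructed RIB entries for illustration. Prefixes are RFC 5737
# documentation space; AS numbers are RFC 5398 documentation ASNs
# (64496-64511), so none of this refers to a real operator.
# as_path convention: first element is the nearest neighbour, last is the origin.
LEGIT_ROUTE = {"prefix": "203.0.112.0/20", "as_path": [64500, 64496]}
HIJACK_ROUTE = {"prefix": "203.0.113.0/24", "as_path": [64500, 64505, 64511]}


def best_route(rib, destination):
    """Longest-prefix match as a forwarding lookup performs it.

    The most specific covering prefix wins outright; AS-path length only
    breaks ties between announcements of the *same* prefix. Nothing here
    asks whether the origin AS is authorised to announce the prefix.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in rib if dst in ipaddress.ip_network(r["prefix"])]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r["prefix"]).prefixlen, -len(r["as_path"])),
    )


def origin_for(rib, destination):
    """Origin AS that traffic to destination is delivered to, or None."""
    route = best_route(rib, destination)
    return None if route is None else route["as_path"][-1]


if __name__ == "__main__":
    before = [LEGIT_ROUTE]
    during = [LEGIT_ROUTE, HIJACK_ROUTE]
    for ip in ("203.0.113.10", "203.0.114.10"):
        print(ip, "before:", origin_for(before, ip), "during:", origin_for(during, ip))
```

Note that the hijacker's path is longer than the legitimate one and still wins for every address inside the /24; hosts elsewhere in the /20 are unaffected, which is why sub-prefix hijacks are hard to notice from the victim's own vantage point.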
Common Attack Techniques Exploiting BGP
Attackers exploit BGP's trust-based architecture through several established techniques that your security team must recognize and defend against. The June 2025 root DNS server hijack affecting eight servers simultaneously demonstrates these methods remain effective even against critical infrastructure.
- Prefix hijacking occurs when an attacker announces IP prefixes belonging to another organization. The attacker's AS originates routes for address space it doesn't own, and networks that don't perform route validation accept these announcements. Traffic destined for the legitimate owner flows to the attacker instead. This technique enables credential theft, data interception, and cryptocurrency theft.
- Sub-prefix hijacking represents a more targeted variant. Attackers announce more specific prefixes than the legitimate owner. If your organization announces 192.0.2.0/23, an attacker announcing 192.0.2.0/24 wins the route selection because BGP prefers longer prefix matches. The Root Server Operators report confirms attackers consistently exploit this longest-prefix-match behavior.
- AS path manipulation lets attackers influence route selection by artificially shortening or modifying the AS path attribute. BGP prefers shorter paths, so an attacker who forges a shorter path makes a malicious route more attractive than the legitimate one. Some attackers insert legitimate ASNs into fake paths to evade detection.
- BGP session hijacking targets the TCP sessions underlying BGP peering relationships. Attackers who can inject packets into the session can reset connections, inject false routes, or cause routing instability. TCP sequence number prediction and man-in-the-middle positioning enable these attacks.
- Route leaks result from misconfiguration rather than malicious intent but create similar security impacts. A network incorrectly propagates routes learned from one peer to other peers, violating expected routing policies. MANRS incident analysis documents how these misconfigurations affected Time Warner Cable, Rogers, and Charter.
Defending against these techniques requires layered controls including RPKI deployment, strict prefix filtering, BGP session authentication, and continuous monitoring for routing anomalies.
Key Benefits of Border Gateway Protocol
BGP provides Internet-scale routing through coordination with independent networks. RFC 4271 explains how autonomous systems exchange routing information and determine best paths for Internet traffic based on relationships between networks.
Path redundancy comes through multiple announcement sources and distributed route selection. When your primary ISP connection fails, BGP converges to backup paths through secondary providers based on route metrics and local policies.
Granular traffic engineering through policy-based routing gives you control over both directions of traffic flow. Adjust AS path prepending to influence inbound traffic, configure local preference settings for outbound traffic, and implement filtering policies to prevent traffic from routing through potentially hostile networks. These routing capabilities come with significant security tradeoffs that require careful management.
Challenges and Limitations of Border Gateway Protocol
BGP's fundamental authentication gap prevents cryptographic verification that the AS announcing routes to your IP space actually owns those addresses. This gap enables every hijack attack you defend against. NIST SP 800-189r1 shows the problem: BGP routers accept routing announcements without cryptographic verification of origin authentication, path validation, or announcement integrity.
Incident frequency continues to accelerate despite increased awareness. Internet2 routing security analysis documented three significant routing security incidents affecting research and education networks in 2024 alone, demonstrating that BGP vulnerabilities continue to disrupt critical infrastructure.
The systemic risk creates dependencies beyond any single organization's control. The Internet Society policy analysis warns that the decentralized and interconnected nature of BGP introduces vulnerabilities that malicious actors can exploit. Routing security depends on thousands of other networks globally, creating a supply chain-like dependency where single BGP misconfigurations cascade internationally. These systemic vulnerabilities manifest in specific operational failures that security teams must recognize and prevent.
Common Border Gateway Protocol Mistakes
Many organizations deploy RPKI validation infrastructure but never progress beyond monitoring to enforcement. The monitoring dashboard shows a prefix being announced from an unauthorized AS. The RPKI validator marks it invalid. But monitoring-only mode, configured months ago, never advanced to enforcement. The traffic gets hijacked while the dashboard displays the problem. NRO RPKI Best Practices requires creating ROAs that exactly match what you are announcing in BGP and nothing more.
Incomplete RPKI deployment creates failures in multiple ways:
- Creating ROAs for planned-but-not-announced prefixes
- Setting overly permissive maximum length values
- Forgetting to update ROAs when BGP announcements change
These ROA misconfigurations leave prefixes vulnerable even when validation infrastructure exists. NDSS Symposium research identifies systematic challenges that prevent operators from moving beyond passive validation to active enforcement.
Inadequate filtering policies enable propagation of attacks. CAIDA's MANRS ecosystem analysis found that RPKI-invalid and invalid-prefix-length BGP announcements propagate through networks despite documented security commitments. Common gaps include accepting prefixes longer than /24 for IPv4, bogon filters not synchronized with current RIR allocations, and missing AS-path sanity checks. These filtering gaps create cascading vulnerabilities across the routing infrastructure.
Insufficient monitoring leaves incidents unfound until after damage occurs. Without alerting on prefix origin AS changes, new more-specific announcements overlapping address space, and RPKI validation state transitions, routing changes remain invisible. Proper incident response processes that integrate BGP telemetry into your security platform are essential. Avoiding these mistakes requires implementing documented best practices for BGP security.
Border Gateway Protocol Best Practices
Resource Public Key Infrastructure deployment should follow NIST SP 800-189 Revision 1. Create Route Origin Authorizations for every IP prefix your organization originates in BGP and deploy at least two RPKI validators for redundancy.
Route Origin Validation works best when implemented in phases following NRO Best Practices:
- Monitoring mode (30-60 days): Observe RPKI validation results without affecting routing
- Preference adjustment (60-90 days): Lower local preference for RPKI-invalid routes
- Full enforcement (90+ days): Drop invalid announcements entirely
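The phased rollout above, together with the ROA pitfalls listed under Common Mistakes (overly permissive maximum length, ROAs that do not match what is announced), as an added example that is not part of the original article. It implements RFC 6811 origin validation against a constructed ROA set using documentation prefixes and ASNs; the phase names and the local-preference value for invalid routes are assumptions for illustration.

```python
import ipaddress

# Constructed ROAs as (prefix, maxLength, origin AS). Documentation
# prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398) only.
# Keep maxLength equal to the announced length: a permissive maxLength
# (say 24 on the /20) would make every /24 carrying a forged AS64496
# origin validate as well.
ROAS = [
    ("203.0.112.0/20", 20, 64496),   # exactly the /20 you announce, nothing longer
    ("198.51.100.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),    # permits /32 through /48 from AS64496
]


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'.

    A route is valid if any ROA covers the prefix, names the same origin AS,
    and the announced length does not exceed the ROA's maxLength. Covered
    but no match is invalid; no covering ROA at all is notfound.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


# Phased rollout: the same invalid result is handled differently
# depending on how far enforcement has progressed (assumed value).
INVALID_LOCAL_PREF = 10


def apply_rov_policy(prefix, origin_as, phase, local_pref=100, roas=ROAS):
    """Return the routing decision for one announcement under a rollout phase."""
    state = rov_state(prefix, origin_as, roas)
    decision = {"state": state, "accept": True, "local_pref": local_pref}
    if state != "invalid":
        return decision
    if phase == "monitor":          # log only; routing unchanged
        decision["alert"] = f"RPKI-invalid {prefix} from AS{origin_as}"
    elif phase == "prefer":         # still accepted, but loses to any valid route
        decision["local_pref"] = INVALID_LOCAL_PREF
    elif phase == "enforce":        # dropped before it can win route selection
        decision["accept"] = False
    else:
        raise ValueError(f"unknown phase {phase!r}")
    return decision
```

In the "monitor" and "prefer" phases a more-specific invalid route can still win longest-prefix match, since local preference is only compared between routes to the same prefix; only "enforce" actually stops the hijack.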
Strict prefix filtering at all peering points prevents common attack vectors. Maximum prefix length limits stop more-specific route hijacking attacks, synchronized bogon filters block invalid address space, and AS-path filtering prevents unrealistic path lengths or private ASN leakage.
Route-map policies should encode relationship types clearly. Tag all BGP routes with communities indicating provider, peer, or customer origin.
BGP monitoring integration with your security platform enables threat hunting workflows for routing anomalies. Configure alerts for peer session state changes, prefix origin AS modifications, and RPKI validation state transitions.
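The alerting described here and under Common Mistakes (origin AS changes, overlapping more-specifics), plus the private-ASN path check from the filtering paragraph, as an added example that is not part of the original article. It runs over a constructed update feed in a simple pipe-delimited shape, not the native format of any route collector; the baseline of expected origins and the severities are assumptions.

```python
import ipaddress

# Constructed baseline of what this organisation legitimately originates.
EXPECTED_ORIGINS = {"203.0.112.0/20": 64496, "198.51.100.0/24": 64496}

# Constructed update lines in the shape timestamp|prefix|origin_as|as_path.
# A real feed would come from a route collector (RIPE RIS, RouteViews) or a
# BMP session; documentation prefixes and ASNs only.
SAMPLE_UPDATES = """\
2025-06-01T19:40:02Z|203.0.112.0/20|64496|64500 64496
2025-06-01T19:40:05Z|198.51.100.0/24|64496|64500 64496
2025-06-01T19:41:10Z|203.0.113.0/24|64511|64500 64505 64511
2025-06-01T19:42:00Z|198.51.100.0/24|64511|64502 64511
2025-06-01T19:43:00Z|203.0.120.0/24|64496|64500 65000 64496
2025-06-01T19:44:00Z|192.0.2.0/24|64499|64500 64499
"""


def is_private_asn(asn):
    """RFC 6996 private-use ranges; these should never appear on the Internet."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def parse_updates(text):
    rows = []
    for line in text.splitlines():
        ts, prefix, origin, path = line.split("|")
        rows.append({"ts": ts, "prefix": ipaddress.ip_network(prefix),
                     "origin": int(origin), "path": [int(a) for a in path.split()]})
    return rows


def detect_anomalies(updates, expected=EXPECTED_ORIGINS):
    """Return (kind, severity, timestamp, prefix, origin_as) tuples."""
    expected_nets = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    alerts = []
    for u in updates:
        net, origin = u["prefix"], u["origin"]
        if any(is_private_asn(a) for a in u["path"]):
            alerts.append(("PRIVATE_ASN_IN_PATH", "medium", u["ts"], str(net), origin))
        if net in expected_nets:
            # Exact prefix we announce: only the origin AS can change.
            if origin != expected_nets[net]:
                alerts.append(("ORIGIN_CHANGE", "high", u["ts"], str(net), origin))
            continue
        for exp_net, exp_as in expected_nets.items():
            # A more-specific inside our space from our own AS is probably
            # traffic engineering; from any other AS it is a likely hijack.
            if net.version == exp_net.version and net.subnet_of(exp_net):
                sev = "info" if origin == exp_as else "high"
                alerts.append(("MORE_SPECIFIC", sev, u["ts"], str(net), origin))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_updates(SAMPLE_UPDATES)):
        print(*alert)
```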
ROA configuration validation should be continuous using Regional Internet Registry-recommended tools. Change control processes ensure ROA updates precede BGP announcement modifications where feasible. Document and test response procedures for invalid route detection and establish incident response plans for BGP hijacking scenarios. These best practices prepare your organization to integrate routing security into unified security operations.
Real-World Examples of BGP Incidents
BGP security failures have caused significant real-world damage across critical infrastructure, financial services, and government operations. These incidents demonstrate why routing security requires the same attention as endpoint and network protection.
- The June 2025 root DNS server hijack represents the most severe recent incident. According to the Root Server Operators incident report, eight root DNS servers (a, b, c, f, g, h, j, and m.root-servers.net) experienced simultaneous BGP hijacking between 19:40 and 21:10 UTC. Three hijacked prefixes had valid ROAs published in RPKI, yet the attack succeeded because downstream networks failed to implement Route Origin Validation.
- The April 2020 Rostelecom mass hijack affected over 8,000 routes globally. MANRS incident analysis confirms AS12389 announced more specific routes that impacted more than 200 CDN and cloud providers including Cloudflare and Akamai. Analysis attributed this to a BGP optimizer misconfiguration rather than malicious intent.
- The September 2020 Telstra incident saw AS1221 announce almost 500 prefixes in a mass hijacking event. MANRS documentation shows the incident affected 266 autonomous systems across 50 countries, demonstrating how single misconfigurations cascade globally.
- The August 2022 Celer Bridge attack targeted cryptocurrency users. Attackers stole $235,000 in cryptocurrency by redirecting traffic through attacker-controlled servers for approximately three hours.
These incidents share common characteristics: they exploited BGP's trust model, affected organizations that had implemented some security measures, and caused damage before defenders could respond. The pattern reinforces why proactive threat detection and continuous BGP monitoring are essential components of enterprise security.
Key Takeaways
You're defending against routing-layer attacks with infrastructure you don't fully control. Your BGP security depends on thousands of networks implementing validation controls. Start with what you can control: deploy RPKI/ROV in enforcement mode, filter prefixes strictly at every peering point, and integrate BGP monitoring into your SOC workflows. The gap between individual implementation and collective enforcement is where attackers operate.
Border Gateway Protocol (BGP) FAQs
BGP hijacking occurs when an attacker announces IP address prefixes they don't own, causing Internet traffic to route through their network instead of the legitimate destination.
According to CISA, these attacks can expose business information, enable theft and extortion, and facilitate state-level espionage. This technique enables traffic interception, credential theft, data exfiltration, and denial of service attacks at Internet scale.
BGP controls traffic routing before packets reach your firewalls, endpoint detection, or other security controls. When attackers hijack BGP routes, they position themselves between your users and your defenses, enabling man-in-the-middle attacks that bypass perimeter security entirely.
Routing security represents a foundational layer that most enterprise security stacks don't monitor.
Organizations find BGP manipulation through continuous monitoring of route announcements, RPKI validation state changes, and prefix origin modifications.
Deploy RPKI validators to check route legitimacy, subscribe to public route collector feeds from RIPE RIS or RouteViews, and integrate BGP telemetry into your security platform. Alert on unexpected AS origin changes and more-specific prefix announcements overlapping your address space.
BGP hijacking enables credential harvesting through redirected authentication flows, data exfiltration by intercepting sensitive communications, cryptocurrency theft via DNS hijacking chains, surveillance of targeted organizations or individuals, and service disruption through traffic blackholing.
The Internet Society warns that the decentralized nature of BGP means hijacked routes can affect any organization whose traffic transits the compromised path.
RPKI creates cryptographic certificates linking IP prefixes to authorized origin autonomous systems. When you deploy Route Origin Validation, your routers reject BGP announcements where the origin AS doesn't match the cryptographically signed ROA.
An attacker announcing your prefixes from an unauthorized AS gets dropped. However, protection requires both ROA creation by prefix owners and ROV enforcement by transit networks. Having valid ROAs is insufficient if peer networks don't validate.
BGP hijacking involves deliberately announcing unauthorized IP prefixes to intercept traffic. Route leaks represent a distinct threat where networks incorrectly propagate routes they learned from one peer to other peers.
While route leaks typically result from misconfiguration rather than malicious intent, their security impact is functionally equivalent because traffic still gets diverted through unintended and potentially hostile networks.
Yes, but with dependencies on upstream providers. If you use provider-assigned address space, coordinate with your ISP to create ROAs under their RIR account.
Document ROA management responsibilities in writing, particularly that removing a ROA revokes the authorization globally within minutes. Focus on monitoring, filtering, and validation controls within your operational authority.
RPKI deployment has two parts: publishing Route Origin Authorizations (ROAs) for your prefixes and enforcing Route Origin Validation (ROV) on incoming routes. Many organizations complete the first step but not the second.
Even when you publish valid ROAs, your traffic remains vulnerable if transit networks between you and your destination don't enforce validation. This collective action problem means BGP security requires coordinated implementation across the routing ecosystem.
Establish a phased approach to BGP security monitoring based on NIST SP 800-189 Rev. 1 guidance. Begin by implementing Route Origin Validation in monitoring-only mode to gain baseline visibility.
Treat BGP hijacking and unexpected prefix origin changes as high-priority alerts requiring immediate investigation, as these attacks enable man-in-the-middle interception at the routing layer.
Organizations can deploy BGP monitoring through RPKI validators, route collectors, and security platforms that ingest network telemetry. Public resources like RIPE RIS and RouteViews provide global routing visibility.
For enterprise environments, integrating BGP monitoring data into your security platform enables correlation with endpoint and identity events.