BGP Hijacking: The Hidden Routing Threat to UK Businesses
BGP hijacking redirects internet traffic through unauthorised networks. This guide explains how it works, its real-world UK impact, and how VP Pulse monitors for BGP anomalies.
What Is BGP Hijacking?
BGP hijacking occurs when a network operator, either maliciously or through misconfiguration, announces IP address prefixes that belong to another organisation. Because BGP was designed in an era of mutual trust between internet operators, it has no built-in authentication mechanism. A router receiving a hijacked announcement has no way to determine whether the announcement is legitimate without additional validation mechanisms like RPKI.
How BGP Hijacks Happen
Malicious Hijacking
A state actor or criminal group announces a victim's IP prefix from their own ASN. Traffic destined for the victim is routed to the attacker instead. The attacker can intercept traffic, conduct man-in-the-middle attacks, or simply blackhole the traffic (causing a denial of service). This technique has been used for cryptocurrency theft (intercepting traffic to exchange APIs) and intelligence gathering.
Accidental Route Leaks
More commonly, hijacks result from configuration errors. An operator accidentally announces someone else's prefix, perhaps by importing a customer route into a transit peering session. The 2019 incident involving a small US ISP leaking routes through Verizon caused widespread disruption affecting Cloudflare, Amazon, and others for nearly two hours.
Real-World Impact on UK Infrastructure
UK organisations are not immune. UK IP space has been subject to BGP anomalies affecting financial services infrastructure, government IP ranges, and major hosting providers. Most incidents are brief and opportunistic rather than sustained, targeted attacks, but even minutes of BGP misrouting can cause significant damage in financial trading environments.
The NCSC (National Cyber Security Centre) monitors BGP anomalies affecting UK government networks as part of its Active Cyber Defence programme.
RPKI: The Solution
Resource Public Key Infrastructure (RPKI) addresses BGP's authentication gap. Network operators create Route Origin Authorisations (ROAs): cryptographically signed records stating which ASN is authorised to announce each IP prefix. Routers that validate RPKI can reject invalid announcements before they propagate.
RIPE NCC provides RPKI services for UK networks. As of 2025, RPKI adoption covers a significant majority of UK IP space, but enforcement (dropping invalid routes) remains inconsistent across UK ISPs.
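The origin check a validating router runs against ROAs can be sketched as follows. This is an added example, not code from VP Pulse or RIPE NCC: it follows the RFC 6811 origin validation rules, and the function names, ROA entries and announcements are constructed for illustration using documentation prefixes and ASNs.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed ROA data: (prefix, maxLength, authorised origin ASN).
ROA_ROWS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]
# Constructed announcements: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # authorised origin, exact prefix
    ("192.0.2.0/24", 64511),      # same prefix, unauthorised origin
    ("203.0.113.128/25", 64497),  # right origin, longer than maxLength
    ("2001:db8:1::/48", 64496),   # more specific, still within maxLength
    ("198.51.100.0/24", 64500),   # no ROA covers this prefix
]

def load_roas(rows):
    """Parse rows into (network, maxLength, asn), rejecting bad maxLength."""
    roas = []
    for prefix, max_length, asn in rows:
        net = ipaddress.ip_network(prefix)
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_length} invalid for {prefix}")
        roas.append((net, max_length, asn))
    return roas

def validate_origin(prefix, origin_asn, roas):
    """Classify one announcement as valid, invalid or not-found."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_length, asn in roas:
        # A ROA covers the route when the announced prefix is equal to,
        # or more specific than, the ROA prefix in the same address family.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # AS 0 in a ROA authorises nobody, so it can never match.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return VALID
    # Covered but unmatched is invalid; no covering ROA is not-found.
    return INVALID if covered else NOT_FOUND

def classify(announcements, roa_rows):
    roas = load_roas(roa_rows)
    return [(p, a, validate_origin(p, a, roas)) for p, a in announcements]

if __name__ == "__main__":
    for prefix, asn, state in classify(ANNOUNCEMENTS, ROA_ROWS):
        print(f"{prefix:18} AS{asn}  {state}")
```

A network that enforces validation drops the `invalid` results; `not-found` routes are normally still accepted, which is why prefixes without ROAs gain no protection from enforcement elsewhere.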
UK ISP RPKI Status
- BT: RPKI origin validation enabled; route origin filtering deployed
- LINX: RPKI filtering available to members
- Cloudflare (AS13335): Full RPKI validation enforced; will not propagate invalid routes
- Many smaller UK ISPs: RPKI validation not enforced
How VP Pulse Monitors BGP
VP Pulse pulls BGP event data from RIPE RIS every few minutes. The BGP Activity tile shows recent routing events affecting UK IP space, including announcements, withdrawals, and events flagged as anomalous by RIPE's monitoring systems.
Significant BGP events (large-scale prefix changes, unusual announcement sources, or routing loops) are reflected in the Internet Weather composite score. Push notification subscribers receive alerts when VP Pulse detects BGP anomalies above normal background levels.
What UK Businesses Should Do
- If you operate a network: create RPKI ROAs for your IP prefixes via RIPE NCC
- Ask your transit providers whether they enforce RPKI validation
- Monitor BGP announcements for your IP space using RIPE NCC's BGPmon or Cloudflare Radar
- For critical applications: use anycast routing or multiple transit providers to reduce single-path exposure
- Subscribe to VP Pulse push notifications for early warning of UK BGP anomalies