Understanding Stealthy BGP Hijacking: The Subtle Threat to Internet Security
Border Gateway Protocol (BGP) hijacking has consistently been one of the most pressing security issues facing global internet infrastructure. BGP hijacking manipulates the routing of internet traffic, potentially diverting data packets to an unauthorized network. While solutions like Resource Public Key Infrastructure (RPKI) and Route Origin Validation (ROV) have been introduced to mitigate these risks, their partial deployment leaves gaps in network security. These gaps allow for a more insidious threat known as ROV-related stealthy BGP hijacking to emerge.
What Is Stealthy BGP Hijacking?

Stealthy BGP hijacking occurs when a malicious autonomous system (AS) diverts network traffic without being detected. Unlike traditional BGP hijacking, the attack is masked, even from the routing tables of victim networks. This is because ROV-enabled systems drop invalid route announcements at the control plane, so the hijacking route never appears in their routing tables and they remain unaware that traffic is being tampered with. Unfortunately, even though routing tables look normal and RPKI checks confirm validity, traffic can still be silently redirected through non-ROV-enabled legacy systems.
A recent real-world example highlights this phenomenon. In the incident, AS17894 maliciously announced a /24 prefix within AS3758’s legitimate /16 prefix. ROV-enabled AS37100 filtered the invalid /24 announcement, leaving its routing tables seemingly unaffected. However, traffic destined for the /24 prefix was diverted through legacy system AS6762, ultimately reaching the hijacker unnoticed. This incident demonstrates how inconsistencies in ROV deployment can render sophisticated hijacking attacks invisible to unsuspecting networks.
Risks and Broader Impact

The risk of stealthy BGP hijacking is magnified by the partial deployment of RPKI and ROV systems across the internet. While ROV filtering protects the networks that deploy it from accepting RPKI-invalid routes, it cannot prevent legacy autonomous systems from accepting and forwarding those routes. This results in a fragmented internet security landscape where some providers have deployed ROV, whereas others continue to route without origin validation. As a result, stealthy BGP hijacks can go undetected, endangering data privacy and security.
Beyond individual incidents, large-scale analysis shows a troubling trend. The risk of stealthy BGP hijacking spikes before tapering off as ROV adoption becomes widespread. It is therefore critical to expedite ROV and RPKI adoption on a global scale. Without cooperation and standardization, malicious actors can exploit these security discrepancies to execute covert attacks. This highlights the importance of promoting consistent practices across the networking community.
Strategies for Mitigation and Collaboration

To effectively combat stealthy BGP hijacks, network operators must embrace multiple strategies. First, advancing RPKI and ROV adoption remains paramount. Evidence suggests that as ROV deployment gains momentum, the frequency and success of stealthy hijacks will decline significantly. Investing in secure routing practices ensures long-term protection against surreptitious traffic diversions.
Second, operators should reconsider how they handle dropped invalid routes. Monitoring invalid route announcements, even after they are filtered, can provide valuable clues about potential hijacking attempts. By correlating data from dropped routes, operators might better identify abnormal traffic behavior and mitigate risks in real time.
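One way to act on dropped routes, as an added example (not code from the article or the researchers): it validates announcements against ROAs the way an ROV router would, then flags each dropped invalid prefix that is still forwarded along an accepted covering route. The AS numbers come from the incident above; the prefixes, ROA, AS paths and function names are constructed for illustration.

```python
import ipaddress

def rov_state(prefix, origin, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net, covered = ipaddress.ip_network(prefix), False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if origin == roa_asn and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def stealthy_exposure(announcements, roas):
    """Filter like an ROV router, then report every dropped invalid prefix
    whose traffic still leaves via an accepted covering (less specific) route."""
    accepted, dropped = [], []
    for prefix, as_path in announcements:
        bucket = dropped if rov_state(prefix, as_path[-1], roas) == "invalid" else accepted
        bucket.append((ipaddress.ip_network(prefix), as_path))
    findings = []
    for bad_net, bad_path in dropped:
        covering = [(n, p) for n, p in accepted
                    if n.version == bad_net.version and bad_net.subnet_of(n)]
        if not covering:
            continue  # no route at all: traffic is dropped, not diverted
        net, path = max(covering, key=lambda r: r[0].prefixlen)  # longest match in our RIB
        findings.append({
            "dropped": str(bad_net), "invalid_origin": bad_path[-1],
            "forwarded_via": str(net), "next_hop_as": path[0],
            # True when the neighbor we forward to also relayed the invalid
            # route: it selected the more-specific and will forward along it.
            "next_hop_carries_invalid": path[0] in bad_path[:-1],
        })
    return findings

# Constructed sample. AS numbers are from the incident above; the prefixes
# (RFC 2544 benchmarking space), ROA and AS paths are placeholders.
ROAS = [("198.18.0.0/16", 16, 3758)]
ANNOUNCEMENTS = [                         # as received by AS37100: (prefix, AS path)
    ("198.18.0.0/16", [6762, 3758]),      # legitimate covering route
    ("198.18.5.0/24", [6762, 17894]),     # invalid more-specific, dropped by ROV
    ("203.0.113.0/24", [64500]),          # no ROA: not-found, accepted
    ("198.18.9.0/24", [64501, 17894]),    # invalid, relayed by a different neighbor
]

if __name__ == "__main__":
    for finding in stealthy_exposure(ANNOUNCEMENTS, ROAS):
        print(finding)
```

A finding with `next_hop_carries_invalid` set to true is the case from the incident: the router's own table is clean, but the neighbor it forwards to holds the invalid more-specific.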
Finally, collaboration is essential for advancing internet security. Platforms like RouteViews, RIPE RIS, and RIPE Atlas create opportunities for information-sharing and collective insights into routing anomalies. Furthermore, ROV-enabled providers could enhance transparency by sharing ‘dropped route’ digest reports, offering early warnings on suspicious behavior. Broader cooperation fosters a more resilient ecosystem capable of defending against both visible and stealthy threats.
Building a Secure Future

Stealthy BGP hijacking presents a complex challenge for today’s partially secured internet. However, by adopting advanced security measures, monitoring anomalies, and strengthening cross-industry collaboration, it is possible to counter this subtle menace. Wider adoption of RPKI and ROV, alongside improved vigilance, can make these attacks significantly harder to conduct and easier to detect. As the networking community continues to learn from real-world incidents, ongoing collaboration will be key to securing the future of global internet infrastructure.
For a more in-depth analysis of this topic, researchers have published findings in a peer-reviewed paper to be presented at NDSS 2026. Additionally, daily reports on stealthy hijacking incidents are now available on a newly launched monitoring website, helping operators stay informed on emerging threats.