← field notes

BGP Hijacking: How the Internet's Map Gets Quietly Rewritten

On an ordinary afternoon, traffic for a huge service stops behaving. Requests that should travel a few hundred miles to a nearby data center suddenly take a detour, looping through a small network on the other side of the world before coming back. Nothing on the screen looks wrong. The page loads, the app works, the lock icon is still there. But for a few minutes, a slice of the internet quietly went somewhere it was never supposed to go.

No cable was cut. No server was broken into. Somebody, somewhere, simply announced to the rest of the internet that they were the right place to send that traffic, and for a while the internet believed them. That is bgp hijacking, and to understand why it is possible at all, you have to understand that the map the entire internet follows is not enforced. It is agreed to.

The internet has no master map

When you load a website, your request has to find its way across the planet to a specific machine, and there is no master map of the internet that tells it how to get there. No central authority knows every route and hands out directions. The internet is not one network. It is tens of thousands of separate networks that have agreed to carry each other’s traffic.

Each of those networks is run by someone different. An internet provider, a university, a cloud company, a government, a bank. Each controls some block of addresses, the numeric destinations everything online resolves to. Your traffic only reaches the right block if all the networks in between share a constantly updated sense of which network can deliver to which addresses. That shared sense is the map, and nobody owns it. It changes thousands of times a second as networks come and go. What feels like one seamless thing is really a loose federation, held together by every member constantly telling every other member where it can be reached.

Networks that announce themselves

So how does that map get built when no one is in charge of it? The networks tell each other. Each network announces, out loud, which ranges of addresses it can deliver traffic to. It says, in effect, send me anything bound for these destinations and I will get it there. Its neighbors hear that announcement, believe it, and pass it along to their own neighbors.

The protocol that carries these announcements is called the border gateway protocol. There is no grand database. The map is just the sum of all these announcements, propagating outward. It is less like a printed atlas and more like a rumor the whole world keeps repeating until it becomes the truth.

Built almost entirely on trust

Here is the uncomfortable part. For most of the internet’s life, those announcements were taken on faith. When a network said it could deliver to a certain block of addresses, its neighbors did not check whether that was true. There was no built in way to verify the claim. You said it, they believed it.

This was not stupidity. It was how a global system got built fast, by a small group of operators who mostly knew each other and mostly behaved. But the design never really changed, even as the internet grew to carry banking, elections, hospitals, and most of human communication. The core routing of the modern world still runs, to a surprising degree, on everyone agreeing to tell the truth.

What happens when the announcement is wrong

Picture a network announcing a block of addresses that does not belong to it. Maybe by mistake, a fat fingered configuration. Maybe on purpose. Its neighbors hear the announcement and have no built in reason to doubt it. They believe it, they tell their neighbors, and the false claim ripples outward.

Now there are two competing claims about the same addresses. The real owner saying these are mine, and the impostor saying no, send them to me. Routing tends to prefer whatever looks like the more direct or more specific path, and a carefully crafted false announcement can win. When it wins, traffic meant for the real owner gets pulled toward the network that lied. That pull is the hijack, and almost nobody watching their screen will notice.

When a small network swallows a giant

The most famous incidents are not movie villains. They are small mistakes that scaled catastrophically. The classic shape is a tiny network in one country accidentally announcing addresses belonging to a giant global service. One operator makes a configuration error, claims a range that is not theirs, and suddenly a significant chunk of the world’s traffic for that service tries to funnel through a single small network that was never built to carry it.

The result is usually not theft. It is collapse. The service appears to go down across whole regions, because the traffic is being dragged into a place that cannot handle it, and it simply drowns. A giant gets knocked partly offline not by an attack on its own systems, but by a stranger on the far side of the planet quietly claiming to be it. One wrong line in one configuration, repeated faithfully by every neighbor that heard it, because repeating what your neighbors say is the entire job of the protocol.

Dropped, watched, or impersonated

Other incidents are quieter than an outage. Instead of knocking a service offline, the rerouting moves the traffic somewhere it should never have gone, then lets it continue to its real destination as if nothing happened. Data that should have stayed within one region detours through networks in another country entirely. To the user everything still works, but for that window the traffic passed through hands it was never meant to, and anyone sitting on that path is in a position to watch what flows by.

So with traffic pulled toward you, there are broadly three things to do, and they get worse as they go. The first is dropping it, a denial of service where a service goes dark not because it failed but because its mail was redirected to a black hole. The second is watching it in transit. The third, and most serious, is impersonation, standing in for the real destination and answering as if you were it. Encryption is the main thing standing between a hijack and that worst case, because traffic sent to the wrong place is far harder to read or fake convincingly when it is properly protected.

Why it is so hard to see

This is what makes route hijacking so different from the hacking people picture. There is usually nothing broken on your end to notice. Your device did its job perfectly, asking for a destination and following the directions the internet gave it. The problem is that the directions themselves were quietly wrong, several networks away, in a layer you have no window into. The people best placed to catch it are the operators watching the global routing tables, who notice when an announcement appears that should not exist. For everyone else it is invisible by design.

Teaching the internet to check

If the whole problem is announcements taken on faith, why not just check them? That is exactly what the defenses now rolling out are trying to do. The first piece is a way for the real owner of a block of addresses to publish a signed statement saying which network is actually allowed to announce it. A signed route origin, cryptographically tied to the rightful holder.

The second piece is filtering. Networks increasingly check incoming announcements against those signed records and refuse to pass along claims that do not hold up. It is the internet slowly learning to ask for identification before it repeats a rumor, after decades of repeating every rumor it heard.

Neither piece is magic. A signed record proves who is allowed to announce a block of addresses, but it does not watch the whole path traffic takes afterward, which is a harder and still unfinished problem. These defenses also only work as far as they have spread, and adoption is uneven across the tens of thousands of networks that make up the internet. So the internet today sits in an awkward middle. Parts of the map are now verified, and a false announcement there will be caught. Other parts still run on the old honor system, where a confident lie still propagates. Trust is being slowly replaced by proof, network by network, but the gaps are exactly where the next quiet rerouting will find room to happen.

The map is still a promise

Step back and look at what the internet actually is. Not a fixed structure, but a continuous agreement, rebuilt every moment out of announcements that networks make to each other about what they can reach. It works astonishingly well, billions of times a second, almost always carrying your traffic exactly where it should go, mostly because the people running those networks choose to tell the truth.

That is the unsettling thing to sit with. The map the entire internet follows is built on everyone agreeing not to lie about which part of the world is theirs. The cryptography is catching up. But for now, the most fundamental layer of the system we have wired our entire lives into still runs, to a remarkable degree, on faith.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →