{"id":23051,"date":"2023-09-01T19:55:21","date_gmt":"2023-09-01T19:55:21","guid":{"rendered":"https:\/\/blog.lacnic.net\/?p=23051"},"modified":"2023-09-04T12:30:39","modified_gmt":"2023-09-04T12:30:39","slug":"a-brief-history-of-the-internets-biggest-bgp-incidents","status":"publish","type":"post","link":"https:\/\/blog.lacnic.net\/en\/a-brief-history-of-the-internets-biggest-bgp-incidents\/","title":{"rendered":"A Brief History of the Internet\u2019s Biggest BGP Incidents"},"content":{"rendered":"\n<p><a href=\"https:\/\/blog.lacnic.net\/en\/author\/doug-madory\"><strong>Doug Madory<\/strong><\/a> -Director of Internet Analysis at Kentik<\/p>\n\n\n\n<p>Originally published in <a href=\"https:\/\/www.kentik.com\/blog\/a-brief-history-of-the-internets-biggest-bgp-incidents\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kentik Blog<\/a><\/p>\n\n\n\n<p>Summary<\/p>\n\n\n\n<p>Stretching back to the AS7007 leak of 1997, this comprehensive blog post covers the most notable and significant BGP incidents in the history of the internet, from traffic-disrupting BGP leaks to crypto-stealing BGP hijacks.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><em>In the summer of 2022, I joined a team of BGP experts organized by the&nbsp;<\/em><a href=\"https:\/\/www.bitag.org\/index.php\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Broadband Internet Technical Advisory Group (BITAG)<\/em><\/a><em>&nbsp;to draft a&nbsp;<\/em><a href=\"https:\/\/www.bitag.org\/Routing_Security.php\" target=\"_blank\" rel=\"noreferrer noopener\"><em>comprehensive report<\/em><\/a><em>&nbsp;covering the security of the internet\u2019s routing infrastructure. 
The section that I was primarily responsible for covered the history of notable BGP incidents, a topic I have written about extensively throughout my career in the internet industry.<\/em><\/p>\n\n\n\n<p><em>Below is an edited version of my take on the internet\u2019s most notable BGP incidents.&nbsp;<\/em><a href=\"https:\/\/henrybirgelee.com\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Henry Birge-Lee of Princeton<\/em><\/a><em>&nbsp;was the primary author of a large portion of the section on the attacks on cryptocurrency services.<\/em><\/p>\n\n\n\n<p>BGP routing security incidents in the wild<\/p>\n\n\n\n<p>BGP routing incidents can be problematic for a range of reasons. In some cases, they simply disrupt the flow of legitimate internet traffic while in others, they can result in the misdirection of communications, posing a security risk from interception or manipulation. Routing incidents occur with some regularity and can vary greatly in operational impact. In this blog post, I will address selected specific incidents which have demonstrated the range and gravity of threats to the stability and security of the internet\u2019s routing system.<\/p>\n\n\n\n<p>Disruptions and attacks caused by BGP incidents<\/p>\n\n\n\n<p>In BGP parlance, the term \u201crouting leak\u201d broadly refers to a routing incident in which one or more BGP advertisements are propagated between ASes (Autonomous Systems) in a way they were not intended to. 
Often these incidents occur accidentally, but malicious actors may also attempt to camouflage intentional&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/how-kentik-helps-you-mitigate-cyberattacks-faster\/\" target=\"_blank\" rel=\"noreferrer noopener\">attacks under the guise of apparent accidents<\/a>.<\/p>\n\n\n\n<p>In 2016,&nbsp;<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7908\" target=\"_blank\" rel=\"noreferrer noopener\">RFC 7908<\/a>&nbsp;introduced a more complex taxonomy of&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/how-bgp-propagation-affects-ddos-mitigation\/\" target=\"_blank\" rel=\"noreferrer noopener\">BGP routing<\/a>&nbsp;leaks, but in this post, I will employ simply two main categories of error: origination and AS path.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A mis-origination occurs when an AS originates (announces with its ASN as the origin) a new advertisement of a route to an IP address block over which it does not possess legitimate control, consequently soliciting traffic destined to those IP addresses.<\/li>\n\n\n\n<li>An AS path error occurs when an AS inserts itself as an illegitimate intermediary into the forwarding path of traffic bound for a different destination.<\/li>\n<\/ul>\n\n\n\n<p>This distinction is important because the two types of error require different mitigation strategies.<\/p>\n\n\n<section class=\"acf-view acf-view--id--21788 acf-view--object-id--23051\"><div class=\"acf-view__texto_fijo acf-view__row\"><div class=\"acf-view__texto_fijo-field acf-view__field\"><div class=\"acf-view__texto_fijo-choice acf-view__choice\">Additional reading:<\/div><\/div><\/div><div class=\"acf-view__enlace acf-view__row\"><div class=\"acf-view__enlace-field acf-view__field\"><a target=\"_self\" class=\"acf-view__enlace-link acf-view__link\" href=\"https:\/\/bit.ly\/3P4pFWO\">Analysis of 7 BGP Variables in the Region during 2022<\/a><\/div><\/div><\/section>\n\n\n<p>What is the difference between a BGP hijack and a 
BGP route leak?<\/p>\n\n\n\n<p>Generally, the phrase \u201cBGP hijack\u201d connotes malicious intent, whereas a \u201cBGP route leak\u201d is assumed to be accidental. Complicating matters, there are BGP incidents which involve both intentional and accidental components and some for which we simply don\u2019t know whether they were intentional. Experts in this area can hold varying opinions about what constitutes a BGP leak versus a BGP hijack.<\/p>\n\n\n\n<p>BGP origination errors<\/p>\n\n\n\n<p>The&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/AS_7007_incident\" target=\"_blank\" rel=\"noreferrer noopener\">AS7007 incident<\/a>&nbsp;in April 1997 was arguably the first major internet disruption caused by a routing leak. In this incident, a software bug caused a router to announce a large part of the IP address ranges present in the global routing table as if they were originated by AS7007. This origination leak was compounded by the fact that the routes were more-specifics (i.e., smaller IP address ranges) and, therefore, higher priority according to the BGP selection algorithm.<\/p>\n\n\n\n<p>An additional factor contributing to the degree of disruption was the fact that the leaked routes persisted even after the problematic router was disconnected from the internet. During the leak, a large portion of the internet\u2019s traffic was redirected to AS7007, where it overwhelmed its networking equipment and was dropped.<\/p>\n\n\n\n<p>The AS7007 incident was followed soon after by a&nbsp;<a href=\"https:\/\/mailman.nanog.org\/pipermail\/nanog\/1997-October\/123970.html\" target=\"_blank\" rel=\"noreferrer noopener\">massive leak from AS701<\/a>, which was&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/UUNET\" target=\"_blank\" rel=\"noreferrer noopener\">UUNet<\/a>&nbsp;at the time. 
In this incident, AS701 originated all of the IPv4 space contained in 128.0.0.0\/9 as \/24s, disrupting the flow of traffic to a large portion of the global routing table.<\/p>\n\n\n\n<p>In subsequent years, other similarly large origination leaks have occurred, disrupting internet communications. These incidents include the&nbsp;<a href=\"https:\/\/archive.nanog.org\/meetings\/nanog34\/presentations\/underwood.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Turk Telecom leak of December 2004<\/a>, the&nbsp;<a href=\"https:\/\/www.computerworld.com\/article\/2516953\/a-chinese-isp-momentarily-hijacks-the-internet--again-.html\" target=\"_blank\" rel=\"noreferrer noopener\">China Telecom leak of April 2010<\/a>, and the&nbsp;<a href=\"https:\/\/www.bgpmon.net\/massive-route-leak-cause-internet-slowdown\/\" target=\"_blank\" rel=\"noreferrer noopener\">Telecom Malaysia leak of June 2015<\/a>. Each of these disruptions lasted less than an hour and appeared indiscriminate in the address blocks affected.<\/p>\n\n\n\n<p>Large-scale origination leaks like these have become less frequent in recent years due to increases in the automation of router configuration in topologically central networks. Two competing methodologies, RPSL and RPKI, are used to inform the defensive configuration of routers. In both cases, information pairing IP address blocks with authorized origin ASNs (Autonomous System Numbers) is made public, and is distilled by the operators of most large networks into \u201cfilter lists,\u201d which block the assimilation of nonconforming BGP route advertisements into local routing tables.<\/p>\n\n\n\n<p>Origination errors can also include incidents that weren\u2019t completely accidental, more commonly referred to as BGP hijacks. 
Perhaps the most famous BGP hijack was the&nbsp;<a href=\"https:\/\/www.wired.com\/2008\/02\/pakistans-accid\/\" target=\"_blank\" rel=\"noreferrer noopener\">incident in February 2008<\/a>&nbsp;involving the state telecom of Pakistan, PTCL, and YouTube. In that instance, the government of Pakistan ordered access to YouTube to be blocked in the country due to a video it deemed anti-Islamic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"640\" height=\"430\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig1-brief-history-of-the-internet-2023.png\" alt=\"\" class=\"wp-image-23026\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig1-brief-history-of-the-internet-2023.png 640w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig1-brief-history-of-the-internet-2023-300x202.png 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/figure>\n\n\n\n<p>Diagram of Pakistan Telecom hijack of YouTube in 2008 (<a href=\"https:\/\/dl.acm.org\/doi\/fullHtml\/10.1145\/2668152.2668966\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>To implement the block, PTCL announced more-specifics of YouTube\u2019s BGP routes to intentionally hijack Pakistan\u2019s traffic to the video streaming service. Once hijacked, PTCL\u2019s goal was to black hole the traffic, preventing Pakistanis from being able to access YouTube. However, things went downhill when PTCL passed these routes to its international transit providers, who carried the routes around the world, blocking YouTube for a large portion of the global internet.<\/p>\n\n\n\n<p>Since the PTCL-YouTube hijack, there have been other instances of localized traffic manipulation implemented in BGP leaking out to the internet. 
In 2017, Russian state telecom Rostelecom leaked out a&nbsp;<a href=\"https:\/\/www.bgpmon.net\/bgpstream-and-the-curious-case-of-as12389\/\" target=\"_blank\" rel=\"noreferrer noopener\">curious set of routes<\/a>&nbsp;including those from major financial institutions.<\/p>\n\n\n\n<p>During both the internet crackdown following the&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/the-russification-of-ukrainian-ip-registration\/\" target=\"_blank\" rel=\"noreferrer noopener\">military coup in Myanmar in 2021<\/a>&nbsp;and the&nbsp;<a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/03\/absence-of-malice-russian-isps-hijacking-%20of-twitter-ips-appears-to-be-a-goof\/\" target=\"_blank\" rel=\"noreferrer noopener\">Russian crackdown of social media<\/a>&nbsp;following its invasion of&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/the-russification-of-ukrainian-ip-registration\/\">Ukraine<\/a>&nbsp;in 2022, telecoms in each of these countries attempted to block access to Twitter using a BGP hijack to black hole traffic. 
In each case, the intentionally hijacked BGP route was&nbsp;<em>unintentionally<\/em>&nbsp;propagated onto the internet affecting Twitter users outside of the originating countries.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"980\" height=\"584\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig2-brief-history-of-the-internet-2023.png\" alt=\"\" class=\"wp-image-23029\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig2-brief-history-of-the-internet-2023.png 980w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig2-brief-history-of-the-internet-2023-300x179.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig2-brief-history-of-the-internet-2023-768x458.png 768w\" sizes=\"(max-width: 980px) 100vw, 980px\" \/><\/figure>\n\n\n\n<p>Kentik visualization of Russian BGP hijack of Twitter in February 2022 (<a href=\"https:\/\/storage.googleapis.com\/site-media-prod\/meetings\/NANOG86\/4493\/20221017_Madory_Internet_Impacts_Due_v1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>In 2008, researchers outlined how&nbsp;<a href=\"https:\/\/www.wired.com\/2008\/08\/revealed-the-in\/\" target=\"_blank\" rel=\"noreferrer noopener\">BGP could be manipulated<\/a>&nbsp;to conduct a man-in-the-middle attack over the internet. 
The first documented case of a BGP-based man-in-the-middle attack like the one outlined in 2008 was&nbsp;<a href=\"https:\/\/www.wired.com\/2013\/12\/bgp-hijacking-belarus-iceland\/\" target=\"_blank\" rel=\"noreferrer noopener\">discovered in 2013, originating in Belarus<\/a>&nbsp;and targeting the networks of major US credit card companies and governments worldwide.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"497\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig3-brief-history-of-the-internet-2023-1024x497.webp\" alt=\"\" class=\"wp-image-23032\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig3-brief-history-of-the-internet-2023-1024x497.webp 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig3-brief-history-of-the-internet-2023-300x146.webp 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig3-brief-history-of-the-internet-2023-768x372.webp 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig3-brief-history-of-the-internet-2023-1536x745.webp 1536w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig3-brief-history-of-the-internet-2023.webp 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Diagram of traffic misdirection due to BGP-based MITM in 2013 (<a href=\"https:\/\/www.wired.com\/2013\/12\/bgp-hijacking-belarus-iceland\/\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>During a 6-day period in August 2013, spyware service provider&nbsp;<a href=\"https:\/\/arstechnica.com\/information-technology\/2015\/07\/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hacking Team conducted BGP hijacks<\/a>&nbsp;on behalf of the Special Operations Group of the Italian National Military Police, according to leaked documents revealed during a breach of Hacking Team\u2019s 
network.<\/p>\n\n\n\n<p>And finally, in 2018, the security company Backconnect&nbsp;<a href=\"https:\/\/mailman.nanog.org\/pipermail\/nanog\/2016-September\/087902.html\" target=\"_blank\" rel=\"noreferrer noopener\">publicly defended a BGP hijack&nbsp;<\/a>they admitted to performing in order to regain control of a botnet server responsible for&nbsp;<a href=\"https:\/\/www.kentik.com\/kentipedia\/ddos-detection\/\" target=\"_blank\" rel=\"noreferrer noopener\">DDoS attacks<\/a>.&nbsp;<a href=\"https:\/\/krebsonsecurity.com\/2016\/09\/ddos-mitigation-firm-has-history-of-hijacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">Researchers subsequently found&nbsp;<\/a>that the DDoS mitigation firm had been involved in numerous prior BGP hijacks and had been utilizing a DDoS-for-hire service to drum up business.<\/p>\n\n\n\n<p>BGP AS path errors<\/p>\n\n\n\n<p>Not all routing incidents involve the perpetrator specifying its own ASN as the origin of the erroneous route. In November 2018, MainOne, a large telecommunications company in Nigeria,&nbsp;<a href=\"https:\/\/www.internetsociety.org\/blog\/2018\/11\/route-leak-caused-a-major-google-outage\/\" target=\"_blank\" rel=\"noreferrer noopener\">leaked routes received from a number of its peers<\/a>, including major content delivery networks, to its upstream transit providers.<\/p>\n\n\n\n<p>One of MainOne\u2019s transit providers, China Telecom, failed to filter these incoming erroneous announcements, integrated them into its own routing tables, and proceeded to propagate them onward to its many customers and peers. Consequently, a significant portion of internet traffic bound for the victim networks was misdirected through China. Shortly afterwards,&nbsp;<a href=\"https:\/\/twitter.com\/Mainoneservice\/status\/1062321496838885376\" target=\"_blank\" rel=\"noreferrer noopener\">MainOne confirmed the leak&nbsp;<\/a>was caused by a mistaken router configuration. 
Despite the error, misdirected traffic could still have been subject to interception or manipulation.<\/p>\n\n\n\n<p>In June 2019,&nbsp;<a href=\"https:\/\/blog.cloudflare.com\/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today\/\" target=\"_blank\" rel=\"noreferrer noopener\">Allegheny Technologies leaked thousands of routes<\/a>&nbsp;learned from one transit provider (DQE Communications) to another, Verizon. The routes that Allegheny leaked included many more-specifics that had been generated by a route optimizer employed by DQE. The result was that these leaked more-specific routes propagated throughout the internet and misdirected substantial amounts of internet traffic to Allegheny, causing a severe disruption.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"425\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig4-brief-history-of-the-internet-2023-1024x425.png\" alt=\"\" class=\"wp-image-23035\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig4-brief-history-of-the-internet-2023-1024x425.png 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig4-brief-history-of-the-internet-2023-300x125.png 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig4-brief-history-of-the-internet-2023-768x319.png 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig4-brief-history-of-the-internet-2023-1536x637.png 1536w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig4-brief-history-of-the-internet-2023.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Diagram of the Allegheny Technologies BGP leak of June 2019 (<a href=\"https:\/\/blog.cloudflare.com\/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today\/\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>And finally, for a period lasting more than two years,&nbsp;<a 
href=\"https:\/\/arstechnica.com\/information-technology\/2018\/11\/strange-snafu-misroutes-%20domestic-us-internet-traffic-through-china-telecom\/\" target=\"_blank\" rel=\"noreferrer noopener\">China Telecom leaked routes from Verizon\u2019s Asia-Pacific network<\/a>&nbsp;that were learned through a common South Korean peer AS. The result was that a portion of internet traffic from around the world destined for Verizon Asia-Pacific was misdirected through mainland China. Without this leak, China Telecom would have only been in the path to Verizon Asia-Pacific for traffic originating from its customers in China. Additionally, for ten days in 2017, Verizon passed its US routes to China Telecom through the common South Korean peer causing a portion of US-to-US domestic internet traffic to be misdirected through mainland China.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"800\" height=\"534\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig5-brief-history-of-the-internet-2023.jpeg\" alt=\"\" class=\"wp-image-23038\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig5-brief-history-of-the-internet-2023.jpeg 800w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig5-brief-history-of-the-internet-2023-300x200.jpeg 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig5-brief-history-of-the-internet-2023-768x513.jpeg 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>Diagram of China Telecom leak of Verizon routes in 2017 (<a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/11\/strange-snafu-misroutes-domestic-us-internet-traffic-through-china-telecom\/\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>In each of these incidents, the origins of the leaked routes were unaltered, meaning any BGP security mechanism based on verifying route origins would have had no effect.<\/p>\n\n\n\n<p>Since the Allegheny 
leak involved more-specifics,&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/how-much-does-rpki-rov-reduce-the-propagation-of-invalid-routes\/\" target=\"_blank\" rel=\"noreferrer noopener\">RPKI Route Origin Validation&nbsp;<\/a>(ROV) could have proved helpful had Verizon employed it for route filtering at the time of the leak. More-specifics have a longer prefix length and would have been rejected because they would have exceeded the maximum length set in RPKI, such as was the case for Cloudflare\u2019s affected routes.<\/p>\n\n\n\n<p>Overall, these types of leaks are harder to mitigate than origination leaks and can only be addressed by analyzing and filtering the AS paths of BGP routes. There are technical proposals such as&nbsp;<a href=\"https:\/\/datatracker.ietf.org\/doc\/draft-ietf-sidrops-aspa-verification\/\" target=\"_blank\" rel=\"noreferrer noopener\">Autonomous System Provider Authorization<\/a>&nbsp;(ASPA) that are in discussion, but no internet-wide mechanism exists presently to eliminate these types of incidents.<\/p>\n\n\n\n<p>Attacks on cryptocurrency services<\/p>\n\n\n\n<p>This section focuses on BGP incidents (all of which were erroneous originations) which were intentional since they enabled larger attacks that successfully stole cryptocurrency, a particularly lucrative target.<\/p>\n\n\n\n<p>In 2014,&nbsp;<a href=\"https:\/\/www.secureworks.com\/research\/bgp-hijacking-for-cryptocurrency-profit\" target=\"_blank\" rel=\"noreferrer noopener\">BGP hijacks were used to intercept<\/a>&nbsp;unprotected communication between Bitcoin miners and mining pools. This allowed an adversary to obtain bitcoin that should have been allocated to the mining pool. 
While this incident serves as an example of a BGP hijack targeting behind-the-scenes communication of cryptocurrency mining, more recent attacks have used BGP to attack cryptocurrencies with a more direct approach: stealing currency from users of online cryptocurrency wallets.<\/p>\n\n\n\n<p>In 2018, attackers&nbsp;<a href=\"https:\/\/www.theregister.com\/2018\/04\/24\/myetherwallet_dns_hijack\/\" target=\"_blank\" rel=\"noreferrer noopener\">employed a BGP hijack<\/a>&nbsp;that redirected traffic to Amazon\u2019s authoritative DNS service. Having hijacked the DNS traffic, the adversary answered DNS queries for the web-based cryptocurrency wallet \u201cmyetherwallet.com\u201d with a malicious IP address. Users that received this erroneous DNS response were directed to an imposter \u201cmyetherwallet.com\u201d website. Some users entered their login credentials which were then stolen by the adversary, along with the contents of their cryptocurrency wallets.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"294\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig6-brief-history-of-the-internet-2023-1024x294.webp\" alt=\"\" class=\"wp-image-23041\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig6-brief-history-of-the-internet-2023-1024x294.webp 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig6-brief-history-of-the-internet-2023-300x86.webp 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig6-brief-history-of-the-internet-2023-768x221.webp 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig6-brief-history-of-the-internet-2023-1536x442.webp 1536w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig6-brief-history-of-the-internet-2023.webp 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Diagram of the BGP and DNS hijacks targeting myetherwallet.com (<a 
href=\"https:\/\/www.kentik.com\/blog\/bgp-hijacks-targeting-cryptocurrency-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>While more advanced DNS security measures (e.g., DNSSEC) could have prevented this attack, the primary protection in place was the Transport Layer Security (TLS) protocol, which requires all connections to be encrypted. When TLS establishes an encrypted connection, the server must present a valid certificate that vouches for the server\u2019s identity. Because MyEtherWallet did use TLS, users that were directed to the imposter site were presented with a prominent warning that their connection might be under attack. Despite this, many users clicked past the warning, and the adversary amassed&nbsp;<a href=\"https:\/\/www.theverge.com\/2018\/4\/24\/17275982\/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum\" target=\"_blank\" rel=\"noreferrer noopener\">$17 million in the cryptocurrency Ethereum<\/a>.<\/p>\n\n\n\n<p>While the 2018 attack was quite effective and demonstrated the viability of BGP attacks against cryptocurrency at a large scale, there were some silver linings. In particular, communication was still (at least in theory) protected by the TLS protocol, which led to the security warning. In the majority of cases, the proper behavior for a TLS connection when it gets an untrusted certificate is to abort the connection, and newer versions of Firefox&nbsp;<a href=\"https:\/\/support.mozilla.org\/en-%20US\/questions\/1175070\" target=\"_blank\" rel=\"noreferrer noopener\">do not allow users to click past<\/a>&nbsp;TLS certificate warnings. Additionally, had the website used DNSSEC to secure its DNS traffic, the attack would not have succeeded.<\/p>\n\n\n\n<p>However, both of these security technologies were completely bypassed in an attack in 2022 on the Korean cryptocurrency exchange KLAYswap. 
As&nbsp;<a href=\"https:\/\/henrybirgelee.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Henry Birge-Lee of Princeton<\/a>&nbsp;described in his&nbsp;<a href=\"https:\/\/freedom-to-tinker.com\/2022\/03\/09\/attackers-exploit-fundamental-flaw-in-the-webs-security-to-steal-2-million-in-cryptocurrency\/\" target=\"_blank\" rel=\"noreferrer noopener\">write-up<\/a>, the attack on KLAYswap exploited several vulnerabilities in KLAYswap\u2019s cryptocurrency exchange web app.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"416\" src=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig7-brief-history-of-the-internet-2023-1024x416.webp\" alt=\"\" class=\"wp-image-23044\" srcset=\"https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig7-brief-history-of-the-internet-2023-1024x416.webp 1024w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig7-brief-history-of-the-internet-2023-300x122.webp 300w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig7-brief-history-of-the-internet-2023-768x312.webp 768w, https:\/\/blog.lacnic.net\/wp-content\/uploads\/2023\/09\/fig7-brief-history-of-the-internet-2023.webp 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Diagram of KLAYswap attack (<a href=\"https:\/\/www.kentik.com\/blog\/bgp-hijacks-targeting-cryptocurrency-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">source<\/a>)<\/p>\n\n\n\n<p>The adversaries used BGP to hijack the IP address of a server that belonged to Kakao Corp and was hosting a specific piece of JavaScript code used by the KLAYswap platform. 
The adversary\u2019s objective was to serve a malicious version of this code file that would ultimately cause users of the KLAYswap platform to unknowingly transfer their cryptocurrency to the adversary\u2019s account.<\/p>\n\n\n\n<p>However, like MyEtherWallet, KLAYswap and Kakao Corp were using TLS, so without the adversary presenting a valid certificate to complete the TLS connection, the adversary\u2019s code would not be loaded. This did not stop the adversary, as it used&nbsp;<a href=\"https:\/\/www.usenix.org\/conference\/usenixsecurity18\/presentation\/birge-lee\" target=\"_blank\" rel=\"noreferrer noopener\">an attack known in the research community<\/a>&nbsp;where, after launching the initial attack, it approached a trusted certificate authority (CA, one of the entities that sign TLS certificates) and requested a certificate for the domain name of Kakao Corp\u2019s server that was hosting the JavaScript file.<\/p>\n\n\n\n<p>CAs have to operate under guidelines designed to prevent the issuance of malicious certificates, which require the CA to&nbsp;<a href=\"https:\/\/cabforum.org\/baseline-requirements-documents\/\" target=\"_blank\" rel=\"noreferrer noopener\">verify the party requesting the certificate&nbsp;<\/a>has control of the domain names in the certificate. One of the approved verification methods involves contacting the server at the domain through an unencrypted HTTP connection and verifying the presence of a specific piece of content requested by the CA. This cannot be done over an encrypted and authenticated connection, as the party requesting the certificate may be requesting a certificate for the first time.<\/p>\n\n\n\n<p>During the attack, when the CA went to verify the domain ownership, its request was routed to the adversary\u2019s server because of the BGP hijack. This falsely led the CA to believe the adversary was the legitimate owner of the domain and caused it to issue a certificate to the adversary. 
The adversary then completed the attack by using this certificate to establish an \u201cauthenticated\u201d connection with KLAYswap users and serve its malicious code. Ultimately&nbsp;<a href=\"https:\/\/www.bankinfosecurity.com\/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518\" target=\"_blank\" rel=\"noreferrer noopener\">$2 million was stolen from KLAYswap users<\/a>&nbsp;over the span of several hours.<\/p>\n\n\n\n<p>This attack is particularly notable because it involves a BGP attack successfully exploiting a system that was compliant with current best security practices. Even more aggressive application-layer defenses like DNSSEC and better TLS certificate error behavior would have been ineffective at preventing this attack because the adversary did not manipulate any DNS responses and served its malicious code over a trusted encrypted connection. In the current web ecosystem, millions of other websites, including those following best practices, are vulnerable to this type of attack.<\/p>\n\n\n\n<p>In August 2022, cryptocurrency service Celer Bridge was&nbsp;<a href=\"https:\/\/www.coinbase.com\/blog\/celer-bridge-incident-analysis\" target=\"_blank\" rel=\"noreferrer noopener\">attacked using a BGP hijack<\/a>&nbsp;that employed fake entries in AltDB, a free alternative to the IRR databases, as well as&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/bgp-hijacks-targeting-cryptocurrency-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">forged BGP announcements<\/a>. By surreptitiously altering the contents of AltDB, the attacker was able to trick a transit provider into believing that a small hosting center in the UK was allowed to transit address space belonging to Amazon Web Services, which hosted Celer Bridge infrastructure. The attacker then forged the AS path of its hijack announcements to include an Amazon ASN as the origin, thereby defeating RPKI ROV. 
The hijack enabled the attacker to redirect cryptocurrency funds to an account controlled by the attacker.<\/p>\n\n\n\n<p>IP Squatting<\/p>\n\n\n\n<p>The discussion above has focused mainly on the disruptions or security implications of misrouting IP addresses which were actively in use (i.e., routed) at the time of the leak or hijack. However, there are bad actors that announce normally unrouted IP address ranges that don\u2019t belong to them for the purpose of evading IP-based blocklists and complicating attribution. This phenomenon is generally referred to as \u201cIP squatting,\u201d but since it involves unauthorized BGP announcements, it is sometimes also referred to as BGP hijacking.<\/p>\n\n\n\n<p>Since there is no effective legal or technical measure preventing this practice, bad actors can announce previously unused IP ranges belonging to others until networks on the internet take steps to block them for this bad behavior. In July 2018, a network that became known as the \u201c<a href=\"https:\/\/blog.apnic.net\/2018\/07\/12\/shutting-down-the-bgp-hijack-factory\/\" target=\"_blank\" rel=\"noreferrer noopener\">BGP hijack factory<\/a>\u201d was&nbsp;<a href=\"https:\/\/krebsonsecurity.com\/2018\/07\/notorious-hijack-factory-shunned-from-web\/\" target=\"_blank\" rel=\"noreferrer noopener\">removed from the internet<\/a>&nbsp;through a collective effort. However, such a remediation is highly unusual and cannot be counted on to keep the practice at bay.<\/p>\n\n\n\n<p>Closing thoughts<\/p>\n\n\n\n<p>Originally composed for the&nbsp;<a href=\"https:\/\/www.bitag.org\/Routing_Security.php\" target=\"_blank\" rel=\"noreferrer noopener\">BITAG report on routing security<\/a>, the preceding paragraphs discuss only the most notable of many incidents, accidental or otherwise, involving BGP over the years. 
This extensive list of incidents bolsters the case that networks must take routing security seriously and implement measures to protect either themselves or other parts of the internet.<\/p>\n\n\n\n<p>At a minimum, we recommend using a&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/bgp-monitoring-from-kentik\/\" target=\"_blank\" rel=\"noreferrer noopener\">BGP monitoring solution<\/a>&nbsp;to make sure you are alerted when an incident such as the ones above affects IP address space belonging to your business or organization. Additionally, we recommend deploying RPKI ROV by both creating ROAs for your IP address space and configuring your routers to reject RPKI-invalid routes.<\/p>\n\n\n\n<p>Additional recommended actions for routing security can be found on the website of&nbsp;<a href=\"https:\/\/www.manrs.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mutually Agreed Norms for Routing Security (MANRS)<\/a>, which describes itself as a \u201cglobal initiative that helps reduce the most common routing threats.\u201d<\/p>\n\n\n\n<p>We have made&nbsp;<a href=\"https:\/\/www.kentik.com\/blog\/exploring-the-latest-rpki-rov-adoption-numbers\/\">tremendous progress<\/a>&nbsp;over the last decade. For example, we have not experienced a large-scale origination leak in many years, and that is not an accident. Many engineers at many companies have worked to improve overall routing hygiene, and we are all the beneficiaries of such work. 
However, there is much more to be done before we can say we\u2019ve secured the BGP&nbsp;<a href=\"https:\/\/www.kentik.com\/kentipedia\/bgp-routing\/\" target=\"_blank\" rel=\"noreferrer noopener\">routing protocol<\/a>, so we must continue to make progress on this complex and difficult task.<\/p>\n","protected":false}}