Detecting BGP Manipulation in Carrier Networks

Most enterprise security tools guard the perimeter. They inspect what enters and exits the network edge — firewalls, IDS signatures, endpoint telemetry. What almost none of them touch is the infrastructure that decides where traffic goes before it ever reaches that perimeter.

The Border Gateway Protocol (BGP) is the routing fabric of the internet. It determines how autonomous systems advertise reachability to one another, which paths traffic takes between carrier networks, and ultimately where packets flow at a global scale. And it is almost completely invisible to conventional security tooling.

That blind spot has consequences. Route manipulation events, whether accidental leaks or deliberate injections, occur with enough regularity that they represent a persistent, underappreciated attack surface. The challenge has never been that these events don’t leave traces. It’s that the traces live in the routing control plane, a layer most security teams have no instrumentation to observe. The routing control plane is one of the last major attack surfaces that enterprise-class security tooling was never designed to reach.

The Threat Landscape: Between Negligence and Intent

BGP was designed in an era when the internet’s participants were assumed to be cooperative. It has no built-in mechanism to verify that an autonomous system is entitled to announce the prefixes it claims to own. That trust model has been exploited — inadvertently and deliberately — ever since.

Route leaks happen constantly. An AS re-advertises routing information it received from one peer to another in violation of established policy — customer routes leaking to peers, peer routes leaking to providers. Most are misconfigurations: a router policy error, a fat-fingered filter, a vendor default left in place. The QratorLabs Q2 2024 report identified over 3,000 unique leaking ASes in a single quarter. These events are rarely malicious, but they can still redirect significant traffic volumes through unintended paths, creating latency, service disruption, and passive collection opportunities.

Prefix hijacking is the more aggressive variant. An adversary AS announces IP prefixes it has no legitimate claim to, attracting traffic that should have been delivered elsewhere. The 2010 China Telecom incident — in which roughly 15% of global internet routes were briefly redirected through Chinese infrastructure — remains a canonical example. More targeted hijacks have been used against government prefixes, financial infrastructure, and telecommunications providers to intercept traffic, bypass certificate validation, and enable passive collection at scale.

Deliberate route injection is the most operationally dangerous form. An adversary with access to a BGP-speaking router — through carrier infrastructure compromise, a rogue peer, or supply chain access — can inject routes that divert specific destination prefixes through attacker-controlled infrastructure. This is not a theoretical technique. Nation-state actors, including those operating against telecommunications targets, have used BGP-layer manipulation as a component of broader intrusion campaigns.

Misconfiguration vs. Malicious Injection: Why the Distinction Matters

Security teams dealing with routing anomalies face an immediate triage question: is this an operational mistake, or is someone doing it on purpose? The answer drives the entire response posture — from whether to escalate to an incident response team versus routing operations, to whether to notify regulators, to whether to treat affected traffic as potentially compromised.

The good news is that misconfiguration and deliberate injection look different from a metadata perspective — if you have the right baseline to compare against.

A route leak caused by misconfiguration typically produces a deviation in one dimension: an AS that begins forwarding traffic toward destinations outside its established peering policy. It’s anomalous, but the anomaly is usually singular and explainable. A new peering relationship appears in the routing topology that shouldn’t be there.

Deliberate route injection produces a different pattern. When an adversary injects a malicious route, three routing attributes tend to deviate simultaneously from established baselines: the origin AS for a prefix, the destination AS range being claimed, and the next-hop IP address that traffic is actually forwarded to. Each of those deviations in isolation could plausibly be explained by configuration change or operator error. All three deviating at the same moment, for the same flow, points to a single conclusion.

When all three routing attributes deviate simultaneously — origin, destination, and next hop — the probability of accidental misconfiguration becomes vanishingly small.

This “triple deviation” pattern is the closest thing to a definitive behavioral signature of deliberate BGP route injection. It doesn’t require decrypting traffic, accessing router configurations, or correlating against threat intelligence feeds. It requires a consistent, high-fidelity baseline of what normal routing behavior looks like at the carrier level — and the instrumentation to detect when that baseline breaks.

Three Data Points. No Packet Capture. No Router Access.

The detection framework described above — correlating routing relationships against established peering baselines — runs entirely on metadata. There is no requirement to inspect packet payloads, access router configurations, or maintain inline tap infrastructure at every BGP peering point.

Three observable attributes, captured passively at carrier scale, are sufficient to distinguish a misconfigured router from a deliberate route injection event:

  • The origin autonomous system advertising a given destination prefix range
  • The destination AS values that origin system is routing toward
  • The next-hop IP address traffic is actually being forwarded to
Against a rolling baseline of observed peering relationships, each of these attributes tells a story. A new AS appearing as origin for a prefix that has never been announced from that AS is a potential hijack. An AS forwarding traffic toward destinations inconsistent with its peering policy is a route leak candidate. A next-hop IP that doesn’t resolve to the expected peer AS for an established peering session is a potential adversary-in-the-middle insertion — the same technique used to silently route traffic through nation-state collection infrastructure while maintaining full forward and return path functionality.

The instrumentation requirement is simpler than most security teams expect: continuous, unsampled BGP flow metadata exported at wire rate, correlated against a maintained baseline of legitimate AS peering relationships. No packet capture. No SPAN ports. No router CLI access. The signal exists entirely in the routing control plane metadata that carriers already have the capacity to observe — if they have the right sensor infrastructure in place.
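As an added illustration, not code from the original article or from any product it describes, the following Python script implements the baseline-and-deviation triage that the last two sections describe: it learns a baseline of (prefix, origin AS), (origin AS, destination AS) and (peer AS, next-hop network) relationships from historical observations, scores each new observation for the three deviations, and maps the combination of deviations to a verdict, with the simultaneous triple deviation as the only case rated a P1 injection. The Observation schema, the generalisation of next-hop addresses to their containing /24 (or /64), the verdict labels, and every ASN, prefix and address are constructed assumptions for this demonstration.

```python
"""Triple-deviation triage of BGP routing observations against a peering baseline.

Added example, not code from the original article or any product it describes.
Every ASN, prefix and next-hop address below is constructed sample data (RFC 5737
documentation prefixes and documentation/private ASNs).
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Observation:
    """One passively captured routing record (assumed schema)."""
    prefix: str      # destination prefix being announced
    origin_as: int   # AS claiming to originate the prefix
    dest_as: int     # AS the origin system is routing toward
    peer_as: int     # AS on the far side of the peering session
    next_hop: str    # IP address traffic is actually forwarded to


def nexthop_network(addr: str):
    """Generalise a next-hop address to its containing /24 (IPv4) or /64 (IPv6).

    Assumption for this example: a peer's next-hop addresses stay inside the
    address blocks it has used before, so a new address in a known block is
    not a deviation while an address in an unknown block is.
    """
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)


class Baseline:
    """Baseline of legitimate relationships learned from historical observations."""

    def __init__(self):
        self.prefix_origins = defaultdict(set)  # prefix -> {origin ASNs}
        self.peering = defaultdict(set)         # origin AS -> {destination ASNs}
        self.peer_nexthops = defaultdict(set)   # peer AS -> {next-hop networks}

    def learn(self, obs: Observation) -> None:
        self.prefix_origins[obs.prefix].add(obs.origin_as)
        self.peering[obs.origin_as].add(obs.dest_as)
        self.peer_nexthops[obs.peer_as].add(nexthop_network(obs.next_hop))

    def deviations(self, obs: Observation) -> list:
        """Return which of the three attributes break the baseline."""
        found = []
        if obs.origin_as not in self.prefix_origins.get(obs.prefix, set()):
            found.append("origin")          # Deviation 1: unexpected origin AS
        if obs.dest_as not in self.peering.get(obs.origin_as, set()):
            found.append("destination")     # Deviation 2: off-policy destination
        if nexthop_network(obs.next_hop) not in self.peer_nexthops.get(obs.peer_as, set()):
            found.append("next_hop")        # Deviation 3: foreign next hop
        return found


# Verdict labels are this example's own choice, following the article's triage logic.
VERDICTS = {
    frozenset(): "normal",
    frozenset({"destination"}): "route-leak candidate (likely misconfiguration)",
    frozenset({"origin"}): "prefix-hijack candidate",
    frozenset({"next_hop"}): "adversary-in-the-middle candidate",
    frozenset({"origin", "destination", "next_hop"}): "deliberate route injection (P1)",
}


def build_baseline(history) -> Baseline:
    baseline = Baseline()
    for obs in history:
        baseline.learn(obs)
    return baseline


def triage(baseline: Baseline, obs: Observation) -> dict:
    devs = baseline.deviations(obs)
    verdict = VERDICTS.get(frozenset(devs), "multiple deviations: investigate")
    return {"prefix": obs.prefix, "origin_as": obs.origin_as,
            "deviations": devs, "verdict": verdict}


# Constructed history: AS64496 originates 192.0.2.0/24 toward peers AS64497 and
# AS64498; AS64499 originates 198.51.100.0/24 toward AS64497.
HISTORY = [
    Observation("192.0.2.0/24", 64496, 64497, 64497, "203.0.113.1"),
    Observation("192.0.2.0/24", 64496, 64498, 64498, "198.18.0.9"),
    Observation("198.51.100.0/24", 64499, 64497, 64497, "203.0.113.5"),
]

# Constructed live observations, one per triage outcome.
LIVE = [
    Observation("192.0.2.0/24", 64496, 64497, 64497, "203.0.113.2"),      # in baseline
    Observation("192.0.2.0/24", 64496, 64500, 64497, "203.0.113.2"),      # leak candidate
    Observation("198.51.100.0/24", 64496, 64497, 64497, "203.0.113.2"),   # hijack candidate
    Observation("198.51.100.0/24", 64666, 64500, 64497, "198.18.255.1"),  # all three deviate
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for obs in LIVE:
        result = triage(baseline, obs)
        print(f"{result['prefix']:<16} origin AS{result['origin_as']:<6} "
              f"{result['deviations'] or ['-']} -> {result['verdict']}")
```

Running the script classifies the four constructed observations as an in-baseline route, an off-policy destination (leak candidate), an unexpected origin (hijack candidate), and a record where origin, destination and next hop all deviate at once, which is the only case labelled a P1 injection. In a real deployment the baseline would be learned over a rolling window from carrier-scale flow exports rather than three records, and the next-hop check would be fed by each peer's known infrastructure ranges rather than the /24 heuristic used here.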

Threat Landscape (summary)

  • Route Leak: an AS re-advertises routes to peers that should never have seen them. Usually a misconfiguration, but it still redirects live traffic.
  • Prefix Hijack: an adversary AS announces IP prefixes it doesn't own, attracting traffic meant for someone else, including government and telecom ranges.
  • Route Injection: a threat actor with BGP access deliberately injects routes to divert specific traffic through attacker-controlled infrastructure.

BGP Signals

  • Signal 1, Origin AS: which autonomous system claims to originate the route.
  • Signal 2, Destination AS: which prefix range that AS is advertising reachability toward.
  • Signal 3, Next-Hop Address: the actual IP traffic is forwarded to, which may not belong to the expected peer.

Key Signature

  • Deviation 1, Unexpected Origin AS: a new AS appearing as origin for a prefix it has never announced.
  • Deviation 2, Off-Policy Destination: a destination outside that AS's established peering baseline.
  • Deviation 3, Foreign Next Hop: a next-hop IP not belonging to the expected peer AS infrastructure.
  • Verdict, all three simultaneous: near-definitive indicator of deliberate route injection, not misconfiguration. Treat as P1.

Detection

  • Passive metadata only: no packet capture, no router access, no SPAN ports required.
  • Peering baseline comparison: correlated against a rolling history of observed AS relationships.
  • Wire-rate, unsampled: runs continuously across carrier-scale BGP topology, with no blind spots.
