toolkit

How BGP Routes the Internet

The protocol that glues the internet together. See how Autonomous Systems exchange routes and what happens when it fails.

BGP Toolkit
Internet Backbone (Autonomous Systems)
AS100 Your ISP
AS200 Tier 2
AS300 Tier 2
AS400 Tier 1
AS500 Google
Origin
Transit
Tier 1
Destination
1 / 10

Autonomous Systems

The building blocks

What Happens

The internet is a network of networks. Each network (ISP, Cloud Provider, Enterprise) is an Autonomous System (AS) with a unique number.

Why

No single entity controls the internet. BGP allows independent networks to exchange routing information.

Technical Detail

AS Numbers (ASN) are 16 or 32-bit integers. Example: Google is AS15169.

Example AS100 (Your ISP) → AS200 (Transit) → AS15169 (Google)

Key Takeaways

Trust-Based

BGP was designed in an era of mutual trust. Security was NOT a priority.

No Central Authority

The internet is a mesh of independent networks cooperating via BGP.

RPKI Adoption

Cryptographic signing is slowly being adopted to prevent hijacking.

Border Gateway Protocol: The Protocol That Holds The Internet Together

If DNS is the internet's phonebook, BGP (Border Gateway Protocol) is its postal service. It is the only protocol capable of managing the routing of packets across the fragmented, decentralized mesh of networks that we call the global internet. BGP is famously built on absolute trust—a design choice from the 1980s that continues to haunt modern cybersecurity.

Part 1: The Autonomous System (AS)

The internet is not one giant network controlled by a central authority. It is a "network of networks." Each independently operated network—whether it belongs to an ISP like Comcast, a tech giant like Google, or a university—is known as an Autonomous System (AS).

Every AS is assigned a globally unique identifier called an Autonomous System Number (ASN) by the Internet Assigned Numbers Authority (IANA). Originally 16-bit integers (allowing for only 65,536 networks), they were later inherently expanded to 32 bits to accommodate the explosive growth of the web.

To illustrate:

  • Google is AS15169.
  • Cloudflare is AS13335.
  • Comcast is AS7922.

Inside an AS, routers use Internal Gateway Protocols (IGPs) like OSPF or IS-IS to instantly figure out the fastest path from Point A to Point B. But IGPs cannot scale to millions of routes globally. When data needs to leave Comcast and reach Google, it must cross the "border." That is exactly where BGP comes in.

Part 2: The BGP Announce and Propagate Mechanism

When Google connects a new data center to the internet, it doesn't ask a central registry to update a master routing table. Instead, it "speaks" BGP.

Google's border routers establish a persistent TCP connection (Port 179) with the border routers of neighboring ISPs (like AT&T and Level 3). They become Peers.

Google sends a BGP UPDATE message: "Hello neighbors. I am AS15169. I own the IP address block 8.8.8.0/24. Send any traffic destined for those IPs to me."

The neighboring ISPs receive this announcement. They add their own ASN to the path, and re-broadcast the message to all their neighbors: "Hello. We are AT&T (AS7018). We know how to reach 8.8.8.0/24. The path is [AS7018, AS15169]."

This ripple effect propagates endlessly until every BGP router on earth has a vast routing table (currently over 900,000 distinct IP prefixes) detailing exactly which sequence of ASNs a packet must traverse to reach any given IP address. This sequence is known as the AS_PATH.

Transit vs. Peering

Not all BGP relationships are equal. Transit is when a small network pays a larger Tier-1 backbone provider (like Lumen or NTT) for access to the entire internet. Settlement-Free Peering is when two large networks (like Google and Netflix) connect their cables directly to each other and exchange user traffic for free, mutually benefiting by bypassing expensive transit providers.

Part 3: The Path Selection Algorithm

The internet is highly redundant. Your home ISP might receive ten different BGP announcements for how to reach Google, taking entirely different routes around the globe. How does the router choose which path to send your packet down?

BGP does not inherently care about speed, latency, or bandwidth. It is a "Path Vector" protocol. It executes a strict, deterministic sequence of tie-breakers to select the best route:

  1. Weight (Cisco specific): Highest weight wins. Locally configured, never leaves the router.
  2. LOCAL_PREF: Local Preference. This is how network engineers manually force traffic out a specific cable (usually because that cable is cheaper). Highest wins.
  3. AS_PATH Length: The shortest path wins. A path of [AS200, AS15169] beat a path of [AS300, AS400, AS500, AS15169]. Fewer network hops is the primary fallback metric.
  4. Origin Type: Prefer routes directly injected (i) over those learned from exterior protocols (e).
  5. MED (Multi-Exit Discriminator): Used when multiple links exist to the same neighboring AS. Lowest MED wins.
  6. eBGP over iBGP: Prefer routes learned from outside the network over routes learned from inside.

Because LOCAL_PREF is evaluated before AS_PATH length, a network administrator can easily force your web traffic to take a slow, 15-hop path around the world simply because that path costs them less money than utilizing the direct, low-latency fiber optic cable. This is why BGP is often described as a policy engine, not a performance engine.

Part 4: The 1989 Trust Fall (BGP Hijacking)

BGP was formalized in 1989 by three engineers jotting notes on a napkin (literally, the "two-napkin protocol"). In 1989, only government researchers and universities were on the internet. Everyone knew everyone. Therefore, BGP was built with zero authentication.

If an AS broadcasts an UPDATE message claiming, "I own the IP for BankOfAmerica.com," the entire internet blindly trusts it, updates their routing tables, and immediately begins sending Bank of America's highly sensitive traffic to the imposter. This is known as a BGP Hijack.

How Hijacks Exploit Routing Logic

Hijackers don't just rely on blind trust; they exploit a fundamental rule of IP routing: The Most Specific Route Always Wins.

If Google announces that they own 8.8.0.0/16 (a large block of 65,000 IPs), and a malicious ISP in another country announces that they own 8.8.8.0/24 (a tiny subset of just 256 IPs), every router on earth will look at a packet destined for 8.8.8.8 and say, "The /24 route is more mathematically specific than the /16 route. I must send the packet to the malicious ISP."

The traffic is swallowed into a "black hole," or worse, intercepted, monitored by a nation-state, and then silently forwarded to the real Google to avoid detection (a Man-In-The-Middle attack). Notable examples include:

  • 2008 Pakistan YouTube Outage: Pakistan Telecom attempted to censor YouTube internally by announcing a highly specific "blackhole" route for YouTube's IPs. They accidentally leaked the route to the global internet via their upstream provider, successfully pulling all of the world's YouTube traffic into Pakistan and knocking the site offline globally for two hours.
  • 2018 Amazon Route 53 Hijack: Attackers hijacked the BGP routes for Amazon's DNS servers. They redirected crypto-currency users to a fake website, stealing $150,000 in Ethereum before anyone noticed.

Part 5: Cryptographic Salvation (RPKI)

For thirty years, the internet operated precisely this way. In recent years, the industry aggressively mobilized to deploy Resource Public Key Infrastructure (RPKI).

RPKI is the HTTPS of routing. It allows the true owner of an IP block to cryptographically sign a document called a Route Origin Authorization (ROA). A ROA states: "Only AS15169 is cryptographically permitted to announce the IP block 8.8.8.0/24."

Modern ISPs download these cryptographic signatures dynamically. During the BGP path selection process, before a router accepts a new route announcement, it checks the cryptographic signature using Route Origin Validation (ROV).

  • If the announcement matches the ROA (Valid), it accepts it.
  • If the announcement contradicts the ROA (Invalid), the router instantly completely drops the route, rendering BGP hijacks ineffective against RPKI-enforcing networks.

Major providers like Cloudflare, AT&T, and Google now categorically drop "Invalid" routes, successfully inoculating large portions of the internet backbone against accidental leaks and malicious nation-state routing interception.

Conclusion: Fragile but Resilient

BGP is a fascinating paradox. It is incredibly brittle—a single typo in a router configuration in Eastern Europe can inadvertently sever the digital connections of millions of simultaneous users across the Pacific. Yet, due to its decentralized path-vector nature, the internet continually heals itself, dynamically rerouting data around severed submarine cables and massive power outages without human intervention.

Glossary & Concepts

Autonomous System (AS)

A collection of IP networks under a single administrative domain. Each AS has a unique ASN (16-bit or 32-bit).

AS_PATH

A list of AS numbers a route has traversed. Used for loop prevention and path selection.

eBGP vs iBGP

eBGP runs between different AS numbers. iBGP runs within the same AS for internal route distribution.

LOCAL_PREF

Local Preference. Used within an AS to prefer certain exit points. Higher is better.

BGP Hijacking

When a malicious or misconfigured AS announces routes it doesn't own, redirecting traffic.

RPKI / ROA

Resource Public Key Infrastructure. Route Origin Authorization (ROA) cryptographically links prefixes to authorized ASNs.

Related Resources

BGP Toolkit (Hurricane Electric)

Lookup ASNs, prefixes, and peering info

BGPStream

Live BGP hijack detection and alerts

Cloudflare BGP Guide

Beginner-friendly BGP explainer

RPKI Documentation

Learn to implement RPKI validation