Cybersecurity Internet Technology & Innovation
Resources October 5, 2020

BGP incident data

By Justin Sherman

The Border Gateway Protocol communicates potential paths that Internet packets can take from their origin to their destination. It’s the Internet’s “GPS” for traffic and a key part of the Internet’s digital rules. There are multiple physical routes available to send an email from Washington, DC, to a user in Berlin, because the Internet is made up of these meshed Autonomous Systems—constituent networks of which the Internet is composed. But after evaluating potential paths that data could travel across interconnected Autonomous Systems, one of these paths must be picked and used. The BGP allows Autonomous Systems like those operated by ISPs like Verizon, CDNs like Cloudflare, and cloud providers like Amazon and Google to communicate possible routes to each other. Then, for each packet which must be forwarded, each Autonomous System makes a routing decision—selecting a possible path it learned via the BGP from its neighboring Autonomous Systems. These routing decisions typically prioritize the least-expensive or highest-performance routes.

Core to BGP routing is trust. Autonomous Systems using this “GPS” for traffic implicitly trust routing information received from neighboring Autonomous Systems1K. Sriram et al., “Problem Definition and Classification of BGP Route Leaks,” Internet Engineering Task Force, RFC 7908, June 2016, because like many of the Internet’s early protocols, the BGP wasn’t designed for security. Each time a packet moves from one Autonomous System to another (say, Verizon to Amazon), the sender assumes its own routing table (based on information from its neighbors, received via the BGP) reasonably approximates the actual topology of the Internet.2 J. Mauch, J. Snijders, and G. Hankins, “Default External BGP (EBGP) Route Propagation Behavior without Policies,” Internet Engineering Task Force, RFC 8212, July 2017, This blind trust problem explains the BGP’s many malfunctions and exploitations.

This interactive dataset uses data from BGPStream, an open-source BGP monitoring tool, to display malfunctions in and attacks on the Border Gateway Protocol in the first five months of 2020. These kinds of BGP events have impacted major technology firms like Facebook and Google, banking and financial services firms like MasterCard, and even US government agencies like the Department of Defense, a particularly frequent victim of inadvertent hijackings as a consequence of its broad holding of IP addresses. BGP route leaks can also vary in duration. Some last for hours and crash small companies’ websites with misdirected traffic, or they could last for mere minutes but affect millions more people.

The visualization allows for exploration of this BGP incident data pulled from BGPStream.



The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.