Poster: Quantifying the Proportion of Hijacked Prefixes Among the Identified Prefix Hijackers

The Border Gateway Protocol (BGP) remains susceptible to prefix hijacks due to its trust-based nature and lack of default robust authentication mechanisms. Prefix hijacks are unintentional or malicious announcements of prefixes allocated to other ASes. Although prefix hijacks are primarily associated with misconfigurations, they remain a significant security threat. For instance, the recent hijacking and route leak incident involving Cloudflare made their DNS resolver unreachable for some networks for about 8 hours. Some ASes perform hijacks frequently and for longer duration. We revisited these “serial hijackers” in 2024 and validated some of the potential serial hijackers with external data. However, neither the original study from 2019 nor ours dug deeper to understand the impact and goal of serial hijackers. This study fills this gap and shows that 22.9% of the announcements were RPKI-invalid, raising new questions about the intent of the hijack. Finally, we show that these invalid announcements still reach many networks on the Internet, demonstrating that many ASes are not doing RPKI route origin validation, thereby compromising the Internet’s stability and security.