A complete, hands-on simulation of a BGP hijacking attack — covering the full lifecycle from lab setup and route hijacking to live traffic interception, packet analysis, and defense implementation.
BGP (Border Gateway Protocol) is the routing protocol that runs the internet. Designed in 1989 for a small, trusted community, it has no built-in mechanism to verify whether an Autonomous System actually owns the prefixes it announces. That trust is the vulnerability this lab exploits.
The lab simulates three Autonomous Systems in a fully isolated VirtualBox environment:
| Role | AS | Description |
|---|---|---|
| Victim | AS100 | Legitimate network — owns and announces a prefix |
| Transit ISP | AS200 | Passes routing information between peers |
| Attacker | AS300 | Hijacks AS100's traffic via a forged BGP announcement |
The attack requires no system compromise, no stolen credentials, and no exploit code. Two BGP configuration commands are enough to silently redirect traffic away from the legitimate owner — and the victim has no direct visibility into what is happening.
- Establishing eBGP sessions between three Autonomous Systems using FRRouting
- Executing a BGP subprefix hijack — AS300 announces a more specific prefix than AS100, and because forwarding uses longest-prefix match, AS200 prefers the attacker's route for every address inside that subprefix regardless of AS_PATH
- Demonstrating live HTTP traffic interception — requests addressed to AS100 land on AS300's server with the victim receiving nothing
- Capturing the BGP UPDATE message carrying the hijacked prefix with tcpdump and analysing it in Wireshark at the attribute level
- Implementing prefix-list filtering on AS200 to reject unauthorised route announcements
- Verifying the attack is completely neutralised after the filter is applied
- Researching RPKI (Resource Public Key Infrastructure) as the global-scale cryptographic defense, and validating both lab and real-world prefixes against Cloudflare's live RPKI database
- Mapping attack techniques to MITRE ATT&CK (T1557, T1498)
- Analysing real Autonomous System routing data from RIPE Stat (AS13335, AS15169)
- Contextualising findings against historical BGP hijacking incidents
```
AS100 (Victim) ──── bgp-net1 ──── AS200 (Transit ISP)
      │                                   │
   bgp-net2                            bgp-net3
      │                                   │
      └──────────── AS300 (Attacker) ─────┘
```
All three VMs run Ubuntu Server 22.04 LTS with FRRouting 8.1, connected via VirtualBox Internal Networks — completely isolated from any real network infrastructure.
| Tool | Version | Purpose |
|---|---|---|
| VirtualBox | 7.x | Hypervisor — runs three isolated Ubuntu VMs |
| Ubuntu Server | 22.04 LTS | Operating system for each router VM |
| FRRouting | 8.1 | BGP daemon — same software used by real ISPs |
| vtysh | — | FRR's interactive configuration shell |
| tcpdump | — | On-VM BGP packet capture |
| Wireshark | — | Packet analysis and BGP UPDATE inspection |
```
bgp-hijacking-lab/
├── configs/
│   ├── as100-victim.conf        # Victim BGP configuration
│   ├── as200-transit.conf       # Transit ISP config with defense filters
│   └── as300-attacker.conf      # Attacker config with hijack commands
├── screenshots/
│   ├── Before-Hijack.png        # Clean routing state before the attack
│   ├── after-hijack.jpg         # AS200 routing table during the hijack
│   ├── interception.png         # Live HTTP traffic landing on attacker
│   ├── wireshark-capture.png    # BGP UPDATE packet carrying fake prefix
│   ├── defense.jpg              # Routing table after filter applied
│   ├── rpki-unknown.jpg         # Lab prefix — unregistered, no ROA
│   └── rpki-valid.jpg           # Cloudflare prefix — RPKI protected
├── captures/
│   └── bgp-capture.pcap         # Raw Wireshark capture of the hijack
└── report/
    └── BGP_Hijacking_Lab_Report.pdf
```
AS200 holds a single legitimate route pointing to AS100. Everything is normal.
```
Network          Next Hop     Path
10.10.0.0/24     10.0.12.1    100 i
```
AS300 announces a more specific prefix. Because forwarding uses longest-prefix match, AS200 prefers the /25 for every address it covers, regardless of AS_PATH — the victim's traffic is now being routed to the attacker.
```
Network          Next Hop     Path
10.10.0.0/24     10.0.12.1    100 i
*> 10.10.0.0/25  10.0.23.2    300 i   ← BGP selects this
```
A request to AS100's IP address returns the attacker's page. AS100 receives nothing.
The BGP UPDATE message captured at the moment of the hijack. AS_PATH shows only 300 — the legitimate owner is absent entirely.
```
Type: UPDATE Message (2)
AS_PATH: 300
NEXT_HOP: 10.0.23.2
NLRI prefix: 10.10.0.0/25
```
Prefix-list filtering on AS200 drops AS300's announcement silently. The attack is neutralised.
```
Network          Next Hop     Path
10.10.0.0/24     10.0.12.1    100 i
```
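The three routing states above, the prefix-list defense, and the RPKI origin-validation check from the research step can be modelled in a few lines. The following is an added example written for this README, not code from the lab's FRRouting configs; the allow-list and the ROA entries are constructed to match the lab's addressing, and the `accept`/`rpki_validate` helpers are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    as_path: tuple


# Constructed sample: the two routes AS200 learns from its peers in the lab.
LEGIT = Route(ipaddress.ip_network("10.10.0.0/24"), "10.0.12.1", (100,))
HIJACK = Route(ipaddress.ip_network("10.10.0.0/25"), "10.0.23.2", (300,))


def best_route(rib, dst):
    """Forwarding lookup: the longest matching prefix wins, AS_PATH is never consulted."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in rib if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# Hypothetical per-peer allow-list for AS200: (covering prefix, maximum length).
# The length cap plays the role of FRR's "le" keyword, so a /25 carved out of
# 10.10.0.0/24 is not permitted even from AS100, and AS300 has no entry at all.
PREFIX_LIST = {100: [(ipaddress.ip_network("10.10.0.0/24"), 24)]}


def accept(peer_as, route):
    for net, max_len in PREFIX_LIST.get(peer_as, []):
        if route.prefix.subnet_of(net) and route.prefix.prefixlen <= max_len:
            return True
    return False  # implicit deny at the end of a prefix-list


def build_rib(announcements, filtered):
    """announcements: list of (peer_as, Route); filtered toggles the prefix-list."""
    return [r for peer_as, r in announcements if not filtered or accept(peer_as, r)]


def rpki_validate(prefix, origin_as, roas):
    """RFC 6811 origin validation. roas: (prefix, origin AS, maxLength) tuples."""
    prefix = ipaddress.ip_network(prefix)
    covering = [(n, a, m) for n, a, m in roas if prefix.subnet_of(n)]
    if not covering:
        return "notfound"  # the lab prefix has no ROA, shown as "unknown"
    if any(a == origin_as and prefix.prefixlen <= m for _, a, m in covering):
        return "valid"
    return "invalid"
```

Note that the subprefix hijack only captures addresses inside 10.10.0.0/25; a host in the upper half of the /24 keeps its legitimate path, which is one reason the victim sees partial rather than total loss.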
| Technique | ID | How It Applies |
|---|---|---|
| Adversary-in-the-Middle | T1557 | AS300 intercepts traffic destined for AS100 by forging BGP route announcements |
| Network Denial of Service | T1498 | AS100 effectively loses access to its own announced address range |
A complete technical report is available in /report/. It covers lab architecture, FRRouting configuration, full attack methodology, Wireshark packet analysis, defense implementation, RPKI research, lab limitations, and MITRE ATT&CK mapping.
This lab runs entirely within an isolated VirtualBox environment using private address space. No real internet infrastructure, public IP space, or external BGP peers were involved at any point. This project is strictly for educational and portfolio purposes.
This project is licensed under the MIT License.
You are free to use, copy, modify, and distribute this project for any purpose, with or without modification, provided that the original copyright notice and this permission notice are included. This project is provided as-is, without warranty of any kind.
See the LICENSE file for the full license text.