BGP: How Internet Routing Works — and Why Route Leaks Can Take Down Major Services
BGP is the protocol that routes traffic across the internet's 80,000 autonomous systems — and its trust model is why a misconfiguration at a small ISP took down Cloudflare, Amazon, and Facebook for two hours. Here's how BGP works, how anycast CDNs use it, and why RPKI is the partial fix.
By sadiqbd · June 9, 2026
BGP is why the internet has no single authority — and why a routing mistake can take down Netflix for two hours
The Border Gateway Protocol (BGP) is the routing protocol that connects the internet's roughly 80,000 autonomous systems — ISPs, cloud providers, universities, enterprises — into a single network. It's over 30 years old, runs on critical global infrastructure, and has a trust model built on manual configuration and informal agreements that was designed for a more cooperative era.
Understanding BGP explains why internet routing is fundamentally fragile, how anycast CDNs work, and what happens when someone makes a routing mistake.
What BGP does
The internet isn't one network — it's tens of thousands of independent networks (autonomous systems, or ASes) connected to each other. Each AS is assigned an Autonomous System Number (ASN) by regional internet registries.
BGP is how these networks share routing information: "I can reach these IP address ranges, and here's the path to get there."
BGP routing decisions: when an AS has multiple paths to a destination, it selects the best path based on attributes:
- AS path length: fewer hops is generally preferred
- Next hop: which peer is offering the route
- Local preference: administratively configured preference for routes from specific peers
- MED (Multi-Exit Discriminator): hints to neighboring ASes about preferred entry points
The "best" path isn't always the lowest latency path — BGP optimises for policy compliance and stability, not pure performance.
BGP incidents: when routing goes wrong
Route leaks
A route leak occurs when an AS re-advertises BGP routes it has learned from one peer to another peer in a way not intended by routing policy. The receiving AS accepts the "leaked" route and may start sending traffic through the leaking AS.
The 2010 China Telecom incident: China Telecom inadvertently advertised approximately 50,000 route prefixes that it didn't actually serve, making it look like China Telecom was the preferred path for networks including major US ISPs, military networks, and government agencies. Traffic from many parts of the world briefly routed through China before reaching its intended destination. Duration: approximately 18 minutes.
The 2019 Verizon/Cloudflare incident: A misconfigured BGP router at a small ISP (AS33154, DQE Communications) leaked routes learned from Cloudflare to Verizon. Verizon accepted these routes and began routing significant portions of internet traffic through a 10 Mbps link that couldn't handle the volume. Major portions of the internet (including Cloudflare services, Amazon, and Facebook) were unreachable for approximately 2 hours.
BGP hijacking
BGP hijacking is more deliberate: an AS announces ownership of IP address blocks it doesn't actually own, attracting traffic to its infrastructure. Hijacks are used for traffic interception, DDoS, spam, or financial fraud.
The 2018 BGP hijack of Amazon Route 53: attackers hijacked IP addresses belonging to Amazon's DNS service. For approximately 2 hours, DNS queries for several cryptocurrency platforms were redirected to attacker-controlled DNS servers, enabling theft of approximately $152,000 in cryptocurrency.
Why BGP is vulnerable
BGP's trust model is "announce it and it will be believed." There is no cryptographic verification that an AS legitimately owns the prefixes it announces. The system relies on:
- Routing policies configured by network operators
- Peer relationships and commercial agreements
- Community norms and informal communication
RPKI (Resource Public Key Infrastructure): the partial fix. RPKI allows IP address block holders to cryptographically sign route origin authorization (ROA) records, linking specific IP prefixes to the ASNs authorised to announce them. Routers that validate RPKI can reject invalid BGP announcements.
RPKI adoption has been growing — major networks including Cloudflare, Apple, Amazon, and many ISPs now validate RPKI. But adoption is not universal; invalid routes that reach non-validating routers can still be accepted.
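The origin check a validating router performs, as an added example that is not from the original article: it follows the valid / invalid / not-found classification of RFC 6811. The ROAs and announcements are constructed from documentation prefixes and ASNs, and the function names are illustrative.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # address block the holder signed for
    max_length: int  # longest prefix length the holder permits
    asn: int         # AS authorised to originate the block

# Constructed ROAs using documentation prefixes and ASNs (RFC 5737/3849/5398).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
    ROA("2001:db8::/32", 48, 64498),
]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the announced prefix sits inside it.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # AS0 in a ROA means "do not route", so it never matches an origin.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered but unmatched: wrong origin or too specific. Uncovered: no ROA.
    return "invalid" if covered else "not-found"

def accepted_routes(announcements, validating):
    """Routes a router installs; only a validating router drops 'invalid'."""
    return [
        (prefix, asn) for prefix, asn in announcements
        if not (validating and validate_origin(prefix, asn) == "invalid")
    ]

# Constructed announcements as (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # matches its ROA
    ("192.0.2.0/24", 64511),       # covered, but wrong origin AS
    ("198.51.100.128/26", 64497),  # right origin, longer than maxLength 25
    ("203.0.113.0/24", 64499),     # no ROA exists for this block
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}  {validate_origin(prefix, asn)}")
```

The not-found result is why RPKI is only a partial fix: a prefix with no ROA cannot be judged, and a router that does not validate installs all four routes.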
Anycast: one IP, many locations
Anycast is a routing architecture where the same IP address is announced from multiple geographic locations simultaneously. The internet's routing (via BGP) delivers each packet to the "nearest" instance of that IP, as determined by BGP path selection.
How CDNs use anycast: Cloudflare's 1.1.1.1 DNS resolver is announced from hundreds of points of presence worldwide. A query from London reaches a Cloudflare server in London; a query from Singapore reaches a Singapore server. Same IP, different physical destinations.
Advantages:
- Automatic geographic load distribution
- Resilience: if one location fails, BGP withdraws its announcement, and traffic automatically routes to the next closest location
- DDoS mitigation: attack traffic is distributed across many PoPs rather than overwhelming one
How CDNs use anycast for web traffic: Cloudflare, Fastly, Akamai, and similar CDNs announce their anycast ranges from global PoPs. HTTP traffic destined for a CDN-served domain reaches the nearest PoP, where it's served from cache or proxied to the origin.
Reading a traceroute through the BGP lens
Understanding BGP makes traceroute output more legible:
1 192.168.1.1 1ms (your router)
2 100.64.0.1 8ms (ISP CPE)
3 ae1.edge1.lon.net 12ms (ISP edge, London)
4 ae2.core1.nyc.net 85ms (transatlantic link, New York)
5 ae1.peer1.nyc.net 87ms (peering point, New York)
6 192.168.100.1 90ms (destination AS, New York)
The step from hop 3 to hop 4 is the BGP handoff from a European AS to a North American AS — visible as the 73ms latency jump (transatlantic propagation). Hop 5 is a peering exchange where two ASes exchange traffic under a BGP peering arrangement.
Internet exchange points (IXPs)
Internet Exchange Points are physical facilities where multiple networks interconnect and exchange BGP routes directly. The largest:
- AMS-IX (Amsterdam): one of the world's largest, 1000+ members
- DE-CIX (Frankfurt): largest globally by throughput, 1000+ connected networks
- LINX (London)
- Equinix exchanges: global facilities hosting numerous peering relationships
Connecting to an IXP allows a network to peer directly with many other networks, reducing the cost and latency of transit (paying a third party to carry your traffic).
How to use the Traceroute tool on sadiqbd.com
BGP-aware traceroute reading:
- Look for the latency jumps — each large jump typically represents a geographic boundary or inter-AS handoff
- Look at hop hostnames — operators often encode location information (lon for London, ams for Amsterdam, nyc for New York)
- Identify peering points — hostnames containing peer, ix, or exchange point names
- Note AS transitions — consecutive hops with very different hostnames suggest an AS boundary
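The reading steps above applied mechanically to the article's sample traceroute, as an added example that is not part of the original article or the sadiqbd.com tool. The 30 ms jump threshold and the function names are assumptions, and hostname matching is a heuristic.

```python
import re

# The sample traceroute from the article above, embedded verbatim.
TRACE = """\
1 192.168.1.1 1ms (your router)
2 100.64.0.1 8ms (ISP CPE)
3 ae1.edge1.lon.net 12ms (ISP edge, London)
4 ae2.core1.nyc.net 85ms (transatlantic link, New York)
5 ae1.peer1.nyc.net 87ms (peering point, New York)
6 192.168.100.1 90ms (destination AS, New York)
"""

# Location codes named in the article; real operators use many more.
LOCATIONS = {"lon": "London", "ams": "Amsterdam", "nyc": "New York"}
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+(?:\.\d+)?)\s*ms")

def parse_hops(text):
    """Return (hop, host, rtt_ms) tuples; unanswered hops ('* * *') are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return hops

def annotate(text, jump_ms=30.0):
    """Map hop number -> observations; jump_ms is an assumed threshold."""
    findings, prev_rtt = {}, None
    for hop, host, rtt in parse_hops(text):
        labels = host.lower().split(".")
        notes = []
        if prev_rtt is not None and rtt - prev_rtt >= jump_ms:
            notes.append(f"latency jump +{rtt - prev_rtt:g}ms")
        notes += [f"location {city}" for code, city in LOCATIONS.items() if code in labels]
        # Heuristic: a label starting with 'peer' or 'ix' hints at a peering point.
        if any(label.startswith(("peer", "ix")) for label in labels):
            notes.append("peering point")
        if notes:
            findings[hop] = notes
        prev_rtt = rtt
    return findings

if __name__ == "__main__":
    for hop, notes in annotate(TRACE).items():
        print(hop, "; ".join(notes))
```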
Frequently Asked Questions
Can I see BGP routing tables? Yes — Route Views (routeviews.org) and RIPE NCC's RIS (Routing Information Service) maintain public BGP route table archives. Looking Glass servers operated by major ISPs allow BGP queries. For real-time BGP visibility, BGPmon, RIPE RIS Live, and similar services provide feed access.
How does BGP affect my latency? Significantly. Two networks with geographic proximity but poor peering may route traffic through a third continent before exchanging packets. The "shortest BGP path" isn't always the geographically shortest path. This is why CDNs and networks with good peering relationships provide better performance than distant origin servers.
Is the Traceroute tool free? Yes — completely free, no sign-up required.
BGP is the protocol that makes the internet one network from many — and its fragility and trust-based model explain why seemingly localised routing mistakes propagate globally. Understanding it turns unexplained internet behaviour (sudden latency spikes, regional outages) from mysteries into diagnosable events.