IRCNF

BGP hijacking is still breaking the internet — and RPKI is the fix most ISPs haven't deployed yet


On 8 April 2010, for about 18 minutes, China Telecom announced routes for roughly 37,000 prefixes belonging to other networks, including address space used by the US military, government agencies, and major corporations. The figure usually repeated is that 15% of the world's internet traffic was rerouted; that was closer to 15% of the internet's routed prefixes, and the share of actual traffic was far smaller. Either way, China Telecom didn't hack anything. It simply announced that it had routes to those destinations, and enough of the rest of the internet believed it, because the Border Gateway Protocol, the system that routes traffic between networks, has no way to verify whether a routing announcement is legitimate.

That was 16 years ago. The underlying problem is still not fixed.

The protocol that runs on trust

BGP dates from 1989 (RFC 1105). It was designed when the internet was a small network of universities and government agencies who knew each other. The protocol operates on the premise that if a network (called an Autonomous System, or AS) announces that it can reach a given block of IP addresses (a prefix), the announcement is true. The session between two neighbouring routers can be authenticated, but the content of an announcement cannot: there is no cryptographic proof that an AS holds the right to originate a prefix. You just announce it, and the internet routes traffic to you.

This matters because BGP is how every packet on the internet finds its destination. When you load a webpage, your ISP's routers forward the request along a path chosen from the routes learned via BGP. If someone injects a false route, your traffic goes somewhere else, to a network that can read it, modify it, or simply drop it.

BGP hijacks happen regularly. Pakistan Telecom took YouTube offline for about two hours in 2008 by announcing a more-specific prefix of YouTube's address space, meant to block the site inside Pakistan, which its upstream then propagated to the rest of the world. Rostelecom in Russia briefly redirected traffic for prefixes belonging to Amazon, Google, Akamai, and more than 200 other networks in 2020. A Belarusian ISP hijacked Cloudflare's IP space in 2021. Most incidents are accidental misconfigurations, but state-level actors have demonstrated the capability to do it intentionally.

What RPKI is supposed to fix

Resource Public Key Infrastructure (RPKI) is a cryptographic framework that lets IP address holders sign records called Route Origin Authorizations (ROAs). A ROA is a signed statement of the form: "AS 64500 is authorized to originate the prefix 198.51.100.0/24", optionally together with a maximum prefix length that also permits more-specific announcements down to that length. A network that validates compares each announcement's prefix and origin AS against the ROAs: if a ROA covers the prefix and matches the origin (within the maximum length), the route is Valid; if ROAs cover the prefix but none matches, it is Invalid; if no ROA covers the prefix at all, it is NotFound. A hijacker announcing the same prefix, or a more-specific one, from another AS therefore shows up as Invalid on networks that validate, and can be rejected.

The five Regional Internet Registries — ARIN (North America), RIPE NCC (Europe/Middle East), APNIC (Asia-Pacific), LACNIC (Latin America), and AFRINIC (Africa) — all offer RPKI services. Creating ROAs is free. The cryptographic infrastructure is already built.

The problem is that RPKI requires two steps to actually stop hijacks. First, address holders need to create ROAs. Second, ISPs and network operators need to configure their routers to reject announcements that fail validation (this is called Route Origin Validation, or RPKI-ROV). In practice a router does not process the signed objects itself: a relying-party validator fetches and verifies the RPKI repositories and feeds the router a list of validated ROA payloads over the RPKI-to-Router (RTR) protocol, and the router's import policy then decides what to do with Invalid routes. Both halves need to happen for the protection to work.
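The validation states described above, as a worked example added here (illustrative code written for this page, not software from any RIR or router vendor): a minimal origin validator following the RFC 6811 rules, run over a constructed set of ROAs using documentation prefixes and ASNs. Beyond the basic hijack case it shows the maxLength footgun, where an address holder's own more-specific announcement comes out Invalid because its ROA does not permit it, and the NotFound case that most operator policies still accept.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """A validated ROA payload as a router receives it over RTR: prefix, maxLength, origin ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (RFC 5737 / RFC 3849 documentation prefixes, RFC 5398 documentation ASNs).
SAMPLE_ROAS = [
    Roa("198.51.100.0/24", 24, 64500),   # /24 only: the holder has not allowed any more-specifics
    Roa("203.0.113.0/24", 25, 64501),    # holder may also announce the two /25s
    Roa("203.0.113.0/24", 24, 64502),    # a second origin for the same /24 (e.g. during a migration)
    Roa("2001:db8::/32", 48, 64500),     # IPv6: anything from the /32 down to /48s
]


def covering_roas(roas, prefix):
    """ROAs whose prefix contains the announced prefix (same address family only)."""
    net = ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate(roas, prefix, origin_asn):
    """RFC 6811 validation state ("Valid", "Invalid" or "NotFound") for one announcement."""
    net = ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "NotFound"
    for roa in covering:
        # Any single matching ROA makes the route Valid. A ROA for AS0 can never match a
        # real origin, which is how AS0 ROAs are used to mark space that must not be routed.
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def rov_action(state, drop_invalid=True):
    """Typical import policy (RFC 7115 guidance): drop Invalid, accept Valid and NotFound."""
    if state == "Invalid" and drop_invalid:
        return "drop"
    return "accept"


def filter_table(roas, announcements):
    """Classify (prefix, origin_asn) announcements; returns {(prefix, asn): (state, action)}."""
    result = {}
    for prefix, asn in announcements:
        state = validate(roas, prefix, asn)
        result[(prefix, asn)] = (state, rov_action(state))
    return result


if __name__ == "__main__":
    announcements = [
        ("198.51.100.0/24", 64500),   # legitimate holder
        ("198.51.100.0/24", 64496),   # same prefix from another AS: origin hijack
        ("198.51.100.0/25", 64496),   # more-specific hijack
        ("198.51.100.0/25", 64500),   # the holder's own /25: Invalid, the maxLength footgun
        ("203.0.113.128/25", 64501),  # permitted by maxLength 25
        ("203.0.113.128/25", 64502),  # second origin is only authorized down to /24
        ("192.0.2.0/24", 64496),      # no ROA at all: NotFound, accepted by most policies
        ("2001:db8:1::/48", 64500),
    ]
    for (prefix, asn), (state, action) in filter_table(SAMPLE_ROAS, announcements).items():
        print(f"{prefix:<20} AS{asn}  {state:<9} -> {action}")
```

The fourth case is the one that bites operators who enable ROV or publish a ROA without checking what they actually announce: the holder is dropped by every validating network, not the hijacker.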

Where adoption actually stands

As of early 2026, roughly 50–55% of globally routed IPv4 prefixes have valid ROAs, meaning the address holder has published a ROA covering them. That's up from around 20% in 2020, which represents real progress. But ROA creation is only half the equation.

Origin validation, the filtering that actually rejects bad routes, is deployed on far fewer networks. Measurements put the share of Tier-1 and Tier-2 networks that currently enforce RPKI-ROV at roughly 30–35%. Among the major US carriers the picture is mixed: AT&T has been dropping RPKI-invalid routes since 2019, while others have been slower. European carriers, particularly in the RIPE NCC service region, have higher adoption rates. Some major CDNs like Cloudflare and Fastly enforce it. Most regional ISPs and enterprise networks do not.

What this means: even if you have published a ROA for your prefix, a significant portion of internet infrastructure will still accept a hijacked announcement of that prefix from someone else. The protection is partial, not universal.

Why it's taking so long

The reasons for slow adoption are mostly operational and economic, not technical. Configuring RPKI-ROV on a carrier's routers requires touching routing policy across every peering point and every border router. A misconfigured ROA can make a legitimate network unreachable: a ROA whose maximum length is shorter than the more-specific prefixes the holder actually announces, or that names the wrong origin AS, turns the holder's own routes Invalid, and every validating network drops them. The cure becomes the cause of the outage. Large ISPs that carry hundreds of thousands of routes are understandably nervous about enabling filtering that could inadvertently drop valid traffic.

There's also an incentive gap. The costs of a BGP hijack fall on the victim network. The work of deploying RPKI-ROV falls on every other network. For any individual ISP, the calculus has historically been: the effort is mine, the benefit is diffuse. This is a classic coordination problem.

Regulators are starting to push back. In the US, the FCC proposed rules in 2024 that would require large broadband providers to file BGP risk-management plans and deploy RPKI, and the White House Office of the National Cyber Director published a Roadmap to Enhancing Internet Routing Security the same year that calls for ROA creation and ROV on federal and commercial networks; CISA has issued guidance in the same direction. The EU's NIS2 Directive, which member states were required to transpose by October 2024, requires operators of essential services to implement BGP security measures, though enforcement is still inconsistent across member states.

Beyond RPKI: what's needed to actually secure routing

RPKI-ROV only validates the origin of a route, the AS that claims to originate it. It doesn't validate the path a route announcement travels, so an attacker who forges a path ending in the legitimate origin AS passes origin validation. A more complete solution called BGPsec (RFC 8205) adds cryptographic signatures to every step of the path, but it requires every AS along the path to support it, has significant performance implications for router hardware, and still doesn't catch route leaks, since a leaked path is cryptographically genuine. Deployment is essentially zero.

A middle ground called ASPA (Autonomous System Provider Authorization), specified in the IETF's SIDROPS working group, lets networks sign records that list which ASes are their upstream providers. This makes it possible to detect and reject a class of route leaks that RPKI-ROV misses: specifically, cases where a multihomed network re-announces routes it learned from one provider or peer to another provider, making itself unintended transit. Because the leaking network is not an attested provider of the AS it learned the route from, the path fails verification. The same check also catches forged-origin hijacks, where an attacker prepends the real origin AS to pass ROV, provided the origin has published an ASPA record. ASPA is gaining interest but is in very early deployment.
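How ASPA verification catches the leak just described, as an added example (illustrative code written for this page, not an implementation from the IETF drafts or any router vendor): a simplified version of the upstream-path check applied to routes received from customers and lateral peers, run over a constructed ASPA database using RFC 5398 documentation ASNs and an assumed topology described in the comments. It also shows, going beyond the paragraph above, that the same check rejects a forged-origin hijack that passes ROV. The separate down-then-up algorithm the drafts define for routes received from providers is not implemented here.

```python
# Constructed ASPA database: customer ASN -> set of ASNs it has attested as its providers.
# Assumed topology: AS64496 is the validating network; AS64500, AS64501 and AS64509 are its
# customers; AS64501 is also a customer of transit AS64502, whose own provider is AS64503;
# AS64496 and AS64503 are lateral peers. AS64509 and AS65536 have published no ASPA record.
ASPA_DB = {
    64500: {64496},
    64501: {64496, 64502},
    64502: {64503},
    64510: {64502},   # stub customer of 64502
    64511: {64501},   # stub customer of 64501
}


def hop_state(aspa_db, customer, provider):
    """Classify one customer -> provider hop against the customer's ASPA record."""
    providers = aspa_db.get(customer)
    if providers is None:
        return "no_attestation"          # customer has not published ASPA: nothing to check
    return "provider+" if provider in providers else "not_provider+"


def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so path prepending does not create bogus hops."""
    collapsed = []
    for asn in as_path:
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    return collapsed


def verify_upstream(aspa_db, receiver_asn, as_path, neighbor_is_customer=True):
    """
    ASPA upstream verification for a route received from a customer or a lateral peer.
    as_path is the AS_PATH as received: neighbour first, origin last.
    Walking from the origin towards the receiver, every hop must go customer -> provider.
    For a customer-received route the receiver itself must be a provider of the neighbour;
    a lateral peer is not expected to list the receiver, so the chain stops at the neighbour.
    Returns "Valid", "Invalid" or "Unknown".
    """
    chain = list(reversed(collapse_prepends(as_path)))   # origin ... neighbour
    if neighbor_is_customer:
        chain.append(receiver_asn)
    states = [hop_state(aspa_db, chain[i], chain[i + 1]) for i in range(len(chain) - 1)]
    if "not_provider+" in states:
        return "Invalid"                 # some AS forwarded the route to a non-provider
    if all(s == "provider+" for s in states):
        return "Valid"
    return "Unknown"                     # at least one AS on the path has no ASPA record


if __name__ == "__main__":
    receiver = 64496
    cases = [
        ("legitimate route from customer 64501's own customer", [64501, 64511], True),
        ("same route with prepending", [64501, 64501, 64511], True),
        ("route leak: 64501 re-announces a route learned from provider 64502", [64501, 64502, 64510], True),
        ("forged-origin hijack: 64509 pretends to be adjacent to 64500", [64509, 64500], True),
        ("customer route whose origin has no ASPA record", [64501, 65536], True),
        ("route from lateral peer 64503", [64503, 64502, 64510], False),
    ]
    for label, path, is_customer in cases:
        state = verify_upstream(ASPA_DB, receiver, path, is_customer)
        print(f"{state:<8} {label}: {path}")
```

The leak case fails on the hop from AS64502 to AS64501: AS64502 attests only AS64503 as a provider, so a path in which it hands the route to AS64501 cannot be a customer-to-provider hop. The forged-origin case fails for the same reason on the hop from AS64500 to AS64509, which ROV alone would have accepted because the origin AS is correct.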

The underlying reality is that internet routing security is a collective action problem. It requires the majority of significant networks to change their operational practices simultaneously to be fully effective. RPKI has made real progress in the last five years — the trajectory is positive — but at the current pace, a determined state actor or a misconfigured Tier-1 router can still redirect global internet traffic. The technical fix exists. The deployment gap is the problem.
