IPv4 Security in 2025: BGP Hijacks, Route Leaks, and RPKI
BGP security incidents continue to demonstrate why RPKI matters. This post covers actual incidents from 2024-2025, what they reveal about routing vulnerabilities, and what IPv4 holders should do.
Major BGP Incidents: 2024-2025
June 2025: Root Server Hijack
On June 20, 2025, routes for multiple DNS root server prefixes were hijacked. AS35168 (TNS-Plus, Kazakhstan) announced unauthorized routes that propagated through AS28910 (Uzbektelekom). Eight root servers were affected (a, b, c, f, g, h, j, m), with bogus routes remaining active for approximately 90 minutes.
This is believed to be the first documented BGP hijack of root server prefixes. DNS queries from the affected region were diverted to unauthorized servers during this period. RPKI Route Origin Validation could have prevented this, but AS28910 did not implement it at the time.
June 2024: Cloudflare DNS Hijack
On June 27, 2024, Cloudflare’s 1.1.1.1 DNS resolver was hijacked. Eletronet S.A. (AS267613) announced a more-specific route (1.1.1.1/32), causing traffic blackholing across 300 networks in 70 countries. Simultaneously, Nova Rede (AS262504) leaked the broader 1.1.1.0/24 prefix upstream.
The hijack lasted approximately 2 hours; the route leak persisted for over 8 hours.
October 2025: Multi-AS Route Leak
On October 29, 2025, a significant route leak originated from AS23470 (ReliableSite) and propagated through major Tier 1 providers including Cogent, Tata, NTT, GTT, and Lumen. The incident persisted for over 10 hours, affecting routing across North America, Latin America, Europe, and Asia.
September 2024: Uztelecom Route Leak
On September 26, 2024, Uztelecom (AS28910) leaked over 3,144 routes through Rostelecom (AS12389), misdirecting traffic from a dozen countries for approximately 40 minutes.
What These Incidents Reveal
The pattern is clear:
- RPKI adoption is uneven. Networks that don’t validate RPKI propagate hijacked and leaked routes. The root server hijack succeeded because AS28910 didn’t validate.
- More-specific routes win. The Cloudflare hijack used a /32 to override the legitimate /24. A ROA whose maxLength does not permit /32 announcements makes such a route RPKI-invalid, so networks that validate reject it.
- Tier 1 networks aren’t immune. Major providers propagated the October 2025 route leak for hours.
- Duration matters. These incidents lasted minutes to hours—long enough to intercept traffic, break services, and cause real harm.
RPKI: From Optional to Expected
RPKI adoption has crossed a threshold. Major networks validate RPKI; RIRs provide free tools for ROA creation. The incidents above show what happens when RPKI is missing.
If you buy IPv4, set up RPKI and ROA as part of the handover. Log in to your RIR portal, create a ROA for your prefix and ASN, and publish it. Our how to buy IPv4 guide walks through acquisition; RPKI is the next step for protecting your block.
What Holders and Buyers Should Do
Create a ROA for every block you hold. If you haven’t done it, do it now. BGP hijack risk drops when your block has a valid ROA and networks validate RPKI.
Set maxLength appropriately. If you announce a /24, don’t allow a maxLength of /32 in your ROA unless you actually announce those more-specifics. Validating networks then reject any more-specific announcement of your block as RPKI-invalid, regardless of who originates it.
Monitor your routes. Services like BGPStream, RIPE RIS, and commercial monitoring tools can alert you to unexpected announcements of your prefixes.
If buying, include RPKI in handover. The seller should update or remove their ROA; you should add yours promptly. Coordinate timing to avoid gaps.
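To make the maxLength advice and the validation behaviour concrete, here is an added example (not code from the original post) that implements Route Origin Validation as defined in RFC 6811 and replays the June 2024 announcements against a tight ROA and a loose one. It assumes AS13335 as the legitimate origin of 1.1.1.0/24; the ROA objects and the 203.0.113.0/24 test prefix are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum

class Rov(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"

@dataclass(frozen=True)
class Roa:
    prefix: str      # covered prefix, e.g. "1.1.1.0/24"
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorised origin AS

def validate(prefix: str, origin_asn: int, roas) -> Rov:
    """Route Origin Validation as in RFC 6811: only the announced prefix
    and the origin AS are examined, never the AS path."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version == route.version and route.subnet_of(net):
            covering.append(roa)
    if not covering:
        return Rov.NOT_FOUND            # no ROA covers this prefix
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return Rov.VALID            # right origin, not too specific
    return Rov.INVALID                  # covered, but wrong AS or too long

# Assumed legitimate origin for 1.1.1.0/24 (Cloudflare, AS13335); not stated on the page.
CLOUDFLARE_ASN = 13335
TIGHT_ROA = [Roa("1.1.1.0/24", 24, CLOUDFLARE_ASN)]  # what the post recommends
LOOSE_ROA = [Roa("1.1.1.0/24", 32, CLOUDFLARE_ASN)]  # maxLength opened up to /32

def scenarios() -> dict:
    """Replay the June 2024 announcements against the two ROA policies."""
    return {
        "legit /24 from origin": validate("1.1.1.0/24", CLOUDFLARE_ASN, TIGHT_ROA),
        "AS267613 /32, tight ROA": validate("1.1.1.1/32", 267613, TIGHT_ROA),
        "AS267613 /32, loose ROA": validate("1.1.1.1/32", 267613, LOOSE_ROA),
        "origin's own /32, tight ROA": validate("1.1.1.1/32", CLOUDFLARE_ASN, TIGHT_ROA),
        # AS262504's leak keeps the real origin AS, so ROV cannot tell it apart
        "AS262504 leak of /24": validate("1.1.1.0/24", CLOUDFLARE_ASN, TIGHT_ROA),
        "prefix with no ROA": validate("203.0.113.0/24", 64496, TIGHT_ROA),
    }
```

The replay shows the limits as well as the benefit: the hijacked /32 is invalid under either ROA because the origin AS is wrong, but the leaked /24 validates because ROV checks origin, not path, which is why route monitoring remains necessary alongside ROAs.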
Bottom Line
BGP security incidents in 2024-2025 are concrete reminders: hijacks affect real services including DNS root servers and major CDN infrastructure. RPKI and ROA are the defense. Holders and buyers who secure their blocks with valid ROAs reduce hijack risk and ensure their routes are accepted by validating networks.