🤖 AI Summary
This work exposes a critical weakness in machine-learning-based BGP hijack detection systems that rely on public BGP data (e.g., DFOH, BEAM): an adversary can evade detection, including detection of post-ROV forged-origin hijacks, by injecting a small number of crafted route announcements that reach globally distributed BGP monitors, thereby poisoning both the training data and the data used at inference time. Method: We systematically model adversarial route announcement injection, run large-scale BGP simulations, and evaluate the robustness of the ML detectors under data poisoning. Contribution/Results: We provide the first empirical demonstration that public BGP monitoring data can be poisoned, challenging the implicit assumption that it is trustworthy. Experiments show that a handful of crafted announcements, beyond the hijack itself, suffice to degrade or disable state-of-the-art detectors. Beyond revealing a fundamental fragility in anomaly detection that depends on open network telemetry, our findings motivate the design of BGP security mechanisms that are explicitly resilient to data poisoning.
📝 Abstract
The Border Gateway Protocol (BGP) remains a fragile pillar of Internet routing. BGP hijacks still occur daily. While full deployment of Route Origin Validation (ROV) is ongoing, attackers have already adapted, launching post-ROV attacks such as forged-origin hijacks. To detect these, recent approaches like DFOH [Holterbach et al., USENIX NSDI '24] and BEAM [Chen et al., USENIX Security '24] apply machine learning (ML) to analyze data from globally distributed BGP monitors, assuming anomalies will stand out against historical patterns. However, this assumption overlooks a key threat: BGP monitors themselves can be misled by adversaries injecting bogus routes. This paper shows that state-of-the-art hijack detection systems like DFOH and BEAM are vulnerable to data poisoning. Using large-scale BGP simulations, we show that attackers can evade detection with just a handful of crafted announcements beyond the actual hijack. These announcements are sufficient to corrupt the knowledge base used by ML-based defenses and distort the metrics they rely on. Our results highlight a worrying weakness of relying solely on public BGP data.
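The poisoning mechanism described in the abstract, as an added toy illustration that is not code from the paper, DFOH or BEAM: the detector below is a deliberately simple stand-in that flags an AS path when it contains an AS-AS adjacency never recorded in the routes collected from monitors (real systems use richer features but share the dependency on that collected history). All AS numbers, prefixes, the topology and the crafted poisoning paths are constructed for the example; the forged-origin hijack keeps the victim's ASN as origin so that ROV does not reject it, and the attacker's poisoning announcements carry the victim's ASN inside the AS_PATH of routes for the attacker's own prefix, which BGP itself does not verify.

```python
"""Toy model of data poisoning against a pattern-based BGP hijack detector.

Added illustration for this page, not code from DFOH, BEAM or the paper.
Assumptions (constructed, not from the original text): private AS numbers,
documentation prefixes, and a minimal detector that flags an AS path whose
adjacent AS pair never appeared in the routes collected from monitors.
"""
from collections import Counter


def links(as_path):
    """Undirected AS-AS adjacencies of an AS path: [1, 2, 3] -> {(1, 2), (2, 3)}."""
    return {tuple(sorted(pair)) for pair in zip(as_path, as_path[1:])}


class LinkNoveltyDetector:
    """Suspects a forged-origin hijack when the AS path contains a link that
    is absent from the knowledge base built from monitor-collected routes."""

    def __init__(self):
        self.seen = Counter()

    def train(self, routes):
        """Build the knowledge base from (prefix, as_path) pairs seen at monitors."""
        for _prefix, path in routes:
            self.seen.update(links(path))

    def novelty(self, as_path):
        """Fraction of the path's links never seen before (0.0 = all known)."""
        path_links = links(as_path)
        if not path_links:
            return 0.0
        unseen = sum(1 for link in path_links if self.seen[link] == 0)
        return unseen / len(path_links)

    def is_hijack(self, as_path, threshold=0.0):
        return self.novelty(as_path) > threshold


# Constructed topology (private ASNs) and documentation prefixes.
VICTIM, ATTACKER = 64500, 64666
PROVIDER_A, PROVIDER_B, MONITOR_AS = 64512, 64513, 64514

# Benign history: what monitors collect while only legitimate routes exist.
BENIGN_HISTORY = [
    ("203.0.113.0/24", [MONITOR_AS, PROVIDER_A, VICTIM]),
    ("203.0.113.0/24", [MONITOR_AS, PROVIDER_B, PROVIDER_A, VICTIM]),
    ("198.51.100.0/24", [MONITOR_AS, PROVIDER_B, ATTACKER]),
    ("198.51.100.0/24", [MONITOR_AS, PROVIDER_A, PROVIDER_B, ATTACKER]),
]

# Forged-origin hijack of the victim's prefix: the victim stays the origin
# (ROV-valid) and the attacker appears as its upstream. The ATTACKER-VICTIM
# adjacency does not exist in the real topology.
HIJACK_PATH = [MONITOR_AS, PROVIDER_B, ATTACKER, VICTIM]

# Poisoning: a handful of announcements for the attacker's OWN prefix whose
# AS_PATH is crafted to contain the fake ATTACKER-VICTIM adjacency, so that
# monitors record the link before the hijack. Transit ASes forward these
# because their own ASN is not in the path; only the victim would drop them.
POISON = [
    ("198.51.100.0/24", [MONITOR_AS, PROVIDER_B, ATTACKER, VICTIM, ATTACKER]),
    ("198.51.100.0/24", [MONITOR_AS, PROVIDER_A, PROVIDER_B, ATTACKER, VICTIM, ATTACKER]),
]


def run_scenario(poison=()):
    """Train on the benign history plus any poisoning routes, then score the
    hijack path. Returns (novelty_score, flagged)."""
    detector = LinkNoveltyDetector()
    detector.train(list(BENIGN_HISTORY) + list(poison))
    return detector.novelty(HIJACK_PATH), detector.is_hijack(HIJACK_PATH)


if __name__ == "__main__":
    print("clean knowledge base   :", run_scenario())        # (0.333..., True)
    print(f"{len(POISON)} poisoned announcements:", run_scenario(POISON))  # (0.0, False)
```

With a clean knowledge base the hijack path has exactly one unseen link, the fabricated ATTACKER-VICTIM adjacency, and is flagged; after two poisoning announcements that same link is "known" and the identical hijack scores as fully benign. The point generalises beyond this toy: any detector whose notion of normal is learned from monitor feeds inherits whatever the attacker chose to put into those feeds.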