As with other protocols, BGP is set out in a standard from the Internet Engineering Task Force (IEFT) called RFC 4271.
Those that provide access to the Internet have a reasonably complex relationship with each other. There are different "tiers" starting with operators of the largest networks as Tier 1 (eg Google, Microsoft, et al) down to Tier 3 providers who might well be those who ultimately provide access to you as a home user.
Some relationships are direct between peers but some interconnectivity is also provided by a global network of Internet Exchanges such as the London Internet Exchange (LINX).
How traffic is directed through the Internet can be thought of in two parts:
- The way in which data is routed within an Autonomous System (AS), which is a part of the network that is under the control of a single organisation. It uses protocols such as Open Shortest Path First (OSPF).
- The interconnections between the AS's. This is where BGP is used, and it advertises a network within an AS to it's peers. It doesn't say how data will be routed within the AS but it does says how it is connected to other networks, including those IP addresses it uses.
However, all of this information is shared between networks using a set of "routing tables" but these tables are updated and exchanged on the basis of trust between peers. All of the routers under the control of a particular ISP rely upon the data it receives from another ISP. And there's the rub.
If someone were able to corrupt these routing tables then they could spoof IP addresses ie they could have data intended for a particular address sent to them. Not a trivial a task. Not something for those lacking in technical ability. But, if someone were able to gain control of a router run by an ISP it could be done.
So, how easy is it to gain control of a router? Not surprisingly the ISPs have been making it more difficult over time, and they guard access, so it is not trivial. However, there are many ISPs (estimates are up to 40,000) running very many routers so it's not unknown for some to be left with default passwords, or even for back doors to emerge that allow remote access. Hence, whilst not easy the effect of it happening across swathes of the Internet are profound.
BGP spoofing is very difficult to defend against. There are ways to mitigate attacks but no universal defence exists (that I know of).
The outstanding question is how prevalent are such attacks? I'm not sure anyone really knows. It's certainly an area worthy of further research. It is a topic that has not been discussed as widely as other attacks, primarily because other forms of attacks are considered more damaging. However, I can't help thinking that BGP spoofing could be used as a means of delivering the more damaging attacks and as such it really needs to be understood better.