Network engineer with BGP experience here.
Yes. But usually the attack would have been for a larger address block.
Let's say "Good ISP" is assigned 18.104.22.168/16. You are a customer of "Good ISP" and your home router has the public IP address 22.214.171.124.
"EvilCo" wants you to look bad by downloading … inappropriate … content from 126.96.36.199. They have an unfiltered BGP routing protocol connection to the Internet and advertise 188.8.131.52/32.
This attack fails. While their BGP connection is not filtered (and we are talking about route advertisement filters, not packet filters), Internet ISPs generally do not accept IPv4 routes that are more specific than a /24.
EvilCo advertises 184.108.40.206/24 in BGP. It works. Both 220.127.116.11/24 and 18.104.22.168/16 exist in the core Internet routing table, and the more specific route wins!
- ISPs generally filter BGP connections to their customers and only accept certain routes, but there are many unfiltered BGP connections out there (I personally had access to one in a previous job … it was so old it was created before ISPs tightened their standard configurations).
- Good BGP operators use a "BGP monitoring service" that emails them when someone else advertises one of the blocks assigned to them (BGPmon).
- There are "route registration databases" (RADB, for example), and some ISPs try to filter their routes using these policy databases, but the databases are generally incomplete.
- Requiring a larger block (/24) for the attack makes it even more obvious, as it affects multiple people, and all BGP updates are reported by multiple organizations.
It is also possible for a rogue operator within "Good ISP" to take special care of your /32.
It is always possible to send traffic with a source IP of 22.214.171.124 without redirecting the block. However, this does not lead to a complete TCP handshake, so no download takes place.
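The scenario in this answer, as an added illustration that is not the poster's own code: a toy route table with the "/24 or shorter" advertisement filter the answer describes, longest-prefix-match lookup (so the /24 beats the /16), and a BGPmon-style check that flags any route inside your block announced by a different origin AS. Addresses and AS numbers are constructed (RFC 1918 space, documentation ASNs 64496/64497), not the ones in the post.

```python
import ipaddress

MAX_IPV4_PREFIX_LEN = 24  # common inbound policy: nothing more specific than a /24


def accept_route(prefix: str) -> bool:
    """Route-advertisement filter: reject IPv4 routes longer than /24 (a /32 is dropped)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 4 and net.prefixlen <= MAX_IPV4_PREFIX_LEN


class Rib:
    """Toy routing table: (network, origin AS) entries, selected by longest prefix match."""

    def __init__(self):
        self.routes = []

    def advertise(self, prefix: str, origin_as: int) -> bool:
        """Install the route only if it passes the inbound filter; report whether it did."""
        if not accept_route(prefix):
            return False
        self.routes.append((ipaddress.ip_network(prefix, strict=False), origin_as))
        return True

    def lookup(self, address: str):
        """Return the origin AS of the most specific covering route, or None."""
        ip = ipaddress.ip_address(address)
        matches = [(net, asn) for net, asn in self.routes if ip in net]
        if not matches:
            return None
        net, asn = max(matches, key=lambda r: r[0].prefixlen)
        return asn


def hijack_alerts(rib: Rib, owned_prefix: str, my_as: int):
    """Monitor-style check: every route inside my block whose origin AS is not mine."""
    owned = ipaddress.ip_network(owned_prefix)
    return [(str(net), asn) for net, asn in rib.routes
            if net.subnet_of(owned) and asn != my_as]


if __name__ == "__main__":
    rib = Rib()
    rib.advertise("10.1.0.0/16", 64496)        # Good ISP's block (constructed)
    print(rib.advertise("10.1.2.3/32", 64497))  # EvilCo's /32: filtered -> False
    print(rib.lookup("10.1.2.3"))               # still Good ISP -> 64496
    rib.advertise("10.1.2.0/24", 64497)         # EvilCo's /24: accepted
    print(rib.lookup("10.1.2.3"))               # more specific wins -> 64497
    print(hijack_alerts(rib, "10.1.0.0/16", 64496))
```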