Enforcing the First AS in BGP AS_PATHs
2 days ago
- #Route Hijacking
- #Network Protection
- #BGP Security
- Route hijacks exploit unused Autonomous System Numbers (ASNs) to forge AS_PATHs, misdirecting traffic and hiding identities.
- Spamhaus reports detail hijacks where fake AS_PATHs led to implausible relationships, such as an unused French AS appearing downstream from Mexican ISPs.
- Attackers bypass security by stripping AS_PATH information, pretending to be the origin of BGP prefixes to intercept traffic, which can't be prevented by ASPA alone.
- First AS checking (verifying that the leftmost AS in a received AS_PATH matches the peer's AS) is a simple yet effective defense against these hijacks, as outlined in RFC 4271 and RFC 7606.
- Cloudflare's stress test on Tier 1 networks revealed that half do not enforce First AS rules, making them vulnerable to hijacks, with vendor defaults varying in security.
- BGP implementations differ by vendor; some enforce First AS by default (e.g., Cisco, FRR) while others do not (e.g., Juniper, Arista), impacting network security.
- Internet Exchange (IX) route servers are a valid exception to First AS enforcement, but most networks should enable it on all other EBGP sessions to prevent attacks.
- Network operators are urged to enforce First AS on routers to protect against forged-origin hijacks, complementing RPKI and ASPA for a safer Internet.
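First AS checking as the summary describes it, written as an added Python example (not Cloudflare's code nor any vendor's implementation): the peer and path values are constructed, ASNs come from the RFC 5398 documentation range 64496-64511, and the `route_server` flag is an assumption standing in for a per-session configuration knob for IX route-server peers.

```python
from dataclasses import dataclass
from typing import List, Tuple

AS_SEQUENCE = "AS_SEQUENCE"
Segment = Tuple[str, List[int]]  # (segment type, list of ASNs)


@dataclass(frozen=True)
class Peer:
    asn: int
    route_server: bool = False  # assumed per-session flag for IX route-server peers


def first_as_check(peer: Peer, as_path: List[Segment]) -> Tuple[bool, str]:
    """Verify that the leftmost AS of an AS_PATH received over EBGP equals the
    peer's own ASN (RFC 4271, section 6.3). Returns (passed, reason)."""
    if peer.route_server:
        # IX route servers are transparent and do not prepend their own AS,
        # so the check does not apply on those sessions.
        return True, "route-server peer, first-AS check not applicable"
    if not as_path:
        return False, "empty AS_PATH on an EBGP session"
    seg_type, asns = as_path[0]
    if seg_type != AS_SEQUENCE or not asns:
        return False, "AS_PATH does not begin with a non-empty AS_SEQUENCE"
    if asns[0] != peer.asn:
        return False, f"first AS {asns[0]} does not match peer AS {peer.asn}"
    return True, "first AS matches peer"


def handle_update(peer: Peer, prefix: str, as_path: List[Segment]) -> dict:
    """Apply RFC 7606 treat-as-withdraw semantics when the First AS check fails."""
    passed, reason = first_as_check(peer, as_path)
    return {"prefix": prefix, "peer": peer.asn,
            "action": "accept" if passed else "treat-as-withdraw", "reason": reason}


# Constructed scenarios: a transit peer and an IX route-server peer.
TRANSIT = Peer(asn=64496)
ROUTE_SERVER = Peer(asn=64499, route_server=True)
SCENARIOS = [
    ("legit", TRANSIT, "192.0.2.0/24", [(AS_SEQUENCE, [64496, 64497])]),
    ("forged-origin", TRANSIT, "192.0.2.0/24", [(AS_SEQUENCE, [64497])]),  # peer AS missing
    ("stripped-path", TRANSIT, "192.0.2.0/24", []),
    ("via-ix-rs", ROUTE_SERVER, "192.0.2.0/24", [(AS_SEQUENCE, [64497])]),
]


def run_scenarios() -> dict:
    return {name: handle_update(p, pfx, path)["action"] for name, p, pfx, path in SCENARIOS}


if __name__ == "__main__":
    for name, action in run_scenarios().items():
        print(f"{name:14s} -> {action}")
```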