CONCEPT Cited by 1 source
Forged AS_PATH
A forged AS_PATH is a BGP AS_PATH attribute that has been intentionally manipulated to contain ASNs that do not reflect the actual forwarding path of the route. Unlike AS path prepending (where an operator legitimately adds copies of their own ASN), forging inserts or removes other parties' ASNs to deceive receivers.
Techniques
- Complete path fabrication — the attacker constructs an entirely fictional AS_PATH using unused or third-party ASNs, omitting their own ASN entirely. This conceals the attacker's identity and can make the route appear to originate from a legitimate AS.
- Path shortening — the attacker removes their own ASN (and possibly others) to make the route appear shorter, winning BGP best-path selection on AS_PATH length.
- Path lengthening of competitors — less common; adds hops to competing paths to steer traffic away from them.
Detection signals
- Implausible AS relationships: e.g. an unused French ASN buying transit from Mexican ISPs, then upstreaming to a global CDN—this violates expected valley-free topology.
- ASN inclusion without adjacency: Cloudflare confirmed their AS13335 appeared in forged paths with no actual peering relationship to the origin.
- Discrepancy between control plane and data plane: traceroute shows traffic never actually traverses the ASes listed in the forged path.
(Source: sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths)
Mitigations
- concepts/first-as-enforcement — catches forgeries at the immediate neighbor level
- ASPA — catches valley violations deeper in the path (but not when the forged path is structurally valid)
- ROV — catches only when the forged origin doesn't match a ROA
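The following sketch is an added example, not code from the cited source or from any router implementation. It shows why first-AS enforcement and ROV catch different forgeries. The ASNs and prefixes are documentation-range values, and the ROA table, the sample updates and the `via_route_server` exemption flag are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Update:
    peer_asn: int                   # ASN configured on the eBGP session
    prefix: str
    as_path: tuple                  # leftmost = neighbor side, rightmost = origin
    via_route_server: bool = False  # assumption: transparent route server session

# Constructed ROA table: (prefix, max length, authorized origin ASN)
ROAS = [("192.0.2.0/24", 24, 64500)]

def first_as_ok(u):
    """First-AS enforcement: leftmost ASN must be the neighbor that sent the route."""
    if u.via_route_server:          # route servers do not prepend their own ASN
        return True
    return bool(u.as_path) and u.as_path[0] == u.peer_asn

def rov_state(u):
    """Simplified route origin validation: valid, invalid or not-found."""
    net = ip_network(u.prefix)
    covering = [(m, a) for p, m, a in ROAS if net.subnet_of(ip_network(p))]
    if not covering:
        return "not-found"
    origin = u.as_path[-1] if u.as_path else None
    ok = any(a == origin and net.prefixlen <= m for m, a in covering)
    return "valid" if ok else "invalid"

def evaluate(u):
    return {"first_as": first_as_ok(u), "rov": rov_state(u)}

# Constructed updates; 64510 plays the forging neighbor.
LEGIT = Update(64501, "192.0.2.0/24", (64501, 64500))
FABRICATED = Update(64510, "192.0.2.0/24", (64502, 64500))    # own ASN omitted
WRONG_ORIGIN = Update(64510, "192.0.2.0/24", (64510, 64499))  # origin not in ROA
UNCOVERED = Update(64501, "198.51.100.0/24", (64501, 64496))

if __name__ == "__main__":
    for name, u in [("legit", LEGIT), ("fabricated", FABRICATED),
                    ("wrong-origin", WRONG_ORIGIN), ("uncovered", UNCOVERED)]:
        print(f"{name:13} {evaluate(u)}")
```

The fabricated update keeps a ROA-valid origin, so ROV accepts it and only the first-AS check rejects it. The wrong-origin update is the reverse case.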
Seen in
- sources/2026-06-03-cloudflare-enforcing-the-first-as-in-bgp-as-paths — primary treatment with real-world Spamhaus-reported examples