CLOUDFLARE 2026-06-03 Tier 1


Enforcing the First AS in BGP AS_PATHs

Summary

Cloudflare examines a wave of BGP route hijacks (flagged by Spamhaus) where attackers forged complete AS_PATHs—omitting their own ASN entirely—to impersonate legitimate origins and redirect traffic. The article demonstrates that even RPKI ROV and ASPA cannot fully prevent these attacks when the forged path is structurally valid. The mitigation is simple and already specified in RFC 4271 §6.3: enforce that the leftmost AS in the AS_PATH matches the configured peer AS. Cloudflare stress-tested all Tier 1 networks by intentionally violating First AS and found that half of Tier 1 networks do not enforce it, largely due to vendor defaults.

Key Takeaways

  1. Forged-origin hijacks bypass RPKI+ASPA: Attackers strip their own ASN from AS_PATHs entirely, leaving only the spoofed origin. ASPA cannot invalidate a path where there's no valley to detect—e.g. a two-hop path "64502 64506" may look valid. (Source: Examples 1 & 2 in post)

  2. First AS enforcement is the correct mitigation: RFC 4271 §6.3 specifies that eBGP speakers MAY verify the leftmost AS in AS_PATH equals the peer's configured ASN. If it doesn't match, the path is malformed. RFC 7606 updates error handling to use treat-as-withdraw (drop the route, keep the session alive). (Source: RFC 4271 §6.3, RFC 7606)

  3. Cloudflare's measurement methodology: They advertised prefixes to Tier 1 neighbors with a non-13335 Cloudflare-owned ASN (AS402542) prepended as First AS. Networks enforcing the rule silently dropped the route; networks not enforcing accepted and propagated it. (Source: Measurement section)

  4. Half of Tier 1 networks fail First AS enforcement: Of ~14 Tier 1 networks tested, 7 enforced (Cogent, Arelion, GTT, PCCW, Orange, Tata, AT&T) and 7 did not. The failing networks' identities were redacted in the post, but their existence was demonstrated via route views. (Source: Results table)

  5. Vendor defaults drive insecurity: Most Tier 1 networks failing the test run Juniper routers, which do NOT enforce First AS by default. Cisco IOS-XR, Nokia SR-OS, and FRRouting all enforce by default. The Juniper/OpenBGPD/BIRD implementations require explicit operator configuration. (Source: Vendor table)

  6. IX route servers are the only valid exception: Internet Exchange route servers are transparent (don't insert their ASN into AS_PATH), so First AS enforcement must be disabled on those specific sessions. In practice, networks have far more non-IX sessions than IX sessions. (Source: IX section)

  7. Continuous testing was unsafe: Some networks still implement pre-RFC 7606 behavior (resetting the entire BGP session on malformed AS_PATH instead of treat-as-withdraw), which would disrupt production traffic to Cloudflare. (Source: Measurement section)

  8. The ASPA draft explicitly calls out First AS enforcement as a prerequisite: ASPA verification cannot protect against attacks where the AS_PATH is too mangled for path semantics to apply—First AS enforcement is the necessary complement. (Source: draft-ietf-sidrops-aspa-verification-25 §5)
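The check described in takeaways 2, 6 and 7, as an added example that is not Cloudflare's or any vendor's code: the leftmost AS of a received AS_PATH is compared against the configured peer ASN, a mismatch is handled as treat-as-withdraw rather than a session reset, and the check is switched off only for transparent IX route-server sessions. AS64502 and AS64506 and the prefix come from the post; AS64510 (hijacker) and AS64999 (route server) are constructed.

```python
"""First AS check on eBGP UPDATEs with RFC 7606 treat-as-withdraw (added
example; AS64502/AS64506 are from the post, AS64510 and AS64999 are
constructed; not Cloudflare's or any vendor's code)."""
from dataclasses import dataclass

@dataclass
class Session:
    peer_asn: int
    # Vendor default matters: Junos ships with this off, IOS-XR with it on.
    # IX route servers do not insert their ASN into AS_PATH, so the check
    # must be disabled on exactly those sessions and no others.
    enforce_first_as: bool = True

def first_as_ok(session: Session, as_path: list[int]) -> bool:
    """RFC 4271 s6.3: leftmost AS must equal the configured peer ASN."""
    if not session.enforce_first_as:
        return True
    return bool(as_path) and as_path[0] == session.peer_asn

def process_update(session: Session, prefix: str, as_path: list[int], rib: dict) -> str:
    """Mismatch is treated as a withdraw (RFC 7606): any route for this
    prefix learned from the peer is removed and the session stays up,
    rather than sending a NOTIFICATION that tears down the session."""
    key = (prefix, session.peer_asn)
    if not first_as_ok(session, as_path):
        rib.pop(key, None)
        return "treat-as-withdraw"
    rib[key] = list(as_path)
    return "accepted"

def run_scenario() -> dict:
    """The post's two-hop path, offered over four different sessions."""
    prefix, path = "162.159.82.0/24", [64502, 64506]  # sender's own ASN absent
    rib: dict = {}
    return {
        # Hijacker peers as AS64510 but the path starts at AS64502: dropped.
        "hijacker_enforced": process_update(Session(64510), prefix, path, rib),
        # Same path where enforcement is off (the Junos default): accepted.
        "hijacker_unenforced": process_update(Session(64510, False), prefix, path, rib),
        # Legitimate neighbour AS64502 announcing AS64506's prefix: matches.
        "legit_neighbour": process_update(Session(64502), prefix, path, rib),
        # Transparent IX route server AS64999: check disabled by design.
        "ix_route_server": process_update(Session(64999, False), prefix, path, rib),
        "rib_entries": len(rib),
    }

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```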

Architecture & Operational Numbers

  • Attack pattern: Hijacker → forge AS_PATH (strip own ASN) → advertise to upstream that skips First AS check → forged path propagates globally
  • Test prefixes: 162.159.82.0/24 (IPv4), plus an IPv6 prefix (unspecified)
  • Probe ASN: AS402542 (Cloudflare-owned, non-primary)
  • Normal propagation baseline: 1.1.1.0/24 directly reachable from all Tier 1 adjacencies
  • Forged probe propagation: dramatically fewer Tier 1 networks accepted it—proving enforcement is partial

Vendor Default Enforcement Status

Vendor/Implementation   Enforces by default?
Cisco IOS-XR            Yes
Nokia SR-OS             Yes
FRRouting               Yes
Juniper Junos           No
OpenBGPD                No
BIRD                    No

Caveats

  • The names of Tier 1 networks failing the test are redacted in the IPv4 results (some visible in the topology diagram).
  • Testing was limited to Tier 1 networks only; non-Tier 1 enforcement is likely worse.
  • Continuous monitoring was abandoned due to session-reset risk from non-RFC 7606-compliant peers.
  • The article focuses on eBGP; iBGP sessions and confederations aren't discussed.
