isbgpsafeyet.com
2606:4700:4400::ac40:956b
Public Scan
Submitted URL: http://isbgpsafeyet.com/
Effective URL: https://isbgpsafeyet.com/
Submission: On September 22 via api from SG — Scanned from DE
Form analysis
0 forms found in the DOM
Text Content
IS BGP SAFE YET? NO.

Border Gateway Protocol (BGP) is the postal service of the Internet. It’s responsible for looking at all of the available paths that data could travel and picking the best route. Unfortunately, it isn’t secure, and there have been some major Internet disruptions as a result. But fortunately there is a way to make it secure. ISPs and other major Internet players (Sprint, Verizon, and others) would need to implement a certification system, called RPKI.

LATEST UPDATES

* June 27, 2022 - Orange International Carrier (AS5511) has fully deployed RPKI Origin Validation on their global worldwide network. (source)
* March 15, 2022 - KPN (AS1136), the largest Internet provider in the Netherlands, now rejects RPKI-invalid BGP routes on its EBGP edge. (source)
* June 3, 2021 - NOS Communicações (AS2860), a leading Internet Service Provider in Portugal, has signed its prefixes and is dropping invalids.
* May 20, 2021 - Comcast (AS7922), one of the largest Internet Service Providers in the US, has signed its prefixes and is now dropping invalids over all BGP sessions. (source)
* March 26, 2021 - Lumen (AS3356), the largest worldwide transit backbone, is now dropping invalids over all BGP sessions. (source)
* March 15, 2021 - Vocus (AS4826), a leading Australian ISP, has signed its prefixes with RPKI and is now dropping invalids. (source)
* March 1, 2021 - HEANet (AS1213), Ireland's National Research & Education Network, deploys the RPKI Infrastructure on its IP Network. (source)
* February 26, 2021 - TDC (AS3292), the main operator in Denmark, has implemented RPKI Origin Validation and is signing its prefixes. (source)
* February 1, 2021 - Sprint / T-Mobile (AS1239) now filters all RPKI Invalid routes from settlement-free peers. (source)
* January 14, 2021 - Amazon Web Services (AS16509) has signed their prefixes and deployed RPKI Origin Validation. (source)
* December 14, 2020 - Belnet (AS2611), NREN and first Belgian ISP to implement RPKI and drop invalid routes. (source)
* December 1, 2020 - RETN (AS9002) has deployed RPKI-based BGP route origin validation. (source)
* September 14, 2020 - HOPUS (AS44530) is now filtering all eBGP sessions using RPKI ROV. (source)
* September 2, 2020 - Netflix has deployed RPKI globally and is dropping invalid prefixes. (source)
* September 1, 2020 - Swisscom has been fully dropping RPKI invalids since the end of July. (source)
* August 26, 2020 - Google is currently deploying RPKI. The network operator signed more than 90% of its prefixes.
* August 7, 2020 - HKIX, an Internet Exchange in Hong Kong, deployed RPKI validation on all its member sessions and is now dropping RPKI invalids on their route servers. (source)
* July 24, 2020 - Telstra AS1221, Australia’s leading telecommunications and technology company, now filters RPKI invalids. (source)
* July 13, 2020 - Chilean Government Network (Red de Conectividad del Estado) at AS17147 successfully deployed RPKI filtering and drops invalid prefixes. (source)
* July 6, 2020 - GR-IX, the Greek Internet Exchange, is now dropping RPKI invalids on their route servers (source)
* June 16, 2020 - Hurricane Electric AS6939, a major transit provider, deployed RPKI filters (source)
* June 16, 2020 - AnacondaWeb AS265656, an ISP and hosting provider from Temuco (Chile), successfully deployed RPKI signing and filtering. (source)
* June 5, 2020 - Cogent AS174, the 3rd largest transit provider, now filters all RPKI invalids
* June 1, 2020 - Mobicom, the main transit provider in Mongolia, deployed RPKI (source)
* May 18, 2020 - Dhiraagu, a Maldivian ISP, deployed RPKI (source)
* May 10, 2020 - Terrahost, a Norwegian dedicated and cloud server provider, deployed RPKI (source)
* May 7, 2020 - LINX, an Internet Exchange based in the United Kingdom, drops RPKI invalids (source)
* May 7, 2020 - MIXP, an Internet Exchange based in Mauritius, signed and drops RPKI invalids (source)
* May 6, 2020 - Asergo, a Danish cloud provider, deployed RPKI (source)
* May 5, 2020 - GTT is now filtering all their sessions (source)
* May 5, 2020 - WorldStream, a cloud provider, is working on RPKI implementation (source)
* May 4, 2020 - Cablenet Cyprus deployed RPKI
* April 27, 2020 - Acorus/Volterra is deploying RPKI (source)
* April 24, 2020 - Kapsi, a Finnish ISP, deployed RPKI (source)
* April 24, 2020 - Cyta, a Cyprus ISP, deployed RPKI
* April 23, 2020 - Jaguar Networks deployed RPKI (source)
* April 22, 2020 - Scaleway, a cloud provider, deployed RPKI in March 2020 (source)
* April 20, 2020 - Gigabit ApS, a Danish ISP, deployed RPKI (source)
* April 20, 2020 - USI Fiber currently working on RPKI implementation (source)
* April 19, 2020 - Aussie Broadband plans to support RPKI “shortly” (source)

STATUS

Name | Type | Details | Status | ASN
Lumen | transit | signed + filtering | safe | 3356
Arelion (Formerly Telia) | transit | signed + filtering | safe | 1299
Cogent | transit | signed + filtering | safe | 174
NTT | transit | signed + filtering | safe | 2914
Hurricane Electric | transit | signed + filtering | safe | 6939
GTT | transit | signed + filtering | safe | 3257
TATA | transit | signed + filtering | safe | 6453
PCCW | transit | signed + filtering | safe | 3491
RETN | transit | partially signed + filtering | safe | 9002
Orange | transit | signed + filtering | safe | 5511
Comcast | ISP | signed + filtering | safe | 7922
T-Mobile | transit | filtering | safe | 1239
KPN | transit | signed + filtering | safe | 286
Vocus Communications | transit | signed + filtering | safe | 4826
Core-Backbone | transit | signed + filtering | safe | 33891
Swisscom | ISP | signed + filtering | safe | 3303
Cox Communications | ISP | signed + filtering | safe | 22773
G8 | transit | signed + filtering | safe | 28329
Telstra | transit | signed + filtering | safe | 1221
GEANT | ISP | signed + filtering | safe | 20965
Softdados Telecom | transit | signed + filtering | safe | 52873
Next Layer GmbH | transit | signed + filtering | safe | 1764
TELUS Communications | ISP | signed + filtering | safe | 852
OpenX | transit | signed + filtering | safe | 263444
Vocus Retail | ISP | signed + filtering | safe | 9443
Jaguar Network | ISP | signed + filtering | safe | 30781
HiNet | ISP | signed + filtering | safe | 3462
ITS Telecom | transit | signed + filtering | safe | 28186
Acorus Networks | ISP | signed + filtering | safe | 35280
Virgin Media UK | ISP | signed + filtering | safe | 5089
TDC | ISP | signed + filtering | safe | 3292
Ensite Telecom | transit | signed + filtering | safe | 28263
Telenor | ISP | signed + filtering | safe | 2119
ANEXIA Internetdienstleistungs GmbH | transit | signed + filtering | safe | 47147
Biznet Networks | ISP | signed + filtering | safe | 17451
RCN | ISP | signed + filtering | safe | 6079
Devoli | ISP | signed + filtering | safe | 45177
NTS Workspace AG | ISP | signed + filtering | safe | 15576
MNET | ISP | signed + filtering | safe | 8767
Spectrum | ISP | | safe | 11351
Inferno Communications | transit | signed + filtering | safe | 207841
Brisanet | ISP | signed + filtering | safe | 28126
Hydra Communications | cloud | signed + filtering | safe | 25369
KPN-Netco | ISP | signed + filtering | safe | 1136
Spectrum | ISP | | safe | 12271
HOPUS | transit | signed + filtering | safe | 44530
Persis Telecom | ISP | signed + filtering | safe | 14282
ViewQwest | ISP | signed + filtering | safe | 18106
QuadraNet | cloud | | safe | 8100
CYTA | ISP | signed + filtering | safe | 6866
Obenetwork | ISP | signed + filtering | safe | 3399
NOS COMUNICACOES | ISP | signed + filtering | safe | 2860
Altibox | ISP | signed + filtering | safe | 29695
Bredband2 | ISP | signed + filtering | safe | 29518
UltraWave Telecom | ISP | signed + filtering | safe | 262659
noris network AG | ISP | signed + filtering | safe | 12337
UKServers | cloud | signed + filtering | safe | 42831
Cablenet Cyprus | ISP | signed + filtering | safe | 35432
Claranet | ISP | | safe | 8426
Mobicom | transit | filtering | safe | 55805
Terrahost | cloud | signed + filtering | safe | 56655
Belwue | ISP | signed + filtering | safe | 553
SpaceNet | ISP | signed + filtering | safe | 5539
CESNET | ISP | signed + filtering | safe | 2852
Belnet | ISP | signed + filtering | safe | 2611
A2B Internet | ISP | signed + filtering | safe | 51088
Cloudflare | cloud | signed + filtering | safe | 13335
WOBCOM | ISP | signed + filtering | safe | 9136
HostDime.com Inc | cloud | | safe | 33182
xs4all | cloud | signed + filtering | safe | 3265
Netwerkvereniging ColoClue | ISP | signed + filtering | safe | 8283
Aussie Broadband | ISP | signed + filtering | safe | 4764
Dhiraagu | ISP | signed + filtering | safe | 7642
APIK Media | cloud | signed + filtering | safe | 58820
EdgeUno | cloud | signed + filtering | safe | 7195
EOLO | ISP | signed + filtering | safe | 35612
Amazon | cloud | signed + filtering | safe | 16509
Gis Telecom | ISP | signed + filtering | safe | 264130
Atria Convergence | ISP | signed + filtering | safe | 24309
HEAnet | ISP | signed + filtering | safe | 1213
Via Radio Dourados | transit | signed + filtering | safe | 61785
ACT Fibernet | ISP | signed + filtering | safe | 18209
Get (Telia Norway) | ISP | signed + filtering | safe | 41164
Netflix | cloud | signed + filtering | safe | 2906
EBOX | ISP | signed + filtering | safe | 1403
Aura Fiber | ISP | | safe | 204274
DELTA Fiber | ISP | signed + filtering | safe | 15435
komro GmbH | ISP | signed + filtering | safe | 29413
VoiceHost | ISP | signed + filtering | safe | 31472
Neptune Networks | cloud | signed + filtering | safe | 397143
Gigabit DK | ISP | signed + filtering | safe | 60876
Iver Norge AS | ISP | | safe | 49409
Clearfly Communications | ISP | signed + filtering | safe | 27400
Tech Futures | ISP | signed + filtering | safe | 394256
DK Hostmaster | cloud | signed + filtering | safe | 39839
Wikimedia Foundation | cloud | signed + filtering | safe | 14907
Stellar Technologies | cloud | signed + filtering | safe | 14525
Scaleway | cloud | signed + filtering | safe | 12876
Turksat | ISP | signed + filtering | safe | 47524
Datapark | ISP | | safe | 21040
PROMAX | ISP | | safe | 31423
ASERGO | cloud | signed + filtering | safe | 30736
Inter Connects Inc | cloud | | safe | 46805
Redder | ISP | signed + filtering | safe | 33986
Freethought Internet Limited | cloud | signed + filtering | safe | 41000
Green Mini host | cloud | signed + filtering | safe | 205668
Kviknet DK | ISP | signed + filtering | safe | 204151
TL Group | cloud | | safe | 263812
Nutrien | ISP | signed + filtering | safe | 393891
Powerhosting | cloud | signed + filtering | safe | 60422
AnacondaWeb | ISP | signed + filtering | safe | 265656
WhiteHat | ISP | signed + filtering | safe | 51999
andrewnet | ISP | signed + filtering | safe | 211562
Chilean Government Network (Red de Conectividad del Estado) | ISP | signed + filtering | safe | 17147
Bristol Bay Telephone Coop | ISP | signed + filtering | safe | 397388
Telstra International | transit | signed | partially safe | 4637
AT&T | ISP | signed + filtering peers only | partially safe | 7018
Liberty Global | transit | signed + filtering peers only | partially safe | 6830
IIJ | transit | signed + filtering peers only | partially safe | 2497
Vivacom | ISP | signed | partially safe | 8866
Equinix Metal | cloud | signed + filtering peers | partially safe | 54825
Janet | ISP | partially signed + filtering | partially safe | 786
CDN77 | cloud | signed | partially safe | 60068
Ziggo | ISP | signed | partially safe | 33915
Digital Energy Technologies Limited (Global) | cloud | signed + filtering peers | partially safe | 61317
ColoCrossing | cloud | filtering | partially safe | 36352
Google | cloud | signed | partially safe | 15169
Worldstream | ISP | signed | partially safe | 49981
Microsoft | cloud | signed | partially safe | 8075
Triolan | ISP | filtering | partially safe | 13188
LeapSwitch Networks | cloud | filtering | partially safe | 132335
DigitalOcean | cloud | filtering peers only | partially safe | 14061
GTHost | cloud | filtering | partially safe | 63023
EE | ISP | filtering | partially safe | 12576
Plusnet | ISP | filtering | partially safe | 6871
volumedrive | cloud | filtering | partially safe | 46664
MadeIT | cloud | filtering | partially safe | 54455
Pacswitch | ISP | filtering | partially safe | 55536
Sparkle | transit | started | unsafe | 6762
Zayo | transit | | unsafe | 6461
Vodafone | transit | | unsafe | 1273
Telefonica/Telxius | transit | | unsafe | 12956
PJSC RosTelecom | transit | | unsafe | 12389
TransTelecom | transit | | unsafe | 20485
Verizon | ISP | | unsafe | 701
SingTel | transit | | unsafe | 7473
Deutsche Telekom | ISP | started | unsafe | 3320
Algar Telecom | transit | | unsafe | 16735
Globenet | transit | | unsafe | 52320
Telefonica Vivo | transit | | unsafe | 10429
Internexa | transit | | unsafe | 262589
Angola Cables | transit | | unsafe | 37468
China Telecom | transit | | unsafe | 4809
Oi | ISP | | unsafe | 7738
Vivo GVT | ISP | | unsafe | 18881
Embratel | transit | | unsafe | 4230
Telekom Hungary | ISP | signed | unsafe | 5483
Eletronet | transit | | unsafe | 267613
Windstream Communications | ISP | | unsafe | 7029
TIM Brasil | ISP | | unsafe | 26615
MOB Telecom | transit | | unsafe | 28598
Optus | transit | | unsafe | 7474
Seabras | transit | | unsafe | 13786
SK Broadband | ISP | | unsafe | 9318
TPG | ISP | | unsafe | 7545
Durand | transit | | unsafe | 22356
Bell Canada | ISP | | unsafe | 577
Optimum | ISP | | unsafe | 6128
RCS&RDS | ISP | | unsafe | 8708
Commcorp | transit | | unsafe | 14840
Superloop Australia | transit | | unsafe | 38195
TurkTelekom | ISP | | unsafe | 9121
Shaw Communications | ISP | | unsafe | 6327
M247 | cloud | | unsafe | 9009
A1 Telekom Austria | ISP | | unsafe | 8447
Wave Broadband | ISP | | unsafe | 11404
W I X NET DO BRASIL | cloud | | unsafe | 53013
Init7 (Schweiz) AG | ISP | started | unsafe | 13030
Telecom Argentina | ISP | | unsafe | 7303
Fastweb | ISP | | unsafe | 12874
American Tower Brasil | transit | | unsafe | 23106
Vogel | transit | | unsafe | 25933
TIM | ISP | | unsafe | 3269
AAPT Limited | ISP | | unsafe | 2764
TELY | transit | | unsafe | 53087
Rogers | ISP | started | unsafe | 812
British Telecommunications | ISP | | unsafe | 2856
Vodafone España | ISP | | unsafe | 12430
Sunrise Communications AG | ISP | | unsafe | 6730
SIA Tet | ISP | | unsafe | 12578
PLDT | ISP | | unsafe | 9299
VNPT | cloud | | unsafe | 45899
Forte Telecom | transit | | unsafe | 263009
Alta Rede | transit | | unsafe | 28260
Vodafone DE | ISP | | unsafe | 3209
Nianet A/S | ISP | signed | unsafe | 31027
Globe Telecom | ISP | | unsafe | 4775
HKBN | ISP | | unsafe | 9269
Claro Argentina | ISP | | unsafe | 11664
Copel Telecom | transit | | unsafe | 14868
Vocus Group NZ | ISP | | unsafe | 9790
ACONET | transit | started | unsafe | 1853
Wirelink | transit | | unsafe | 28368
SFR | ISP | | unsafe | 15557
TASCOM | transit | | unsafe | 52871
WOW! | ISP | | unsafe | 12083
Hutchison Drei Austria | ISP | | unsafe | 25255
K2 Telecom | transit | | unsafe | 53181
NFOrce | cloud | signed | unsafe | 43350
Psychz Networks | cloud | | unsafe | 40676
SuddenLink | ISP | | unsafe | 19108
Delta Telecom | cloud | | unsafe | 29049
Kyivstar | ISP | | unsafe | 15895
Cogeco | ISP | | unsafe | 7992
DNA Oyj | ISP | | unsafe | 16086
Silknet | ISP | signed | unsafe | 35805
NIB India | ISP | | unsafe | 9829
Elisa Finland | ISP | | unsafe | 719
Reliance Jio | ISP | signed | unsafe | 55836
Volia | cloud | | unsafe | 25229
Taiwan Fixed Network | ISP | signed | unsafe | 9924
Beltelecom | ISP | | unsafe | 6697
Hetzner Online | cloud | signed | unsafe | 24940
eww ag | transit | | unsafe | 21013
Videotron | ISP | | unsafe | 5769
ASAP Telecom | transit | | unsafe | 264144
G-Core Labs | cloud | | unsafe | 199524
Blix Solutions AS | cloud | | unsafe | 50304
Telenet | ISP | | unsafe | 6848
2degrees | ISP | | unsafe | 23655
NetCologne | ISP | | unsafe | 8422
Vodafone IT | ISP | | unsafe | 30722
Shentel | ISP | | unsafe | 4922
Proximus | ISP | | unsafe | 5432
FasterNET | ISP | | unsafe | 28580
MásMóvil | ISP | | unsafe | 15704
Turknet | ISP | | unsafe | 12735
iiNet Limited | ISP | | unsafe | 4739
Siminn | ISP | | unsafe | 6677
IBM Cloud | cloud | | unsafe | 36351
PenTeleData | ISP | signed | unsafe | 3737
Selectel Ltd | cloud | | unsafe | 49505
Total Server Solutions | cloud | | unsafe | 46562
Vodafone Idea | ISP | | unsafe | 55410
IP Converge Data Services Inc. | cloud | | unsafe | 23930
xneelo | cloud | | unsafe | 37153
HotNet Internet Services | ISP | | unsafe | 12849
Pakistan Telecom Company Limited | ISP | | unsafe | 45595
Radore Veri Merkezi Hizmetleri | cloud | | unsafe | 42926
SaskTel | ISP | signed | unsafe | 803
A1 Belarus | ISP | | unsafe | 42772
Maxihost | cloud | | unsafe | 262287
Selectel MSK | cloud | | unsafe | 50340
NetCom BW | ISP | | unsafe | 41998
Continent 8 LLC | cloud | | unsafe | 14537
Synapsecom Telecoms | cloud | | unsafe | 8280
A3 Sverige | ISP | | unsafe | 45011
Deutsche Glasfaser | ISP | | unsafe | 60294
Vodafone Portugal | ISP | | unsafe | 12353
TekSavvy | ISP | | unsafe | 5645
SkyCable | ISP | | unsafe | 23944
Cybernet Pakistan | ISP | | unsafe | 9541
CSL IDC | cloud | | unsafe | 9891
Telefonica Peru | ISP | | unsafe | 6147
MTS Belarus | ISP | | unsafe | 25106
TheGigabit | cloud | | unsafe | 55720
ST-BGP | cloud | | unsafe | 46844
MEO Portugal | ISP | | unsafe | 3243
UK-2 Limited | cloud | | unsafe | 13213
SKY Brasil | ISP | | unsafe | 11338
Ovnicom | cloud | | unsafe | 27796
Locaweb | cloud | | unsafe | 27715
ARTNET | cloud | | unsafe | 197155
K-NET | ISP | | unsafe | 24904
Free SAS | ISP | signed | unsafe | 12322
Bouygues Telecom | ISP | | unsafe | 5410
Oy Creanova Hosting Solutions Ltd | cloud | | unsafe | 51765
GSL Networks | cloud | | unsafe | 137409
Digi | ISP | | unsafe | 20845
O2 Broadband | ISP | | unsafe | 35228
Vodafone Hungary | ISP | | unsafe | 21334
Networx Bulgaria | ISP | | unsafe | 34569
FishNet | cloud | | unsafe | 43317
ArgonHost | cloud | | unsafe | 58477
OVH | cloud | | unsafe | 16276
ComHemAB | ISP | started | unsafe | 39651
Kingston Communications PLC | ISP | | unsafe | 12390
WestHost | cloud | | unsafe | 29854
Magenta (T-Mobile) Austria | ISP | | unsafe | 8412
ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA | cloud | | unsafe | 24768
Optus Microplex | ISP | | unsafe | 4804
Global IP Exchange | cloud | | unsafe | 47536
trabia network | cloud | signed | unsafe | 43289
Packetexchange | cloud | | unsafe | 58065
Alands Telekommunikation Ab | ISP | | unsafe | 3238
Amanah | cloud | | unsafe | 32489
UNMETERED | cloud | | unsafe | 54133
T-Mobile | ISP | | unsafe | 21928
Vodafone UK | ISP | | unsafe | 5378
Numericable | ISP | | unsafe | 21502
H4Y | cloud | signed | unsafe | 397373
MEO Portugal - Serviços de Comunicações e Multimédia | ISP | | unsafe | 42863
Intergrid | cloud | | unsafe | 133480
Mobilink | ISP | | unsafe | 45669
INTERSPACE-MK | cloud | | unsafe | 200899
Monkeybrains | ISP | | unsafe | 32329
BroadbandGibraltarLtd. | ISP | | unsafe | 34803
AltusHost | cloud | | unsafe | 51430
Stadtnetz Bamberg | ISP | | unsafe | 198570
Vodafone India | ISP | | unsafe | 38266
Afrihost | ISP | | unsafe | 37611
tzulo | cloud | | unsafe | 11878
Istanbuldc Veri Merkezi | cloud | | unsafe | 197328
Sprint Personal Communications Systems | transit | | unsafe | 10507
Kaisanet Oy | ISP | | unsafe | 13170
Phase Layer Global Networks | cloud | | unsafe | 51852
eSecureData | cloud | signed | unsafe | 11831
Axcelx | cloud | | unsafe | 33083
Siamdata Communication | cloud | | unsafe | 56309
ProveNET | ISP | | unsafe | 263945
Cloud9 | cloud | | unsafe | 57814
Claro Brasil | ISP | | unsafe | 28573
TurkCell | ISP | | unsafe | 16135
Free Mobile | ISP | signed | unsafe | 51207
Hi3G | ISP | signed | unsafe | 44034
T-Mobile Netherlands | ISP | | unsafe | 31615
Taiwan Mobile | ISP | signed | unsafe | 24158
Leaseweb USA-LAX-11 | cloud | | unsafe | 395954
TOPNET | ISP | | unsafe | 37705
B2 Net Solutions | cloud | | unsafe | 55286
Webpass | ISP | | unsafe | 19165
T-Mobile Thuis | ISP | signed | unsafe | 50266
Globe Telecom | ISP | | unsafe | 132199
Three UK | ISP | | unsafe | 206067
University of North Carolina at Chapel Hill | ISP | | unsafe | 36850
Leaseweb USA-SFO-12 | cloud | | unsafe | 7203
Smart Communications | ISP | | unsafe | 10139
Leaseweb USA-SEA-10 | cloud | | unsafe | 396190
Leaseweb USA-WDC-01 | cloud | | unsafe | 30633
Millenicom | ISP | | unsafe | 34296
Trustpower | ISP | started | unsafe | 55850
NetCup | cloud | | unsafe | 197540
NOS MADEIRA COMUNICACOES | ISP | | unsafe | 15457
Leaseweb USA-NYC-11 | cloud | | unsafe | 396362
Leaseweb USA-PHX-11 | cloud | | unsafe | 19148
A1 Hrvatska | ISP | | unsafe | 29485
Wave G | ISP | | unsafe | 54858
Leaseweb USA-DAL-10 | cloud | | unsafe | 394380
CBN Broadband | ISP | started | unsafe | 135478
Lanet Network | ISP | | unsafe | 47800
EHOSTIDC | cloud | | unsafe | 45382
Silknet | ISP | signed | unsafe | 15491
Coextro | ISP | | unsafe | 36445
NOS ACORES COMUNICACOES | ISP | signed | unsafe | 42580
Aktsiaselts WaveCom | cloud | | unsafe | 34702
ThorDC | cloud | | unsafe | 50613
Leaseweb USA-MIA-11 | cloud | | unsafe | 393886
KemiNet | cloud | | unsafe | 197706
Informacines sistemos ir technologijos UAB | cloud | | unsafe | 61272
Web World Ireland | cloud | | unsafe | 30900
Database By Design LLC | cloud | | unsafe | 17090
Serverfield | cloud | | unsafe | 134094
ELSERVER S.R.L | cloud | | unsafe | 52270
nobistech | cloud | | unsafe | 15003
ENAHOST s.r.o. | cloud | | unsafe | 201924
Silknet | ISP | signed | unsafe | 42082
Dynamic Hosting | cloud | | unsafe | 36077
Avative Fiber | ISP | | unsafe | 394752
Globalhost d.o.o. | cloud | | unsafe | 200698
FlokiNET | cloud | | unsafe | 200651
ByteDance | cloud | signed | unsafe | 396986
HQserv | cloud | | unsafe | 42994
Asimia Damaskou | cloud | | unsafe | 205053
iServer-AS | cloud | | unsafe | 57127
NUT HOST SRL | cloud | | unsafe | 264649
SIA Bighost.lv | cloud | | unsafe | 200709
Estoxy | cloud | | unsafe | 208673
NETSTYLE A. LTD | cloud | | unsafe | 43945
Galaxy Broadband | ISP | started | unsafe | 139879

Last updated April 25, 2022

WHAT’S A BGP HIJACK?

To better understand why BGP’s lack of security is so problematic, let’s look at a simplified model of how BGP is used to route Internet packets.

The Internet is not run by just one company. It’s made up of thousands of autonomous systems with nodes located all around the world, connected to each other in a massive graph.

In essence, the way BGP works is that each node must determine how to route packets using only what it knows from the nodes it connects with directly. For example, in the simple network A–B–C–D–E, the node A only knows how to reach E based on information it received from B. The node B knows about the network from A and C. And so forth.

A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes know about, and attempt to use, these incorrect, nonexistent, or malicious routes.

Click “Hijack the request” to visualize how packets are re-routed:

[Interactive diagram: UNSAFE BGP: NORMAL REQUEST. Nodes: Laptop, ISP, Hijacker, Transit, Malicious website, Cloud, Web resource.]

In order to make BGP safe, we need some way of preventing the spread of this misinformation.
Since the Internet is so open and distributed, we can’t prevent malicious nodes from attempting to deceive other nodes in the first place. So instead we need to give nodes the ability to validate the information they receive, so they can reject these undesired routes on their own.

Enter Resource Public Key Infrastructure (RPKI), a security framework that associates a route with an autonomous system. It gets a little technical, but the basic idea is that RPKI uses cryptography to provide nodes with a way of doing this validation.

With RPKI enabled, let’s see what happens to packets after an attempted BGP hijack. Click “Attempt to hijack” to visualize how RPKI allows the network to protect itself by invalidating the malicious routes:

[Interactive diagram: SAFE BGP WITH RPKI. Nodes: Laptop, ISP, Hijacker, Transit, Malicious website, Cloud, Web resource.]

FAQ

What is BGP?

Border Gateway Protocol (BGP) is the postal service of the Internet. When someone drops a letter into a mailbox, the postal service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient. Similarly, when someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems.

Why is BGP unsafe?

By default, BGP does not embed any security protocols. It is up to every autonomous system to implement filtering of “wrong routes”. Leaking routes can break parts of the Internet by making them unreachable. It is commonly the result of misconfigurations. However, it is not always accidental. A practice called BGP hijack consists of redirecting traffic to another autonomous system to steal information (via phishing, or passive listening for instance).

BGP can be made safe if all autonomous systems (AS) only announce legitimate routes. A route is defined as legitimate when the owner of the resource allows its announcement.
Filters need to be built in order to make sure only legitimate routes are accepted. There are a few approaches for BGP route validation which vary in degrees of trustability and efficiency. A mature implementation is RPKI.

What is RPKI?

With 800k+ routes on the Internet, it is impossible to check them manually. Resource Public Key Infrastructure (RPKI) is a security framework that associates a route with an autonomous system. It uses cryptography to validate the information before it is passed on to the routers. You can read more about RPKI on the Cloudflare blog. On May 14th, Job Snijders from NTT will present a free RPKI 101 webinar.

How does the test work?

In order to test if your ISP is implementing BGP safely, we announce a legitimate route but we make sure the announcement is invalid. If you can load the website we host on that route, that means the invalid route was accepted by your ISP. A leaked or a hijacked route would likely be accepted too.

Can even more be done?

Over the years, network operators and developers started working groups to design and deploy standards to overcome unsafe routing protocols. Cloudflare recently joined a global initiative called Mutually Agreed Norms for Routing Security (MANRS). It’s a community of security-minded organizations committed to making routing infrastructure more robust and secure, and members agree to implement filtering mechanisms. New voices are always appreciated.

What can you do?

Share this page. For BGP to be safe, all of the major ISPs will need to embrace RPKI. Sharing this page will increase awareness of the problem, which can ultimately pressure ISPs into implementing RPKI for the good of themselves and the general public. You can also reach out to your service provider or hosting company directly and ask them to deploy RPKI and join MANRS. When the Internet is safe, everybody wins.
© 2021 Cloudflare, Inc.