AS hijacking (Philosophy, rants, GeoMind)


As our canned email stated, AS2 (and many low-digit ASes) get hijacked and
often go on to hijack someone's prefix. AS2 (proper) is rarely changed, and
the chances of an actual prefix hijack from it are extremely low.

So, as I've asked our peers, I'll ask here: what is expected of us to be good
"Net Citizens" with these hijacks?

Thoughts on AS hijack prevention:
With RPKI-based route origin validation (ROV), it turns out that the incremental solution for prefix hijacking is also an incremental solution for AS hijacking. For example -- assuming Invalid routes will be dropped -- if 70% of the announced prefixes are protected by ROAs, then those 70% of prefixes cannot be hijacked with a hijacked AS. (Note: An exception to this is that a deliberate hijacker can still perform what is called a forged-origin hijack [1], i.e., the attacker matches the hijacked prefix with a hijacked AS such that they both belong to the same ROA.) So, the community should keep pushing ahead with ROA and RPKI-based ROV deployments to achieve 100% ROA coverage for announced prefixes and also 100% dropping of Invalids.

The above can also be said about “trusted” IRR-based (or IRR+RPKI-based) ROV [1]. However, priority should be given to speeding up RPKI/ROA deployment towards full adoption.

FYI... Worldwide ROA coverage is currently at 20% for globally routed prefixes.

Security guidance regarding route objects in IRR, ROAs in RPKI, and ROV deployment can be found here:
[1] “Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation,” NIST Special Publication, NIST SP 800-189, December 2019.

Also, look up:
[2] MANRS:

Thank you.
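To make the Valid/Invalid/NotFound reasoning in the reply above concrete, here is an added example (not code from this thread, nor from NIST or MANRS) that implements RFC 6811 route origin validation in Python over a constructed ROA set. The ROAs, the prefixes (RFC 5737 documentation blocks) and the ASNs (private range) are assumptions. It shows that a hijacked AS originating a ROA-covered prefix evaluates Invalid and is dropped, that a forged-origin hijack (legitimate origin appended to the AS_PATH) or a hijacked AS that is itself named in a ROA evaluates Valid and passes ROV, and that a prefix with no ROA is NotFound and accepted, which is why coverage matters.

```python
"""RFC 6811 route origin validation over constructed ROA and route data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload (VRP): prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Route:
    """A received BGP route: prefix plus AS_PATH (leftmost neighbour, rightmost origin)."""
    prefix: str
    as_path: Sequence[int]


# Constructed ROAs (assumption: not real registry data; ASNs from the private
# range, prefixes from the RFC 5737 documentation blocks).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),   # authorises /22 through /24 more-specifics
]


def covering_roas(roas: Sequence[ROA], prefix: str) -> List[ROA]:
    """ROAs that *cover* the prefix (RFC 6811): same address family and the
    route prefix is identical to, or more specific than, the ROA prefix.
    maxLength is deliberately ignored here; it only affects *matching*."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def rov_state(roas: Sequence[ROA], prefix: str, as_path: Sequence[int]) -> str:
    """NotFound if no ROA covers the prefix; Valid if some covering ROA also
    matches (prefix length <= maxLength and ROA ASN == origin AS); else Invalid."""
    covering = covering_roas(roas, prefix)
    if not covering:
        return NOT_FOUND
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]            # origin AS is the rightmost AS_PATH element
    for roa in covering:
        if net.prefixlen <= roa.max_length and roa.asn == origin:
            return VALID
    return INVALID


def apply_rov(roas: Sequence[ROA], routes: Sequence[Route],
              drop_invalid: bool = True) -> Tuple[list, list]:
    """Apply a drop-Invalid policy. Returns (accepted, dropped) as (route, state)
    pairs. NotFound is accepted, as it must be while ROA coverage is partial."""
    accepted, dropped = [], []
    for route in routes:
        state = rov_state(roas, route.prefix, route.as_path)
        if state == INVALID and drop_invalid:
            dropped.append((route, state))
        else:
            accepted.append((route, state))
    return accepted, dropped


# Constructed announcements seen from a hijacked AS 64511 (assumption, not real routes).
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", (64511,)),          # plain origin hijack of a ROA-covered prefix
    Route("192.0.2.0/24", (64511, 64500)),    # forged-origin hijack: real origin appended
    Route("198.51.100.0/24", (64501,)),       # attacker controls hijacked AS 64501, named in the ROA
    Route("198.51.100.0/25", (64501,)),       # covered, but exceeds maxLength 24
    Route("203.0.113.0/24", (64511,)),        # no ROA at all (the uncovered share of the table)
]

if __name__ == "__main__":
    accepted, dropped = apply_rov(ROAS, SAMPLE_ROUTES)
    for route, state in accepted:
        print(f"ACCEPT {route.prefix:<18} path={list(route.as_path)} -> {state}")
    for route, state in dropped:
        print(f"DROP   {route.prefix:<18} path={list(route.as_path)} -> {state}")
```

The two accepted hijacks are the point of the reply's caveat: ROV checks only the origin AS against the ROA, so a forged-origin announcement and a hijacked AS that is the authorised origin both look Valid. Catching those needs something beyond origin validation (path validation, or the IRR/RPKI-based peer filtering the reply cites), and the NotFound route shows why the coverage percentage is the other lever.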