Skip to content
Tech News
← Back to articles

Enforcing the First as in BGP AS_PATHs

2026-06-04 | original
read original more articles

10 min read

Some recent route hijacks reported by Spamhaus captured our attention. In many of these hijack attempts, an apparent bad actor took advantage of unused autonomous system numbers , or ASNs. Notably in these hijacks, the actor appears to be creating fake AS_PATHs toward destinations, misdirecting traffic down an unexpected path.

By creating forged AS_PATHs, the hijacker is attempting to lead traffic somewhere it isn’t normally meant to go while also trying to conceal their identity. A hijacker could strip enough information away from a network path that they could pretend to be the origin of a Border Gateway Protocol (BGP) prefix themselves. Attackers can use this hijacked route to intercept traffic and for other nefarious purposes.

There is a simple solution for these cases: basic verification that a BGP peer autonomous system (AS) always includes their network as the “First AS” in an advertised route. To get a sense of how well these safeguards are implemented, we stress-tested several major networks and researched their BGP implementations. Read on to see what we learned.

Examining route hijacks involving forged paths

The idea that an actor is creating fake AS_PATHs is supported when we take a closer look at implausible AS relationships in the path. For example, let’s examine one of the hijacks reported by Spamhaus, involving a prefix belonging to Orange S.A., the French telecom company. Using the monocle tool, we can easily find a BGP UPDATE message related to the hijack:

➜ ~ monocle search --start-ts 2026-04-13T00:20:00Z --end-ts 2026-04-13T00:23:59Z --prefix 90.98.0.0/15 --collector rrc26 --json { "aggr_asn": null, "aggr_ip": null, "as_path": "48237 1299 199524 270118 17072 41128", "atomic": false, "collector": "rrc26", "communities": null, "local_pref": 0, "med": 0, "next_hop": "185.1.8.3", "origin": "IGP", "peer_asn": 48237, "peer_ip": "185.1.8.3", "prefix": "90.98.0.0/15", "timestamp": 1776039612.0, "type": "ANNOUNCE" }

We know AS1299 ( Arelion ) is a Tier 1 network , meaning every AS on the right-hand side in the path is describing an upstream (customer-to-provider) relationship. This implies that AS17072 is a transit provider for AS41128, AS270118 for AS17072, and AS199524 for AS270118. If we take a closer look at these networks:

AS41128 is an unused ASN belonging to Orange France

AS17072 is an ISP primarily based in Mexico

... continue reading

Explore topics: enforce network networks path route
Related:
How's Linear so fast? A technical breakdown
C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
Mythos rejuvenated the cybersecurity sector. Earnings put the recent rally to the test
Meta's AI support agent bound recovery emails for anyone who asked. Your SOC never saw an alert.
Dark web Nemesis Market vendor gets 26 years for selling drugs

© 2026 GoKawiil

About | Editorial Policy | Contact