Prelude to a BGP hijack?

This is part of a series focusing on the presentations from the Netnod Meeting 2025. Each blogpost aims to summarise the key points from the presentation and provides link for readers who want to know more.

A BPG hijack attempt 

The presentation examined a BGP hijack attempt that Telia noticed with a breakdown of the events as they happened.

The first event was that an upstream IP-transit provider alerted Telia that their AS number was part of an AS-SET referenced in the RIPE DB. AS-SETs are often used by IP-transit providers to filter BGP-announcements from their customers.

In practice there are two methods to do IP transit filtering:

• ROA, Route Origin Validation, a method which only validates the originating ASN.
• RPSL filtering, which is based on AS-SET, route and aut-num objects. 

However, it is still possible to misuse RPSL meaning AS-SETs can be used fraudulently.  

How can we secure AS-SETS? ASPA!

The next generation of tools made to fight BGP hijacks include Autonomous System Provider Authorization (ASPA). ASPA is currently going through the IETF process so is not yet ready. It enables you to define  your allowed upstreams. 

The work on ASPA takes place in the SIDROPS working groups, and Lasse hopes that the working group last call will come soon so ASPA can be properly standardised. Vendors are slowly getting on board. 

What should operators do to prevent BGP hijack?

Instead of waiting for ASPA, operators can take action already by monitoring IRRs. There are automated tools which now can provide automated alerts for long reference chains. 

There are outstanding issues, such as a lack of well defined semantics for AS-SETs. 

In the long run, ASPA is the correct solution.

You can watch Lasse’s presentation from the Netnod Meeting 2025 here and see the slides here.