Generated by Codex with GPT-5

What happened

Cloudflare’s official blog published Enforcing the First AS in BGP AS_PATHs, a June 3, 2026 engineering post about a deceptively small BGP validation rule that blocks a class of forged-path route hijacks.

The post starts from recent hijack attempts in which an attacker appeared to use unused autonomous system numbers and forged AS_PATH values. In BGP, a route announcement carries an ordered list of autonomous systems that the route has traversed. That list influences path selection, supports loop prevention, and helps operators reason about where traffic will go. But BGP still inherits a trust model in which the path attribute can be manipulated unless neighbors enforce basic consistency checks.

The specific failure is simple: a peer can send a route whose leftmost AS in the AS_PATH does not match the peer AS that actually delivered the update. If the receiving network accepts that announcement, the sender can strip its own identity, pretend traffic should flow through a different path, and sometimes present a path that looks valid to other routing-security mechanisms. Cloudflare argues that this is not a theoretical edge case. It inspected public route data from reported hijacks and found paths whose business relationships and adjacencies were implausible, including cases where Cloudflare’s own ASN appeared in a path for a route it knew it did not carry.

The important engineering point is that this attack bypasses defenses that only validate the origin or higher-level path relationship. RPKI route origin validation can say that the final origin AS is authorized for the prefix, but it does not prove that the neighbor who sent the update was honest about the first hop. ASPA can help validate provider relationships, but if the malicious update omits enough path information, there may be no relationship violation left to detect. First AS enforcement fills that gap by checking the boundary where the route enters the receiving network.

The mechanism

First AS enforcement compares two values that every external BGP session already knows: the configured remote AS for the neighbor, and the leftmost AS in the route’s advertised AS_PATH. On a normal external BGP session, those should match. If the neighbor is AS64505, then routes learned directly from that neighbor should begin with AS64505. A mismatch indicates that the path has been malformed or manipulated before it reached the receiver.

That check is powerful because it is local. It does not require a global trust database, a new cryptographic object, or knowledge of every valid path on the Internet. The receiving router only has to reject routes whose first advertised hop is inconsistent with the peer that sent them. RFC 4271 describes this check, and later error-handling guidance allows the router to drop only the malformed route rather than resetting the entire BGP session.

Cloudflare uses two examples to show why this local check matters. In a forged-origin attack, an attacker can announce a route that appears to originate from the victim’s authorized AS, while stripping the attacker’s AS from the path. Origin validation can still pass because the origin looks correct. In a path-shortening attack, a provider can remove itself from the path to make its route look shorter and attract traffic that would otherwise follow another provider. In both cases, enforcing the first AS at the receiving edge prevents the bogus path from entering the broader routing system.

The only common exception is an Internet Exchange route server. A route server intentionally distributes routes between peers without placing its own AS at the front of the path, so operators need a way to disable First AS enforcement for those specific sessions. Cloudflare’s broader argument is that this exception should not drive the default behavior for ordinary external BGP peers. Most EBGP sessions are not transparent route-server sessions, so the safer default is enforcement with explicit exceptions, not permissive behavior everywhere.
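The following is an added illustration of the ingress check described above; it is not code from the Cloudflare post or from any router vendor. It models one EBGP neighbor's configured remote AS against the leftmost AS of each received AS_PATH, disables the check for a transparent route-server session, and contrasts treat-as-withdraw handling with the older session-reset behavior. All prefixes and ASNs are constructed from the documentation ranges (AS64496 to AS64511, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the function and field names are my own.

```python
# Added example (not from the Cloudflare post): a minimal model of First AS
# enforcement at an EBGP ingress, with the route-server exception and the
# two error-handling styles the text contrasts (treat-as-withdraw vs reset).
from dataclasses import dataclass

# All ASNs and prefixes below are constructed from documentation ranges.


@dataclass(frozen=True)
class Neighbor:
    remote_as: int                    # AS configured for this EBGP session
    route_server: bool = False        # transparent IXP route server: check off
    reset_on_malformed: bool = False  # legacy behaviour: tear the session down


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple                    # leftmost element is the most recent hop


def first_as_ok(neighbor, update):
    """Return (ok, reason); ok is True when the update passes the check."""
    if neighbor.route_server:
        return True, "route-server session: First AS enforcement disabled"
    if not update.as_path:
        return False, "empty AS_PATH on an external session"
    first = update.as_path[0]
    if first == neighbor.remote_as:
        return True, "first AS %d matches neighbor" % first
    return False, "first AS %d != neighbor AS %d" % (first, neighbor.remote_as)


def ingest(neighbor, updates):
    """Apply the check to a batch of updates from one neighbor.

    Returns (accepted, rejected, session_up). With treat-as-withdraw only the
    offending route is dropped; with reset_on_malformed the whole session goes
    down and every route learned from that neighbor is lost.
    """
    accepted, rejected = {}, {}
    for u in updates:
        ok, reason = first_as_ok(neighbor, u)
        if ok:
            accepted[u.prefix] = u.as_path
        else:
            rejected[u.prefix] = reason
            if neighbor.reset_on_malformed:
                return {}, rejected, False
    return accepted, rejected, True


VICTIM, TRANSIT, PEER, ATTACKER, RS = 64496, 64500, 64505, 64511, 64503


def scenarios():
    """Cases from the text, as {name: (accepted_prefixes, rejected_prefixes)}."""
    peer = Neighbor(PEER)
    attacker = Neighbor(ATTACKER)
    rs = Neighbor(RS, route_server=True)
    out = {}
    # Honest announcement: the peer prepended its own AS before sending.
    acc, rej, _ = ingest(peer, [Update("198.51.100.0/24", (PEER, TRANSIT, VICTIM))])
    out["honest"] = (acc, rej)
    # Forged origin: the sender omits itself and shows the victim as the only hop.
    # Origin validation alone would pass (the origin is the authorized AS).
    acc, rej, _ = ingest(attacker, [Update("198.51.100.0/24", (VICTIM,))])
    out["forged_origin"] = (acc, rej)
    # Path shortening: the peer strips itself to look one hop shorter.
    acc, rej, _ = ingest(peer, [Update("203.0.113.0/24", (TRANSIT, VICTIM))])
    out["path_shortening"] = (acc, rej)
    # Route server: the first AS is the real peer behind the RS, not the RS.
    acc, rej, _ = ingest(rs, [Update("203.0.113.0/24", (PEER, VICTIM))])
    out["route_server"] = (acc, rej)
    return out


def reset_cost():
    """A legacy router that resets the session on one malformed update also
    loses every good route from that neighbor. Returns (accepted, rejected, up)."""
    legacy = Neighbor(PEER, reset_on_malformed=True)
    good = Update("198.51.100.0/24", (PEER, VICTIM))
    bad = Update("192.0.2.0/24", (64499, PEER, VICTIM))  # wrong first AS
    accepted, rejected, up = ingest(legacy, [good, bad])
    return len(accepted), len(rejected), up


if __name__ == "__main__":
    for name, (acc, rej) in scenarios().items():
        print(name, "accepted:", sorted(acc), "rejected:", rej)
    print("legacy session after one bad update:", reset_cost())
```

The check itself is the comparison in `first_as_ok`; everything else exists to show the policy around it. Note that `reset_cost` is why the measurement described later had to be limited: against a neighbor that still resets on malformed input, one bad update withdraws the good routes as well.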

The measurement

Cloudflare did not stop at protocol reasoning. It intentionally announced test prefixes to Tier 1 external BGP neighbors with a Cloudflare-owned but incorrect ASN placed at the front of the AS_PATH, ahead of Cloudflare’s normal AS13335. Networks enforcing the rule should drop the malformed announcement. Networks not enforcing it should accept and propagate it, making the result visible in public route views.

The experiment had to be constrained because some routers still handle malformed AS_PATH updates by resetting the BGP session instead of treating only the route as withdrawn. A continuous public test would therefore risk disrupting real Cloudflare traffic. Instead, Cloudflare focused on Tier 1 networks, where the blast radius of accepting forged paths is especially large because those networks sit high in the global transit graph.

The result was uncomfortable: Cloudflare found that roughly half of the Tier 1 networks it tested accepted and installed the malformed prefixes. Several major networks dropped the invalid announcements, while others propagated them. The post also connects this behavior to implementation defaults. Some routing stacks enforce First AS by default; others do not. Cloudflare notes that many of the failing peers appeared to be running Juniper routers, where the default is not enforcement. The lesson is not that one vendor caused the problem alone. It is that default router behavior becomes Internet-scale security posture when operators deploy it broadly and rarely revisit old assumptions.

This is what makes the post more than a narrow BGP configuration tip. It shows how protocol optionality, vendor defaults, operational exceptions, and incomplete error handling combine into a live security gap. The validation rule is old and simple, but a simple rule that is not enforced at enough edges is not a system property. It is only a recommendation.

Why it matters

The route-hijack pattern in the post is attractive because it attacks the path rather than only the prefix origin. The Internet has made real progress on origin validation through RPKI, but origin validation does not guarantee that the path to that origin is truthful. As more operators deploy ASPA and related path-security mechanisms, attackers will look for places where malformed paths can keep enough plausible structure to pass the next layer of validation. First AS enforcement is a low-cost guardrail at exactly that boundary.

The broader engineering takeaway is that mature distributed systems often fail at the edges between local correctness and ecosystem correctness. Each network can say that BGP is behaving according to local policy, each vendor can justify a permissive default because route servers exist, and each operator can assume someone else will filter malformed announcements. The forged path still propagates because the system-wide invariant was never consistently enforced.

Cloudflare’s recommendation is operationally conservative: enforce First AS on external BGP sessions except those facing transparent route servers, and prefer route-specific withdrawal behavior for malformed updates so a bad route does not reset a whole session. That advice is modest, but the measurement gives it urgency. When half of the most connected networks in a test accept an obviously malformed first hop, attackers do not need exotic capabilities to exploit the gap.

The post is also a useful reminder that security work is often about making old controls universal enough to matter. New routing-security systems are important, but they cannot compensate for every missing local check. First AS enforcement is not a complete defense against BGP hijacking. It is a cheap, local, already-specified check that blocks a meaningful class of forged-path attacks before they spread. For operators, the actionable lesson is to audit defaults and exceptions now, not after a forged path makes their network part of the next incident.