Cloudflare Urges Network Operators to Enforce BGP First AS for Security
Cloudflare published research on BGP route hijacks caused by forged AS_PATHs, detailing how attackers exploit unused ASNs to misdirect traffic and conceal identity. They tested major BGP implementations for "First AS" enforcement, finding that many, including Junos OS, Nokia SR OS, and RouterOS, do not enforce this crucial safeguard by default. Cloudflare urges network operators to enforce First AS on their routers to enhance Internet routing security.
Key Takeaways
- Route hijacks reported by Spamhaus used forged AS_PATHs and unused ASNs to misdirect traffic and conceal attacker identity.
- BGP's 'First AS' rule requires that the first AS in the AS_PATH of a route received from a peer be that peer's own network, so a neighbor cannot present a route as if it came from somewhere else.
- Cloudflare's tests on major BGP implementations revealed Cisco IOS/XE/XR, Arista EOS, Huawei, OpenBGPD, and FRR enforce First AS by default.
- Junos OS, Nokia SR OS, Extreme SLX-OS, RouterOS, and BIRD do not enforce First AS by default, leaving them vulnerable.
- Enforcing 'First AS' on External BGP (EBGP) sessions, excluding IX route server neighbors, is a critical step for network operators.
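An added example, not code from Cloudflare's post, showing the First AS check from the takeaways above as a small Python validator run over constructed sample routes. The Peer and Route classes, the documentation ASNs and prefixes are assumptions made for the illustration; the route server exemption follows the last takeaway.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    asn: int
    ebgp: bool = True
    route_server: bool = False  # IX route servers do not prepend their own ASN

@dataclass
class Route:
    prefix: str
    as_path: list  # AS_PATH segments as (segment_type, [asn, ...])

def first_as(as_path):
    """Leftmost ASN of the path, or None if the head is not an AS_SEQUENCE."""
    if not as_path:
        return None
    seg_type, asns = as_path[0]
    if seg_type != "AS_SEQUENCE" or not asns:
        return None  # an AS_SET carries no ordering, so it cannot name the sender
    return asns[0]

def enforce_first_as(route, peer):
    """Apply the First AS rule to one route from one neighbor; returns (accepted, reason).
    Only EBGP sessions are checked, and IX route server neighbors are exempt."""
    if not peer.ebgp or peer.route_server:
        return True, "check not applied (IBGP or IX route server neighbor)"
    leftmost = first_as(route.as_path)
    if leftmost is None:
        return False, "AS_PATH does not start with an AS_SEQUENCE"
    if leftmost != peer.asn:
        return False, f"first AS {leftmost} is not the peer's AS {peer.asn}"
    return True, "first AS matches peer"

def accepted_prefixes(routes, peer):
    """Prefixes that survive the First AS check for this neighbor."""
    return [r.prefix for r in routes if enforce_first_as(r, peer)[0]]

# Constructed sample data using documentation ASNs (RFC 5398) and prefixes (RFC 5737).
PEER = Peer(asn=64500)                        # ordinary EBGP neighbor
RS_PEER = Peer(asn=64511, route_server=True)  # IX route server, exempt from the check
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", [("AS_SEQUENCE", [64500, 64496])]),     # honest: peer's AS is first
    Route("198.51.100.0/24", [("AS_SEQUENCE", [65551, 64497])]),  # forged: unused AS 65551 first
    Route("203.0.113.0/24", [("AS_SET", [64500, 64498])]),        # no ordering at the head
]
```

Running `accepted_prefixes(SAMPLE_ROUTES, PEER)` keeps only the honest route, while the same routes from `RS_PEER` all pass because the check is skipped for a route server neighbor.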
Why It Matters
The security of Internet routing directly affects content delivery and streaming reliability. Where a major BGP implementation does not enforce 'First AS' by default, a peer can send routes with a forged AS_PATH, and the resulting hijacks can misdirect traffic, disrupt service, or expose it to interception. Because threat actors are already exploiting these gaps, network operators should configure their routers to enable 'First AS' validation rather than rely on defaults. Wider adoption of this check is worth watching, since it is a prerequisite for a more resilient Internet and for protecting media distribution paths.
Read full article at blog.cloudflare.com
