Border Gateway Protocol (BGP) is the postal service of the Internet. It’s responsible for looking at all of the available paths that data could travel and picking the best route.
Unfortunately, it isn’t secure, and there have been some major Internet disruptions as a result. But fortunately there is a way to make it secure.
ISPs and other major Internet players (Sprint and others) would need to implement a certification system, called RPKI.
Displaying 31 major operators
Name | Type | Details | Status | ASN ? |
---|---|---|---|---|
Lumen | transit | signed + filtering | safe | 3356 |
Arelion (formerly Telia) | transit | signed + filtering | safe | 1299 |
Cogent | transit | signed + filtering | safe | 174 |
NTT | transit | signed + filtering | safe | 2914 |
Hurricane Electric | transit | signed + filtering | safe | 6939 |
GTT | transit | signed + filtering | safe | 3257 |
TATA | transit | signed + filtering | safe | 6453 |
Zayo | transit | signed + filtering | safe | 6461 |
PCCW | transit | signed + filtering | safe | 3491 |
RETN | transit | partially signed + filtering | safe | 9002 |
Orange | transit | signed + filtering | safe | 5511 |
Telefonica/Telxius | transit | signed + filtering | safe | 12956 |
Comcast | ISP | signed + filtering | safe | 7922 |
Verizon | ISP | signed + filtering | safe | 701 |
Liberty Global | transit | signed + filtering | safe | 6830 |
Deutsche Telekom | ISP | signed + filtering | safe | 3320 |
KPN | transit | signed + filtering | safe | 286 |
Vocus Communications | transit | signed + filtering | safe | 4826 |
Core-Backbone | transit | signed + filtering | safe | 33891 |
Swisscom | ISP | signed + filtering | safe | 3303 |
Cox Communications | ISP | signed + filtering | safe | 22773 |
G8 | transit | signed + filtering | safe | 28329 |
Telstra | transit | signed + filtering | safe | 1221 |
Inter.link | transit | signed + filtering | safe | 5405 |
Orange Polska | ISP | signed + filtering | safe | 5617 |
T-Mobile | transit | partially signed + filtering | safe | 1239 |
GEANT | ISP | signed + filtering | safe | 20965 |
Softdados Telecom | transit | signed + filtering | safe | 52873 |
Next Layer GmbH | transit | signed + filtering | safe | 1764 |
TELUS Communications | ISP | signed + filtering | safe | 852 |
OpenX | transit | signed + filtering | safe | 263444 |
Init7 (Schweiz) AG | ISP | signed + filtering | safe | 13030 |
Vocus Retail | ISP | signed + filtering | safe | 9443 |
Jaguar Network | ISP | signed + filtering | safe | 30781 |
HiNet | ISP | signed + filtering | safe | 3462 |
ITS Telecom | transit | signed + filtering | safe | 28186 |
Orange Polska | ISP | signed + filtering | safe | 29535 |
Acorus Networks | ISP | signed + filtering | safe | 35280 |
Virgin Media UK | ISP | signed + filtering | safe | 5089 |
TDC | ISP | signed + filtering | safe | 3292 |
Ensite Telecom | transit | signed + filtering | safe | 28263 |
Telenor | ISP | signed + filtering | safe | 2119 |
ANEXIA Internetdienstleistungs GmbH | transit | signed + filtering | safe | 47147 |
Biznet Networks | ISP | signed + filtering | safe | 17451 |
UPX TECNOLOGIA | transit | signed + filtering | safe | 52863 |
RCN | ISP | signed + filtering | safe | 6079 |
Devoli | ISP | signed + filtering | safe | 45177 |
NTS Workspace AG | ISP | signed + filtering | safe | 15576 |
MNET | ISP | signed + filtering | safe | 8767 |
Charter | ISP | signed + filtering | safe | 11351 |
Kyivstar | ISP | signed + filtering | safe | 15895 |
Inferno Communications | transit | signed + filtering | safe | 207841 |
DNA Oyj | ISP | signed + filtering | safe | 16086 |
Brisanet | ISP | signed + filtering | safe | 28126 |
Hydra Communications | cloud | signed + filtering | safe | 25369 |
Elisa Finland | ISP | signed + filtering | safe | 719 |
KPN-Netco | ISP | signed + filtering | safe | 1136 |
Charter | ISP | signed + filtering | safe | 12271 |
HOPUS | transit | signed + filtering | safe | 44530 |
Persis Telecom | ISP | signed + filtering | safe | 14282 |
ViewQwest | ISP | signed + filtering | safe | 18106 |
QuadraNet | cloud | safe | 8100 | |
CYTA | ISP | signed + filtering | safe | 6866 |
Trustpower | ISP | signed + filtering | safe | 55850 |
STARTNET | transit | signed + filtering | safe | 52999 |
Obenetwork | ISP | signed + filtering | safe | 3399 |
NOS COMUNICACOES | ISP | signed + filtering | safe | 2860 |
IONOS SE | Cloud | signed + filtering | safe | 8560 |
Altibox | ISP | signed + filtering | safe | 29695 |
Bredband2 | ISP | signed + filtering | safe | 29518 |
Ziggo | ISP | signed + filtering | safe | 33915 |
UltraWave Telecom | ISP | signed + filtering | safe | 262659 |
noris network AG | ISP | signed + filtering | safe | 12337 |
UKServers | cloud | signed + filtering | safe | 42831 |
August Internet | ISP | signed + filtering | safe | 50058 |
Cablenet Cyprus | ISP | signed + filtering | safe | 35432 |
Claranet | ISP | safe | 8426 | |
Mobicom | transit | filtering | safe | 55805 |
Terrahost | cloud | signed + filtering | safe | 56655 |
RKOM | ISP | signed + filtering | safe | 12611 |
Belwue | ISP | signed + filtering | safe | 553 |
SpaceNet | ISP | signed + filtering | safe | 5539 |
SysEleven | transit | signed + filtering | safe | 25291 |
CESNET | ISP | signed + filtering | safe | 2852 |
Belnet | ISP | signed + filtering | safe | 2611 |
A2B Internet | ISP | signed + filtering | safe | 51088 |
Cloudflare | cloud | signed + filtering | safe | 13335 |
WOBCOM | ISP | signed + filtering | safe | 9136 |
MilkyWan | ISP | signed + filtering | safe | 2027 |
HostDime.com Inc | cloud | safe | 33182 | |
xs4all | cloud | signed + filtering | safe | 3265 |
Netinternet | cloud | signed + filtering | safe | 51559 |
Netwerkvereniging ColoClue | ISP | signed + filtering | safe | 8283 |
TNG Stadtnetz GmbH | ISP | signed + filtering | safe | 13101 |
TelHi Corporation (Infal) | ISP | signed + filtering | safe | 150369 |
Aussie Broadband | ISP | signed + filtering | safe | 4764 |
Dhiraagu | ISP | signed + filtering | safe | 7642 |
Rozint Ltd Co | ISP | signed + filtering | safe | 21738 |
Microsoft | cloud | signed + filtering | safe | 8075 |
APIK Media | cloud | signed + filtering | safe | 58820 |
EdgeUno | cloud | signed + filtering | safe | 7195 |
Atria Convergence Technologies Ltd | ISP | signed + filtering | safe | 24309 |
EOLO | ISP | signed + filtering | safe | 35612 |
Amazon | cloud | signed + filtering | safe | 16509 |
Gis Telecom | ISP | signed + filtering | safe | 264130 |
HEAnet | ISP | signed + filtering | safe | 1213 |
Accuris Technologies | ISP | signed + filtering | safe | 52210 |
Via Radio Dourados | transit | signed + filtering | safe | 61785 |
ACT Fibernet | ISP | signed + filtering | safe | 18209 |
Get (Telia Norway) | ISP | signed + filtering | safe | 41164 |
Karabro AB | ISP | signed + filtering | safe | 51519 |
Netflix | cloud | signed + filtering | safe | 2906 |
C1V hosting | ISP | signed + filtering | safe | 212271 |
Afrihost | ISP | safe | 37611 | |
EBOX | ISP | signed + filtering | safe | 1403 |
Aura Fiber | ISP | safe | 204274 | |
komro GmbH | ISP | signed + filtering | safe | 29413 |
VoiceHost | ISP | signed + filtering | safe | 31472 |
Neptune Networks | cloud | signed + filtering | safe | 397143 |
Gigabit DK | ISP | signed + filtering | safe | 60876 |
Iver Norge AS | ISP | safe | 49409 | |
Clearfly Communications | ISP | signed + filtering | safe | 27400 |
Tech Futures | ISP | signed + filtering | safe | 394256 |
DK Hostmaster | cloud | signed + filtering | safe | 39839 |
Wikimedia Foundation | cloud | signed + filtering | safe | 14907 |
Wifx | ISP | signed + filtering | safe | 199811 |
Stellar Technologies | cloud | signed + filtering | safe | 14525 |
Hi3G | ISP | signed + filtering | safe | 44034 |
Scaleway | cloud | signed + filtering | safe | 12876 |
Turksat | ISP | signed + filtering | safe | 47524 |
Kerfuffle | Cloud | signed + filtering | safe | 35008 |
Datapark | ISP | safe | 21040 | |
PROMAX | ISP | safe | 31423 | |
ASERGO | cloud | signed + filtering | safe | 30736 |
Inter Connects Inc | cloud | safe | 46805 | |
Redder | ISP | signed + filtering | safe | 33986 |
Freethought Internet Limited | cloud | signed + filtering | safe | 41000 |
Green Mini host | cloud | signed + filtering | safe | 205668 |
Parknet | ISP | signed + filtering | safe | 197301 |
Kviknet DK | ISP | signed + filtering | safe | 204151 |
Copper Valley Long Distance | ISP | signed + filtering | safe | 20259 |
Dream Fusion - IT Services Lda | cloud | signed + filtering | safe | 39384 |
TL Group | cloud | safe | 263812 | |
Rose Telecom | ISP | signed + filtering | safe | 54681 |
Nutrien | ISP | signed + filtering | safe | 393891 |
Powerhosting | Cloud | signed + filtering | safe | 60422 |
AnacondaWeb | ISP | signed + filtering | safe | 265656 |
Cobaso | Cloud | safe | 399866 | |
WhiteHat | ISP | signed + filtering | safe | 51999 |
Raiola Networks | cloud | signed + filtering | safe | 56958 |
andrewnet | ISP | signed + filtering | safe | 211562 |
Bryan Barbolina trading as Cloudwebservices | cloud | signed + filtering | safe | 213268 |
Chilean Government Network (Red de Conectividad del Estado) | ISP | signed + filtering | safe | 17147 |
Zaledia Networks | ISP | signed + filtering | safe | 207149 |
Bristol Bay Telephone Coop | ISP | signed + filtering | safe | 397388 |
NNET | ISP | signed + filtering | safe | 142582 |
Ursin Filli | ISP | signed + filtering | safe | 202427 |
Hazelnet | ISP | signed + filtering | safe | 200242 |
Vodafone | transit | signed + filtering peers only | partially safe | 1273 |
Telstra International | transit | signed | partially safe | 4637 |
AT&T | ISP | signed + filtering peers only | partially safe | 7018 |
PJSC MegaFon | transit | signed | partially safe | 31133 |
IIJ | transit | signed + filtering peers only | partially safe | 2497 |
OCN | ISP | signed + filtering peers only | partially safe | 4713 |
Vivacom | ISP | signed | partially safe | 8866 |
Equinix Metal | Cloud | signed + filtering peers | partially safe | 54825 |
Janet | ISP | partially signed + filtering | partially safe | 786 |
CDN77 | cloud | signed | partially safe | 60068 |
DFN Deutsches Forschungsnetz | ISP | partially signed + filtering | partially safe | 680 |
Digital Energy Technologies Limited (Global) | cloud | signed + filtering peers | partially safe | 61317 |
ColoCrossing | cloud | filtering | partially safe | 36352 |
cloud | signed | partially safe | 15169 | |
Worldstream | ISP | signed | partially safe | 49981 |
Triolan | ISP | filtering | partially safe | 13188 |
LeapSwitch Networks | cloud | filtering | partially safe | 132335 |
DigitalOcean | cloud | filtering peers only | partially safe | 14061 |
GTHost | cloud | filtering | partially safe | 63023 |
Zayo France | transit | signed + filtering peers only | partially safe | 8218 |
EE | ISP | filtering | partially safe | 12576 |
Plusnet | ISP | filtering | partially safe | 6871 |
volumedrive | cloud | filtering | partially safe | 46664 |
MadeIT | cloud | filtering | partially safe | 54455 |
Pacswitch | ISP | filtering | partially safe | 55536 |
Sparkle | transit | started | unsafe | 6762 |
PJSC RosTelecom | transit | unsafe | 12389 | |
TransTelecom | transit | unsafe | 20485 | |
SingTel | transit | unsafe | 7473 | |
Algar Telecom | transit | unsafe | 16735 | |
Globenet | transit | unsafe | 52320 | |
Telefonica Vivo | transit | unsafe | 10429 | |
Internexa | transit | unsafe | 262589 | |
Angola Cables | transit | unsafe | 37468 | |
China Telecom | transit | unsafe | 4809 | |
Oi | ISP | unsafe | 7738 | |
KT (Fixed Line) | ISP | unsafe | 4766 | |
Vivo GVT | ISP | unsafe | 18881 | |
Embratel | transit | unsafe | 4230 | |
Telekom Hungary | ISP | signed | unsafe | 5483 |
Eletronet | transit | unsafe | 267613 | |
Windstream Communications | ISP | unsafe | 7029 | |
TIM Brasil | ISP | unsafe | 26615 | |
MOB Telecom | transit | unsafe | 28598 | |
Optus | transit | unsafe | 7474 | |
Seabras | transit | unsafe | 13786 | |
SK Broadband | ISP | unsafe | 9318 | |
TPG | ISP | unsafe | 7545 | |
Durand | transit | unsafe | 22356 | |
Bell Canada | ISP | unsafe | 577 | |
Optimum | ISP | unsafe | 6128 | |
RCS&RDS | ISP | unsafe | 8708 | |
Softbank | ISP | unsafe | 17676 | |
Telekom Malaysia Berhad | ISP | signed | unsafe | 4788 |
Commcorp | transit | unsafe | 14840 | |
Superloop Australia | transit | unsafe | 38195 | |
TurkTelekom | ISP | unsafe | 9121 | |
Shaw Communications | ISP | unsafe | 6327 | |
M247 | cloud | unsafe | 9009 | |
A1 Telekom Austria | ISP | unsafe | 8447 | |
Wave Broadband | ISP | unsafe | 11404 | |
W I X NET DO BRASIL | cloud | unsafe | 53013 | |
Telecom Argentina | ISP | unsafe | 7303 | |
Fastweb | ISP | unsafe | 12874 | |
American Tower Brasil | transit | unsafe | 23106 | |
Vogel | transit | unsafe | 25933 | |
TIM | ISP | unsafe | 3269 | |
AAPT Limited | ISP | unsafe | 2764 | |
TELY | transit | unsafe | 53087 | |
Rogers | ISP | started | unsafe | 812 |
British Telecommunications | ISP | unsafe | 2856 | |
Vodafone España | ISP | unsafe | 12430 | |
Sunrise Communications AG | ISP | unsafe | 6730 | |
SIA Tet | ISP | unsafe | 12578 | |
1&1 Versatel | ISP | partially signed | unsafe | 8881 |
PLDT | ISP | unsafe | 9299 | |
VNPT | cloud | unsafe | 45899 | |
Forte Telecom | transit | unsafe | 263009 | |
Alta Rede | transit | unsafe | 28260 | |
Vodafone DE | ISP | unsafe | 3209 | |
Nianet A/S | ISP | signed | unsafe | 31027 |
Globe Telecom | ISP | unsafe | 4775 | |
HKBN | ISP | unsafe | 9269 | |
Claro Argentina | ISP | unsafe | 11664 | |
Copel Telecom | transit | unsafe | 14868 | |
Vocus Group NZ | ISP | unsafe | 9790 | |
ACONET | transit | started | unsafe | 1853 |
Wirelink | transit | unsafe | 28368 | |
SFR | ISP | unsafe | 15557 | |
TASCOM | transit | unsafe | 52871 | |
WOW! | ISP | unsafe | 12083 | |
Hutchison Drei Austria | ISP | unsafe | 25255 | |
K2 Telecom | transit | unsafe | 53181 | |
NFOrce | cloud | signed | unsafe | 43350 |
Psychz Networks | cloud | unsafe | 40676 | |
SuddenLink | ISP | unsafe | 19108 | |
Delta Telecom | cloud | unsafe | 29049 | |
Cogeco | ISP | unsafe | 7992 | |
Silknet | ISP | signed | unsafe | 35805 |
NIB India | ISP | unsafe | 9829 | |
Reliance Jio | ISP | signed | unsafe | 55836 |
Volia | cloud | unsafe | 25229 | |
Taiwan Fixed Network | ISP | signed | unsafe | 9924 |
Beltelecom | ISP | unsafe | 6697 | |
Hetzner Online | cloud | signed | unsafe | 24940 |
eww ag | transit | unsafe | 21013 | |
Videotron | ISP | unsafe | 5769 | |
ASAP Telecom | transit | unsafe | 264144 | |
G-Core Labs | cloud | unsafe | 199524 | |
Blix Solutions AS | cloud | unsafe | 50304 | |
Telenet | ISP | unsafe | 6848 | |
2degrees | ISP | unsafe | 23655 | |
NetCologne | ISP | unsafe | 8422 | |
Vodafone IT | ISP | unsafe | 30722 | |
Shentel | ISP | unsafe | 4922 | |
Proximus | ISP | unsafe | 5432 | |
FasterNET | ISP | unsafe | 28580 | |
MásMóvil | ISP | unsafe | 15704 | |
Turknet | ISP | unsafe | 12735 | |
iiNet Limited | ISP | unsafe | 4739 | |
Siminn | ISP | unsafe | 6677 | |
IBM Cloud | cloud | unsafe | 36351 | |
PenTeleData | ISP | signed | unsafe | 3737 |
Selectel Ltd | cloud | unsafe | 49505 | |
Total Server Solutions | cloud | unsafe | 46562 | |
Vodafone Idea | ISP | unsafe | 55410 | |
IP Converge Data Services Inc. | cloud | unsafe | 23930 | |
xneelo | cloud | unsafe | 37153 | |
Nine Internet Solutions | cloud | signed | unsafe | 29691 |
HotNet Internet Services | ISP | unsafe | 12849 | |
Pakistan Telecom Company Limited | ISP | unsafe | 45595 | |
Radore Veri Merkezi Hizmetleri | cloud | unsafe | 42926 | |
SaskTel | ISP | signed | unsafe | 803 |
JCOM | ISP | unsafe | 9824 | |
A1 Belarus | ISP | unsafe | 42772 | |
Maxihost | cloud | unsafe | 262287 | |
Selectel MSK | cloud | unsafe | 50340 | |
NetCom BW | ISP | unsafe | 41998 | |
Continent 8 LLC | cloud | unsafe | 14537 | |
Synapsecom Telecoms | cloud | unsafe | 8280 | |
A3 Sverige | ISP | unsafe | 45011 | |
Deutsche Glasfaser | ISP | unsafe | 60294 | |
Vodafone Portugal | ISP | unsafe | 12353 | |
TekSavvy | ISP | unsafe | 5645 | |
SkyCable | ISP | unsafe | 23944 | |
Cybernet Pakistan | ISP | unsafe | 9541 | |
Sonic | ISP | signed | unsafe | 46375 |
CSL IDC | cloud | unsafe | 9891 | |
Telefonica Peru | ISP | unsafe | 6147 | |
MTS Belarus | ISP | unsafe | 25106 | |
TheGigabit | cloud | unsafe | 55720 | |
TOT-NET | ISP | unsafe | 23969 | |
ST-BGP | cloud | unsafe | 46844 | |
MEO Portugal | ISP | unsafe | 3243 | |
UK-2 Limited | cloud | unsafe | 13213 | |
SKY Brasil | ISP | unsafe | 11338 | |
Ovnicom | cloud | unsafe | 27796 | |
Locaweb | cloud | unsafe | 27715 | |
ARTNET | cloud | unsafe | 197155 | |
K-NET | ISP | unsafe | 24904 | |
Free SAS | ISP | signed | unsafe | 12322 |
Bouygues Telecom | ISP | unsafe | 5410 | |
Oy Creanova Hosting Solutions Ltd | cloud | unsafe | 51765 | |
GSL Networks | cloud | unsafe | 137409 | |
Sejong Telecom | ISP | unsafe | 4670 | |
Digi | ISP | unsafe | 20845 | |
O2 Broadband | ISP | unsafe | 35228 | |
Vodafone Hungary | ISP | unsafe | 21334 | |
Networx Bulgaria | ISP | unsafe | 34569 | |
FishNet | cloud | unsafe | 43317 | |
ArgonHost | cloud | unsafe | 58477 | |
OVH | cloud | unsafe | 16276 | |
ComHemAB | ISP | started | unsafe | 39651 |
WestHost | cloud | unsafe | 29854 | |
Magenta (T-Mobile) Austria | ISP | unsafe | 8412 | |
ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA | cloud | unsafe | 24768 | |
Optus Microplex | ISP | unsafe | 4804 | |
Global IP Exchange | cloud | unsafe | 47536 | |
trabia network | cloud | signed | unsafe | 43289 |
Packetexchange | cloud | unsafe | 58065 | |
Alands Telekommunikation Ab | ISP | unsafe | 3238 | |
Amanah | cloud | unsafe | 32489 | |
UNMETERED | cloud | unsafe | 54133 | |
T-Mobile | ISP | signed | unsafe | 21928 |
Vodafone UK | ISP | unsafe | 5378 | |
Numericable | ISP | unsafe | 21502 | |
H4Y | cloud | signed | unsafe | 397373 |
MEO Portugal - Serviços de Comunicações e Multimédia | ISP | unsafe | 42863 | |
Intergrid | cloud | unsafe | 133480 | |
Mobilink | ISP | unsafe | 45669 | |
INTERSPACE-MK | cloud | unsafe | 200899 | |
Monkeybrains | ISP | unsafe | 32329 | |
BroadbandGibraltarLtd. | ISP | unsafe | 34803 | |
AltusHost | cloud | unsafe | 51430 | |
Kingston Communications | ISP | signed | unsafe | 12390 |
Stadtnetz Bamberg | ISP | unsafe | 198570 | |
Rakuten Mobile | ISP | unsafe | 138384 | |
Vodafone India | ISP | unsafe | 38266 | |
tzulo | cloud | unsafe | 11878 | |
Istanbuldc Veri Merkezi | cloud | unsafe | 197328 | |
Sprint Personal Communications Systems | transit | unsafe | 10507 | |
Kaisanet Oy | ISP | unsafe | 13170 | |
DELTA Fiber | ISP | signed | unsafe | 15435 |
Phase Layer Global Networks | cloud | unsafe | 51852 | |
eSecureData | cloud | signed | unsafe | 11831 |
Axcelx | cloud | unsafe | 33083 | |
Starlink | ISP | signed | unsafe | 14593 |
rh-tec | cloud | signed | unsafe | 25560 |
InterNetX | cloud | signed | unsafe | 15456 |
Siamdata Communication | cloud | unsafe | 56309 | |
ProveNET | ISP | unsafe | 263945 | |
Demando | cloud | unsafe | 196819 | |
Cloud9 | cloud | unsafe | 57814 | |
Claro Brasil | ISP | unsafe | 28573 | |
TurkCell | ISP | unsafe | 16135 | |
Free Mobile | ISP | signed | unsafe | 51207 |
T-Mobile Netherlands | ISP | unsafe | 31615 | |
Taiwan Mobile | ISP | signed | unsafe | 24158 |
Leaseweb USA-LAX-11 | cloud | unsafe | 395954 | |
TOPNET | ISP | unsafe | 37705 | |
B2 Net Solutions | cloud | unsafe | 55286 | |
Webpass | ISP | unsafe | 19165 | |
T-Mobile Thuis | ISP | signed | unsafe | 50266 |
Globe Telecom | ISP | unsafe | 132199 | |
Three UK | ISP | unsafe | 206067 | |
University of North Carolina at Chapel Hill | ISP | unsafe | 36850 | |
Leaseweb USA-SFO-12 | cloud | unsafe | 7203 | |
Smart Communications | ISP | unsafe | 10139 | |
Leaseweb USA-SEA-10 | cloud | unsafe | 396190 | |
Leaseweb USA-WDC-01 | cloud | unsafe | 30633 | |
Millenicom | ISP | unsafe | 34296 | |
NetCup | cloud | unsafe | 197540 | |
True Online | ISP | unsafe | 17552 | |
LG U+ (Fixed Line) | ISP | unsafe | 17858 | |
SK Telecom | ISP | unsafe | 9644 | |
NTT Docomo | ISP | unsafe | 9605 | |
NOS MADEIRA COMUNICACOES | ISP | unsafe | 15457 | |
ASAHI Net | ISP | unsafe | 4685 | |
LG U+ (Mobile) | ISP | unsafe | 17853 | |
Datacamp Limited | signed | transit | unsafe | 212238 |
Leaseweb USA-NYC-11 | cloud | unsafe | 396362 | |
Leaseweb USA-PHX-11 | cloud | unsafe | 19148 | |
A1 Hrvatska | ISP | unsafe | 29485 | |
Wave G | ISP | unsafe | 54858 | |
Leaseweb USA-DAL-10 | cloud | unsafe | 394380 | |
CBN Broadband | ISP | started | unsafe | 135478 |
Lanet Network | ISP | unsafe | 47800 | |
EHOSTIDC | cloud | unsafe | 45382 | |
Silknet | ISP | signed | unsafe | 15491 |
Coextro | ISP | unsafe | 36445 | |
NOS ACORES COMUNICACOES | ISP | signed | unsafe | 42580 |
Aktsiaselts WaveCom | cloud | unsafe | 34702 | |
ThorDC | cloud | unsafe | 50613 | |
Leaseweb USA-MIA-11 | cloud | unsafe | 393886 | |
KemiNet | cloud | unsafe | 197706 | |
Informacines sistemos ir technologijos UAB | cloud | unsafe | 61272 | |
Web World Ireland | cloud | unsafe | 30900 | |
Database By Design LLC | cloud | unsafe | 17090 | |
Serverfield | cloud | unsafe | 134094 | |
ELSERVER S.R.L | cloud | unsafe | 52270 | |
nobistech | cloud | unsafe | 15003 | |
ENAHOST s.r.o. | cloud | unsafe | 201924 | |
Silknet | ISP | signed | unsafe | 42082 |
Dynamic Hosting | cloud | unsafe | 36077 | |
Avative Fiber | ISP | unsafe | 394752 | |
Globalhost d.o.o. | cloud | unsafe | 200698 | |
FlokiNET | cloud | unsafe | 200651 | |
ByteDance | cloud | signed | unsafe | 396986 |
HQserv | cloud | unsafe | 42994 | |
WARI.NET COMUNICACIONES S.R.L | ISP | unsafe | 265708 | |
Asimia Damaskou | cloud | unsafe | 205053 | |
iServer-AS | cloud | unsafe | 57127 | |
NUT HOST SRL | cloud | unsafe | 264649 | |
SIA Bighost.lv | cloud | unsafe | 200709 | |
Estoxy | cloud | unsafe | 208673 | |
NETSTYLE A. LTD | cloud | unsafe | 43945 | |
Galaxy Broadband | ISP | started | unsafe | 139879 |
Advanced Wireless Network Co. Ltd. | ISP | signed | unsafe | 133481 |
To better understand why BGP’s lack of security is so problematic, let’s look at a simplified model of how BGP is used to route Internet packets.
The Internet is not run by just one company. It’s made up of thousands of autonomous systems with nodes located all around the world, connected to each other in a massive graph.
In essence, the way BGP works is that each node must determine how to route packets using only what it knows from the nodes it connects with directly.
For example, in the simple network A–B–C–D–E, the node A only knows how to reach E based on information it received from B. The node B knows about the network from A and C. And so forth.
A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.
Click “Hijack the request” to visualize how packets are re-routed:
In order to make BGP safe, we need some way of preventing the spread of this misinformation. Since the Internet is so open and distributed, we can’t prevent malicious nodes from attempting to deceive other nodes in the first place. So instead we need to give nodes the ability to validate the information they receive, so they can reject these undesired routes on their own.
Enter Resource Public Key Infrastructure (RPKI), a security framework method that associates a route with an autonomous system. It gets a little technical, but the basic idea is that RPKI uses cryptography to provide nodes with a way of doing this validation.
With RPKI enabled, let’s see what happens to packets after an attempted BGP hijack. Click “Attempt to hijack” to visualize how RPKI allows the network to protect itself by invalidating the malicious routes:
Border Gateway Protocol (BGP) is the postal service of the Internet. When someone drops a letter into a mailbox, the postal service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient. Similarly, when someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems. Learn more →
By default, BGP does not embed any security protocols. It is up to every autonomous system to implement filtering of “wrong routes”. Leaking routes can break parts of the Internet by making them unreachable. It is commonly the result of misconfigurations. Although, it is not always accidental. A practice called BGP hijack consists of redirecting traffic to another autonomous system to steal information (via phishing, or passive listening for instance).
BGP can be made safe if all autonomous systems (AS) only announce legitimate routes. A route is defined as legitimate when the owner of the resource allows its announcement. Filters need to be built in order to make sure only legitimate routes are accepted. There are a few approaches for BGP route validation which vary in degrees of trustability and efficiency. A mature implementation is RPKI.
With 800k+ routes on the Internet, it is impossible to check them manually. Resource Public Key Infrastructure (RPKI) is a security framework method that associates a route with an autonomous system. It uses cryptography in order to validate the information before being passed onto the routers. You can read more about RPKI on the Cloudflare blog.
On May 14th 2020, Job Snijders from NTT presented a free RPKI 101 webinar.
In order to test if your ISP is implementing BGP safely, we announce a legitimate route but we make sure the announcement is invalid. If you can load the website we host on that route, that means the invalid route was accepted by your ISP. A leaked or a hijacked route would likely be accepted too.
Over the years, network operators and developers started working groups to design and deploy standards to overcome unsafe routing protocols. Cloudflare recently joined a global initiative called Mutually Agreed Norms for Routing Security (MANRS). It’s a community of security-minded organizations committed to making routing infrastructure more robust and secure, and members agree to implement filtering mechanisms. New voices are always appreciated.
Share this pageFor BGP to be safe, all of the major ISPs will need to embrace RPKI. Sharing this page will increase awareness of the problem which can ultimately pressure ISPs into implementing RPKI for the good of themselves and the general public. You can also reach out to your service provider or hosting company directly and ask them to deploy RPKI and join MANRS. When the Internet is safe, everybody wins.