Is BGP safe yet? No.

Border Gateway Protocol (BGP) is the postal service of the Internet. It’s responsible for looking at all of the available paths that data could travel and picking the best route.

Unfortunately, it isn’t secure, and there have been some major Internet disruptions as a result. But fortunately there is a way to make it secure.

ISPs and other major Internet players (Sprint and others) would need to implement a certification system, called RPKI.

Read FAQ

Latest updates

Status

Displaying 31 major operators

NameTypeDetailsStatusASN ?
Lumen transit signed + filtering safe 3356
Arelion (formerly Telia) transit signed + filtering safe 1299
Cogent transit signed + filtering safe 174
NTT transit signed + filtering safe 2914
Hurricane Electric transit signed + filtering safe 6939
GTT transit signed + filtering safe 3257
TATA transit signed + filtering safe 6453
Zayo transit signed + filtering safe 6461
PCCW transit signed + filtering safe 3491
RETN transit partially signed + filtering safe 9002
Orange transit signed + filtering safe 5511
Telefonica/Telxius transit signed + filtering safe 12956
Comcast ISP signed + filtering safe 7922
Verizon ISP signed + filtering safe 701
Liberty Global transit signed + filtering safe 6830
Deutsche Telekom ISP signed + filtering safe 3320
T-Mobile transit filtering safe 1239
KPN transit signed + filtering safe 286
Vocus Communications transit signed + filtering safe 4826
Core-Backbone transit signed + filtering safe 33891
Swisscom ISP signed + filtering safe 3303
Cox Communications ISP signed + filtering safe 22773
G8 transit signed + filtering safe 28329
Telstra transit signed + filtering safe 1221
Orange Polska ISP signed + filtering safe 5617
GEANT ISP signed + filtering safe 20965
Softdados Telecom transit signed + filtering safe 52873
Next Layer GmbH transit signed + filtering safe 1764
TELUS Communications ISP signed + filtering safe 852
OpenX transit signed + filtering safe 263444
Vocus Retail ISP signed + filtering safe 9443
Jaguar Network ISP signed + filtering safe 30781
HiNet ISP signed + filtering safe 3462
ITS Telecom transit signed + filtering safe 28186
Orange Polska ISP signed + filtering safe 29535
Acorus Networks ISP signed + filtering safe 35280
Virgin Media UK ISP signed + filtering safe 5089
TDC ISP signed + filtering safe 3292
Ensite Telecom transit signed + filtering safe 28263
Telenor ISP signed + filtering safe 2119
ANEXIA Internetdienstleistungs GmbH transit signed + filtering safe 47147
Biznet Networks ISP signed + filtering safe 17451
UPX TECNOLOGIA transit signed + filtering safe 52863
RCN ISP signed + filtering safe 6079
Devoli ISP signed + filtering safe 45177
NTS Workspace AG ISP signed + filtering safe 15576
MNET ISP signed + filtering safe 8767
Charter ISP signed + filtering safe 11351
Kyivstar ISP signed + filtering safe 15895
Inferno Communications transit signed + filtering safe 207841
Brisanet ISP signed + filtering safe 28126
Hydra Communications cloud signed + filtering safe 25369
KPN-Netco ISP signed + filtering safe 1136
Charter ISP signed + filtering safe 12271
HOPUS transit signed + filtering safe 44530
Persis Telecom ISP signed + filtering safe 14282
ViewQwest ISP signed + filtering safe 18106
QuadraNet cloud safe 8100
CYTA ISP signed + filtering safe 6866
Trustpower ISP signed + filtering safe 55850
STARTNET transit signed + filtering safe 52999
Obenetwork ISP signed + filtering safe 3399
NOS COMUNICACOES ISP signed + filtering safe 2860
Altibox ISP signed + filtering safe 29695
Bredband2 ISP signed + filtering safe 29518
UltraWave Telecom ISP signed + filtering safe 262659
noris network AG ISP signed + filtering safe 12337
UKServers cloud signed + filtering safe 42831
August Internet ISP signed + filtering safe 50058
Cablenet Cyprus ISP signed + filtering safe 35432
Claranet ISP safe 8426
Mobicom transit filtering safe 55805
Terrahost cloud signed + filtering safe 56655
RKOM ISP signed + filtering safe 12611
Belwue ISP signed + filtering safe 553
SpaceNet ISP signed + filtering safe 5539
CESNET ISP signed + filtering safe 2852
Belnet ISP signed + filtering safe 2611
A2B Internet ISP signed + filtering safe 51088
Cloudflare cloud signed + filtering safe 13335
WOBCOM ISP signed + filtering safe 9136
MilkyWan ISP signed + filtering safe 2027
HostDime.com Inc cloud safe 33182
xs4all cloud signed + filtering safe 3265
Netinternet cloud signed + filtering safe 51559
Netwerkvereniging ColoClue ISP signed + filtering safe 8283
TNG Stadtnetz GmbH ISP signed + filtering safe 13101
Aussie Broadband ISP signed + filtering safe 4764
Dhiraagu ISP signed + filtering safe 7642
Rozint Ltd Co ISP signed + filtering safe 21738
Microsoft cloud signed + filtering safe 8075
APIK Media cloud signed + filtering safe 58820
EdgeUno cloud signed + filtering safe 7195
Atria Convergence Technologies Ltd ISP signed + filtering safe 24309
EOLO ISP signed + filtering safe 35612
Amazon cloud signed + filtering safe 16509
Gis Telecom ISP signed + filtering safe 264130
HEAnet ISP signed + filtering safe 1213
Accuris Technologies ISP signed + filtering safe 52210
Via Radio Dourados transit signed + filtering safe 61785
ACT Fibernet ISP signed + filtering safe 18209
Get (Telia Norway) ISP signed + filtering safe 41164
Karabro AB ISP signed + filtering safe 51519
Netflix cloud signed + filtering safe 2906
Afrihost ISP safe 37611
EBOX ISP signed + filtering safe 1403
Aura Fiber ISP safe 204274
DELTA Fiber ISP signed + filtering safe 15435
komro GmbH ISP signed + filtering safe 29413
VoiceHost ISP signed + filtering safe 31472
Neptune Networks cloud signed + filtering safe 397143
Gigabit DK ISP signed + filtering safe 60876
Iver Norge AS ISP safe 49409
Clearfly Communications ISP signed + filtering safe 27400
Tech Futures ISP signed + filtering safe 394256
DK Hostmaster cloud signed + filtering safe 39839
Wikimedia Foundation cloud signed + filtering safe 14907
Stellar Technologies cloud signed + filtering safe 14525
Hi3G ISP signed + filtering safe 44034
Scaleway cloud signed + filtering safe 12876
Turksat ISP signed + filtering safe 47524
Kerfuffle Cloud signed + filtering safe 35008
Datapark ISP safe 21040
PROMAX ISP safe 31423
ASERGO cloud signed + filtering safe 30736
Inter Connects Inc cloud safe 46805
Redder ISP signed + filtering safe 33986
Freethought Internet Limited cloud signed + filtering safe 41000
Green Mini host cloud signed + filtering safe 205668
Parknet ISP signed + filtering safe 197301
Kviknet DK ISP signed + filtering safe 204151
Dream Fusion - IT Services Lda cloud signed + filtering safe 39384
TL Group cloud safe 263812
Rose Telecom ISP signed + filtering safe 54681
Nutrien ISP signed + filtering safe 393891
Powerhosting Cloud signed + filtering safe 60422
AnacondaWeb ISP signed + filtering safe 265656
Cobaso Cloud safe 399866
WhiteHat ISP signed + filtering safe 51999
Raiola Networks cloud signed + filtering safe 56958
andrewnet ISP signed + filtering safe 211562
Bryan Barbolina trading as Cloudwebservices cloud signed + filtering safe 213268
Chilean Government Network (Red de Conectividad del Estado) ISP signed + filtering safe 17147
Zaledia Networks ISP signed + filtering safe 207149
Bristol Bay Telephone Coop ISP signed + filtering safe 397388
NNET ISP signed + filtering safe 142582
Ursin Filli ISP signed + filtering safe 202427
Hazelnet ISP signed + filtering safe 200242
Telstra International transit signed partially safe 4637
AT&T ISP signed + filtering peers only partially safe 7018
IIJ transit signed + filtering peers only partially safe 2497
OCN ISP signed + filtering peers only partially safe 4713
Vivacom ISP signed partially safe 8866
Equinix Metal Cloud signed + filtering peers partially safe 54825
Janet ISP partially signed + filtering partially safe 786
CDN77 cloud signed partially safe 60068
DFN Deutsches Forschungsnetz ISP partially signed + filtering partially safe 680
Ziggo ISP signed partially safe 33915
Digital Energy Technologies Limited (Global) cloud signed + filtering peers partially safe 61317
ColoCrossing cloud filtering partially safe 36352
Google cloud signed partially safe 15169
Worldstream ISP signed partially safe 49981
Triolan ISP filtering partially safe 13188
LeapSwitch Networks cloud filtering partially safe 132335
DigitalOcean cloud filtering peers only partially safe 14061
GTHost cloud filtering partially safe 63023
Zayo France transit signed + filtering peers only partially safe 8218
EE ISP filtering partially safe 12576
Plusnet ISP filtering partially safe 6871
volumedrive cloud filtering partially safe 46664
MadeIT cloud filtering partially safe 54455
Pacswitch ISP filtering partially safe 55536
Sparkle transit started unsafe 6762
Vodafone transit unsafe 1273
PJSC RosTelecom transit unsafe 12389
TransTelecom transit unsafe 20485
SingTel transit unsafe 7473
Algar Telecom transit unsafe 16735
Globenet transit unsafe 52320
Telefonica Vivo transit unsafe 10429
Internexa transit unsafe 262589
Angola Cables transit unsafe 37468
China Telecom transit unsafe 4809
Oi ISP unsafe 7738
KT (Fixed Line) ISP unsafe 4766
Vivo GVT ISP unsafe 18881
Embratel transit unsafe 4230
Telekom Hungary ISP signed unsafe 5483
Eletronet transit unsafe 267613
Windstream Communications ISP unsafe 7029
TIM Brasil ISP unsafe 26615
MOB Telecom transit unsafe 28598
Optus transit unsafe 7474
Seabras transit unsafe 13786
SK Broadband ISP unsafe 9318
TPG ISP unsafe 7545
Durand transit unsafe 22356
Bell Canada ISP unsafe 577
Optimum ISP unsafe 6128
RCS&RDS ISP unsafe 8708
Softbank ISP unsafe 17676
Commcorp transit unsafe 14840
Superloop Australia transit unsafe 38195
TurkTelekom ISP unsafe 9121
Shaw Communications ISP unsafe 6327
M247 cloud unsafe 9009
A1 Telekom Austria ISP unsafe 8447
Wave Broadband ISP unsafe 11404
W I X NET DO BRASIL cloud unsafe 53013
Init7 (Schweiz) AG ISP started unsafe 13030
Telecom Argentina ISP unsafe 7303
Fastweb ISP unsafe 12874
American Tower Brasil transit unsafe 23106
Vogel transit unsafe 25933
TIM ISP unsafe 3269
AAPT Limited ISP unsafe 2764
TELY transit unsafe 53087
Rogers ISP started unsafe 812
British Telecommunications ISP unsafe 2856
Vodafone España ISP unsafe 12430
Sunrise Communications AG ISP unsafe 6730
SIA Tet ISP unsafe 12578
PLDT ISP unsafe 9299
VNPT cloud unsafe 45899
Forte Telecom transit unsafe 263009
Alta Rede transit unsafe 28260
Vodafone DE ISP unsafe 3209
Nianet A/S ISP signed unsafe 31027
Globe Telecom ISP unsafe 4775
HKBN ISP unsafe 9269
Claro Argentina ISP unsafe 11664
Copel Telecom transit unsafe 14868
Vocus Group NZ ISP unsafe 9790
ACONET transit started unsafe 1853
Wirelink transit unsafe 28368
SFR ISP unsafe 15557
TASCOM transit unsafe 52871
WOW! ISP unsafe 12083
Hutchison Drei Austria ISP unsafe 25255
K2 Telecom transit unsafe 53181
NFOrce cloud signed unsafe 43350
Psychz Networks cloud unsafe 40676
SuddenLink ISP unsafe 19108
Delta Telecom cloud unsafe 29049
Cogeco ISP unsafe 7992
DNA Oyj ISP unsafe 16086
Silknet ISP signed unsafe 35805
NIB India ISP unsafe 9829
Elisa Finland ISP unsafe 719
Reliance Jio ISP signed unsafe 55836
Volia cloud unsafe 25229
Taiwan Fixed Network ISP signed unsafe 9924
Beltelecom ISP unsafe 6697
Hetzner Online cloud signed unsafe 24940
eww ag transit unsafe 21013
Videotron ISP unsafe 5769
ASAP Telecom transit unsafe 264144
G-Core Labs cloud unsafe 199524
Blix Solutions AS cloud unsafe 50304
Telenet ISP unsafe 6848
2degrees ISP unsafe 23655
NetCologne ISP unsafe 8422
Vodafone IT ISP unsafe 30722
Shentel ISP unsafe 4922
Proximus ISP unsafe 5432
FasterNET ISP unsafe 28580
MásMóvil ISP unsafe 15704
Turknet ISP unsafe 12735
iiNet Limited ISP unsafe 4739
Siminn ISP unsafe 6677
IBM Cloud cloud unsafe 36351
PenTeleData ISP signed unsafe 3737
Selectel Ltd cloud unsafe 49505
Total Server Solutions cloud unsafe 46562
Vodafone Idea ISP unsafe 55410
IP Converge Data Services Inc. cloud unsafe 23930
xneelo cloud unsafe 37153
Nine Internet Solutions cloud signed unsafe 29691
HotNet Internet Services ISP unsafe 12849
Pakistan Telecom Company Limited ISP unsafe 45595
Radore Veri Merkezi Hizmetleri cloud unsafe 42926
SaskTel ISP signed unsafe 803
JCOM ISP unsafe 9824
A1 Belarus ISP unsafe 42772
Maxihost cloud unsafe 262287
Selectel MSK cloud unsafe 50340
NetCom BW ISP unsafe 41998
Continent 8 LLC cloud unsafe 14537
Synapsecom Telecoms cloud unsafe 8280
A3 Sverige ISP unsafe 45011
Deutsche Glasfaser ISP unsafe 60294
Vodafone Portugal ISP unsafe 12353
TekSavvy ISP unsafe 5645
SkyCable ISP unsafe 23944
Cybernet Pakistan ISP unsafe 9541
CSL IDC cloud unsafe 9891
Telefonica Peru ISP unsafe 6147
MTS Belarus ISP unsafe 25106
TheGigabit cloud unsafe 55720
TOT-NET ISP unsafe 23969
ST-BGP cloud unsafe 46844
MEO Portugal ISP unsafe 3243
UK-2 Limited cloud unsafe 13213
SKY Brasil ISP unsafe 11338
Ovnicom cloud unsafe 27796
Locaweb cloud unsafe 27715
ARTNET cloud unsafe 197155
K-NET ISP unsafe 24904
Free SAS ISP signed unsafe 12322
Bouygues Telecom ISP unsafe 5410
Oy Creanova Hosting Solutions Ltd cloud unsafe 51765
GSL Networks cloud unsafe 137409
Sejong Telecom ISP unsafe 4670
Digi ISP unsafe 20845
O2 Broadband ISP unsafe 35228
Vodafone Hungary ISP unsafe 21334
Networx Bulgaria ISP unsafe 34569
FishNet cloud unsafe 43317
ArgonHost cloud unsafe 58477
OVH cloud unsafe 16276
ComHemAB ISP started unsafe 39651
WestHost cloud unsafe 29854
Magenta (T-Mobile) Austria ISP unsafe 8412
ALMOUROLTEC SERVICOS DE INFORMATICA E INTERNET LDA cloud unsafe 24768
Optus Microplex ISP unsafe 4804
Global IP Exchange cloud unsafe 47536
trabia network cloud signed unsafe 43289
Packetexchange cloud unsafe 58065
Alands Telekommunikation Ab ISP unsafe 3238
Amanah cloud unsafe 32489
UNMETERED cloud unsafe 54133
T-Mobile ISP signed unsafe 21928
Vodafone UK ISP unsafe 5378
Numericable ISP unsafe 21502
H4Y cloud signed unsafe 397373
MEO Portugal - Serviços de Comunicações e Multimédia ISP unsafe 42863
Intergrid cloud unsafe 133480
Mobilink ISP unsafe 45669
INTERSPACE-MK cloud unsafe 200899
Monkeybrains ISP unsafe 32329
BroadbandGibraltarLtd. ISP unsafe 34803
AltusHost cloud unsafe 51430
Kingston Communications ISP signed unsafe 12390
Stadtnetz Bamberg ISP unsafe 198570
Rakuten Mobile ISP unsafe 138384
Vodafone India ISP unsafe 38266
tzulo cloud unsafe 11878
Istanbuldc Veri Merkezi cloud unsafe 197328
Sprint Personal Communications Systems transit unsafe 10507
Kaisanet Oy ISP unsafe 13170
Phase Layer Global Networks cloud unsafe 51852
eSecureData cloud signed unsafe 11831
Axcelx cloud unsafe 33083
rh-tec cloud signed unsafe 25560
InterNetX cloud signed unsafe 15456
Siamdata Communication cloud unsafe 56309
ProveNET ISP unsafe 263945
Demando cloud unsafe 196819
Cloud9 cloud unsafe 57814
Claro Brasil ISP unsafe 28573
TurkCell ISP unsafe 16135
Free Mobile ISP signed unsafe 51207
T-Mobile Netherlands ISP unsafe 31615
Taiwan Mobile ISP signed unsafe 24158
Leaseweb USA-LAX-11 cloud unsafe 395954
TOPNET ISP unsafe 37705
B2 Net Solutions cloud unsafe 55286
Webpass ISP unsafe 19165
T-Mobile Thuis ISP signed unsafe 50266
Globe Telecom ISP unsafe 132199
Three UK ISP unsafe 206067
University of North Carolina at Chapel Hill ISP unsafe 36850
Leaseweb USA-SFO-12 cloud unsafe 7203
Smart Communications ISP unsafe 10139
Leaseweb USA-SEA-10 cloud unsafe 396190
Leaseweb USA-WDC-01 cloud unsafe 30633
Millenicom ISP unsafe 34296
NetCup cloud unsafe 197540
True Online ISP unsafe 17552
LG U+ (Fixed Line) ISP unsafe 17858
SK Telecom ISP unsafe 9644
NTT Docomo ISP unsafe 9605
NOS MADEIRA COMUNICACOES ISP unsafe 15457
ASAHI Net ISP unsafe 4685
LG U+ (Mobile) ISP unsafe 17853
Leaseweb USA-NYC-11 cloud unsafe 396362
Leaseweb USA-PHX-11 cloud unsafe 19148
A1 Hrvatska ISP unsafe 29485
Wave G ISP unsafe 54858
Leaseweb USA-DAL-10 cloud unsafe 394380
CBN Broadband ISP started unsafe 135478
Lanet Network ISP unsafe 47800
EHOSTIDC cloud unsafe 45382
Silknet ISP signed unsafe 15491
Coextro ISP unsafe 36445
NOS ACORES COMUNICACOES ISP signed unsafe 42580
Aktsiaselts WaveCom cloud unsafe 34702
ThorDC cloud unsafe 50613
Leaseweb USA-MIA-11 cloud unsafe 393886
KemiNet cloud unsafe 197706
Informacines sistemos ir technologijos UAB cloud unsafe 61272
Web World Ireland cloud unsafe 30900
Database By Design LLC cloud unsafe 17090
Serverfield cloud unsafe 134094
ELSERVER S.R.L cloud unsafe 52270
nobistech cloud unsafe 15003
ENAHOST s.r.o. cloud unsafe 201924
Silknet ISP signed unsafe 42082
Dynamic Hosting cloud unsafe 36077
Avative Fiber ISP unsafe 394752
Globalhost d.o.o. cloud unsafe 200698
FlokiNET cloud unsafe 200651
ByteDance cloud signed unsafe 396986
HQserv cloud unsafe 42994
WARI.NET COMUNICACIONES S.R.L ISP unsafe 265708
Asimia Damaskou cloud unsafe 205053
iServer-AS cloud unsafe 57127
NUT HOST SRL cloud unsafe 264649
SIA Bighost.lv cloud unsafe 200709
Estoxy cloud unsafe 208673
NETSTYLE A. LTD cloud unsafe 43945
Galaxy Broadband ISP started unsafe 139879
Advanced Wireless Network Co. Ltd. ISP signed unsafe 133481

What’s a BGP hijack?

To better understand why BGP’s lack of security is so problematic, let’s look at a simplified model of how BGP is used to route Internet packets.

The Internet is not run by just one company. It’s made up of thousands of autonomous systems with nodes located all around the world, connected to each other in a massive graph.

In essence, the way BGP works is that each node must determine how to route packets using only what it knows from the nodes it connects with directly.

For example, in the simple network A–B–C–D–E, the node A only knows how to reach E based on information it received from B. The node B knows about the network from A and C. And so forth.

A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.

Click “Hijack the request” to visualize how packets are re-routed:

Unsafe BGP: Normal request

Laptop
ISP
Hijacker
Transit
Malicious website
Cloud
Web resource

In order to make BGP safe, we need some way of preventing the spread of this misinformation. Since the Internet is so open and distributed, we can’t prevent malicious nodes from attempting to deceive other nodes in the first place. So instead we need to give nodes the ability to validate the information they receive, so they can reject these undesired routes on their own.

Enter Resource Public Key Infrastructure (RPKI), a security framework method that associates a route with an autonomous system. It gets a little technical, but the basic idea is that RPKI uses cryptography to provide nodes with a way of doing this validation.

With RPKI enabled, let’s see what happens to packets after an attempted BGP hijack. Click “Attempt to hijack” to visualize how RPKI allows the network to protect itself by invalidating the malicious routes:

Safe BGP with RPKI

Laptop
ISP
Hijacker
Transit
Malicious website
Cloud
Web resource

FAQ

What is BGP?

Border Gateway Protocol (BGP) is the postal service of the Internet. When someone drops a letter into a mailbox, the postal service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient. Similarly, when someone submits data across the Internet, BGP is responsible for looking at all of the available paths that data could travel and picking the best route, which usually means hopping between autonomous systems. Learn more →

Why is BGP unsafe?

By default, BGP does not embed any security protocols. It is up to every autonomous system to implement filtering of “wrong routes”. Leaking routes can break parts of the Internet by making them unreachable. It is commonly the result of misconfigurations. Although, it is not always accidental. A practice called BGP hijack consists of redirecting traffic to another autonomous system to steal information (via phishing, or passive listening for instance).

BGP can be made safe if all autonomous systems (AS) only announce legitimate routes. A route is defined as legitimate when the owner of the resource allows its announcement. Filters need to be built in order to make sure only legitimate routes are accepted. There are a few approaches for BGP route validation which vary in degrees of trustability and efficiency. A mature implementation is RPKI.

What is RPKI?

With 800k+ routes on the Internet, it is impossible to check them manually. Resource Public Key Infrastructure (RPKI) is a security framework method that associates a route with an autonomous system. It uses cryptography in order to validate the information before being passed onto the routers. You can read more about RPKI on the Cloudflare blog.

On May 14th 2020, Job Snijders from NTT presented a free RPKI 101 webinar.

How does the test work?

In order to test if your ISP is implementing BGP safely, we announce a legitimate route but we make sure the announcement is invalid. If you can load the website we host on that route, that means the invalid route was accepted by your ISP. A leaked or a hijacked route would likely be accepted too.

Can even more be done?

Over the years, network operators and developers started working groups to design and deploy standards to overcome unsafe routing protocols. Cloudflare recently joined a global initiative called Mutually Agreed Norms for Routing Security (MANRS). It’s a community of security-minded organizations committed to making routing infrastructure more robust and secure, and members agree to implement filtering mechanisms. New voices are always appreciated.

What can you do?

Share this pageFor BGP to be safe, all of the major ISPs will need to embrace RPKI. Sharing this page will increase awareness of the problem which can ultimately pressure ISPs into implementing RPKI for the good of themselves and the general public. You can also reach out to your service provider or hosting company directly and ask them to deploy RPKI and join MANRS. When the Internet is safe, everybody wins.