
BGP Basics

AS numbers, prefixes, AS_PATH, and the outages BGP causes.

The Border Gateway Protocol is the only system that tells the internet "where the IPs are". It's a 30-year-old protocol of trust-based announcements that occasionally takes a continent offline. Knowing how it works is what separates "I configure routers" from "I read post-mortems and understand them".

ASNs and prefixes

Every network on the BGP internet has an Autonomous System Number (ASN). Cloudflare is AS13335. Google is AS15169. Your ISP has one. Your company might have one if you run multi-homed BGP. ASNs are issued by the Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC).

A network announces prefixes — CIDR blocks like 1.1.1.0/24 or 2606:4700::/32 — to its neighbours. The announcement says: "I, AS13335, can reach prefix 1.1.1.0/24."

Neighbours pass the announcement on, prepending their own ASN as they go:

AS13335 announces  1.1.1.0/24                  AS_PATH = [13335]
        ↓ (eBGP)
AS3356  hears it   1.1.1.0/24 via [13335]      relays as [3356, 13335]
        ↓
AS174   hears it   1.1.1.0/24 via [3356,13335] relays as [174, 3356, 13335]
        ↓
your ISP hears it  1.1.1.0/24 via [174, 3356, 13335]

Your ISP now knows: "to reach 1.1.1.0/24, hand the packet to AS174, which hands it to AS3356, which hands it to AS13335." The AS_PATH is the route.

Path selection — how BGP picks one route from many

A given router will hear about the same prefix from multiple peers, often via different AS_PATHs. BGP applies a tiebreaker stack — strictly ordered:

  1. LOCAL_PREF — local preference (set by your network's policy). Higher wins.
  2. Shortest AS_PATH — fewer ASNs is better. The simplest "physical" rule.
  3. Lowest origin code — IGP < EGP < incomplete.
  4. Lowest MED (Multi-Exit Discriminator) — a hint you attach to tell a neighbouring AS which of the links into your network it should prefer; only compared between routes learned from the same neighbouring AS.
  5. eBGP > iBGP — prefer routes from external peers over internal.
  6. Lowest IGP cost to next-hop — prefer the closest internal exit.
  7. Lowest router ID — final tiebreaker, deterministic.

The first four matter most. Network operators express their business policy via LOCAL_PREF (prefer my customers' announcements over my peers' over my providers'). After LOCAL_PREF, it's mostly path length.
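As an added example (Python written for this page, not code from the lesson), the block below models two things described above: the relay step in which each AS prepends its own ASN, and the seven-step tiebreaker stack. The sample routes, their LOCAL_PREF, MED and router ID values, and the ASN 64496 (from the documentation range) are constructed; the comparison follows the lesson's simplified order.

```python
# Added example, not from the lesson: a small model of how an announcement is
# relayed (each AS prepends its own ASN) and of the best-path tiebreaker stack
# listed above. AS64496 is from the documentation range (RFC 5398); every route
# below is constructed sample data, not a real routing-table entry.
from dataclasses import dataclass
from typing import List, Tuple

# Origin codes in BGP preference order; lower rank is better.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Route:
    prefix: str
    as_path: List[int]          # leftmost = peer that sent it, rightmost = origin AS
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    from_ebgp: bool = True      # learned from an external peer rather than via iBGP
    igp_cost: int = 0           # IGP metric to reach the BGP next-hop
    router_id: str = "0.0.0.0"  # ID of the router that sent it; final tiebreaker


def relay(route: Route, my_asn: int) -> Route:
    """What a neighbour passes on: the same prefix with its own ASN prepended."""
    return Route(route.prefix, [my_asn] + route.as_path, origin=route.origin)


def propagate(prefix: str, origin_asn: int, chain: List[int]) -> List[int]:
    """Follow one announcement along a chain of ASes; return the AS_PATH the last one hears."""
    r = Route(prefix, [origin_asn])
    for asn in chain:
        r = relay(r, asn)
    return r.as_path


def _ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def preference_key(r: Route) -> Tuple:
    """Sort key for the tiebreaker stack: a smaller tuple is a more preferred route.
    Simplification: real routers only compare MED between routes from the same
    neighbouring AS, and vendors add steps (weight, locally originated) before 1."""
    return (
        -r.local_pref,            # 1. higher LOCAL_PREF wins
        len(r.as_path),           # 2. shorter AS_PATH wins
        ORIGIN_RANK[r.origin],    # 3. IGP < EGP < incomplete
        r.med,                    # 4. lower MED wins
        0 if r.from_ebgp else 1,  # 5. eBGP over iBGP
        r.igp_cost,               # 6. closer next-hop wins
        _ip_to_int(r.router_id),  # 7. lowest router ID
    )


def best_path(candidates: List[Route]) -> Route:
    return min(candidates, key=preference_key)


def demo_policy_beats_length() -> Route:
    """Customer > peer > provider via LOCAL_PREF, although the customer's path is longest."""
    customer = Route("1.1.1.0/24", [64496, 3356, 13335], local_pref=200, router_id="10.0.0.3")
    peer = Route("1.1.1.0/24", [3356, 13335], local_pref=150, router_id="10.0.0.2")
    provider = Route("1.1.1.0/24", [174, 3356, 13335], local_pref=100, router_id="10.0.0.1")
    return best_path([customer, peer, provider])


def demo_equal_policy() -> Route:
    """With LOCAL_PREF equal the stack falls through to step 2: the shorter AS_PATH."""
    peer = Route("1.1.1.0/24", [3356, 13335], router_id="10.0.0.2")
    provider = Route("1.1.1.0/24", [174, 3356, 13335], router_id="10.0.0.1")
    return best_path([peer, provider])


def demo_lower_steps() -> List[str]:
    """Same LOCAL_PREF and path length (all from AS3356, so MED is comparable):
    origin, MED, eBGP/iBGP, IGP cost and finally router ID decide the order."""
    a = Route("1.1.1.0/24", [3356, 13335], origin="incomplete", router_id="10.0.0.1")
    b = Route("1.1.1.0/24", [3356, 13335], med=20, router_id="10.0.0.2")
    c = Route("1.1.1.0/24", [3356, 13335], med=10, from_ebgp=False, router_id="10.0.0.3")
    d = Route("1.1.1.0/24", [3356, 13335], med=10, igp_cost=5, router_id="10.0.0.4")
    e = Route("1.1.1.0/24", [3356, 13335], med=10, igp_cost=5, router_id="10.0.0.5")
    return [r.router_id for r in sorted([a, b, c, d, e], key=preference_key)]


if __name__ == "__main__":
    print(propagate("1.1.1.0/24", 13335, [3356, 174]))  # [174, 3356, 13335]
    print(demo_policy_beats_length().as_path)           # [64496, 3356, 13335]
    print(demo_equal_policy().as_path)                  # [3356, 13335]
    print(demo_lower_steps())
```

The tuple sort key is the whole point: step 1 is compared before step 2 is even looked at, which is why the customer route with the longest path still wins in the first demo. The third demo shows that once LOCAL_PREF and path length tie, the lower steps decide in strict order, with the router ID guaranteeing a deterministic answer.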

How outages happen

The trust model is: "if a peer says they have a route, believe them." Without RPKI, anyone can announce anything. Three categories of incident:

1. Accidental hijacks

1997 — AS7007: A small ISP misconfigured its router and announced ALL prefixes (the entire IPv4 space, fragmented into /24s). Their upstreams accepted the announcement; the announcement leaked globally; chaos ensued. The internet was offline in big chunks for ~2 hours.

2008 — Pakistan → YouTube: Pakistan Telecom announced YouTube's prefix internally to block YouTube within Pakistan. Their upstream (PCCW) accepted and re-announced globally. YouTube was unreachable worldwide for 90 minutes.

2017 — Russian incident: A Russian telco briefly announced prefixes belonging to Mastercard, Visa, and several US banks. Lasted minutes; never confirmed as malicious or accidental.

2. Self-withdrawals

2021 — Facebook (Meta): A configuration change on internal backbone routers caused Facebook's BGP routers to withdraw their own prefix announcements globally. fb.com, instagram.com, whatsapp.com — all gone for ~6 hours. The post-mortem makes painful reading: their internal tooling for bringing the routers back also depended on those prefixes being announced.

2022 — Rogers (Canada): A misconfigured BGP filter caused Rogers' prefixes to be withdrawn. Half of Canada lost internet for a day. ATMs, payment terminals, the country's tax-payment system — all routed through Rogers, all broken.

3. Deliberate hijacks

Most often, attackers hijack a smaller prefix to intercept traffic for a few minutes — long enough to harvest credentials or BGP-MITM a TLS handshake (when DV cert validation goes through HTTP and the attacker can answer the validation challenge from the hijacked prefix). MyEtherWallet (April 2018) lost ~$152k in this exact way.

RPKI — the cryptographic fix

RPKI (Resource Public Key Infrastructure) lets prefix holders cryptographically sign authorisations. The artifact is a ROA (Route Origin Authorization):

"The prefix 1.1.1.0/24, with max length /24, is authorized to be
 originated by AS13335. Signed by ARIN trust anchor."

A router with RPKI Origin Validation enabled will reject any announcement of 1.1.1.0/24 whose origin AS (the rightmost ASN in the AS_PATH, the one that started the announcement) is not 13335, and any more-specific such as 1.1.1.0/25, because the ROA's max length is /24. Origin Validation checks only the origin; it does not verify the rest of the AS_PATH. The Pakistan Telecom incident, with RPKI in 2025-era networks, would have lasted seconds, not 90 minutes — every modern transit network would have rejected the announcement.
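The validation a router performs, as an added example in Python (written for this page, not the lesson's code and not any router vendor's implementation). The ROA table holds only the lesson's 1.1.1.0/24 example; the hijacker ASN 64496 (documentation range) and every announcement are constructed. The last sample also shows the caveat: a path that merely ends in the authorised ASN passes Origin Validation, because only the origin is checked.

```python
# Added example, not from the lesson: Route Origin Validation (RFC 6811) against
# a small ROA table, using only the standard library. The ROA for 1.1.1.0/24 mirrors
# the lesson's example; the hijacker ASN 64496 (documentation range, RFC 5398) and
# all announcements are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "1.1.1.0/24"
    max_length: int  # longest more-specific the origin may announce
    asn: int         # authorised origin AS


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = nearest peer, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def covering_roas(ann: Announcement, roas: List[ROA]) -> List[ROA]:
    """ROAs whose prefix contains the announced prefix (ignoring AS and max length)."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    out = []
    for roa in roas:
        rnet = ipaddress.ip_network(roa.prefix, strict=False)
        if rnet.version == net.version and net.subnet_of(rnet):
            out.append(roa)
    return out


def validate(ann: Announcement, roas: List[ROA]) -> str:
    """Return the RPKI state: 'valid', 'invalid' or 'not-found'."""
    cover = covering_roas(ann, roas)
    if not cover:
        return "not-found"  # nobody signed anything for this space; RPKI is silent
    plen = ipaddress.ip_network(ann.prefix, strict=False).prefixlen
    for roa in cover:
        if roa.asn == ann.origin_as and plen <= roa.max_length:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin or too specific


def accept(ann: Announcement, roas: List[ROA]) -> bool:
    """The policy the major transit networks apply: drop invalid, keep valid and not-found."""
    return validate(ann, roas) != "invalid"


# Constructed ROA table: the lesson's example ROA and nothing for the IPv6 block.
ROAS = [ROA("1.1.1.0/24", 24, 13335)]


def classify_samples() -> Dict[str, str]:
    samples = {
        "legit":         Announcement("1.1.1.0/24", (174, 3356, 13335)),
        "wrong_origin":  Announcement("1.1.1.0/24", (174, 64496)),         # AS64496 claims it
        "too_specific":  Announcement("1.1.1.0/25", (174, 3356, 13335)),   # right AS, beyond maxLength
        "no_roa":        Announcement("2606:4700::/32", (174, 3356, 13335)),
        "forged_origin": Announcement("1.1.1.0/24", (174, 64496, 13335)),  # path ends in 13335; ROV cannot tell
    }
    return {name: validate(a, ROAS) for name, a in samples.items()}


if __name__ == "__main__":
    for name, state in classify_samples().items():
        print(f"{name:14s} {state}")
```

Two points worth noticing in the output: "not-found" is not a rejection, which is why the unsigned half of the table still routes, and the more-specific 1.1.1.0/25 is invalid even with the right origin, so a prefix holder who wants to announce more-specifics must say so in the ROA's max length.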

Adoption in 2026: roughly 50% of the global routing table has ROAs published, and most major transit networks (Cloudflare, Hurricane Electric, NTT, Telia) drop RPKI-invalid routes. The remaining 50% is mostly long-tail networks that haven't published ROAs.

If you run BGP, publish ROAs for your prefixes. It takes 10 minutes.

What ASN/prefix lookups are useful for

  • Capacity planning. Where does your traffic come from? Look up the ASN of incoming connections to see which networks dominate.
  • Anti-abuse. Block ranges of ASNs known for spam, DDoS, or scrapers.
  • Latency debugging. Combine mtr --aslookup with prefix lookups to see whose network you're traversing.
  • Outage detection. Monitor your own prefix announcements globally (BGPMon, Cloudflare Radar) — get alerted if your prefix disappears or shows up via an unexpected ASN.

Two quick ways to do the lookup from a shell:

# AS-lookup for an IP
curl -s https://api.bgpview.io/ip/1.1.1.1 | jq '.data.prefixes[0]'
# Or use whois directly:
whois -h whois.cymru.com " -v 1.1.1.1"
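The capacity-planning use case above, carried through as an added Python example (written for this page, not the lesson's code): parse lookup results into a prefix table, do a longest-prefix match for each client IP, and count connections per ASN. The table is constructed sample data in the pipe-separated layout the whois.cymru.com verbose service prints; the ASNs 64496 and 64497, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges, the dates and the connection log are all constructed.

```python
# Added example, not from the lesson: answering "which networks dominate my
# traffic?" by mapping client IPs to ASNs. The table below is constructed sample
# data in the pipe-separated layout the whois.cymru.com verbose service prints
# (AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name); AS64496/64497 and
# the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation
# values, the dates are placeholders, and the connection log is constructed too.
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

WHOIS_SAMPLE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
13335   | 1.1.1.1          | 1.1.1.0/24          | AU | apnic    | 2000-01-01 | CLOUDFLARENET, US
64496   | 192.0.2.10       | 192.0.2.0/24        | ZZ | example  | 2000-01-01 | EXAMPLE-NET-A, ZZ
64497   | 198.51.100.5     | 198.51.100.0/24     | ZZ | example  | 2000-01-01 | EXAMPLE-NET-B, ZZ
"""

CONNECTION_LOG = [  # constructed: source IP of each accepted connection
    "1.1.1.1", "1.1.1.7", "192.0.2.10", "192.0.2.11", "192.0.2.12",
    "198.51.100.5", "203.0.113.9",
]


def parse_whois_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Map each BGP prefix to (ASN, AS name); the header row and blank lines are skipped."""
    table: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 7 or not cells[0].isdigit():
            continue
        table[cells[2]] = (int(cells[0]), cells[6])
    return table


def lookup(ip: str, table: Dict[str, Tuple[int, str]]) -> Optional[Tuple[int, str]]:
    """Longest-prefix match, the same rule a router uses; None if no prefix covers the IP."""
    addr = ipaddress.ip_address(ip)
    best_net, best_info = None, None
    for prefix, info in table.items():
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_info = net, info
    return best_info


def share_by_asn(ips: List[str], table: Dict[str, Tuple[int, str]]) -> List[Tuple[str, int]]:
    """Connection counts per origin network, most common first."""
    counts: Counter = Counter()
    for ip in ips:
        info = lookup(ip, table)
        counts[f"AS{info[0]} {info[1]}" if info else "unknown"] += 1
    return counts.most_common()


if __name__ == "__main__":
    prefixes = parse_whois_table(WHOIS_SAMPLE)
    for label, n in share_by_asn(CONNECTION_LOG, prefixes):
        print(f"{n:5d}  {label}")
```

The same per-ASN grouping feeds the anti-abuse item: once connections are keyed by ASN rather than by IP, a block or rate limit can be applied to a whole network instead of chasing individual addresses. For real traffic, the table would be filled from a bulk lookup rather than one whois call per address.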

What you should remember

  1. ASNs identify networks; prefixes are CIDR blocks they advertise.
  2. AS_PATH is the route — shorter wins, mostly.
  3. Trust model is "believe your peers" — historically broken in spectacular ways.
  4. Famous outages: Pakistan→YouTube (2008), Facebook self-withdraw (2021), Rogers (2022).
  5. RPKI is the signed-attestation fix — half-deployed and getting better.

When you see an internet-wide news event ("my apps stopped working all over the world"), the answer is almost always either DNS or BGP. Now you understand half of those.

Tools in the wild

  • bgp.tools (free tier; service): Browse the global BGP table — see what prefixes any AS announces, the AS_PATH from many vantage points.
  • RIPE RIS (free tier; service): Real-time BGP route collector — historical and live BGP data from 600+ peers.
  • bird (free tier; library): Open-source BGP daemon used by major networks (Cloudflare, Hurricane Electric).
  • Live BGP, DNS, and traffic dashboards (service) — useful for spotting incidents.