BGP Hijacking

I don’t understand networking well. But it seems there are some limited options to protect your network from BGP hijacking.

Though, after casting about, I found that Amazon is marked as “safe”, which I interpret to mean that they met the requirements but failed in practice.

An alternative approach to ROA creation would be to do what other networks such as Cloudflare and Comcast have done: set the origin and maximum prefix length to be identical to how the prefix is routed. While this approach incurs an overhead cost of needing to update a ROA every time a route is modified, it also leaves little room for alternate versions of the route to come into circulation.

1 Like

can check RPKI for a server or your own connection. It looks like Mojeek’s service provider has configured RPKI.

1 Like
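The two posts above turn on what a ROA actually authorizes. The following is an added example (not from this thread, and not any provider's tooling) that implements RFC 6811 route origin validation over a constructed set of ROAs, and flags ROAs whose maxLength is looser than what is actually routed, which is the Cloudflare/Comcast practice quoted above. The prefixes, AS numbers and ROAs are constructed sample data, not real registry contents.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, maximum length, authorized origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs (documentation prefixes and private AS numbers, not real data).
ROAS = [
    # Tight ROA: max_length equals the routed /24, so only that exact prefix is covered.
    ROA("203.0.113.0/24", 24, 64496),
    # Loose ROA: the prefix is routed as a /22 but the ROA permits anything down to /24.
    ROA("198.51.100.0/22", 24, 64497),
]

# Constructed sample of what the two networks actually announce: (prefix, origin AS).
ANNOUNCED = [
    ("203.0.113.0/24", 64496),
    ("198.51.100.0/22", 64497),
]


def validate_route(roas, prefix, origin_asn):
    """RFC 6811 origin validation: return 'valid', 'invalid' or 'not-found'.

    A route is valid if some covering ROA names the announced origin AS and the
    announced prefix length does not exceed that ROA's max_length.  If ROAs cover
    the prefix but none match, the route is invalid.  With no covering ROA at all,
    the state is not-found (routers typically still accept such routes).
    """
    net = ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def loose_roas(roas, announced):
    """Return ROAs whose max_length exceeds the longest prefix actually announced under them.

    Such slack lets a more-specific announcement from (or forged as) the authorized
    origin pass validation even though the legitimate network never routes it.
    """
    loose = []
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        routed_lengths = [
            ip_network(p).prefixlen for p, _ in announced if ip_network(p).subnet_of(roa_net)
        ]
        longest_routed = max(routed_lengths, default=roa_net.prefixlen)
        if roa.max_length > longest_routed:
            loose.append(roa)
    return loose


if __name__ == "__main__":
    # Legitimate announcements validate.
    for prefix, asn in ANNOUNCED:
        print(prefix, asn, validate_route(ROAS, prefix, asn))
    # A more-specific /25 of the tightly-covered prefix is invalid even with the right origin.
    print("203.0.113.0/25", 64496, validate_route(ROAS, "203.0.113.0/25", 64496))
    # A more-specific /24 under the loose ROA is valid if the origin AS matches: this is the slack.
    print("198.51.100.0/24", 64497, validate_route(ROAS, "198.51.100.0/24", 64497))
    print("loose ROAs:", loose_roas(ROAS, ANNOUNCED))
```

The `loose_roas` check is the one to run against your own ROAs: any entry it returns is a prefix for which a more-specific route would still validate as long as the announced origin AS matches, which is exactly the "alternate versions of the route" the quoted advice is trying to rule out.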

Assuming we have transit encryption, the main result of Border Gateway Protocol (BGP) errors is mass downtime. Downtime for a typical service is a headache; downtime for a CA can be disastrous. BGP hijacking also enables certificate mis-issuance by messing with weak domain control validation. Route authorization is an important mitigation!

That said: TLS is our last line of defense against BGP attacks that re-direct HTTPS requests.

Users wouldn’t have been robbed if Celer Bridge used HSTS preloading. Victims were greeted by a TLS error and chose to add a security exception; a payment platform shouldn’t offer that choice. HSTS instructs browsers to remove this option, and HSTS preloading prevents HSTS stripping (and TLS stripping).

HTTP Public Key Pinning (HPKP) makes such attacks even harder, but HPKP had its own list of issues preventing adoption.

POSSE note from
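As an added example (not part of the post above, and not the Celer Bridge site's configuration), here is a small checker for the `Strict-Transport-Security` header that parses the directives and reports whether a site meets the published hstspreload.org submission requirements: a `max-age` of at least one year (31536000 seconds), `includeSubDomains`, and `preload`. The header values it is run on are constructed samples.

```python
# Minimum max-age required by hstspreload.org for preload-list submission (one year).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into {directive: value}.

    Directive names are case-insensitive; valueless directives map to ''.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess_hsts(header):
    """Return (preload_eligible, problems) for a header value (None if absent).

    Without HSTS the browser still offers a click-through on a TLS error, which is
    what let the hijack above succeed; without preload the very first visit (and any
    visit after max-age expires) is unprotected.
    """
    if header is None:
        return False, ["no Strict-Transport-Security header: TLS errors stay click-through"]
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below the preload minimum of {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (subdomains can still be served over plain HTTP)")
    if "preload" not in d:
        problems.append("preload directive missing (site cannot be added to the preload list)")
    return not problems, problems


# Constructed sample header values, weak and corrected.
WEAK_HEADER = "max-age=300"
GOOD_HEADER = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("none", None), ("weak", WEAK_HEADER), ("good", GOOD_HEADER)):
        eligible, problems = assess_hsts(value)
        print(label, "eligible" if eligible else "not eligible", problems)
```

Passing this check is only the on-site half: the domain still has to be submitted to, and accepted by, the preload list before browsers enforce HTTPS on a first visit, so `preload` in the header by itself does not remove the first-visit window.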

I found this blog post about the problems with HSTS and HPKP:

Gemini uses TOFU. I looked at TOFU again and found this Wikipedia entry about Marlinspike and Perspectives:

To put this in perspective, all the things we’re talking about have to do with identifying a service on the internet which was the main issue in the cryptocurrency attack.


I wrote my thoughts on TOFU, Gemini, and HPKP earlier:

Self signed certificate problems