June 7, 2026

Route rage hits the group chat

Article URL →HN comments →

Enforcing the First as in BGP AS_PATHs

Cloudflare says one tiny network check could stop internet detours — and commenters are yelling “why wasn’t this already on?”

TLDR: Cloudflare says a basic check on where internet traffic claims to come from could stop some route hijacks that send data down the wrong path. Commenters were stunned such a simple safeguard isn’t universal, though veterans argued rolling it out across old networks is nowhere near as easy as it sounds.

Cloudflare dropped a post about a weirdly simple fix for a messy internet problem: scammers have been abusing forgotten network IDs to send traffic on sketchy detours, and Cloudflare says a basic “does this route actually start where it claims?” check can catch a lot of it. In plain English, this is about stopping digital impostors from redirecting data where it was never supposed to go. And the community reaction? Equal parts relieved, annoyed, and deeply sarcastic.

The strongest reaction was basically: wait, this wasn’t enforced already? A lot of commenters treated the revelation like finding out your bank vault was protected by a sticky note. Some praised Cloudflare for publicly stress-testing big networks and naming a practical fix instead of hand-wavy security theater. Others were less charitable, arguing this is yet another example of the internet running on “hope, vibes, and ancient settings nobody touched in 15 years.”

The drama kicked in around blame. One camp went after large network operators for not turning on obvious safeguards. Another pushed back, saying the real world is messy, old equipment exists, and “simple” fixes can break legitimate traffic if rolled out badly. That turned into the classic comments-section cage match: security purists vs. operations veterans.

And yes, the jokes wrote themselves. People compared the current system to a nightclub bouncer who never checks ID, a GPS happily routing you into a lake, and a kid scribbling their name on someone else’s homework and getting full credit. Beneath the memes, though, the mood was serious: if one basic check can block a chunk of hijacks, readers think the industry is out of excuses.

Key Points

  • Cloudflare analyzed recent route hijacks reported by Spamhaus that appeared to use forged BGP AS_PATHs and unused ASNs.
  • The article says forged AS_PATHs can misdirect traffic, hide the attacker’s identity, and make a hijacker appear to be the prefix origin.
  • Cloudflare presents First-AS validation—checking that a peer’s ASN is the first AS in advertised routes—as a simple mitigation.
  • A hijack example involving an Orange S.A. prefix was examined using the monocle tool and a captured BGP UPDATE message.
  • Cloudflare says it stress-tested major networks and reviewed BGP implementations to assess how well First-AS safeguards are implemented.

Hottest takes

"The internet is held together by duct tape and a checkbox nobody enabled" — neteng_throwaway
"So the big fix is literally ‘ask who sent this’ — amazing stuff" — packetspls
"Everyone saying ‘easy fix’ has never touched a crusty router at 3 a.m." — bgp_grandpa

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.