Regarding smaller prefix for hijack protection

William Herrin bill at
Thu Aug 30 10:41:36 CDT 2012

On Thu, Aug 30, 2012 at 7:54 AM, Anurag Bhatia <me at> wrote:
> Is using /24 a must to protect (a bit) against route hijacking?

Hi Anurag,

Not only is it _not_ a must, it doesn't work and it impairs your
ability to detect the fault.

In a route hijacking scenario, traffic for a particular prefix will
flow to the site with the shortest AS path from the origin. Your /24
competes with their /24. Half the Internet, maybe more maybe less
depending on how well connected each of you are, will be inaccessible
to you.

The fault presents as a partial outage: you can get to everything
nearby but the further away the customer is, the worse chance he has
of reaching you. Since there are lots of partial outages on the
Internet and BGP hijacks are rare, your customer support team won't
take the first couple calls seriously. I can reach it from our test
ISP so the problem must lie with your ISP. Sorry.

On the flip side, if you announce a covering route and someone hijacks
with a /24, all traffic follows the most specific route: the hijacker.
You detect this condition pretty much immediately, at which point you
can collide him with a /24 announcement while contacting him and his
peers to get the offending announcement killed.

> Also, if one uses /22 and /24 - will both prefixes will show in Global
> routing table? I know /24 will be prefered but will ISP see /22 as well or
> it will pop up only when /24 is filtered?

Unless one of the transit providers is behaving badly or you use BGP
communities to explicitly limit propagation of the announcement, all
routers in the default-free zone (DFZ, aka Internet core) will see
both the /22 and the /24 in their routing information base (RIB). When
this is processed into the forwarding information base (FIB) only one
next hop will be selected - the one from the /24.

A number of very smart people have sought an algorithm to allow
intermediate nodes to aggregate the /24 into the /22 without damaging
the network (black holes). No such algorithm has been identified. As
near as anyone can figure, only the source of the announcement can
safely aggregate it.

On the other hand, if you announce, say, the /24 via multiple ISPs
most routers will only see the path to one of them (the closest one)
at any given time. When a router reannounces the path to you via BGP
to its peers, it only offers the path it selected as best for that
particular prefix.

A fair bit of traffic engineering is based on announcing a covering
route to everybody (the /22 in your example) and then announcing a
more specific (the /24) to a particular ISP peer with a set community
strings attached that tells the ISP to only propagate the route to
specific peers.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004

More information about the NANOG mailing list