AS-Path Prepend

Since it it so commonly used, what is the problem with the excessive use of AS_Path prepend? Here are a few examples:

The risk of excessive use of AS_Path prepend can be illustrated with real-world examples. Consider the Ukranian prefix (95.47.142.0/23) which is normally announced with an inordinate amount of prepending. A recent analysis revealed that 95.47.142.0/23 is announced to the world along the following AS path: 3255 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 197158 In this example, the origin AS197158 appears 23 consecutive times before being passed on to a single upstream (AS3255), which passes it on to the global internet, prepended-to-all. An attacker wanting to intercept or manipulate traffic to this prefix might enlist a datacenter of questionable morals who would allow announcements of the same prefix with a fabricated AS path such as 999999 3255 197158. Here the fictional AS999999 represents the shady datacenter. This malicious route would be pretty popular due to the shortened AS path length and might go unnoticed by the true origin, even if route-monitoring had been implemented. Standard BGP route monitoring checks a route’s origin and upstream and both would be intact in this scenario. The length of the prepending gives the attacker room to craft an AS path that would appear plausible to the casual observer, comply with origin validation mechanisms, and not be detected by off-the-shelf route monitoring.

In April 2010, China Telecom experienced a routing leak. While analyzing the leak something peculiar was noticed. When we ranked the approximately 50,000 prefixes involved in the leak based on how many ASes accepted the leaked routes, most of the impact was constrained to Chinese routes. However, two of the top five most-propagated leaked routes (listed in the table below) were US routes. Was there some grand conspiracy to intercept traffic destined for these routes? Actually, it was due to something much more troubling: gratuitous AS path prepending. During the routing leak, nearly all of the ASes of the internet preferred the Chinese leaked routes for 12.5.48.0/21 and 12.4.196.0/22 because, at the time, these two US prefixes were being announced to the entire internet along the following excessively prepended AS path: 3257 7795 12163 12163 12163 12163 12163 12163. With this odd configuration, virtually any illegitimate route, whether a deliberate hijack or an inadvertent leak, would be preferred over the legitimate route. In this case, the victim is all but ensuring their victimhood. There was only a single upstream seen in the prepending example from above, so the prepending was achieving nothing while incurring risk of hijacked traffic during a routing leak or hijack. You’d think such mistakes would be relatively rare, especially now, 10 years later. As it turns out, there is quite a lot of prepending-to-all going on right now and during leaks, it doesn’t go well for those who make this mistake. While one can debate the merits of prepending to a subset of multiple transit providers, it is difficult to see the utility in prepending to every provider. In this configuration, the prepending is no longer shaping route propagation. It is simply incentivizing ASes to choose another origin if one were to suddenly appear whether by mistake or otherwise.

So what happens when a non-prepended route competes against an excessively prepended route? Let’s consider a real-world example. The Polish route 91.149.240.0/22 is normally announced with the origin prepended three times (41952 41952 41952) to three providers and prepended twice to a fourth. Beginning at 15:28:14 UTC on June 6, a new origin that was not prepended appeared in the routing table for this route. As is illustrated in the graphic below, AS60781 quickly became the most popular version of this route for the next week until it disappeared. When both AS41952 and AS60781 were in contention for being considered the origin of this prefix, the non-prepended route was dominating as we would expect. In some cases, the impact of prepending isn’t as straightforward. Let’s take 66.220.224.0/19 as an example. This prefix is prepended but isn’t one of the 60,000 prepended-to-all routes mentioned earlier because its prepending is only visible to a little more than half of our BGP sources. In any event, this prefix is announced to the internet in two ways: it’s prepended to AS6939 and not prepended to AS174: ...6939 17356 17356 17356 17356 17356 17356 17356 17356 17356 17356 17356 ...174 17356 From these two route options, one might reasonably infer that it is 17356’s intention to deprioritize routes to AS6939 by prepending itself 10 times on routes to that upstream. It may seem to follow that the non-prepended path to AS174 would be the most popular. However, the opposite is true. Despite extensive prepending, AS6939 is the more popular choice. In this case, prepending is going up against the local preferences of a legion of ASes: AS6939 has an extensive peering base of thousands of ASes. These ASes opt to send traffic for free through their AS6939 peering links instead of having to pay to send traffic through a transit provider (and via AS174) regardless of the AS path length. AS17356 could prepend their routes to AS6939 100 times (please don’t!) and AS6939 would still be the more popular provider. Keep in mind that the average AS diameter of the internet is only around 4 hops, so prepending more than a couple of times buys you nothing.

Out of approximately 750,000 routes in the IPv4 global routing table, nearly 60,000 BGP routes are prepended to 95% or more of hundreds of BGP sources. About 8% of the global routing table, or 1 out of every 12 BGP routes, is configured with prepends to virtually the entire internet. The 60,000 routes include entities of every stripe: governments, financial institutions, even important parts of internet infrastructure. Much of the worst propagation of leaked routes during big leak events have been due to routes being prepended-to-all. AS4671 leak of April 2014 (>320,000 prefixes) was prepended-to-all. And the AS4788 leak of June 2015 (>260,000 prefixes) was also prepended-to-all. Prepended-to-all prefixes are those seen as prepended by all (or nearly all) of the ASes of the internet. In this configuration, prepending is no longer shaping route propagation but is simply incentivizing ASes to choose another origin if one were to suddenly appear whether by mistake or otherwise. The percentage of the IPv4 table that is prepended-to-all is growing at 0.5% per year. The IPv6 table is growing slower at 0.2% per year. The reasons for using prepend-to-all appears to be due to 1) the AS forgetting to remove the prepending for one of its transit providers when it is no longer needed and 2) the AS attempting to de-prioritize traffic from transit providers over settlement-free peers and 3) there are simply a lot of errors in BGP routing. Consider the prepended AS path of 181.191.170.0/24 below: 52981 267429 267429 267492 267492 267429 267429 267492 267492 267429 267429 267492 267492 267429 The prepending here involves a mix of two distinct ASNs (267429 and 267492) with the last two digits transposed.

Some BGP implementations have had memory corruption/fragmentation problems with long AS_PATHS.

There was an Internet-wide outage caused by a single errant routing announcement. In this incident, AS47868 announced its one prefix with an extremely long AS path. Someone entered their ASN instead of the prepend count 47868 modulo 256 = 252 prepends and when a path lengths exceeded 255, routers crashed