RTSAK.COM

Search for stuff

Prefix Origin - Validate IP Block Ownership

Verify the legitimate origin of any IP prefix. Prefix origin lookup shows which Autonomous System should announce a block and whether current routing matches authorized origins - essential for detecting hijacks and misconfigurations.

Why Prefix Origin Matters

IP hijacking occurs when unauthorized networks announce prefixes they don't own. Traffic intended for legitimate destinations gets misdirected - enabling interception, denial of service, or fraud.

Prefix origin validation answers: "Who is supposed to announce this prefix, and does current routing match?"

Validation Data Sources

  • Regional Internet Registry (RIR) allocations - Official IP address assignments
  • Internet Routing Registry (IRR) - Published routing policy and origin ASNs
  • RPKI ROAs - Cryptographically signed origin authorizations
  • Historical routing - Long-term patterns showing established origin

Reading Origin Results

Authorized origin - The ASN with documented rights to announce the prefix, from IRR or RPKI data.

Observed origin - ASNs currently announcing the prefix in BGP.

Match status - Whether observed matches authorized. Mismatches warrant investigation.

ROA validity - RPKI status: Valid (matches ROA), Invalid (conflicts with ROA), or Unknown (no ROA exists).

Investigating Mismatches

Not every mismatch is malicious. Legitimate causes include:

  • Outdated IRR records after authorized transfers
  • Anycast configurations with multiple legitimate origins
  • Customer prefix announcements by upstream providers
  • Transition periods during network changes

Context matters. A mismatch for a bank's prefix is more concerning than for a CDN's anycast range. Investigate by checking RIR records and contacting the allocated organization.

→ Validate a prefix origin

FAQ

What's an RPKI ROA? A Route Origin Authorization is a signed statement in the RPKI system declaring which AS is authorized to originate a prefix. It's the strongest form of origin validation.

Can I create ROAs for my prefixes? If you have direct RIR allocation, you can create ROAs through your RIR's portal. If you have provider-assigned space, work with your provider.

What happens when routes are RPKI-invalid? Networks implementing RPKI filtering may drop invalid routes. Coverage varies - not all networks filter yet.

How do I report a hijack? Contact the RIR responsible for the prefix, your upstream providers, and the prefix owner if identifiable. Include evidence from route lookup.