A prefix origin lookup verifies which Autonomous System is authorized to announce an IP block and whether current BGP routing matches. Use rtsak.com to detect hijacks and misconfigurations.
Why Prefix Origin Matters
IP hijacking occurs when unauthorized networks announce prefixes they don't own. Traffic intended for legitimate destinations gets misdirected, enabling interception, denial of service, or fraud.
Prefix origin validation answers: "Who is supposed to announce this prefix, and does current routing match?"
Validation Data Sources
- Regional Internet Registry (RIR) allocations - Official IP address assignments
- Internet Routing Registry (IRR) - Published routing policy and origin ASNs
- RPKI ROAs - Cryptographically signed origin authorizations
- Historical routing - Long-term patterns showing established origin
Reading Origin Results
Authorized origin - The ASN with documented rights to announce the prefix, from IRR or RPKI data.
Observed origin - ASNs currently announcing the prefix in BGP.
Match status - Whether the observed origin matches the authorized origin. Mismatches warrant investigation.
ROA validity - RPKI status: Valid (matches ROA), Invalid (conflicts with ROA), or Unknown (no ROA exists).
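The three ROA validity states can be computed with the route origin validation procedure from RFC 6811, which calls the third state "NotFound". The sketch below is an added example, not rtsak.com's code; the `ROA` tuple, the function name, and the sample ROAs (documentation prefixes and documentation ASNs) are constructed for illustration.

```python
import ipaddress
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix the ROA authorizes
    max_length: int   # longest prefix length the origin may announce
    asn: int          # authorized origin ASN (0 means "nobody may originate")


# Constructed sample data: RFC 5737 / RFC 3849 prefixes, RFC 5398 ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
]


def rov_state(route_prefix: str, origin_asn: int,
              roas: Iterable[ROA] = SAMPLE_ROAS) -> str:
    """Return 'Valid', 'Invalid' or 'Unknown' for one observed announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the same origin AND a length within maxLength.
        # An AS0 ROA never matches any route.
        if (roa.asn != 0 and roa.asn == origin_asn
                and route.prefixlen <= roa.max_length):
            return "Valid"
    # Covered but unmatched conflicts with the ROA; uncovered has no ROA.
    return "Invalid" if covered else "Unknown"


if __name__ == "__main__":
    observed = [
        ("192.0.2.0/24", 64500),     # authorized origin, allowed length
        ("192.0.2.0/24", 64511),     # wrong origin
        ("192.0.2.0/25", 64500),     # right origin, more specific than maxLength
        ("203.0.113.0/24", 64500),   # no covering ROA
    ]
    for prefix, asn in observed:
        print(f"{prefix} from AS{asn}: {rov_state(prefix, asn)}")
```

Note the third case: an announcement from the authorized ASN is still Invalid when it is more specific than the ROA's maxLength allows.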
Investigating Mismatches
Not every mismatch is malicious. Legitimate causes include:
- Outdated IRR records after authorized transfers
- Anycast configurations with multiple legitimate origins
- Customer prefix announcements by upstream providers
- Transition periods during network changes
Context matters. A mismatch for a bank's prefix is more concerning than for a CDN's anycast range. Investigate by checking RIR records and contacting the allocated organization.