BGP hijacking concerns with smaller ASNs—how do you mitigate?
hey all, we're looking at peering agreements with a few transit providers and I'm starting to get paranoid about route hijacking. we're running a /22 from RIPE and our ASN is pretty new (AS207xxx).
right now we're doing basic prefix filtering, but I'm seeing a lot of talk about RPKI and ROA validation. question is—how many of you are actually validating ROAs on inbound routes? is this table stakes now or still optional for smaller networks?
also curious if anyone's had to deal with accidental leaks from their providers. had a buddy's /24 accidentally announced by Cogent last year and it took hours to sort out.
thoughts? what's your setup look like?
Edited at 26 Mar 2026, 10:45
RPKI validation is basically mandatory now if you're doing serious peering. We started with just prefix filters too, but the number of accidental hijacks we caught once we enabled ROA checking was eye-opening—most were honest mistakes from other operators.
Fwiw, the hard part isn't validation itself, it's convincing your upstream transits to actually validate on their side. Many still don't. You can be perfect, but if your upstream doesn't validate inbound, you're still exposed. Worth asking your transit providers explicitly what they're doing—their answer tells you a lot.
For a /22 from RIPE, definitely get your ROAs set up in the RIPE IRR. Check bgp.tools to see if anyone's already hijacking your space (spoiler: probably not, but good to know).
yeah that's what I was worried about—sounds like RPKI is becoming table stakes. good point on the accidental hijacks; I hadn't realized how common those are. gonna prioritize setting up ROA validation with our transit providers this week. thanks!
One thing nobody mentions: even if you set up ROA validation, make sure your transit providers are actually doing it on their side. We got burned once because our upstream claimed they had RPKI enabled but they were only checking some prefixes. Check with them directly, ask for their validation policy. Also consider using tools like https://bgp.tools/ to monitor your own announcements—catches weird stuff fast.
Don't forget to actually publish your ROAs first—sounds obvious but we've seen new ASNs set up inbound validation before they had their own prefixes signed. Also worth checking bgp.tools to see if your upstream is already rejecting INVALID routes, which tells you if they're validating. If they're not, you might be the canary in the coal mine when they finally flip the switch.
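To make the ROA checking the replies above talk about concrete, here is an added example (not from any poster, and not a real validator such as Routinator or a router's RPKI-RTR client) that implements RFC 6811 route origin validation over a constructed ROA set: an announcement is Valid if some covering ROA matches its origin AS and its prefix length is within the ROA's maxLength, Invalid if covering ROAs exist but none match, and NotFound if no ROA covers it. The same code doubles as the "publish your ROAs first" pre-flight check from the last reply: run your own planned announcements through it and make sure none come back Invalid or NotFound before you or your upstream start dropping Invalids. All prefixes and AS numbers are constructed documentation values, not anyone's real allocation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed ROA record: "origin `asn` may announce `prefix` and any
# more-specific down to `max_length`" (what you publish in your RIR's RPKI portal).
@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


def covering_roas(roas: List[ROA], announced_prefix: str) -> List[ROA]:
    """Return every ROA whose prefix covers (equals or contains) the announced one."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed v4/v6, so compare families first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def validate(roas: List[ROA], announced_prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation state: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = covering_roas(roas, announced_prefix)
    if not covering:
        return "NotFound"           # nobody has signed this space yet
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"                # covered, but wrong origin or too specific


def apply_policy(roas: List[ROA], announcements: List[Tuple[str, int]]):
    """Typical inbound policy: drop Invalid, keep Valid and NotFound (log NotFound)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate(roas, prefix, asn)
        (rejected if state == "Invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


def preflight_own_routes(roas: List[ROA], planned: List[Tuple[str, int]]):
    """Pre-flight check before enabling validation anywhere in the path:
    returns the planned announcements that would NOT be Valid under the
    currently published ROAs (i.e. ROAs you still need to create or fix)."""
    return [(p, a, validate(roas, p, a)) for p, a in planned
            if validate(roas, p, a) != "Valid"]


# Constructed ROA set: AS64496 signs 192.0.2.0/24 (no more-specifics allowed)
# and 2001:db8::/32 down to /48.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

# Constructed inbound announcements seen from a transit session.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate
    ("192.0.2.0/25", 64496),     # right origin, but more specific than maxLength
    ("192.0.2.0/24", 64511),     # wrong origin: classic hijack or fat-fingered config
    ("198.51.100.0/24", 64496),  # no ROA published for this space at all
    ("2001:db8:1::/48", 64496),  # legitimate v6 more-specific
    ("2001:db8:1::/64", 64496),  # exceeds maxLength 48
]

if __name__ == "__main__":
    accepted, rejected = apply_policy(ROAS, ANNOUNCEMENTS)
    for row in accepted:
        print("ACCEPT", *row)
    for row in rejected:
        print("REJECT", *row)
    # What a new ASN should run before turning validation on:
    print("needs ROA work:", preflight_own_routes(ROAS, [("198.51.100.0/24", 64496)]))
```

The two Invalid-by-maxLength cases are the ones the first reply calls "honest mistakes": the origin is right, the operator just announced a more-specific their ROA never allowed. Note that real validators also handle overlapping ROAs from several ASNs and ROA expiry; this example only covers the core matching rule.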