RTSAK.COM
Prefix Origin - Validate IP Block Ownership
Verify the legitimate origin of any IP prefix. Prefix origin lookup shows which Autonomous System should announce a block and whether current routing matches authorized origins - essential for detecting hijacks and misconfigurations.
Why Prefix Origin Matters
IP hijacking occurs when unauthorized networks announce prefixes they don't own. Traffic intended for legitimate destinations gets misdirected - enabling interception, denial of service, or fraud.
Prefix origin validation answers: "Who is supposed to announce this prefix, and does current routing match?"
Validation Data Sources
- Regional Internet Registry (RIR) allocations - Official IP address assignments
- Internet Routing Registry (IRR) - Published routing policy and origin ASNs
- RPKI ROAs - Cryptographically signed origin authorizations
- Historical routing - Long-term patterns showing established origin
Reading Origin Results
Authorized origin - The ASN with documented rights to announce the prefix, from IRR or RPKI data.
Observed origin - ASNs currently announcing the prefix in BGP.
Match status - Whether the observed origin matches the authorized origin. Mismatches warrant investigation.
ROA validity - RPKI status: Valid (matches ROA), Invalid (conflicts with ROA), or Unknown (no ROA exists).
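The ROA validity states above can be computed with the route origin validation procedure from RFC 6811, which also takes each ROA's maxLength into account (the RFC names the third state "NotFound"; the page's "Unknown" is used here). This is an added example, not the site's own code; the ROA list, prefixes and ASNs are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorized origin ASN).
# Prefixes and ASNs come from documentation ranges, not real allocations.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),     # exact /24 only
    ("198.51.100.0/24", 25, 64501),  # /24 and its /25s
    ("2001:db8::/32", 48, 64502),    # anything from /32 down to /48
]


def roa_validity(prefix, origin_asn, roas):
    """Classify one observed announcement as Valid, Invalid or Unknown."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if its prefix covers the announced route.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs a matching origin AND a length within maxLength.
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "Valid"
    # Covered but never matched: wrong origin or too specific a prefix.
    return "Invalid" if covered else "Unknown"


def check_observed(prefix, observed_origins, roas):
    """Map every observed origin ASN for a prefix to its ROA validity."""
    return {asn: roa_validity(prefix, asn, roas) for asn in observed_origins}


if __name__ == "__main__":
    # Constructed observations: prefix -> origin ASNs currently seen in BGP.
    observed = {
        "192.0.2.0/24": [64500, 64511],   # second origin is not authorized
        "192.0.2.0/25": [64500],          # right origin, beyond maxLength
        "198.51.100.128/25": [64501],
        "203.0.113.0/24": [64500],        # no covering ROA
    }
    for pfx, origins in observed.items():
        print(pfx, check_observed(pfx, origins, SAMPLE_ROAS))
```

A more-specific announcement from the authorized ASN is still Invalid when it is longer than maxLength, and an Unknown result says only that no ROA covers the prefix, not that the origin is legitimate.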
Investigating Mismatches
Not every mismatch is malicious. Legitimate causes include:
- Outdated IRR records after authorized transfers
- Anycast configurations with multiple legitimate origins
- Customer prefix announcements by upstream providers
- Transition periods during network changes
Context matters. A mismatch for a bank's prefix is more concerning than one for a CDN's anycast range. Investigate by checking RIR records and contacting the organization the block is allocated to.