BGP hijack incident by Syrian Telecommunications Establishment

Posted by Andree Toonk - December 9, 2014 - Hijack - 2 Comments

The Syrian national Telecommunications Establishment (STE) has been in the news numerous times over the last few years, mostly because of the long lasting large scale Internet outages in Syria. This morning however we observed a new incident involving the two Autonomous systems for STE (AS29386 and AS29256). Starting at 08:33 UTC we detected  that hundreds of new prefixes were being announced by primarily AS 29386. The new BGP announcements by STE (AS29386) were for prefixes that are not owned or operates by the Syrian Telco and as a result triggered ‘hijack / origin AS’ alerts for numerous BGPmon users. The announcements lasted for a few minutes only and we saw paths changing back to the original origin AS at about 08:37 UTC.

RIPE stat has some great tools that visualize the event, this example shows what happened to the youtube prefix 208.117.232.0/24

Youtube prefix hijack

Propagation
STE buys upstream connectivity to the rest of the Internet via three providers, AS3491 (PCCW Global), AS3320 (Deutsche Telekom AG) and AS6762 (Telecom Italia Sparkle). The ‘bad’ BGP updates from this morning were only seen via Telecom Italia. This is either because STE only announced it to Telecom Italia, or because the other two providers filtered correctly. It’s clear that in this case Telecom Italia failed to filter correctly as it should have never accepted the prefixes from AS 29386 (STE).

Scope and impact
In total we detected 1481 prefixes that were affected by this hijack which last for a few minutes. Most of these events were seen globally so it’s likely that connectivity to these prefixes was affected for that brief period. The 1481 prefixes belong to 306 unique Autonomous Systems (organizations) from around the globe.
Note worthy networks that were affected include US DOD, Chicago Public Schools , Level3, Savis, Telstra, UPC Liberty Global, Comcast, Time Warner Cable, Tiscali UK, China Enterprise Communications, Internet2, Province of New Brunswick, Yandex, Rogers Communications, Uganda Telecom, Dell, Sanford Airport Authority, Kabel Deutschland, Red Hat, YOUTUBE, Iran Post Company, Etihad Atheeb Telecom Company, Akamai, Telefonica Germany and many more.

It’s unclear what the cause of this incident is, but typically large scale and short-lived hijacks like these are due to configuration mistakes as compared to intentional hijacks with a malicious purpose. Whatever the root cause and intent is, the result was that the users of these prefixes will likely have seen a short partial outage or performance degradation during this period while some of their traffic was being routed to Syria.

2 comments

Leave a Reply

Your email address will not be published. Required fields are marked *