Category: Hijack

Large hijack affects reachability of high traffic destinations

Posted by Andree Toonk - April 22, 2016 - Hijack

April 23, Update: NOC Team at innofield posted an explanation of the Incident in the comments section below. Starting today at 17:09 UTC our systems detected a large scale routing incident affecting hundreds of Autonomous systems. Many BGPmon users have received an email informing them of this change. Our initial investigation shows that the scope […]


Large scale BGP hijack out of India

Posted by Andree Toonk - November 6, 2015 - Hijack

BGP hijacks happen every day, some of them affect more networks than others and every now and then there’s a major incident that affects thousands of networks. Our monitoring systems keep an eye out for our users and if you would like to have a general idea of what’s going on in the world of […]


How Hacking Team Helped Italian Special Operations Group with BGP Routing Hijack

Posted by Andree Toonk - July 12, 2015 - Hijack

By Andree Toonk and Dhia Mahjoub. As part of the Hacking Team fallout and all the details published on Wikileaks, it became public knowledge that Hacking Team helped one of their customers, Special Operations Group (ROS), regain access to Remote Access Tool (RAT) clients. As first reported here: http://blog.bofh.it/id_456 ROS recommended using BGP hijacking […]


BGP Optimizer Causes Thousands Of Fake Routes

Posted by Andree Toonk - March 27, 2015 - Hijack

Earlier today many BGPmon users received one or more alerts informing them that their autonomous system (AS) started to announce a more-specific prefix. BGPmon classified many of these alerts as possible BGP man-in-the-middle (MITM) attacks. Here is an example alert: ==================================================================== Possible BGP MITM attack (Code: 21) ==================================================================== Your prefix: 23.20.0.0/15: Prefix Description: acxiom-online.com — […]


BGP routing incidents in 2014, malicious or not?

Posted by Andree Toonk - February 17, 2015 - BGPmon.net, Hijack

Over the last year we have seen and written about numerous BGP routing incidents that looked out of the ordinary, straight-up suspicious or were just configuration mistakes. In this blog post we will highlight a few of them and look at the impact and cause of each of the observed incidents and try to determine […]


BGP hijack incident by Syrian Telecommunications Establishment

Posted by Andree Toonk - December 9, 2014 - Hijack

The Syrian national Telecommunications Establishment (STE) has been in the news numerous times over the last few years, mostly because of the long lasting large scale Internet outages in Syria. This morning however we observed a new incident involving the two Autonomous systems for STE (AS29386 and AS29256). Starting at 08:33 UTC we detected that hundreds of […]


Using BGP data to find Spammers

Posted by Andree Toonk - September 3, 2014 - Hijack

It’s long been assumed that Spammers use a technique called IP squatting to get around IP reputation lists and to make it harder to find the real source of the spammers. In this blog we’ll take a closer look at Spam operations and their techniques. IP Squatting We’ve all read the reports about IPv4 running […]


The Canadian Bitcoin Hijack

Posted by Andree Toonk - August 12, 2014 - Hijack

A few days ago researchers at Dell SecureWorks published the details of an attacker repeatedly hijacking BGP prefixes for numerous large providers such as Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba and more. The goal of the operation was to intercept data between Bitcoin miners and Bitcoin mining pools. They estimated that $83,000 was made with this […]


Hijack event today by Indosat

Posted by Andree Toonk - April 3, 2014 - Hijack, News and Updates

Today we observed a large-scale ‘hijack’ event that affected many of the prefixes on the Internet. This blog post is to provide you with some additional information. What happened? Indosat, AS4761, one of Indonesia’s largest telecommunication networks normally originates about 300 prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new […]


Turkey Hijacking IP addresses for popular Global DNS providers

Posted by Andree Toonk - March 29, 2014 - Hijack, News and Updates

At BGPmon we see numerous BGP hijacks every single day, some are interesting because of the size and scale of the hijack or as we’ve seen today because of the targeted hijacked prefixes. It all started last weekend when the Turkish president ordered the censorship of twitter.com. This started with a block of twitter by […]


Looking at the spamhaus DDOS from a BGP perspective

Posted by Andree Toonk - March 30, 2013 - BGP instability, Hijack

It’s been a busy week for network engineers worldwide, rerouting around broken optical links and of course the 300Gb/s DDOS attack towards Spamhaus and Cloudflare. This DDOS has been classified as the largest DDOS attack ever recorded and has been written about quite a bit in mainstream media. There’s been a bit of discussion […]


Accidentally stealing the Internet

Posted by Andree Toonk - January 8, 2013 - Hijack, News and Updates

Just a few days ago we learned about an incident involving a mis-issued SSL certificate that was used in a Man in the Middle attack to intercept Gmail data. In this blog post we’ll talk about how Man in the Middle (MITM) attacks work and we’ll look at a recent BGP MITM event that caused traffic […]


F-Root DNS server moved to Beijing

Posted by Andree Toonk - October 3, 2011 - Hijack

Systems such as DNS (root) servers often rely on anycast technology to improve availability and response time. The idea behind anycast is that the same prefix is announced from multiple geographically separated systems. As a result the client should always end up at the closest (as seen from a BGP […]


Facebook’s detour through China and Korea

Posted by Andree Toonk - March 26, 2011 - Hijack

Many of you remember the story of about a year ago, when we reported that a Chinese network was announcing a significant part of the prefixes on the Internet. Networks affected by this incident included big names such as dell.com and cnn.com as well as U.S. government (.gov) and military (.mil) sites, including those for […]


Securing BGP routing with RPKI and ROA’s

Posted by Andree Toonk - January 19, 2011 - Hijack, IRR, RPKI

Securing BGP has been on the todo list of the IETF and the community at large for many years. Over the years we’ve seen several proposals; the Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems. It allows us to verify whether an Autonomous […]


‘Hijack’ by AS4761 – Indosat, a quick report

Posted by Andree Toonk - January 15, 2011 - Hijack

This is just a quick post to address some of the emails I’ve received today. Quite a bit of BGPmon.net users have received a notification regarding a possible hijack of their address space. On Friday January 14th AS4761, INDOSAT-INP-AP, started to originate a large number of new prefixes. A quick check shows that AS4761 originated […]


Chinese BGP hijack, putting things into perspective

Posted by Andree Toonk - November 21, 2010 - Hijack

China denies hijacking a huge chunk of US net traffic
Internet Traffic from U.S. Government Websites Was Redirected Via Chinese Networks


Google’s services redirected to Romania and Austria

Posted by Andree Toonk - August 23, 2010 - Hijack

BGP hijacks happen every day; the majority of them don’t affect a large geographic region and are only noticed by a small number of users. Every now and then however we see an event that affects many users, either because of the geographic scale or simply because of the specific prefix that is affected. The latter […]


Chinese ISP hijacks the Internet

Posted by Andree Toonk - April 8, 2010 - Hijack

This morning many BGPmon.net users received an alert regarding a possible prefix hijack by a Chinese network. AS23724 is one of the Data Centers operated by China Telecom, China’s largest ISP. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation only originates about 40 prefixes, however today for about 15 minutes they originated about ~37,000 unique prefixes […]


BGP leak in Italy

Posted by Andree Toonk - October 10, 2009 - Hijack

Friday morning around 07:22:08 UTC AS9035 (Wind Telecomunicazioni) started to announce approximately 85.000 prefixes with an invalid origin AS. The origin AS was set to AS9035 while these prefixes did not belong to AS9035. The impact was local to a number of Italian providers, all Telecom Italia customers. The incident was resolved in about ~2 […]


Did AS13214 really hijack the Internet?

Posted by Andree Toonk - May 11, 2009 - Hijack

This morning there was a discussion about a possible prefix hijack by AS13214 on the Nanog list. Cyclops users received a notification email notifying them that AS13214 was announcing their prefix. I just went through some of the raw data and this is what I found. It seems it was picked up by the route-views4 […]


BGPmon now has full IPv6 support!

Posted by Andree Toonk - November 25, 2008 - BGPmon.net, bogons, Hijack, IPv6

I am happy to announce that BGPmon now has full IPv6 support! This means that you can now monitor your IPv6 prefixes just as you are monitoring your IPv4 prefixes. All the codes, alarm messages etc. are the same as for IPv4. It took a while because I had to write a few new libraries […]


Prefix hijack by AS16735

Posted by Andree Toonk - November 11, 2008 - Hijack

Many BGPmon.net users received a notification email regarding a possible prefix hijack. I just went over the data files manually and verified the leak. For those interested, let me share with you what I saw in the raw data. Between 01:55 UTC and 02:15, 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes […]
