Large scale BGP hijack out of India

Posted by Andree Toonk - November 6, 2015 - Hijack - 1 Comment

BGP hijacks happen every day. Some affect more networks than others, and every now and then there’s a major incident that affects thousands of networks. Our monitoring systems keep an eye out for our users, and if you would like a general idea of what’s going on in the world of BGP incidents, keep an eye on BGPstream.com. Earlier today we detected one of those major incidents that affected thousands of networks.

Starting at 05:52 UTC, AS9498 (BHARTI Airtel Ltd.) started to claim ownership of thousands of prefixes by originating them in BGP. This affected prefixes belonging to over two thousand unique organizations (autonomous systems).

Our systems detected origin AS changes (hijacks) for 16,123 prefixes. The scope and impact were different per prefix, but to give you an idea, about 7,600 of these announcements were seen by five or more of our peers (unique peer ASNs) and 6,000 of these were seen by more than 10 of our peers.
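The kind of origin-change check and per-peer visibility count described above can be sketched as follows. This is an added example, not the monitoring system's own code: the prefixes are documentation ranges, the peer ASNs are documentation ASNs, and the prefix-to-origin baseline is constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline: documentation prefixes mapped to the origin AS expected
# for them (ASNs borrowed from the article; the prefixes are not really theirs).
EXPECTED = {
    "192.0.2.0/24": {39891},
    "198.51.100.0/24": {714},
    "203.0.113.0/24": {7545},
}

def make_updates():
    """Constructed feed: (peer ASN, prefix, AS path as received from that peer)."""
    updates = []
    # 11 peers (documentation ASNs 64496-64506) see 192.0.2.0/24 from AS9498.
    for peer in range(64496, 64507):
        updates.append((peer, "192.0.2.0/24", f"{peer} 174 9498"))
    # 5 peers see 198.51.100.0/24 from AS9498 (prepended path).
    for peer in range(64496, 64501):
        updates.append((peer, "198.51.100.0/24", f"{peer} 52320 9498 9498"))
    # The same peer re-announces via another path: must not be counted twice.
    updates.append((64496, "198.51.100.0/24", "64496 174 9498"))
    # Legitimate announcement: origin matches the baseline, so no event.
    updates.append((64496, "203.0.113.0/24", "64496 174 7545"))
    # Only 2 peers see this origin change: below both reporting thresholds.
    for peer in (64496, 64497):
        updates.append((peer, "203.0.113.0/24", f"{peer} 174 9498"))
    return updates

def origin_changes(updates, expected):
    """Map (prefix, unexpected origin) -> set of unique peer ASNs that saw it."""
    seen = defaultdict(set)
    for peer, prefix, path in updates:
        origin = int(path.split()[-1])  # the origin AS is the last hop in the path
        allowed = expected.get(prefix)
        if allowed is not None and origin not in allowed:
            seen[(prefix, origin)].add(peer)
    return dict(seen)

def visibility(changes):
    """Bucket events as the article reports them: >=5 peers and >10 peers."""
    counts = {"total": len(changes), "five_or_more": 0, "more_than_ten": 0}
    for peers in changes.values():
        counts["five_or_more"] += len(peers) >= 5
        counts["more_than_ten"] += len(peers) > 10
    return counts

if __name__ == "__main__":
    print(visibility(origin_changes(make_updates(), EXPECTED)))
```

Counting unique peer ASNs rather than raw updates keeps a flapping or repeated announcement from inflating how widely a hijacked route appears to have propagated.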

One of the reasons this was so widespread is that large networks such as AS174 (Cogent Communications) and AS52320 (GlobeNet Cabos Submarinos VZLA) accepted these prefixes and propagated them to their peers and customers.

The BGPlay visualization below shows an example hijack for a prefix normally announced by AS39891 Saudi Telecom Company JSC.

[Screenshot: BGPlay visualization]

Some of the networks that were most impacted in terms of number of prefixes affected include:

AS20940, AS16625 and AS35994 – Akamai International
AS7545 – TPG Telecom Limited
AS8402 – OJSC Vimpelcom
AS39891 – Saudi Telecom Company JSC
AS45528 – Tikona Digital Networks Pvt Lt
AS24378 – Total Access Communication PLC
AS4755 – TATA Communications
AS7552 – Viettel Corporation
AS9605 – NTT DOCOMO, INC.
AS2914 – NTT America, INC.
AS3257 – GTT
AS714 – Apple Inc

Below is an example screenshot from our portal for one of the affected Amazon prefixes.

[Screenshot: portal view of an affected prefix]

The last ‘bad’ announcements cleared at 14:40 UTC today, concluding the intermittent hijacks that started at 05:52 UTC today. Whether this event was intentional or, more likely, a configuration error or bug, incidents like these can significantly impair the reachability of your prefixes.

For those interested in events like this, feel free to try our monitoring service for free, keep an eye on BGPstream.com, or follow @BGPstream on Twitter, where our systems automatically publish a filtered list of BGP incidents.
