The world of BGP routing is a fascinating place with lots of interesting BGP events happening every day. It can be challenging to keep track of it all, and so two years ago we started the BGPstream website, where we keep track of large scale outages and BGP hijacks. We list the events and basic info, and visualize them with one of my favorite tools: BGPlay. Those of you who keep an eye on @bgpstream probably noticed a curious series of BGP hijacks today, all by the same autonomous system and affecting many well known networks.
From April 26 22:36 UTC until approximately 22:43 UTC, AS12389 (PJSC Rostelecom) started to originate 50 prefixes belonging to numerous other autonomous systems. The 50 hijacked prefixes belong to 37 unique autonomous systems, and the complete list of affected networks can be found below. If your organization is in this list, feel free to reach out and we can provide more details if needed. Keep in mind that many of these hijacks are already published on BGPstream.com.
So back to this incident, what happened here? What makes the list of affected networks 'curious' is the high number of financial institutions, for example: MasterCard, Visa, Fortis, Alfa-Bank, card complete Service Bank and more.
The other curious thing is that this included several more specific prefixes. One example is this one for HSBC: https://bgpstream.com/event/80330
This indicates this is not your typical 'leak' (say BGP > OSPF > BGP), because the prefix normally exists as 126.96.36.199/23, not as the /24 announced by Rostelecom. So someone (likely 12389 Rostelecom) is inserting it into their routing tables themselves. The question is why? One typical scenario where this is normally done is some kind of traffic engineering or traffic redirection.
It's also worth noting that at the same time as the hijacks we did see many (78) new advertisements originated by 12389 for prefixes of 'other' Rostelecom ASNs (29456, 21378, 13056, 13118, 8570). So something probably went wrong internally, causing Rostelecom to start originating these new prefixes.
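The distinction drawn above, between an origin change on an existing prefix, a new more specific prefix from an unexpected AS, and a prefix originated by a sibling AS of the same operator, can be checked mechanically against a baseline of expected origins. The following is an added example, not BGPmon's code; the prefixes, AS numbers and the "carrier-x" operator name are constructed from benchmark and documentation ranges.

```python
import ipaddress

# Constructed baseline: prefix -> origin AS normally seen (benchmark address range).
BASELINE = {"198.18.0.0/23": 64500, "198.18.4.0/24": 64501, "198.18.8.0/22": 64510}
# Constructed mapping of ASNs run by the same operator (hypothetical "carrier-x").
ORGS = {64496: "carrier-x", 64510: "carrier-x"}

def covering_route(net, baseline):
    """Return (network, origin) of the longest baseline prefix covering net, or None."""
    best = None
    for prefix, origin in baseline.items():
        base = ipaddress.ip_network(prefix)
        if base.version != net.version or not net.subnet_of(base):
            continue
        if best is None or base.prefixlen > best[0].prefixlen:
            best = (base, origin)
    return best

def classify(prefix, origin, baseline=BASELINE, orgs=ORGS):
    """Classify one announcement (prefix, origin AS) against the baseline."""
    net = ipaddress.ip_network(prefix)
    match = covering_route(net, baseline)
    if match is None:
        return "unknown-prefix"
    base, expected = match
    if origin == expected:
        return "expected-origin"
    if orgs.get(origin) is not None and orgs.get(origin) == orgs.get(expected):
        return "sibling-origin"          # same operator, different ASN
    if net.prefixlen > base.prefixlen:
        return "more-specific-mismatch"  # new, longer prefix from an unexpected AS
    return "exact-prefix-mismatch"       # known prefix, unexpected origin AS

if __name__ == "__main__":
    # Constructed announcements, all but the last originated by AS64496.
    for ann in [("198.18.0.0/24", 64496), ("198.18.4.0/24", 64496),
                ("198.18.8.0/22", 64496), ("198.18.0.0/23", 64500)]:
        print(ann, "->", classify(*ann))
```

A more specific prefix wins longest-match forwarding wherever it propagates, which is why the `more-specific-mismatch` case deserves a higher alert priority than an origin change on the existing prefix.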
Never attribute to malice that which is adequately explained by... well, let's say an innocent misconfiguration. If this was in fact an attempt to purposely redirect traffic for some of these financial institutions, it was done in a very visible and large scale manner, so from that perspective perhaps not too likely. Then again, given the number of high value prefixes all of the same category (financial institutions and credit card processors), it seems a bit more than an innocent accidental hijack, especially considering the fact that new more specific prefixes were introduced.
For sure an interesting and curious case, so keep an eye on @bgpstream or sign up for our BGP monitoring service and be alerted as soon as it happens!
Below is the list of affected networks (other Rostelecom networks excluded):
||Autonomous System Name
|| Federal State Unitary Enterprise Russian
|| LANTA Ltd
|| Visa International
|| Euro-Information-Europeenne de Traitemen
|| Servicios Para Medios De Pago S.A.
|| MCI Communications Services, Inc. d/b/a
|| Docapost Bpo SAS
|| Swisscom (Switzerland) Ltd
|| State Educational Institution of Higher
|| Worldline SA
|| The Federal Guard Service of the Russian
|| Worldline SA
|| The State Educational Institution of Hig
|| HSBC HongKong
|| TIME dotCom Berhad
|| Xand Corporation
|| EMC Corporation
|| SIA Lattelecom
|| SIA S.p.A.
|| 38, Teatralnaya st.
|| JSC Alfa-Bank
|| PJSC CB PrivatBank
|| ROSNIIROS Russian Institute for Public N
|| Servicios de Hosting en Internet S.A.
|| Reliance Communications Ltd.DAKC MUMBAI
|| Bank Zachodni WBK S.A.
|| MasterCard Technologies LLC
|| Fortis Bank N.V.
|| VeriSign Infrastructure & Operations
|| Netcetera AG
|| Ojsc Bank Avangard
|| Provus Service Provider SA
|| card complete Service Bank AG
|| Norvik Banka AS
|| Itera Norge AS