Chinese ISP hijacks the Internet

Posted by Andree Toonk - April 8, 2010 - Hijack - 25 Comments
This morning many users received an alert regarding a possible prefix hijack by a Chinese network. AS23724 is one of the data centers operated by China Telecom, China's largest ISP. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation only originates about 40 prefixes; however, today for about 15 minutes they originated about 37,000 unique prefixes that are not assigned to them. This is what we typically call a prefix hijack. This incident follows another concerning incident from China 2 weeks ago.

Although it seems they have leaked a whole table, only about 10% of these prefixes propagated outside of the Chinese network. These include prefixes for popular websites such as,,, and

A large number of networks impacted this morning were actually Chinese networks. These include some popular Chinese websites such as , ,, and

A list of all prefixes that were announced/hijacked can be found here.

The event has been detected globally by peers in the Netherlands, UK, Russia, Italy, Sweden, USA, Japan and Brazil. However, not all individual prefix 'hijacks' were detected globally: many were seen only by a few peers in one or two countries, but some by more.

Some details

All announcements had part of the AS path in common. The common part of the AS path is (note the prepend):

4134 23724 23724

Which are:

AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation

ASNs peering with AS4134 seem to have picked this up and propagated it to their customers. Some of these ASNs include:

AS9002 RETN-AS Autonomous System
AS12956 TELEFONICA Telefonica Backbone Autonomous System
AS209 ASN-QWEST - Qwest Communications Company, LLC
AS3320 DTAG Deutsche Telekom AG
AS3356 LEVEL3 Level 3 Communications
AS7018 ATT-INTERNET4 - AT&T WorldNet Services

All RIS peers that detected this were behind (transit/peer) one of those ASNs.

AS2914 NTT-COMMUNICATIONS-2914 - NTT America, Inc. customers

Looking at more routing information, it seems that AS2914 saw more than just the 10% mentioned above. So the impact for NTT America customers might have been bigger.

Impact

28% of the RIS collectors used by have detected these events. This means that quite a number of networks were impacted by this. The first announcement was detected at 2010-04-08 17:54:31 (UTC); the last 'hijack' announcement was at 2010-04-08 18:10:14. Most 'alerts' have now been cleared; they typically lasted a few minutes.

Probably more than the 51 peers mentioned above would have detected the prefix, but did not choose it as the best path, most likely due to the AS path length or other policies. I believe it's fair to assume that the impact in China and probably Asia was far bigger than in the rest of the world.

Possible Cause

I have not spoken with engineers from AS23724, so I can only speculate. Given the large number of prefixes and the short interval, I don't believe this is an intentional hijack. Most likely it's because of a configuration issue, i.e. fat fingers. But again, this is just speculation.

Prefix distribution

Most prefixes impacted by this were prefixes from the US and China. Below you'll find the top countries impacted:

Country => number of prefixes hijacked by AS23724
US => 10547
CN => 10298
KR => 2857
AU => 1650
MX => 885
IN => 719
JP => 604
BR => 592
FR => 508
RU => 471
CA => 425
TH => 372
ID => 369
IT => 338
CO => 328
GB => 322
CL => 302
SE => 281
HK => 276
EC => 272
DE => 227

Example alert message

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix:
Prefix Description:
Update time: 2010-04-08 16:09 (UTC)
Detected by #peers: 4
Detected prefix:
Announced by: AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation)
Upstream AS: AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
ASpath: 8331 9002 9002 4134 23724 23724
Alert details:
Mark as false alert:
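The fields in the alert above (announcing AS, upstream AS, number of detecting peers) can be derived from raw updates with an origin check like the following. This is an added example, not BGPmon's code: the watch list uses documentation prefixes and ASNs, the peer names and updates are constructed, and only the first AS path is taken from the alert on this page.

```python
import ipaddress
from collections import defaultdict

# Constructed watch list: RFC 5737 documentation prefixes mapped to
# RFC 5398 documentation ASNs standing in for the legitimate origins.
MONITORED = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("203.0.113.0/24"): 64497,
}

# Constructed updates: (collector peer, announced prefix, AS path).
UPDATES = [
    ("peer-nl", "192.0.2.0/24", "8331 9002 9002 4134 23724 23724"),
    ("peer-uk", "192.0.2.0/24", "3356 4134 23724 23724"),
    ("peer-nl", "192.0.2.0/24", "8331 64496"),                 # expected origin
    ("peer-jp", "203.0.113.128/25", "2914 4134 23724 23724"),  # more specific
    ("peer-br", "198.51.100.0/24", "7018 4134 23724 23724"),   # not monitored
]

def collapse(as_path):
    """Parse an AS path string and drop consecutive repeats (prepends)."""
    hops = []
    for asn in map(int, as_path.split()):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def detect(updates, monitored=MONITORED):
    """Count peers per (watched prefix, announced prefix, origin, upstream) mismatch."""
    peers_seen = defaultdict(set)
    for peer, prefix, as_path in updates:
        announced = ipaddress.ip_network(prefix)
        hops = collapse(as_path)
        if not hops:
            continue  # empty path: nothing to attribute
        origin = hops[-1]
        upstream = hops[-2] if len(hops) > 1 else None
        for watched, expected in monitored.items():
            same_family = announced.version == watched.version
            # subnet_of() is also true for an exact match, so this catches
            # both same-length and more-specific announcements.
            if same_family and announced.subnet_of(watched) and origin != expected:
                peers_seen[(str(watched), prefix, origin, upstream)].add(peer)
    return {key: len(peers) for key, peers in peers_seen.items()}

if __name__ == "__main__":
    for (watched, announced, origin, upstream), n in detect(UPDATES).items():
        print(f"Possible prefix hijack: {announced} (within {watched}) "
              f"announced by AS{origin}, upstream AS{upstream}, detected by {n} peers")
```

Counting distinct peers per alert is what separates a globally visible event from one seen by only a few collectors, as described in the post.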

