Large prefix hijack from Vodafone AS55410
Earlier today I saw a tweet on the bgpstream Twitter feed about Vodafone AS55410 hijacking a prefix from Brazil.
BGP,HJ,hijacked prefix AS270497 24.152.117.0/24, RUTE MARIA DA CUNHA, BR,-,By AS55410 VIL-AS-AP Vodafone Idea Ltd, IN, https://t.co/WvDvQMMDCf
— Cisco BGPStream (@bgpstream) April 16, 2021
Soon after, my friend Doug Madory tweeted about a large-scale hijack coming from Vodafone AS55410.
Large BGP routing leak out of India this morning.
AS55410 mistakenly announced over 30,000 BGP prefixes causing a 13x spike in inbound traffic to their network according to @kentikinc netflow data.
(cc: @anurag_bhatia, @aftabsiddiqui, @jaredmauch) pic.twitter.com/PQ4iiTKD2Q
— Doug Madory (@DougMadory) April 16, 2021
His tweet gave a clear idea of the timeline: between 13:40 and 14:00 UTC on 16th April 2021. I looked at RIPE RIS RRC01 in London for the actual impacted prefixes.
Data Lookup
Looking at update data from 13:00 UTC to 15:00 UTC gets me this:
This gives a clear idea of when to look for the hijacked prefixes. At 13:45 UTC, 13295 update messages were visible at RRC01 with AS55410 in the AS_PATH. The next batch of updates contained 75987 such messages. Together these two batches cover 7229 + 20890 unique prefixes whose AS_PATH ends with “55410 55410 55410$”. In almost all of these cases Airtel AS9498 was the immediate upstream that carried the leak, and the data shows that even Airtel itself was impacted by the hijack.
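One way to derive counts like these from RIS update dumps, as an added example that is not the author's code: it assumes the updates were converted to one-line text with `bgpdump -m`, and the sample lines, peer ASNs (64500-64502) and prefixes are constructed documentation values. It separates "AS55410 anywhere in the path" from "path ends in the prepended 55410 run" and tallies the immediate upstream.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LEAKER = "55410"
# Tail pattern quoted in the post, anchored so "155410" cannot match.
TAIL = re.compile(r"(?:^| )55410 55410 55410$")

# Constructed sample in `bgpdump -m` layout (not real RRC01 data).
SAMPLE = """\
BGP4MP|1618580700|A|192.0.2.1|64500|198.51.100.0/24|64500 9498 55410 55410 55410|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1618580710|A|192.0.2.1|64500|203.0.113.0/24|64500 9498 55410 55410 55410|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1618580720|A|192.0.2.2|64501|198.51.100.0/24|64501 9498 55410 55410 55410|IGP|192.0.2.2|0|0||NAG||
BGP4MP|1618580730|A|192.0.2.2|64501|192.0.2.0/24|64501 64496|IGP|192.0.2.2|0|0||NAG||
BGP4MP|1618580740|W|192.0.2.1|64500|203.0.113.0/24
BGP4MP|1618581000|A|192.0.2.1|64500|2001:db8::/32|64500 64502 55410 55410 55410|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1618581010|A|192.0.2.1|64500|192.0.2.0/24|64500 55410 64496|IGP|192.0.2.1|0|0||NAG||
"""

def summarize(text):
    """Per 5-minute bucket: updates via AS55410, unique leaked prefixes, upstreams."""
    updates = Counter()
    prefixes = defaultdict(set)
    upstreams = Counter()
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] != "A":  # skip withdrawals and short lines
            continue
        path = f[6].split()
        if LEAKER not in path:
            continue
        ts = int(f[1])
        bucket = datetime.fromtimestamp(ts - ts % 300, tz=timezone.utc).strftime("%H:%M")
        updates[bucket] += 1
        if TAIL.search(f[6]):  # AS55410 is the (prepended) origin
            prefixes[bucket].add(f[5])
            i = path.index(LEAKER)
            if i > 0:
                upstreams[path[i - 1]] += 1  # ASN that accepted the route
    return {
        "updates": dict(updates),
        "unique_prefixes": {b: len(p) for b, p in prefixes.items()},
        "upstreams": dict(upstreams),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
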
List of Indian networks
ASN | AS Name |
---|---|
10199 | TATA-AS Tata Communications Ltd, IN |
131215 | SANCHARONLINE-IN 116 MADHAV DARSHAN, IN |
132116 | ANINETWORK-IN Ani Network Pvt Ltd, IN |
132215 | POWERGRID-IN Power Grid Corporation of India Limited, IN |
132573 | SAINGN-AS-IN SAI NGN Network Services, IN |
133278 | ENETSOLS-AS-IN Dehradun Enet Solutions Private Ltd, IN |
134293 | KUTCHTELELINK-AS-IN Kutch Telelink Private Limited, IN |
134540 | TTML-AS-AP Tata Teleservices (Maharashtra) Ltd, IN |
134913 | JETWAYBROADBANDINDIA-AS JETWAY BROADBAND INDIA PVT LTD, IN |
134927 | VIL-AS-AP Vodafone Idea Ltd, IN |
135133 | PDPL-AS-AP PI DATA CENTERS PRIVATE LIMITED, IN |
135772 | POWERNETCOMM-AS Powernet Communications Pvt.ltd., IN |
136334 | VNPL-AS Vortex Netsol Private Limited, IN |
136946 | WEEBO-AS-AP Weebo networks Pvt Ltd, IN |
137130 | ITDPNB-AS Punjab National Bank, IN |
17488 | HATHWAY-NET-AP Hathway IP Over Cable Internet, IN |
17625 | BLAZENET-IN-AP BlazeNet_s Network, IN |
17762 | HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd, IN |
17903 | COGNIZANT-IN-AP Cognizant Technology Solutions India Pvt Ltd, IN |
17917 | QTLTELECOM-AS-AP Quadrant Televentures Limited, IN |
203020 | HOSTROYALE, IN |
23772 | ORTELNET-AS M/s Ortel Communications Ltd, IN |
24554 | FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet, IN |
38266 | VODAFONE-IN Vodafone India Ltd., IN |
45117 | INPL-IN-AP Ishan_s Network, IN |
45194 | SIPL-AS Syscon Infoway Pvt. Ltd., IN |
45271 | ICLNET-AS-AP Idea Cellular Limited, IN |
45415 | VASAICABLEPVTLTD-AS-IN Vasai Cable Pvt. Ltd., IN |
45528 | TIKONAIN-AS Tikona Infinet Ltd., IN |
45582 | VAINAVIINDUSTRIESLTD-IN VAINAVI INDUSTIES LTD, INTERNET SERVICE PROVIDER, INDIA, IN |
45648 | BELLTELE-AS-IN Bell Teleservices India Pvt Ltd., ISP having own OFC network in Bangalore, India., IN |
45769 | DVOIS-IN D-Vois Broadband Pvt Ltd, IN |
45775 | WISHNET-AS-AP WISH NET PRIVATE LIMITED, IN |
45820 | TTSL-MEISISP Tata Teleservices ISP AS, IN |
45916 | GTPL-AS-AP Gujarat Telelink Pvt Ltd, IN |
45942 | SIKKANET-AS-AP Sikka Broadband Pvt. Ltd., IN |
46071 | PIONEER-CDN-AS-IN Pioneer Elabs Ltd., IN |
4755 | TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN |
55441 | TTSLMEIS-AS-AP TTSL-ISP DIVISION, IN |
55448 | GLOBALLOGIC-IN GlobalLogic India Ltd., IN |
55644 | VIL-AS-AP Vodafone Idea Ltd, IN |
55836 | RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN |
55847 | NKN-EDGE-NW NKN EDGE Network, IN |
59179 | MINS-AS MINS Technologies Private Limited, IN |
9498 | BBIL-AP BHARTI Airtel Ltd., IN |
9583 | SIFY-AS-IN Sify Limited, IN |
An interesting thing here was that Vodafone AS55410 also hijacked the prefixes of its own mobile network, AS38266.
The list of all networks impacted globally by this hijack is published in this Google sheet. Keep in mind that it has 20k+ rows and might be a bit heavy on your browser tab.