Large prefix hijack from Vodafone AS55410

Earlier today I saw twitter feed of bgpstream about Vodafone AS55410 hijacking a prefix from Brazil.

 

Soon my friend Doug Madory tweeted about large scale hijack coming from Vodafone AS55410.

His tweet gave a clear idea of timeline which is between 13:40 to 14:00 UTC on 16th April 2021. Looking at RIPE RIS RRC01 in London for actual impacted prefixes.

 

Data Lookup

Looking at update data from 13:00 UTC to 15:00 UTC gets me this:

This gives a clear idea when to look for the hijacked prefixes. At 1345 UTC, in the updates 13295 updates messages were visible at RRC01 with AS55410 in the AS_PATH. In the next message 75987 messages. Both these updates cover 7229 + 20890 unique prefixes with AS_PATH ending with as path “55410 55410 55410$”. In almost all these cases Airtel AS9498 was the immediate upstream which carried this leak and data shows even Airtel itself was impacted by the hijack.

 

List of Indian networks

[table id=7 /]

Syntax Description
Header Title
Paragraph Text
ASN AS Name
10199 TATA-AS Tata Communications Ltd, IN
131215 SANCHARONLINE-IN 116 MADHAV DARSHAN, IN
132116 ANINETWORK-IN Ani Network Pvt Ltd, IN
132215 POWERGRID-IN Power Grid Corporation of India Limited, IN
132573 SAINGN-AS-IN SAI NGN Network Services, IN
133278 ENETSOLS-AS-IN Dehradun Enet Solutions Private Ltd, IN
134293 KUTCHTELELINK-AS-IN Kutch Telelink Private Limited, IN
134540 TTML-AS-AP Tata Teleservices (Maharashtra) Ltd, IN
134913 JETWAYBROADBANDINDIA-AS JETWAY BROADBAND INDIA PVT LTD, IN
134927 VIL-AS-AP Vodafone Idea Ltd, IN
135133 PDPL-AS-AP PI DATA CENTERS PRIVATE LIMITED, IN
135772 POWERNETCOMM-AS Powernet Communications Pvt.ltd., IN
136334 VNPL-AS Vortex Netsol Private Limited, IN
136946 WEEBO-AS-AP Weebo networks Pvt Ltd, IN
137130 ITDPNB-AS Punjab National Bank, IN
17488 HATHWAY-NET-AP Hathway IP Over Cable Internet, IN
17625 BLAZENET-IN-AP BlazeNet_s Network, IN
17762 HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd, IN
17903 COGNIZANT-IN-AP Cognizant Technology Solutions India Pvt Ltd, IN
17917 QTLTELECOM-AS-AP Quadrant Televentures Limited, IN
203020 HOSTROYALE, IN
23772 ORTELNET-AS M/s Ortel Communications Ltd, IN
24554 FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet, IN
38266 VODAFONE-IN Vodafone India Ltd., IN
45117 INPL-IN-AP Ishan_s Network, IN
45194 SIPL-AS Syscon Infoway Pvt. Ltd., IN
45271 ICLNET-AS-AP Idea Cellular Limited, IN
45415 VASAICABLEPVTLTD-AS-IN Vasai Cable Pvt. Ltd., IN
45528 TIKONAIN-AS Tikona Infinet Ltd., IN
45582 VAINAVIINDUSTRIESLTD-IN VAINAVI INDUSTIES LTD, INTERNET SERVICE PROVIDER, INDIA, IN
45648 BELLTELE-AS-IN Bell Teleservices India Pvt Ltd., ISP having own OFC network in Bangalore, India., IN
45769 DVOIS-IN D-Vois Broadband Pvt Ltd, IN
45775 WISHNET-AS-AP WISH NET PRIVATE LIMITED, IN
45820 TTSL-MEISISP Tata Teleservices ISP AS, IN
45916 GTPL-AS-AP Gujarat Telelink Pvt Ltd, IN
45942 SIKKANET-AS-AP Sikka Broadband Pvt. Ltd., IN
46071 PIONEER-CDN-AS-IN Pioneer Elabs Ltd., IN
4755 TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN
55441 TTSLMEIS-AS-AP TTSL-ISP DIVISION, IN
55448 GLOBALLOGIC-IN GlobalLogic India Ltd., IN
55644 VIL-AS-AP Vodafone Idea Ltd, IN
55836 RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN
55847 NKN-EDGE-NW NKN EDGE Network, IN
59179 MINS-AS MINS Technologies Private Limited, IN
9498 BBIL-AP BHARTI Airtel Ltd., IN
9583 SIFY-AS-IN Sify Limited, IN

An interesting thing here was that Vodafone AS55410 also hijacked it’s own mobile network AS38266 prefixes.

Following prefixes from these Indian networks were hijacked for this duration:

[table id=8 /]

List of all networks impacted globally due to this hijack is published on this Google sheet here. You can check that though keep in mind that it has 20k+ rows and might be bit heavy on your browser tab.