Large prefix hijack from Vodafone AS55410
Earlier today I saw twitter feed of bgpstream about Vodafone AS55410 hijacking a prefix from Brazil.
BGP,HJ,hijacked prefix AS270497 24.152.117.0/24, RUTE MARIA DA CUNHA, BR,-,By AS55410 VIL-AS-AP Vodafone Idea Ltd, IN, https://t.co/WvDvQMMDCf
— Cisco BGPStream (@bgpstream) April 16, 2021
Soon my friend Doug Madory tweeted about large scale hijack coming from Vodafone AS55410.
Large BGP routing leak out of India this morning.
— Doug Madory (@DougMadory) April 16, 2021
AS55410 mistakenly announced over 30,000 BGP prefixes causing a 13x spike in inbound traffic to their network according to @kentikinc netflow data.
(cc: @anurag_bhatia, @aftabsiddiqui, @jaredmauch) pic.twitter.com/PQ4iiTKD2Q
His tweet gave a clear idea of timeline which is between 13:40 to 14:00 UTC on 16th April 2021. Looking at RIPE RIS RRC01 in London for actual impacted prefixes.
Data Lookup
Looking at update data from 13:00 UTC to 15:00 UTC gets me this:
This gives a clear idea when to look for the hijacked prefixes. At 1345 UTC, in the updates 13295 updates messages were visible at RRC01 with AS55410 in the AS_PATH. In the next message 75987 messages. Both these updates cover 7229 + 20890 unique prefixes with AS_PATH ending with as path “55410 55410 55410$”. In almost all these cases Airtel AS9498 was the immediate upstream which carried this leak and data shows even Airtel itself was impacted by the hijack.
List of Indian networks
[table id=7 /]
Syntax | Description |
---|---|
Header | Title |
Paragraph | Text |
ASN | AS Name |
---|---|
10199 | TATA-AS Tata Communications Ltd, IN |
131215 | SANCHARONLINE-IN 116 MADHAV DARSHAN, IN |
132116 | ANINETWORK-IN Ani Network Pvt Ltd, IN |
132215 | POWERGRID-IN Power Grid Corporation of India Limited, IN |
132573 | SAINGN-AS-IN SAI NGN Network Services, IN |
133278 | ENETSOLS-AS-IN Dehradun Enet Solutions Private Ltd, IN |
134293 | KUTCHTELELINK-AS-IN Kutch Telelink Private Limited, IN |
134540 | TTML-AS-AP Tata Teleservices (Maharashtra) Ltd, IN |
134913 | JETWAYBROADBANDINDIA-AS JETWAY BROADBAND INDIA PVT LTD, IN |
134927 | VIL-AS-AP Vodafone Idea Ltd, IN |
135133 | PDPL-AS-AP PI DATA CENTERS PRIVATE LIMITED, IN |
135772 | POWERNETCOMM-AS Powernet Communications Pvt.ltd., IN |
136334 | VNPL-AS Vortex Netsol Private Limited, IN |
136946 | WEEBO-AS-AP Weebo networks Pvt Ltd, IN |
137130 | ITDPNB-AS Punjab National Bank, IN |
17488 | HATHWAY-NET-AP Hathway IP Over Cable Internet, IN |
17625 | BLAZENET-IN-AP BlazeNet_s Network, IN |
17762 | HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd, IN |
17903 | COGNIZANT-IN-AP Cognizant Technology Solutions India Pvt Ltd, IN |
17917 | QTLTELECOM-AS-AP Quadrant Televentures Limited, IN |
203020 | HOSTROYALE, IN |
23772 | ORTELNET-AS M/s Ortel Communications Ltd, IN |
24554 | FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet, IN |
38266 | VODAFONE-IN Vodafone India Ltd., IN |
45117 | INPL-IN-AP Ishan_s Network, IN |
45194 | SIPL-AS Syscon Infoway Pvt. Ltd., IN |
45271 | ICLNET-AS-AP Idea Cellular Limited, IN |
45415 | VASAICABLEPVTLTD-AS-IN Vasai Cable Pvt. Ltd., IN |
45528 | TIKONAIN-AS Tikona Infinet Ltd., IN |
45582 | VAINAVIINDUSTRIESLTD-IN VAINAVI INDUSTIES LTD, INTERNET SERVICE PROVIDER, INDIA, IN |
45648 | BELLTELE-AS-IN Bell Teleservices India Pvt Ltd., ISP having own OFC network in Bangalore, India., IN |
45769 | DVOIS-IN D-Vois Broadband Pvt Ltd, IN |
45775 | WISHNET-AS-AP WISH NET PRIVATE LIMITED, IN |
45820 | TTSL-MEISISP Tata Teleservices ISP AS, IN |
45916 | GTPL-AS-AP Gujarat Telelink Pvt Ltd, IN |
45942 | SIKKANET-AS-AP Sikka Broadband Pvt. Ltd., IN |
46071 | PIONEER-CDN-AS-IN Pioneer Elabs Ltd., IN |
4755 | TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN |
55441 | TTSLMEIS-AS-AP TTSL-ISP DIVISION, IN |
55448 | GLOBALLOGIC-IN GlobalLogic India Ltd., IN |
55644 | VIL-AS-AP Vodafone Idea Ltd, IN |
55836 | RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN |
55847 | NKN-EDGE-NW NKN EDGE Network, IN |
59179 | MINS-AS MINS Technologies Private Limited, IN |
9498 | BBIL-AP BHARTI Airtel Ltd., IN |
9583 | SIFY-AS-IN Sify Limited, IN |
An interesting thing here was that Vodafone AS55410 also hijacked it’s own mobile network AS38266 prefixes.
Following prefixes from these Indian networks were hijacked for this duration:
[table id=8 /]
List of all networks impacted globally due to this hijack is published on this Google sheet here. You can check that though keep in mind that it has 20k+ rows and might be bit heavy on your browser tab.