Telegram prefixes hijack by Rcom AS18101

The last few hours were quite noisy, with a lot of discussion around the Telegram block and Rcom’s hijack of Telegram prefixes. For those who may not know, Telegram has been blocked in India till 22 June 2026 (news here). The justification has been to avoid paper leaks over Telegram. Anyway, I am not going into whether the block is good or bad, as it can be part of an endless discussion depending on how one views it. Maybe some other time, but let’s look at the BGP routing side of things.

ISPs went for blocking it in all possible ways, from the usual DNS-layer blocking of Telegram name resolution to blackholing its prefixes. Telegram is a special case as they have their own ASN, IP prefixes, etc., making it easy to block them at the routing layer directly. I saw this on Airtel, where traffic seems to be dropping at their routers.

mtr -wby0 -4 web.telegram.org
Start: 2026-06-17T01:20:46+0530
HOST: desktop                                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS???    _gateway (172.16.0.1)                                 0.0%    10    0.2   0.2   0.2   0.2   0.0
  2. AS???    10.240.9.204                                          0.0%    10    4.6   7.4   4.2  25.7   6.5
  3. AS???    172.31.0.154                                          0.0%    10    8.1  13.5   6.4  26.4   6.2
  4. AS9498   169.168.18.125.dhcp.anaronline.net (125.18.168.169)   0.0%    10    5.2   6.8   4.9  13.6   2.6
  5. AS???    ???                                                  100.0    10    0.0   0.0   0.0   0.0   0.0

At 11:58 PM, Telegram CEO Pavel Durov tweeted, accusing Reliance (technically Rcom and not Jio) of causing an outage of Telegram outside of India by BGP hijacking.


Technically it’s true that Rcom AS18101 has hijacked Telegram’s prefixes. Take, e.g., 91.105.192.0/23: AS18101 started originating this prefix at 16:14:19 GMT / 21:44:19 IST on 16 June, as visible from many RIPE RIS collectors including RIPE RIS RRC01 in London. It’s bad and they should not have done it. With that being said, I strongly feel it’s a “fat finger mistake”.

https://bgp.he.net/AS18101#_prefixes


It likely was not intentional, and here’s why:

Rcom would have a bunch of their own super-set prefixes in their router with BGP communities acting as the pull-up route. It’s quite common to blackhole one’s own superset prefix and then use slices of it on interfaces, static routes, etc. Likely they would have copy-pasted the existing prefix list and added Telegram prefixes to the list and boom!

The impact here varies, as Telegram itself has multiple ASNs: AS62041, AS62014, AS59930, AS44907 and AS211157. These prefixes have different sets of upstreams. Networks that learn the hijacked prefixes directly from Telegram normally won’t see an impact.

If it was actually intentional, one would have kept the origin ASN the same and faked Telegram AS211157 behind AS18101 or so. That would not trigger RPKI RoV filtering across a larger transit-free tier-1 layer as well as various backbones and IXPs.


Technically what failed?

Well, besides the fat finger mistake by Rcom AS18101 here, what failed was the lack of RPKI RoV by their upstreams, FLAG AS15412 and Tata Comm AS4755. Since these prefixes were signed, an RPKI RoV deployment would have easily filtered these and restricted the routes to within AS18101 and any of its downstreams that were not filtering.
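To make the RoV point concrete, here is an added example (not part of the original post) of RFC 6811 origin validation as an upstream would apply it to these announcements. The ROA contents are assumptions: the post says the prefixes were signed but not which Telegram ASN or maxLength the ROA carries, so AS211157 with maxLength 23 is used for illustration, and the AS paths are constructed.

```python
import ipaddress

# Constructed VRP (validated ROA payload) table: (prefix, maxLength, origin ASN).
# The post says the prefixes were signed but not with which ASN or maxLength,
# so AS211157 and maxLength 23 are assumptions for illustration.
VRPS = [("91.105.192.0/23", 23, 211157)]

def rov_state(prefix, as_path, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # rightmost ASN in the AS_PATH is the origin
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        if route.prefixlen <= max_len and origin == vrp_asn and vrp_asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def upstream_accepts(prefix, as_path):
    """Import policy of an upstream that drops RPKI-invalid routes."""
    return rov_state(prefix, as_path) != "invalid"

# Constructed announcements; AS64500 is a documentation ASN (RFC 5398).
ROUTES = [
    ("91.105.192.0/23", [15412, 18101]),          # the hijack as seen via FLAG
    ("91.105.192.0/23", [4755, 18101]),           # the hijack as seen via Tata
    ("91.105.192.0/23", [64500, 211157]),         # legitimate origin
    ("91.105.192.0/23", [15412, 18101, 211157]),  # origin kept, as the post notes
    ("198.51.100.0/24", [15412, 18101]),          # no covering VRP
]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        verdict = "accept" if upstream_accepts(prefix, path) else "drop"
        print(f"{prefix:18} path={path} -> {rov_state(prefix, path)} ({verdict})")
```

The first two routes come out invalid and would be dropped by a filtering upstream; the fourth comes out valid because RoV checks only the origin ASN, not the rest of the path.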



Update: 17 June 2026 - 01:47 IST

As I am writing this, I see the prefix has gone behind FLAG AS15412. Either they have filtered it or Rcom has stopped announcing it and it’s slowly fading away from the global table. Right now, the prefix is visible only behind AS4755, and that too only in India. That’s for some of the prefixes; some are still visible.



Disclaimer: This is my personal blog, and hence, posts made here are in my personal capacity. These do not represent the views of my employer.