INDOSAT-INP-AP internet hijack (Informational)

« Back

[#153] INDOSAT-INP-AP internet hijack (Informational)

Posted: 2014-04-03 08:48

Start: 2014-04-02 20:00:00
End : 2014-04-02 23:00:00

Affects: World wide, mostly Thailand region

Yesterday evening a provider called INDOSAT had a misconfiguration in their network. This caused many prefixes to be announced from their network. Thus incorrectly make them originate from their network (INDOSAT).

Please be aware that this was a world wide issue caused by INDOSAT and not an NFOrce specific issue. In fact about 400.000 thousand routes were affected. This is nearly the whole internet, as the grand total of available internet routes are ~490.000 at this moment.

We can however conclude this was most likely "just" a misconfiguration, as they announced exactly the same prefixes as originally announced by the legitimate providers. If they wanted to hijack specific networks on purpose they would announce their prefixes as "more specifics" (smaller prefixes that have priority in BGP routing).

We received hijack reports from the follow network monitoring sources:
#1 AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
#2 AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
#3 AS38794 (BB-Broadband Co., Ltd. Transit AS)
#4 AS18356 (AWARE-AS-AP)

#1 = the network that caused all this.
#2 = the network that bluntly accepted their mistake.
#3 & #4 = networks that reported to use the mistaken routes.

Surely there are many more, but the above is what our monitoring reported back to us.

Please see a more detailed report below ( source: ):

What happened?
Indosat, AS4761, one of Indonesia's largest telecommunication networks normally originates about 300 prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new prefixes normally announced by other Autonomous Systems such as yours. The 'mis-origination' event by Indosat lasted for several hours affecting different prefixes at different times until approximately 21:15 UTC.

What caused this?
Given the large scale of this event we presume this is not malicious or intentional but rather the result of an operational issue. Other sources report this was the result of a maintenance window gone bad. Interestingly we documented a similar event involving Indosat in 2011, more details regarding that incident can be found here:

The impact of this event was different per network, many of the hijacked routes were seen by several providers in Thailand. This means that it's likely that communication between these providers in Thailand (as well as Indonesia) and your prefix may have been affected.
One of the heuristics we look at to determine the global impact of an event like this is the number of probes that detected the event. In this case, out of the 400k affected prefixes, 8,182 were detected by more than 10 different probes, which means that the scope and impact of this event was larger for these prefixes.
The screenshot below is an example of a Syrian prefix that was hijacked by Indosat where the "hijacked" route was seen from Australia to the US and Canada.