BHARTI Airtel Ltd. internet hijack (Informational)


[#296] BHARTI Airtel Ltd. internet hijack (Informational)

Posted: 2015-11-07 10:06

Start: 2015-11-06 05:52:00
End: 2015-11-06 14:40:00

Affects: Worldwide, mostly India region

Yesterday morning a provider called BHARTI Airtel Ltd., with AS number 9498, (presumably) had a misconfiguration in their network. This caused at least 16.123 prefixes from the global internet to be announced from their network, incorrectly making them appear to originate from the Airtel Ltd. network.

Please be aware that this was a worldwide issue caused by Airtel Ltd. and not an NFOrce-specific issue. In fact, as we (NFOrce) are directly connected with hundreds of networks, even if they were to leak/announce any of our prefixes, the effect would most likely be limited to BHARTI Airtel Ltd. customers only. However, we are sending this notification because we can imagine that you noticed general issues on the internet yesterday without knowing what was going on.

We can, however, conclude that this was most likely "just" a misconfiguration, as they announced exactly the same prefixes as originally announced by the legitimate providers. If they had wanted to hijack specific networks on purpose, they would have announced those networks' prefixes as "more specifics" (smaller prefixes that have priority in BGP routing). Next to that they would not

Please see a list of the most impacted networks below (source: http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/):

AS20940 & AS16625 & AS35994 – Akamai International
AS7545 – TPG Telecom Limited
AS8402 – OJSC Vimpelcom
AS39891 – Saudi Telecom Company JSC
AS45528 – Tikona Digital Networks Pvt Lt
AS24378 – Total Access Communication PLC
AS4755 – TATA Communications
AS7552 – Viettel Corporation
AS9605 – NTT DOCOMO, INC.
AS2914 – NTT America, INC.
AS3257 – GTT
AS714 – Apple Inc
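
The distinction drawn above between announcing exactly the same prefixes and announcing "more specifics" can be checked mechanically when monitoring your own prefixes. The following is an added example, not part of the original notification or of NFOrce's tooling; the baseline table, the prefixes (documentation ranges) and the AS numbers (reserved ranges) are all constructed for illustration.

```python
import ipaddress

# Constructed baseline: prefix -> legitimate origin AS (not incident data).
EXPECTED = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}

# Constructed observations: (announced prefix, origin AS at the end of the AS path).
OBSERVED = [
    ("192.0.2.0/24", 64500),      # legitimate announcement
    ("198.51.100.0/24", 64666),   # same prefix, unexpected origin
    ("203.0.113.128/25", 64666),  # more specific of a known prefix
    ("10.10.0.0/16", 64666),      # no baseline entry
]


def classify(prefix, origin, expected=EXPECTED):
    """Compare one announcement against the baseline of legitimate origins."""
    net = ipaddress.ip_network(prefix)
    covering = None  # longest baseline prefix that contains `net`
    for known, known_origin in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version:
            continue  # subnet_of() raises TypeError across IPv4/IPv6
        if net == known_net:
            return "ok" if origin == known_origin else "exact-prefix mismatch"
        if net.subnet_of(known_net):
            if covering is None or known_net.prefixlen > covering[0].prefixlen:
                covering = (known_net, known_origin)
    if covering is None:
        return "unknown prefix"
    # A longer prefix wins longest-match routing over the covering route,
    # so a foreign origin here diverts traffic even while the original stands.
    return "ok" if origin == covering[1] else "more-specific mismatch"


def summarize(observed=OBSERVED):
    """Count announcements per classification for one monitoring window."""
    counts = {}
    for prefix, origin in observed:
        label = classify(prefix, origin)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize().items()):
        print(f"{label}: {n}")
```

A monitoring window dominated by exact-prefix mismatches with no more-specific mismatches matches the pattern this notification describes.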