BHARTI Airtel Ltd. internet hijack

Posted: 2015-11-07 10:06

Start: 2015-11-06 05:52:00
End : 2015-11-06 14:40:00

Affects: Worldwide, mostly India region

Yesterday morning a provider called BHARTI Airtel Ltd., with AS number 9498, had (presumably) a misconfiguration in their network. This caused at least 16.123 prefixes from the global internet to be announced from their network, incorrectly making them appear to originate from their network (Airtel Ltd.).

Please be aware that this was a worldwide issue caused by Airtel Ltd. and not an NFOrce-specific issue. In fact, as we (NFOrce) are directly connected with hundreds of networks, even if they were to leak/announce any of our prefixes, the effect would most likely be limited to BHARTI Airtel Ltd. customers only. However, we are sending this notification because we can imagine you noticed general issues on the internet yesterday without knowing what was going on.

We can, however, conclude this was most likely "just" a misconfiguration, as they announced exactly the same prefixes as originally announced by the legitimate providers. If they had wanted to hijack specific networks on purpose, they would have announced those prefixes as "more specifics" (smaller prefixes that have priority in BGP routing). Next to that they would not

Please see a list of most impacted networks below ( source: ):

AS20940 & AS16625 & AS35994 Akamai International
AS7545 TPG Telecom Limited
AS8402 OJSC Vimpelcom
AS39891 Saudi Telecom Company JSC
AS45528 Tikona Digital Networks Pvt Lt
AS24378 Total Access Communication PLC
AS4755 TATA Communications
AS7552 Viettel Corporation
AS2914 NTT America, INC.
AS3257 GTT
AS714 Apple Inc
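
The distinction drawn above, between re-announcing exactly the same prefixes and announcing "more specifics", can be checked mechanically against a table of expected origins. The following is an added example, not NFOrce's tooling or data: the baseline, the observations, the function names and the verdict wording are all constructed, using documentation prefixes and documentation AS numbers.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed baseline of legitimate origins (documentation prefixes and ASNs).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "2001:db8::/32": 64503,
}

# Constructed observations: (announced prefix, origin AS seen in the AS path).
OBSERVED = [
    ("192.0.2.0/24", 64500),      # legitimate announcement
    ("192.0.2.0/24", 64510),      # same prefix, different origin
    ("198.51.100.0/24", 64510),   # same prefix, different origin
    ("2001:db8::/32", 64510),     # same prefix, different origin
    ("203.0.113.128/25", 64511),  # more specific, different origin
]

def classify(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Compare one announcement with the baseline and name the mismatch, if any."""
    net = ipaddress.ip_network(prefix)
    table = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    if net in table:
        return "ok" if table[net] == origin_as else "same-prefix-origin-change"
    # Not an exact match: look for baseline prefixes that cover this one.
    covering = [(p, asn) for p, asn in table.items()
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "not-in-baseline"
    _, asn = max(covering, key=lambda item: item[0].prefixlen)
    return "more-specific" if asn == origin_as else "more-specific-origin-change"

def triage(observed, expected=EXPECTED_ORIGINS):
    """Per origin AS, count mismatch types and apply the rule of thumb from the text."""
    counts = defaultdict(Counter)
    for prefix, origin_as in observed:
        counts[origin_as][classify(prefix, origin_as, expected)] += 1
    verdicts = {}
    for origin_as, c in counts.items():
        if c["more-specific-origin-change"]:
            verdicts[origin_as] = "review: more specifics of foreign prefixes"
        elif c["same-prefix-origin-change"]:
            verdicts[origin_as] = "review: same-prefix origin change (leak pattern)"
        else:
            verdicts[origin_as] = "no mismatch"
    return verdicts
```

The verdicts only sort announcements into the two patterns the text describes; they are a starting point for review, not proof of intent.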