Category: Hijack

Hijack event today by Indosat

Posted by Andree Toonk - April 3, 2014 - Hijack, News and Updates

Today we observed a large-scale ‘hijack’ event that affected many of the prefixes on the Internet. This blog post is to provide you with some additional information. What happened? Indosat, AS4761, one of Indonesia’s largest telecommunication networks, normally originates about 300 prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new [...]

Turkey Hijacking IP addresses for popular Global DNS providers

Posted by Andree Toonk - March 29, 2014 - Hijack, News and Updates

At BGPmon we see numerous BGP hijacks every single day; some are interesting because of the size and scale of the hijack or, as we’ve seen today, because of the targeted hijacked prefixes. It all started last weekend when the Turkish president ordered the censorship of This started with a block of Twitter by [...]

Looking at the spamhaus DDOS from a BGP perspective

Posted by Andree Toonk - March 30, 2013 - BGP instability, Hijack

It’s been a busy week for network engineers worldwide, rerouting around broken optical links and of course the 300Gb/s DDOS attack towards Spamhaus and Cloudflare. This DDOS has been classified as the largest DDOS attack ever recorded and has been written about quite a bit in mainstream media. There’s been a bit of discussion [...]

Accidentally stealing the Internet

Posted by Andree Toonk - January 8, 2013 - Hijack, News and Updates

Just a few days ago we learned about an incident involving a mis-issued SSL certificate that was used in a Man in the Middle attack to intercept Gmail data. In this blog post we’ll talk about how Man in the Middle (MITM) attacks work and we’ll look at a recent BGP MITM event that caused traffic [...]

F-Root DNS server moved to Beijing

Posted by Andree Toonk - October 3, 2011 - Hijack

Systems such as DNS (root) servers often rely on anycast technology to improve availability and response time. The idea behind anycast is that the same prefix is announced from multiple geographically separated systems. As a result the client should always end up at the closest (as seen from a BGP [...]

Facebook’s detour through China and Korea

Posted by Andree Toonk - March 26, 2011 - Hijack

Many of you remember the story from about a year ago, when we reported that a Chinese network was announcing a significant part of the prefixes on the Internet. Networks affected by this incident included big names such as and as well as U.S. government (.gov) and military (.mil) sites, including those for [...]

Securing BGP routing with RPKI and ROA’s

Posted by Andree Toonk - January 19, 2011 - Hijack, IRR, RPKI

Securing BGP has been on the todo list of the IETF and the community at large for many years. Over the years we’ve seen several proposals; the Resource Public Key Infrastructure (RPKI) is the latest and most successful initiative. RPKI solves one of the most fundamental problems. It allows us to verify whether an Autonomous [...]

‘Hijack’ by AS4761 – Indosat, a quick report

Posted by Andree Toonk - January 15, 2011 - Hijack

This is just a quick post to address some of the emails I’ve received today. Quite a few users have received a notification regarding a possible hijack of their address space. On Friday January 14th AS4761, INDOSAT-INP-AP, started to originate a large number of new prefixes. A quick check shows that AS4761 originated [...]

Chinese BGP hijack, putting things into perspective

Posted by Andree Toonk - November 21, 2010 - Hijack

China denies hijacking a huge chunk of US net traffic
Internet Traffic from U.S. Government Websites Was Redirected Via Chinese Networks

Google’s services redirected to Romania and Austria

Posted by Andree Toonk - August 23, 2010 - Hijack

BGP hijacks happen every day; the majority of them don’t affect a large geographic region and are only noticed by a small number of users. Every now and then, however, we see an event that affects many users, either because of the geographic scale or simply because of the specific prefix that is affected. The latter [...]

Chinese ISP hijacks the Internet

Posted by Andree Toonk - April 8, 2010 - Hijack

This morning many users received an alert regarding a possible prefix hijack by a Chinese network. AS23724 is one of the Data Centers operated by China Telecom, China’s largest ISP. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation only originates about 40 prefixes; however, today for about 15 minutes they originated about 37,000 unique prefixes [...]

BGP leak in Italy

Posted by Andree Toonk - October 10, 2009 - Hijack

Friday morning around 07:22:08 UTC AS9035 (Wind Telecomunicazioni) started to announce approximately 85.000 prefixes with an invalid origin AS. The origin AS was set to AS9035 while these prefixes did not belong to AS9035. The impact was local to a number of Italian providers, all Telecom Italia customers. The incident was resolved in about ~2 [...]

Did AS13214 really hijack the Internet?

Posted by Andree Toonk - May 11, 2009 - Hijack

This morning there was a discussion about a possible prefix hijack by AS13214 on the Nanog list. Cyclops users received a notification email notifying them that AS13214 was announcing their prefix. I just went through some of the raw data and this is what I found. It seems it was picked up by the route-views4 [...]

BGPmon now has full IPv6 support!

Posted by Andree Toonk - November 25, 2008 - bogons, Hijack, IPv6

I am happy to announce that BGPmon now has full IPv6 support! This means that you can now monitor your IPv6 prefixes just as you are monitoring your IPv4 prefixes. All the codes, alarm messages etc. are the same as for IPv4. It took a while because I had to write a few new libraries [...]

Prefix hijack by AS16735

Posted by Andree Toonk - November 11, 2008 - Hijack

Many users received a notification email regarding a possible prefix hijack. I just went over the data files manually and verified the leak. For those interested, let me share with you what I saw in the raw data. Between 01:55 UTC and 02:15, 267947 distinct prefixes were originated from AS16735 (Companhia de Telecomunicacoes [...]
