‘Hijack’ by AS4761 – Indosat, a quick report

Posted by Andree Toonk - January 15, 2011 - Hijack - 10 Comments

This is just a quick post to address some of the emails I’ve received today. Quite a bit of BGPmon.net users have received a notification regarding a possible hijack of their address space.

On Friday January 14th AS4761, INDOSAT-INP-AP, started to originate a large number of new prefixes. A quick check show that AS4761 originated approximately 2800 new unique prefixes of 824 unique Autonomous systems. Whereas normally they originate approximately 100 prefixes.
The announcements happened between 12:19 and 12:57 PM UTC. Some prefixes were affected longer than others,

The geographic impact of these announcements varies per prefix. Some were seen by only a few peers, where others were seen by up to 50 peers geographically dispersed all over the world. Some of the networks affected are 8.8.8.0/24 (Google open resolver), a number of AS20940 Akamai prefixes, Amazon prefixes, Cisco, DoD, US Senate, American Express, General Electric and many others.

Wondering if your network was affected by this? Here you’ll find a list of all affected networks.

A number of the transit providers of AS4761 accepted these prefixes. This is the distribution:

Number of unique prefixes transit_AS AS Name
2211 AS9505 TWGATE-AP Taiwan Internet Gateway
1299 AS6762 SEABONE-NET TELECOM ITALIA SPARKLE S.p.A.
1142 AS3491 PCW Global  / BTN-ASN – Beyond The Network America, Inc.
685 AS4657 STARHUBINTERNET-AS StarHub Internet Exchange
584 AS7018 ATT-INTERNET4 – AT&T Services, Inc.
330 AS1273 CW Cable and Wireless Worldwide plc
154 AS6453 GLOBEINTERNET TATA Communications
88 AS9304 HUTCHISON-AS-AP Hutchison Global Communications

10 comments

  • Aftab Siddiqui says:

    For how long it lasted? I was checking few of routes provided in the list via bgplay but didn’t find any thing in that. May be it was for very short time and didn’t reach all the route servers.

  • Andree Toonk says:

    Hi Aftab,

    Good question.
    The announcements happened between 12:19 and 12:57 PM UTC.
    I’ve updated that in the blog post.

  • Greg Mcdonald says:

    Thanks for the writeup. It’s incredible that these things keep happening.
    Good to have this documented, keep up the good work.

  • Mike says:

    Not to revive an old post but as of 19-Sept about 1am (Eastern Time) It looks like they did this again on some kind of scale.

    Several of our IP blocks were hijacked again between about 1am and 3:30am Eastern time 19-Sept

  • Gordon says:

    I realize that this is an old post, but just last night one of our ARIN assigned /24 blocks was hijacked by Indosat for 2.5 hours, this caused global issues for us, with nlayer preferring the indosat announced route over our US route. I was unable to reach Dewi Amalia ( dewi.amalia [at] ndosat.com ) by phone or email, even though she is listed as the APNIC contact. APNIC were unable to assist with providing a 24/7 contact for Indosat also. Fortunately the guys at seabone.net (telecomitaliasparkle) were understanding of my Texan accent and worked quickly to shut off indosat’s announcement to their network (they seemed to be the ?only? carrier that had accepted it in the first place.

    An authentication layer to BGP is really needed badly.

    Is this common behavior for Indosat? Is Indosat being malicious or just careless?

  • AG says:

    They are doing this again with all of our IP blocks starting &pm UTC on 2nd APR 2014

  • Bogdan says:

    This thing happen again, today, two times !
    It is real hijack or just techies mistakes? :

    Your prefix: 77.81.167.0/24:
    Prefix Description: VPS Class
    Update time: 2014-04-02 19:58 (UTC)
    Detected by #peers: 1
    Detected prefix: 77.81.167.0/24
    Announced by: AS4761 (INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
    Upstream AS: AS4651 (THAI-GATEWAY The Communications Authority of Thailand(CAT),TH)
    ASpath: 18356 9931 4651 4761

  • Damian says:

    Seems to be occurring again… any update on this?

  • Andree Toonk says:

    For more information regarding the Indosat event on April 2, 2014 see:
    http://www.bgpmon.net/hijack-event-today-by-indosat/

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>