This morning BGPmon.net users received an alert regarding a possible prefix hijack.
It seems that AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation has originated about 37,000 unique prefixes that are not assigned to them. This is what we typically call a prefix hijack.
This incident follows another concerning incident from China 2 weeks ago.
Although it seems they have leaked a whole table, only about 10% of these prefixes propagated outside of the Chinese network. These include prefixes for popular websites such as dell.com, cnn.com, www.amazon.de, www.rapidshare.com and www.geocities.jp.
A large number of the networks impacted this morning were actually Chinese networks. These include some popular Chinese websites such as www.joy.cn, www.pconline.com.cn, www.huanqiu.com, www.tianya.cn and www.chinaz.com.
A list of all prefixes that were announced/hijacked can be found here
The event was detected globally by peers in the Netherlands, the UK, Russia, Italy, Sweden, the USA, Japan and Brazil. However, not all individual prefix ‘hijacks’ were detected globally; many were seen only by a few peers in one or two countries, but some by more.
All announcements had part of the AS path in common. The common part of the AS path is (note the prepend):
4134 23724 23724
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
ASNs peering with AS4134 seem to have picked this up and propagated it to their customers.
Some of these ASNs include:
AS9002 RETN-AS ReTN.net Autonomous System
AS12956 TELEFONICA Telefonica Backbone Autonomous System
AS209 ASN-QWEST – Qwest Communications Company, LLC
AS3320 DTAG Deutsche Telekom AG
AS3356 LEVEL3 Level 3 Communications
AS7018 ATT-INTERNET4 – AT&T WorldNet Services
All RIS peers that detected this were behind (transit/peer) one of those ASNs.
AS2914 NTT-COMMUNICATIONS-2914 – NTT America, Inc. customers
Looking at more routing information, it seems that AS2914 saw more than just the 10% mentioned above. So the impact for NTT America customers might have been bigger.
28% of the RIS collectors used by BGPmon.net have detected these events. This means that quite a number of networks were impacted by this. The first announcement was detected at 2010-04-08 17:54:31 (UTC), the last hijack announcement was at 2010-04-08 18:10:14.
Most ‘alerts’ have now been cleared; they typically lasted a few minutes.
Probably more than the 51 peers mentioned above would have detected the prefix but not chosen it as the best path, most likely due to the AS path length or other policies.
I have not spoken with engineers from AS23724, so I can only speculate. Given the large number of prefixes and short interval I don’t believe this is an intentional hijack, in fact, these are very rare.
Most likely it’s because of a configuration issue, i.e. fat fingers. But again, this is just speculation.
Most prefixes impacted by this were prefixes from the US and China. Below you’ll find the top countries impacted:
Country => number of prefixes hijacked by AS23724
US => 10547
CN => 10298
KR => 2857
AU => 1650
MX => 885
IN => 719
JP => 604
BR => 592
FR => 508
RU => 471
CA => 425
TH => 372
ID => 369
IT => 338
CO => 328
GB => 322
CL => 302
SE => 281
HK => 276
EC => 272
DE => 227
Example alert message
Possible Prefix Hijack (Code: 10)
Your prefix: 126.96.36.199/21:
Prefix Description: www.infoseek.co.jp
Update time: 2010-04-08 16:09 (UTC)
Detected by #peers: 4
Detected prefix: 188.8.131.52/21
Announced by: AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation)
Upstream AS: AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
ASpath: 8331 9002 9002 4134 23724 23724
Alert details: http://bgpmon.net/alerts.php?details&alert_id=6617721
Mark as false alert: http://bgpmon.net/fp.php?aid=6617721
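The following is an added example, not BGPmon.net's code: it shows how the alert's "Announced by", "Upstream AS" and "Detected by #peers" fields can be derived from AS paths seen by several peers, including collapsing the prepend noted above and catching more-specific announcements. The monitored prefix, the expected origin AS64500, the peer names and the updates are constructed (documentation address and AS ranges); only the AS path tails come from this post.

```python
import ipaddress
from collections import defaultdict

# Constructed monitoring config: prefix -> expected origin AS (documentation ranges).
MONITORED = {ipaddress.ip_network("198.51.100.0/24"): 64500}

# Constructed updates as (peer, announced prefix, AS path). The hijack paths reuse
# the "4134 23724 23724" tail quoted in the post.
UPDATES = [
    ("peer-nl", "198.51.100.0/24", "8331 9002 9002 4134 23724 23724"),
    ("peer-uk", "198.51.100.0/24", "3356 4134 23724 23724"),
    ("peer-us", "198.51.100.128/25", "7018 4134 23724 23724"),  # more-specific
    ("peer-jp", "198.51.100.0/24", "2914 64496 64500"),         # legitimate origin
    ("peer-br", "203.0.113.0/24", "3320 4134 23724 23724"),     # not monitored
]

def origin_and_upstream(as_path):
    """Collapse prepends, then return (origin AS, upstream AS or None)."""
    collapsed = []
    for asn in map(int, as_path.split()):
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    upstream = collapsed[-2] if len(collapsed) > 1 else None
    return collapsed[-1], upstream

def detect_hijacks(monitored, updates):
    """Count peers per (your prefix, detected prefix, origin, upstream) mismatch."""
    alerts = defaultdict(set)
    for peer, prefix, as_path in updates:
        announced = ipaddress.ip_network(prefix)
        origin, upstream = origin_and_upstream(as_path)
        for mine, expected in monitored.items():
            # Match the monitored prefix itself or any more-specific inside it.
            covered = announced.version == mine.version and announced.subnet_of(mine)
            if covered and origin != expected:
                alerts[(str(mine), prefix, origin, upstream)].add(peer)
    return {key: len(peers) for key, peers in alerts.items()}

if __name__ == "__main__":
    for (mine, seen, origin, upstream), n in detect_hijacks(MONITORED, UPDATES).items():
        print(f"Possible Prefix Hijack: your prefix {mine}, detected prefix {seen}, "
              f"announced by AS{origin}, upstream AS{upstream}, detected by {n} peers")
```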