Large prefix hijack by Vodafone Idea (AS55410)


Internet heart attack yesterday
 
Thanks for sharing my post here. Yeah, it was quite unfortunate and the impact was visible across the globe.
Besides Vodafone AS55410 who made the mistake, it was an issue with their upstream Airtel AS9498 which carried those prefixes further. Almost all hijacks were visible behind/routed via Airtel AS9498. This could have been avoided to a great extent by at least having a prefix limit on the BGP session from Airtel's end, and that would have acted as a circuit breaker. Besides many other usual things like prefix filters, RPKI ROA based filters etc.

Lack of all those resulted in the issue.
 
@Nithishsaba Before going to hijack, let's first look at how networks interconnect.

Let's say you go out with your friends to a theatre and decide to find each other in the hall. When you are in the hall, you realise you have no cell phone coverage and it's dark. Imagine another few dozen of friends group with a similar challenge. It would be quite tricky to find who is sitting where. Let's say I give a blank paper to the first person sitting there and ask him to write his name, pass it to his right. He does, the person next to him does that and so on. Within a few mins, you will have a perfect table about who is sitting where and how to reach them. In the same manner, global interconnection works using a protocol called BGP (Border Gateway Protocol).

There are 65000+ autonomous networks in the world. It's not feasible for each of them to connect together. But it's possible to have certain large networks connecting many smaller networks and so on. This all works well and is fine as long as no one "bluffs" who they are. If one does, it becomes a serious issue like yesterday's case where Vodafone originated 20,000+ pools covering many crores of IP addresses that did not belong to them. There are ways to protect somewhat against it but all vary depending on where one is in the chain as well as how much one is willing to invest in terms of time on putting protections.


I hope that explains. Read more about BGP for a deeper understanding.
 
So this will mess up services like VoWifi, right? VI made a way to advertise themselves in the news and the networking community :p
 
Not just VoWifi.. it messed up a whole lot of services.. Look at the list of IP addresses they announced...
They haven't implemented RPKI yet... which could have avoided the issue.. a similar event happened in June 2019 with Cloudflare.. That is an interesting read

 
Thanks for sharing my post here. Yeah, it was quite unfortunate and the impact was visible across the globe.
Besides Vodafone AS55410 who made the mistake, it was an issue with their upstream Airtel AS9498 which carried those prefixes further. Almost all hijacks were visible behind/routed via Airtel AS9498. This could have been avoided to a great extent by at least having a prefix limit on the BGP session from Airtel's end, and that would have acted as a circuit breaker. Besides many other usual things like prefix filters, RPKI ROA based filters etc.

Lack of all those resulted in the issue.
I agree.. Airtel (AS9498) could have controlled it.. even MANRS suggested that
But I guess they could have potential contractual obligations to accept everything from VIL, as both are large mobile operators; otherwise it is normally a best practice to limit the number of prefixes from the customer

 
No one would have contractual obligation to accept anything.
It was just missing protection rules at various steps (Vodafone end, Airtel end and even Zayo end which ultimately carried it to the default free zone).
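As an added illustration (not code from this thread or from any of the operators named in it), here is a small Python model of the two protections the posters keep coming back to: a per-session maximum-prefix limit acting as a circuit breaker, and RFC 6811 route origin validation against RPKI ROAs. The ROAs, ASNs and prefixes are constructed documentation values, not real routing data.

```python
import ipaddress

# Constructed sample ROAs: (prefix, max length, authorised origin AS).
# These are documentation ranges and private ASNs, not real RPKI objects.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.

    A route is valid if some ROA covers the prefix, names the origin AS and
    allows the announced prefix length. If ROAs cover the prefix but none
    match, the route is invalid (wrong origin or too specific). If nothing
    covers it, the state is not-found, which most operators still accept.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_session(announcements, max_prefix, roas=ROAS):
    """Apply a prefix-limit circuit breaker and ROA filtering to one
    customer BGP session. Returns (accepted, rejected, tripped).

    The limit counts every prefix received on the session, as a router's
    maximum-prefix setting does; once exceeded the session would be torn
    down, so nothing after that point is processed.
    """
    accepted, rejected = [], []
    for received, (prefix, origin_as) in enumerate(announcements, start=1):
        if received > max_prefix:
            return accepted, rejected, True
        state = rov_state(prefix, origin_as, roas)
        if state == "invalid":
            rejected.append((prefix, origin_as, state))
        else:
            accepted.append((prefix, origin_as, state))
    return accepted, rejected, False
```

A session that normally carries a handful of prefixes and suddenly presents thousands trips the limit long before every individual route has to be judged; the ROA check then catches the mis-originated ones that do arrive within the limit.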
 