China prefix hijack

Andree Toonk andree+nanog at toonk.nl
Thu Apr 8 17:15:19 UTC 2010


Hi Grzegorz,

.-- My secret spy satellite informs me that at 08/04/10 9:33 AM 
Grzegorz Janoszka wrote:
>
> Just half an hour ago China Telecom hijacked one of our prefixes:
>
> Your prefix: X.Y.Z.0/19:
> Prefix Description: NETNAME
> Update time: 2010-04-08 15:58 (UTC)
> Detected by #peers: 1
> Detected prefix: X.Y.Z.0/19
> Announced by: AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications
> Corporation)
> Upstream AS: AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
> ASpath: 39792 4134 23724 23724
>
> Luckily it had to be limited as only one BGPmon peer saw it. Anyone else
> noticed it?
>


Yes many prefixes have been 'impacted' by this. These include prefixes 
for websites such as dell.com and cnn.com.

The event has been detected globally by peers in Russia, USA, Japan and 
Brazil.
However not all individual prefix 'hijacks' were detected globally, many 
only by one or 2 peers, in one or 2 countries, but some by more.

The common part in the ASpath is
4134 23724

Which are:
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation

ASNs peering with AS4134 seem to have picked this up and propagated that 
to their customers.
Some of these ASNs include:
AS9002 RETN-AS ReTN.net Autonomous System
AS12956 TELEFONICA Telefonica Backbone Autonomous System
AS209 ASN-QWEST - Qwest Communications Company, LLC
AS3320 DTAG Deutsche Telekom AG
AS3356 LEVEL3 Level 3 Communications
AS7018 ATT-INTERNET4 - AT&T WorldNet Services

All RIS peers that detected this were behind (transit/peer) one of 
those ASNs.

Most 'alerts' have now been cleared, they typically lasted a few minutes.

Cheers,
  Andree
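
The origin-change check and the "common part in the ASpath" observation from the message above, as an added example that is not part of the original post or of BGPmon's code. The monitored prefixes, their expected origin ASNs, the peer names and all but the first AS path are constructed; the check is also generalized to flag more-specific announcements inside a monitored prefix.

```python
import ipaddress
from collections import Counter

# Constructed data: monitored prefixes (documentation ranges) and their
# legitimate origin ASNs (private-use numbers), both assumptions.
EXPECTED = {"198.51.100.0/24": 64500, "203.0.113.0/24": 64501}

# Constructed updates as (observing peer, prefix, AS path). Only the first
# path is taken from the alert quoted in the thread.
UPDATES = [
    ("peer-1", "198.51.100.0/24", "39792 4134 23724 23724"),
    ("peer-2", "203.0.113.0/24", "3356 4134 23724"),
    ("peer-3", "203.0.113.128/25", "7018 4134 23724 23724"),
    ("peer-3", "198.51.100.0/24", "3356 64500"),
]

def collapse(path):
    """Parse an AS path string and drop prepending (repeated adjacent ASNs)."""
    out = []
    for asn in map(int, path.split()):
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def origin_changes(updates, expected):
    """Return updates whose origin AS differs from the expected origin of the
    monitored prefix that equals or covers the announced prefix."""
    nets = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    alerts = []
    for peer, prefix, path in updates:
        announced, hops = ipaddress.ip_network(prefix), collapse(path)
        for net, asn in nets.items():
            same_family = announced.version == net.version
            if same_family and announced.subnet_of(net) and hops[-1] != asn:
                alerts.append((peer, prefix, hops))
    return alerts

def common_tail(alerts):
    """Longest AS-path suffix (origin side) shared by every alert."""
    tail = []
    for column in zip(*(hops[::-1] for _, _, hops in alerts)):
        if len(set(column)) != 1:
            break
        tail.append(column[0])
    return tail[::-1]

def propagators(alerts, tail):
    """Count the ASNs seen immediately upstream of the shared tail."""
    return Counter(h[-len(tail) - 1] for _, _, h in alerts if len(h) > len(tail))
```
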



