Hijack Incident by Indosat's “AS4761”

Related to the news of the hijack incident by Indosat's “AS4761”, as quoted from April 3, 2014.


Hijack event today by Indosat

Posted by Andree Toonk – April 3, 2014

Today we observed a large-scale ‘hijack’ event that affected many of the prefixes on the Internet. This blog post is to provide you with some additional information.

What happened?
Indosat, AS4761, one of Indonesia’s largest telecommunication networks, normally originates about 300 prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new prefixes normally announced by other Autonomous Systems such as yours. The ‘mis-origination’ event by Indosat lasted for several hours, affecting different prefixes at different times until approximately 21:15 UTC.

What caused this?
Given the large scale of this event we presume this is not malicious or intentional but rather the result of an operational issue. Other sources report this was the result of a maintenance window gone bad. Interestingly, we documented a similar event involving Indosat in 2011; more details regarding that incident can be found here:

The impact of this event was different per network; many of the hijacked routes were seen by several providers in Thailand. This means that it’s likely that communication between these providers in Thailand (as well as Indonesia) and your prefix may have been affected.
One of the heuristics we look at to determine the global impact of an event like this is the number of probes that detected the event. In this case, out of the 400k affected prefixes, 8,182 were detected by more than 10 different probes, which means that the scope and impact of this event were larger for these prefixes.
The screenshot below is an example of a Syrian prefix that was hijacked by Indosat where the ‘hijacked’ route was seen from Australia to the US and Canada.


Full alert detail

What was the impact for my network?
By clicking on the alert details link in the alert email or portal you will see the number of probes that detected the hijacked route update. It also shows you where in the world these updates were seen so you’ll have an idea of the geographical scope of the event.
Users with a premium account also have access to all the individual BGP updates as well as the full AS path. This will tell you in detail what networks selected this bad route and the exact timestamps. Some of you also received a phone call to inform you of the events immediately after detection.

BGP probe and peering
A BGP probe in this case means one of our peering partners. You too can become a peering partner and get access to our PeerMon service; for more details see:

Questions and more information
I hope this provides you with some useful additional information regarding this event. Feel free to contact us should you have any follow up questions or would like to have more information for the purpose of further forensics.




‘Hijack’ by AS4761 – Indosat, a quick report

Posted by Andree Toonk – January 15, 2011

This is just a quick post to address some of the emails I’ve received today. Quite a few users have received a notification regarding a possible hijack of their address space.

On Friday January 14th AS4761, INDOSAT-INP-AP, started to originate a large number of new prefixes. A quick check shows that AS4761 originated approximately 2800 new unique prefixes of 824 unique Autonomous Systems, whereas normally they originate approximately 100 prefixes.
The announcements happened between 12:19 and 12:57 PM UTC. Some prefixes were affected longer than others,

The geographic impact of these announcements varies per prefix. Some were seen by only a few peers, where others were seen by up to 50 peers geographically dispersed all over the world. Some of the networks affected are (Google open resolver), a number of AS20940 Akamai prefixes, Amazon prefixes, Cisco, DoD, US Senate, American Express, General Electric and many others.

Wondering if your network was affected by this? Here you’ll find a list of all affected networks.

A number of the transit providers of AS4761 accepted these prefixes. This is the distribution:


Number of unique prefixes   transit_AS   AS Name
2211                        AS9505       TWGATE-AP Taiwan Internet Gateway
1142                        AS3491       PCW Global / BTN-ASN – Beyond The Network America, Inc.
685                         AS4657       STARHUBINTERNET-AS StarHub Internet Exchange
584                         AS7018       ATT-INTERNET4 – AT&T Services, Inc.
330                         AS1273       CW Cable and Wireless Worldwide plc
154                         AS6453       GLOBEINTERNET TATA Communications
88                          AS9304       HUTCHISON-AS-AP Hutchison Global Communications
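
Added example (not code from the original BGPmon posts): a minimal origin-change check that combines the probe-count heuristic from the 2014 post with the per-transit distribution shown in the 2011 table. The baseline, probe names, documentation prefixes and reserved ASNs (64500-64511) are constructed sample data; matching a more-specific announcement against its covering baseline prefix is an assumption that goes beyond what the posts describe.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed baseline (documentation prefixes, reserved ASNs): prefix -> expected origin AS.
EXPECTED = {ip_network("192.0.2.0/24"): 64500,
            ip_network("198.51.100.0/24"): 64501,
            ip_network("203.0.113.0/24"): 4761}

# Constructed updates: (probe, announced prefix, AS path with the origin AS last).
UPDATES = (
    [(f"probe{i}", "192.0.2.0/24", [64510 + i % 2, 9505, 4761]) for i in range(12)]
    + [("probe1", "198.51.100.0/25", [64510, 3491, 4761]),  # more-specific of a baseline prefix
       ("probe2", "198.51.100.0/25", [64511, 9505, 4761]),
       ("probe3", "203.0.113.0/24", [64510, 7018, 4761]),   # AS4761's own prefix: legitimate
       ("probe4", "192.0.2.0/24", [64511, 64500])]          # expected origin: legitimate
)

def expected_origin(prefix, baseline=EXPECTED):
    """Origin of the longest baseline prefix covering `prefix`, or None if unknown."""
    covering = [p for p in baseline if p.version == prefix.version and prefix.subnet_of(p)]
    return baseline[max(covering, key=lambda p: p.prefixlen)] if covering else None

def misoriginations(updates, baseline=EXPECTED):
    """Group updates whose origin differs from the baseline, keyed by (prefix, origin)."""
    events = defaultdict(lambda: {"probes": set(), "transits": set()})
    for probe, prefix, path in updates:
        net, origin = ip_network(prefix), path[-1]
        want = expected_origin(net, baseline)
        if want is None or want == origin:
            continue
        ev = events[(net, origin)]
        ev["probes"].add(probe)
        # Transit = nearest AS before the origin in the path (skips origin prepending).
        transit = next((asn for asn in reversed(path) if asn != origin), None)
        if transit is not None:
            ev["transits"].add(transit)
    return dict(events)

def high_impact(events, min_probes=10):
    """Events detected by more than `min_probes` distinct probes."""
    return sorted(key for key, ev in events.items() if len(ev["probes"]) > min_probes)

def transit_distribution(events, origin):
    """Number of unique mis-originated prefixes accepted by each transit of `origin`."""
    return dict(Counter(t for (_, org), ev in events.items()
                        if org == origin for t in ev["transits"]))
```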




Indosat fat-thumbs route announcements (again)

Networks go dark on AS4761 ‘hijack’

