
Hello,
Anyone here from Vodafone India (and/or their upstream Airtel AS9498)? Seems like Vodafone AS55410 (likely accidentally) hijacked a Brazilian pool 24.152.117.0/24.
https://twitter.com/bgpstream/status/1383115813004181504?s=20
It was visible on RIPE RIS rrc05.ripe.net at VIX, Vienna.
Raw MRT dump shows this:
    anurag@devops01:~/tmp$ bgpscanner -e '24.152.117.0/24' latest-bview.gz | awk -F '|' '{OFS="|"; print $2,$3}'
    24.152.117.0/24|35369 2914 3356 28598 263362 263362 263362 263362 270497
    24.152.117.0/24|48362 3356 28598 263362 263362 263362 263362 270497
    24.152.117.0/24|47147 2914 3356 28598 263362 263362 263362 263362 270497
    24.152.117.0/24|47692 33891 6461 9498 55410 55410 55410
    24.152.117.0/24|51184 47692 33891 6461 9498 55410 55410 55410
    24.152.117.0/24|59890 3356 28598 263362 263362 263362 263362 270497
    24.152.117.0/24|8218 6461 3356 28598 263362 263362 263362 263362 270497
    24.152.117.0/24|6720 1853 6939 28598 263362 263362 263362 263362 270497
    24.152.117.0/24|13237 2914 174 28598 263362 263362 263362 263362 270497
    anurag@devops01:~/tmp$
So besides Vodafone AS55410 hijacking it, seems like Airtel AS9498 carried it to AS6461, i.e. up to the default-free zone. If not a hijack, then they should get the IRR route object updated (which right now shows AS270497 in origin).
*Details about the pool:*

    inetnum: 24.152.116.0/22
    aut-num: AS270497
    abuse-c: RUMCU12
    owner: RUTE MARIA DA CUNHA
    ownerid: 13.974.251/0001-19
    responsible: RUTE MARIA DA CUNHA
    country: BR
    owner-c: RUMCU12
    tech-c: RUMCU12
    created: 20200312
    changed: 20200312

    nic-hdl-br: RUMCU12
    person: RUTE MARIA DA CUNHA
    e-mail: rute@hrnet.slz.br
    country: BR
    created: 20200307
    changed: 20210220
*IRR Check:*

    anurag@devops01:~$ whois -h whois.radb.net 24.152.117.0/24
    route: 24.152.117.0/24
    descr: CLARO S.A. Customer
    origin: AS270497
    remarks: Proxy Object
    notify: irradmin@embratel.net.br
    mnt-by: MAINT-AS4230
    changed: irradmin@embratel.net.br 20201204
    source: RADB
    anurag@devops01:~$
Thanks.
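
The check done by hand in the message above (origin AS seen in the RIS dump versus the origin in the IRR route object), as an added example that is not part of the original post. The function names and the `IRR_ORIGINS` table are hypothetical; the input rows and the registered origin are copied from the output quoted in the post.

```python
from collections import Counter

# Constructed input: the "prefix|AS path" rows quoted in the post above.
DUMP = """\
24.152.117.0/24|35369 2914 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|48362 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|47147 2914 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|47692 33891 6461 9498 55410 55410 55410
24.152.117.0/24|51184 47692 33891 6461 9498 55410 55410 55410
24.152.117.0/24|59890 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|8218 6461 3356 28598 263362 263362 263362 263362 270497
24.152.117.0/24|6720 1853 6939 28598 263362 263362 263362 263362 270497
24.152.117.0/24|13237 2914 174 28598 263362 263362 263362 263362 270497
"""
# Registered origin, from the RADB route object quoted in the post.
IRR_ORIGINS = {"24.152.117.0/24": {270497}}

def collapse(path):
    """Drop consecutive repeats so AS-path prepending does not hide hops."""
    return [a for i, a in enumerate(path) if i == 0 or path[i - 1] != a]

def find_origin_mismatches(dump, irr_origins):
    """Return one finding per route whose origin AS has no route object.

    peer = collector peer (first AS), upstream = AS next to the origin.
    """
    findings = []
    for line in dump.splitlines():
        prefix, sep, raw_path = line.strip().partition("|")
        hops = raw_path.split()
        # Skip malformed rows, prefixes without a route object, and AS_SET
        # origins such as "{64500,64501}", where the origin is ambiguous.
        if not sep or prefix not in irr_origins or not hops or not hops[-1].isdigit():
            continue
        path = collapse([int(h) for h in hops if h.isdigit()])
        if path[-1] not in irr_origins[prefix]:
            findings.append({"prefix": prefix, "peer": path[0], "origin": path[-1],
                             "upstream": path[-2] if len(path) > 1 else None,
                             "path": path})
    return findings

def summarize(findings):
    """Count bad routes per (origin AS, first upstream) pair."""
    return Counter((f["origin"], f["upstream"]) for f in findings)

if __name__ == "__main__":
    bad = find_origin_mismatches(DUMP, IRR_ORIGINS)
    for f in bad:
        print(f["prefix"], "origin AS%d via AS%s:" % (f["origin"], f["upstream"]), f["path"])
    print(dict(summarize(bad)))
```

An IRR mismatch only says the announcement disagrees with the registry; stale or proxy route objects produce the same result, so a finding is a lead to confirm with the prefix holder rather than proof of a hijack.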

Turns out they did not leak just this one. It was a hijack impacting over 30,000 prefixes.
https://twitter.com/DougMadory/status/1383138595112955909?s=20
On Fri, Apr 16, 2021 at 11:40 PM Anurag Bhatia me@anuragbhatia.com wrote:
> Hello,
> Anyone here from Vodafone India (and/or their upstream Airtel AS9498)? Seems like Vodafone AS55410 (likely accidentally) hijacked a Brazilian pool 24.152.117.0/24.
> https://twitter.com/bgpstream/status/1383115813004181504?s=20
> It was visible on RIPE RIS rrc05.ripe.net at VIX, Vienna.
> Raw MRT dump shows this:
>     anurag@devops01:~/tmp$ bgpscanner -e '24.152.117.0/24' latest-bview.gz | awk -F '|' '{OFS="|"; print $2,$3}'
>     24.152.117.0/24|35369 2914 3356 28598 263362 263362 263362 263362 270497
>     24.152.117.0/24|48362 3356 28598 263362 263362 263362 263362 270497
>     24.152.117.0/24|47147 2914 3356 28598 263362 263362 263362 263362 270497
>     24.152.117.0/24|47692 33891 6461 9498 55410 55410 55410
>     24.152.117.0/24|51184 47692 33891 6461 9498 55410 55410 55410
>     24.152.117.0/24|59890 3356 28598 263362 263362 263362 263362 270497
>     24.152.117.0/24|8218 6461 3356 28598 263362 263362 263362 263362 270497
>     24.152.117.0/24|6720 1853 6939 28598 263362 263362 263362 263362 270497
>     24.152.117.0/24|13237 2914 174 28598 263362 263362 263362 263362 270497
>     anurag@devops01:~/tmp$
> So besides Vodafone AS55410 hijacking it, seems like Airtel AS9498 carried it to AS6461, i.e. up to the default-free zone. If not a hijack, then they should get the IRR route object updated (which right now shows AS270497 in origin).
> *Details about the pool:*
>
>     inetnum: 24.152.116.0/22
>     aut-num: AS270497
>     abuse-c: RUMCU12
>     owner: RUTE MARIA DA CUNHA
>     ownerid: 13.974.251/0001-19
>     responsible: RUTE MARIA DA CUNHA
>     country: BR
>     owner-c: RUMCU12
>     tech-c: RUMCU12
>     created: 20200312
>     changed: 20200312
>
>     nic-hdl-br: RUMCU12
>     person: RUTE MARIA DA CUNHA
>     e-mail: rute@hrnet.slz.br
>     country: BR
>     created: 20200307
>     changed: 20210220
>
> *IRR Check:*
>
>     anurag@devops01:~$ whois -h whois.radb.net 24.152.117.0/24
>     route: 24.152.117.0/24
>     descr: CLARO S.A. Customer
>     origin: AS270497
>     remarks: Proxy Object
>     notify: irradmin@embratel.net.br
>     mnt-by: MAINT-AS4230
>     changed: irradmin@embratel.net.br 20201204
>     source: RADB
>     anurag@devops01:~$
>
> Thanks.
-- Anurag Bhatia anuragbhatia.com

So that was a wild leak. Looking at the raw dump shows a massive number of impacted ASNs and prefixes. I have put all prefixes/ASNs impacted globally here https://docs.google.com/spreadsheets/d/e/2PACX-1vTcz0bVJa_SGI1jLZHKCQd10LYQRtyeEH1Z9F9UOvD0jc8riW7ExWV3TP19cZ5azREUR1eFxyuodkjt/pubhtml?gid=708309862&single=true (warning: heavy page with 20,000+ rows).
1600+ Indian prefixes were impacted from 46 Indian ASNs which are:
    10199 | TATA-AS Tata Communications Ltd, IN
    131215 | SANCHARONLINE-IN 116 MADHAV DARSHAN, IN
    132116 | ANINETWORK-IN Ani Network Pvt Ltd, IN
    132215 | POWERGRID-IN Power Grid Corporation of India Limited, IN
    132573 | SAINGN-AS-IN SAI NGN Network Services, IN
    133278 | ENETSOLS-AS-IN Dehradun Enet Solutions Private Ltd, IN
    134293 | KUTCHTELELINK-AS-IN Kutch Telelink Private Limited, IN
    134540 | TTML-AS-AP Tata Teleservices (Maharashtra) Ltd, IN
    134913 | JETWAYBROADBANDINDIA-AS JETWAY BROADBAND INDIA PVT LTD, IN
    134927 | VIL-AS-AP Vodafone Idea Ltd, IN
    135133 | PDPL-AS-AP PI DATA CENTERS PRIVATE LIMITED, IN
    135772 | POWERNETCOMM-AS Powernet Communications Pvt.ltd., IN
    136334 | VNPL-AS Vortex Netsol Private Limited, IN
    136946 | WEEBO-AS-AP Weebo networks Pvt Ltd, IN
    137130 | ITDPNB-AS Punjab National Bank, IN
    17488 | HATHWAY-NET-AP Hathway IP Over Cable Internet, IN
    17625 | BLAZENET-IN-AP BlazeNet_s Network, IN
    17762 | HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd, IN
    17903 | COGNIZANT-IN-AP Cognizant Technology Solutions India Pvt Ltd, IN
    17917 | QTLTELECOM-AS-AP Quadrant Televentures Limited, IN
    203020 | HOSTROYALE, IN
    23772 | ORTELNET-AS M/s Ortel Communications Ltd, IN
    24554 | FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet, IN
    38266 | VODAFONE-IN Vodafone India Ltd., IN
    45117 | INPL-IN-AP Ishan_s Network, IN
    45194 | SIPL-AS Syscon Infoway Pvt. Ltd., IN
    45271 | ICLNET-AS-AP Idea Cellular Limited, IN
    45415 | VASAICABLEPVTLTD-AS-IN Vasai Cable Pvt. Ltd., IN
    45528 | TIKONAIN-AS Tikona Infinet Ltd., IN
    45582 | VAINAVIINDUSTRIESLTD-IN VAINAVI INDUSTIES LTD, INTERNET SERVICE PROVIDER, INDIA, IN
    45648 | BELLTELE-AS-IN Bell Teleservices India Pvt Ltd., ISP having own OFC network in Bangalore, India., IN
    45769 | DVOIS-IN D-Vois Broadband Pvt Ltd, IN
    45775 | WISHNET-AS-AP WISH NET PRIVATE LIMITED, IN
    45820 | TTSL-MEISISP Tata Teleservices ISP AS, IN
    45916 | GTPL-AS-AP Gujarat Telelink Pvt Ltd, IN
    45942 | SIKKANET-AS-AP Sikka Broadband Pvt. Ltd., IN
    46071 | PIONEER-CDN-AS-IN Pioneer Elabs Ltd., IN
    4755 | TATACOMM-AS TATA Communications formerly VSNL is Leading ISP, IN
    55441 | TTSLMEIS-AS-AP TTSL-ISP DIVISION, IN
    55448 | GLOBALLOGIC-IN GlobalLogic India Ltd., IN
    55644 | VIL-AS-AP Vodafone Idea Ltd, IN
    55836 | RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN
    55847 | NKN-EDGE-NW NKN EDGE Network, IN
    59179 | MINS-AS MINS Technologies Private Limited, IN
    9498 | BBIL-AP BHARTI Airtel Ltd., IN
    9583 | SIFY-AS-IN Sify Limited, IN
Quite a bad day on routing security for India. :(
On Sat, Apr 17, 2021 at 12:54 AM Anurag Bhatia me@anuragbhatia.com wrote:
> Turns out they did not leak just this one. It was a hijack impacting over 30,000 prefixes.
> https://twitter.com/DougMadory/status/1383138595112955909?s=20
-- Anurag Bhatia anuragbhatia.com