Incorrect Border Gateway Protocol (BGP) announcements by Vodafone India’s network had ripple effects on the global internet over the weekend, with many networks facing downtime as their internet traffic suddenly started getting routed through Vodafone’s network, according to reports over the weekend by the Internet Society, Bleeping Computer, and network researcher Anurag Bhatia. The incident, first spotted by Doug Madory, lasted for a few minutes starting from 7:15pm IST on April 17; Vodafone itself fixed the routes within minutes, but “some announcements were still making the rounds globally,” per a post on ISOC’s MANRS website.
“We have done complete analysis of the reported matter and have not observed any issue in routing security at our end. A wrong advertising of the routing table publishing made by one of our Enterprise customers had led to this incident. This was responded to immediately and rectified,” a Vodafone Idea Ltd spokesperson told MediaNama.
BGP hijacks are incidents where internet networks, such as those belonging to ISPs, incorrectly announce that they can route requests to another network, such as a content provider. In this particular instance, Vodafone briefly made such announcements for networks such as those belonging to Google, Microsoft, Fastly and several more. One such BGP hijack, in 2008, caused a ban on YouTube in Pakistan to leak over to other parts of the world: a Pakistani telecom operator incorrectly announced the route to the website through its own network, which could not route requests to a blocked website, so access was disrupted well beyond Pakistan.
Network researcher Aftab Siddiqui pointed out on the ISOC report that Vodafone, which originated only 824 routes before, had suddenly started originating over 31,000 such routes. These routes exited through Bharti Airtel. The impact was on networks around the world:
We know the number of affected prefixes (30,000+) but here is the map to show you from where they belong. EVERYWHERE
(This is based on route object/originating AS registration.) https://t.co/HdUp2pGFam https://t.co/S1jQMp226m
— Aftab Siddiqui (@aftabsiddiqui) April 19, 2021
“Clearly, AS9498 [Airtel] should have blocked these announcements easily through AS [Autonomous System] filtering, knowing AS55410 [Vodafone India] should not in any way originate these prefixes,” Siddiqui wrote. “It is extremely important that network operators implement effective route filtering based on verifiable information about which networks are legitimately authorized to originate which number resources (AS numbers and IP prefixes).”
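Origin validation of the kind Siddiqui describes, as an added example that is not from the article or from any operator’s configuration: a small Python check that compares each announced (prefix, origin AS) pair against a table of registered authorizations, in the shape of RPKI ROAs or IRR route objects, and rejects mismatches before a transit provider accepts them from a customer session. The authorization table and the announcements are constructed; AS64500 and AS64501 are placeholder ASNs, while AS55410 is the Vodafone India ASN named in the article.

```python
from ipaddress import ip_network

# Constructed authorizations: (prefix, max prefix length, authorized origin AS).
# AS55410 is Vodafone India (from the article); AS64500/AS64501 are placeholders.
AUTHORIZATIONS = [
    ("203.0.113.0/24", 24, 55410),   # legitimately originated by AS55410
    ("198.51.100.0/22", 22, 64500),  # placeholder owner, no more-specifics allowed
    ("192.0.2.0/24", 24, 64501),     # placeholder owner
]

# Constructed announcements as a customer session might present them.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 55410),   # valid: AS55410 is the registered origin
    ("198.51.100.0/24", 55410),  # invalid: covered by AS64500's registration
    ("192.0.2.0/24", 55410),     # invalid: covered by AS64501's registration
    ("198.51.100.0/22", 64500),  # valid: exact match by the registered owner
    ("198.51.100.0/25", 64500),  # invalid: owner, but more specific than allowed
    ("100.64.0.0/10", 55410),    # unknown: no registration covers this prefix
]


def validate_origin(prefix, origin_as, auths=AUTHORIZATIONS):
    """Classify one announcement as 'valid', 'invalid' or 'unknown', following
    the RPKI route origin validation states of RFC 6811."""
    net = ip_network(prefix)
    covered = False
    for auth_prefix, max_len, auth_as in auths:
        auth_net = ip_network(auth_prefix)
        # subnet_of raises on mixed IPv4/IPv6, so compare versions first.
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue
        covered = True  # some registration covers this prefix
        if auth_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    # Covered but no matching (AS, length): invalid. Not covered at all: unknown.
    return "invalid" if covered else "unknown"


def filter_customer_session(announcements, auths=AUTHORIZATIONS,
                            reject_unknown=False):
    """Split announcements into those a transit provider should accept and
    those it should drop. 'invalid' is always dropped; 'unknown' is kept
    unless the operator chooses a strict policy."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, auths)
        if state == "invalid" or (state == "unknown" and reject_unknown):
            rejected.append((prefix, origin_as, state))
        else:
            accepted.append((prefix, origin_as, state))
    return accepted, rejected
```

Run against the sample session, the filter drops the two prefixes AS55410 is not registered to originate and the over-specific announcement from the placeholder owner, which is the check the quote says the upstream should have applied.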
Such incidents happen on the global internet quite often because it is not designed with security from the ground up — efforts like the Mutually Agreed Norms for Routing Security have stepped in to fill the gap, to convince networks to voluntarily adhere to some norms to prevent incidents such as BGP hijacking.
Update (3:45pm): Added details on who initially spotted the breach and when it started.
Update (4:28pm): Added statement from Vodafone Idea Ltd.