In the News: A BGP Hijacking Technical Post-Mortem

This blog post was authored by Senior Security Analyst Zach Julian; you can connect with him on Twitter here.

In the first week of 2017, Iranian ISP Telecommunication Infrastructure Company (TIC) performed a BGP hijack affecting Their goal was to censor select websites residing on the /24 block from Iranian internet users. However, the BGP hijack leaked onto the greater internet, resulting in the IP range becoming inaccessible to users outside of Iran, including users in India, Russia, Indonesia, and Hong Kong [1].

In this blog post, I’ll show how the attack began, propagated, and was finally countered. Readers unfamiliar with BGP hijacking should refer to “An Overview of BGP Hijacking.”

We can analyze this event using RIPE NCC’s BGPlay, a tool for visualizing BGP routing information.

Start and Spread of the Attack

The covering prefix, which contains the victim subnet, is announced from MojoHost-operated Autonomous System 27589. Below, we can see typical paths when traffic to that block is routed properly. At this point, the legitimate origin AS27589, marked in red, is peered with AS13030, AS5580, and AS174, among others:


Figure 1 - Typical Routing for AS27589

Around 12:00 UTC (15:30 Iran time) on Thursday, January 5th, AS12880 (TIC) and AS65050 (a private ASN) began making malicious route announcements for Because is more specific than the prefix AS27589 typically advertises, other routers will prefer the more-specific path, which is what makes this technique effective for BGP hijacking. Shortly after, this route was propagated to AS8529, Omantel, as shown below:

Figure 2 - Beginning of BGP Hijack

Omantel AS8529 then advertised the malicious route to its peers, resulting in the bogus route affecting more and more of the Internet. The screenshot below shows additional malicious routes announced to other Autonomous Systems a short time later.

Figure 3 - During the BGP Hijack

The below animation shows new malicious routes being propagated:

Figure 4 - Malicious Routes Propagating

How the Attack Was Stopped

The attack continued until about 16:00 UTC on Friday, January 6th, when two steps were taken to end the hijacking. First, the legitimate AS27589 began making an announcement for A static route was configured between AS27589 (MojoHost) and AS25152 (RIPE NCC), the AS to which the DNS K-root server belongs. The new route can be seen below:


Figure 5 - Legitimate AS27589 Announcing

Shortly thereafter, AS8529 (Omantel) ceased announcing the malicious route to its peers. After about an hour, AS27589 was back in control of As shown below, the BGP routes for that prefix change from AS12880 and AS65050 to the legitimate AS27589:

Figure 6 - BGP Paths Adjusting to the Legitimate AS

This incident is another example of BGP’s technical limitations being exploited to restrict internet access. It’s also a notable instance of one country’s laws spilling outside its jurisdiction.

To protect their respective IP space, providers should consider implementing RPKI (Resource Public Key Infrastructure), which lets routers reject announcements whose origin AS is not authorized for the prefix.
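The three mechanisms this post-mortem turns on are the longest-prefix-match preference that let the hijacker's /24 beat the legitimate covering block, the counter-announcement that restored the legitimate origin, and RPKI origin validation as the preventive control. The following toy route table is an added example written for this page; it is not code from the author or from any router vendor. The prefixes 203.0.112.0/22 and 203.0.113.0/24 are constructed documentation-range placeholders standing in for the real prefixes (which this page does not reproduce), and the AS path ordering (8529, 12880, 65050) is an assumption about how the hijacked route appeared downstream, using only ASNs named in the post. The ROA's maxLength of 24 is likewise an assumed value chosen so that the legitimate /24 counter-announcement validates.

```python
"""Toy BGP route selection with longest-prefix match and RPKI origin validation.

Added example for this post-mortem; prefixes, AS path ordering and ROA
parameters are constructed/assumed, not taken from the real incident.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # announced prefix
    as_path: tuple                 # AS path as seen at this router; last element is the origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix down to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


def rpki_validate(route: Route, roas: list) -> str:
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'not-found'."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"  # no ROA covers this prefix; policy decides
    for roa in covering:
        if roa.origin_as == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin or too specific


def drop_invalid(table: list, roas: list) -> list:
    """The preventive control: refuse to install RPKI-invalid announcements."""
    return [r for r in table if rpki_validate(r, roas) != "invalid"]


def best_route(table: list, dest: str):
    """Pick the route for dest: most specific prefix wins, then shortest AS path."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


NET = ipaddress.IPv4Network
# Constructed scenario mirroring the post: legitimate covering block from AS27589,
# a more-specific /24 carrying an unauthorized origin, relayed via AS8529 (assumed path).
LEGIT_AGGREGATE = Route(NET("203.0.112.0/22"), (27589,))
HIJACK = Route(NET("203.0.113.0/24"), (8529, 12880, 65050))
LEGIT_SPECIFIC = Route(NET("203.0.113.0/24"), (27589,))   # the counter-announcement
ROAS = [Roa(NET("203.0.112.0/22"), 24, 27589)]           # assumed maxLength 24
VICTIM_HOST = "203.0.113.10"


def hijack_wins() -> int:
    """Without any defence the more-specific /24 captures traffic for the victim host."""
    return best_route([LEGIT_AGGREGATE, HIJACK], VICTIM_HOST).origin_as


def counter_announcement_wins() -> int:
    """Announcing an equally specific /24 with a shorter path restores the legitimate origin."""
    return best_route([LEGIT_AGGREGATE, HIJACK, LEGIT_SPECIFIC], VICTIM_HOST).origin_as


def rpki_filtered_wins() -> int:
    """With RPKI filtering the hijack never enters the table, so no counter-announcement is needed."""
    return best_route(drop_invalid([LEGIT_AGGREGATE, HIJACK], ROAS), VICTIM_HOST).origin_as


if __name__ == "__main__":
    print("no defence, traffic goes to AS", hijack_wins())
    print("after counter-announcement, traffic goes to AS", counter_announcement_wins())
    print("with RPKI filtering, traffic goes to AS", rpki_filtered_wins())
    for r in (LEGIT_AGGREGATE, HIJACK, LEGIT_SPECIFIC):
        print(r.prefix, "origin", r.origin_as, "->", rpki_validate(r, ROAS))
```

The tie-break on AS path length is a simplification of real BGP best-path selection (local preference, MED and other attributes come first on production routers), but it is enough to show why the counter-announcement only helped routers that saw a shorter path through MojoHost, whereas RPKI validation removes the bogus /24 before any path comparison happens.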