On-going BGP Hijack Targets Palestinian ISP

January 9, 2015 Doug Madory

It’s a new year, but some things never change. In the past few days we have observed a spate of routing misbehavior incidents, including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.

Beginning at 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51047), a Palestinian ISP with presence in both Gaza and the West Bank. Beginning at that time, A2B Internet B.V. (AS51088) began announcing, which is a more-specific route of, normally announced by Mada.
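The more-specific announcement described above can be checked for mechanically. The following is an added example, not code from Dyn or from the original post: it compares observed announcements against a baseline of expected origins and uses longest-prefix match to show which origin attracts the traffic. The documentation prefixes, AS64500, and the function names are constructed for illustration; only AS51047 and AS51088 come from the post.

```python
import ipaddress

# Constructed baseline: 203.0.113.0/24 (a documentation prefix) stands in for
# the covering prefix; AS51047 and AS51088 are the ASNs named in the post.
BASELINE = {ipaddress.ip_network("203.0.113.0/24"): {51047}}

def classify(prefix, origin_as, baseline=BASELINE):
    """Compare one observed announcement against expected prefix origins."""
    net = ipaddress.ip_network(prefix)
    # Baseline entries of the same IP version that cover this prefix.
    covers = [b for b in baseline
              if b.version == net.version and net.subnet_of(b)]
    if not covers:
        return "unmonitored"
    cover = max(covers, key=lambda b: b.prefixlen)
    authorized = origin_as in baseline[cover]
    if net == cover:
        return "expected" if authorized else "origin-mismatch"
    # A longer prefix inside monitored space wins route selection everywhere
    # it propagates, so a foreign origin here is the case to alert on.
    if authorized:
        return "more-specific-known-origin"
    return "more-specific-foreign-origin"

def best_origin(address, routes):
    """Longest-prefix match: origin AS that attracts traffic for address."""
    addr = ipaddress.ip_address(address)
    nets = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    matches = [(n, asn) for n, asn in nets
               if n.version == addr.version and addr in n]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed feed of (prefix, origin AS) announcements.
OBSERVED = [
    ("203.0.113.0/24", 51047),    # legitimate covering route
    ("203.0.113.128/25", 51088),  # more-specific from a different origin
    ("198.51.100.0/24", 64500),   # outside the monitored space
]

def alerts(observed=OBSERVED):
    """Return the announcements that warrant investigation."""
    bad = ("origin-mismatch", "more-specific-foreign-origin")
    rows = [(p, asn, classify(p, asn)) for p, asn in observed]
    return [r for r in rows if r[2] in bad]

if __name__ == "__main__":
    for row in alerts():
        print(row)
```

Addresses outside the more-specific still follow the legitimate route, which is why only part of a covering prefix may appear affected in traceroutes.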

Traceroutes directed to this address space are presently being re-directed to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:

trace from Cyberjaya, Malaysia to Mada Telecom, PS on Jan 09, 2015
 1                                               *
 2  x.x.x.x (Cyberjaya, Malaysia)                3.442
 3  (Extreme Broadband, Malaysia)                0.696
 4  (Extreme Broadband, Malaysia)                1.222
 5  global.hgc.com.hk                           35.854
 6  global.hgc.com.hk                           36.742
 7  (Hutchison, Singapore)                      41.628
 8  (Hutchison, Amsterdam)                     190.787
 9  (Tata, Amsterdam, NL)                      213.494
10  (A2B Internet, NL)                         200.990
11  (GTT, Amsterdam)                           268.366
12  xe-5-0-1.edge3.Amsterdam.Level3.net        300.909
13  ae-236-3612.edge5.London1.Level3.net       268.586
14  ae-234-3610.edge5.london1.Level3.net       269.017
15  ADOBE-SYSTE.edge3.London15.Level3.net      362.157
16  (Mada Telecom, Palestine)                  329.861
17  (Mada Telecom, Palestine)                  408.753

The on-demand traceroute functionality in Dyn Internet Intelligence shows the redirection through A2B Internet. The view from Vienna is highlighted below:


Below is a topological view of our traceroutes going through A2B Internet en-route to Mada Telecom.


This isn’t the first MITM hijack we have observed involving AS51088 in the last couple of days. About two hours earlier, starting at 22:23:09 UTC on 7 January, we observed AS51088 announce – a network that hosts over 3,000 domains including IPs associated with Bitcoin.

Below is a sampling of our traceroutes from yesterday that were redirected through AS51088 en-route to SIT Internetdiensten (AS61044).


We’ve alerted the impacted parties and will update this blog if we receive any additional information.

As I noted in my September blog,

Regardless of the cause of each of these incidents, the problem is a very real and growing one. Perhaps documenting these incidents will promote a greater understanding of the extent and nature of the problems around the trust-based Internet routing system in global use today.

The post On-going BGP Hijack Targets Palestinian ISP appeared first on Dyn Research.


About the Author

Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest in submarine cables.
