• March 13, 2015

UK traffic diverted through Ukraine

On the heels of the BGP leak yesterday that briefly impaired Google services around the world, comes another routing incident that impacted some other important Internet services.

Beginning on Saturday, Ukrainian telecom provider, Vega, began announcing 14 British Telecom (BT) routes, resulting in the redirection of Internet traffic through Ukraine for a handful of British Telecom customers.  Early yesterday morning, Vega announced another 167 BT prefixes for 1.5 hours resulting in the rerouting of additional traffic destined for some of BT's customers, including the UK's Atomic Weapons Establishment, the "organization responsible for the design, manufacture and support of warheads for the United Kingdom's nuclear deterrent."


In early 2013, Ukrainian provider Vega (AS12883) became a reseller of BT services, but prior to Saturday had never announced any BT routes.  Then, in the middle of a weekend night in Europe (02:37 UTC on Saturday, March 7th), Vega began announcing 14 prefixes typically announced by AS2856 of BT.  These prefixes are listed below. Thales Transport and Security Ltd (Barnet, GB) Thales Transport and Security Ltd (Ealing, GB)  Royal Mail Group Limited (Sheffield, GB)  Royal Mail Group Limited (Chesterfield, GB) Black & Veatch (Manchester, GB) BT - 21CN (GB)  Svenska Cellulosa Aktiebolaget SCA  (GB)   Tilbury Container Services Ltd  (Tilbury, GB)  Allen and Overy LLP     Tower (Hamlets, GB)   The Guinness Partnership (Oldham, GB)   AstraZeneca PLC (GB)  The Carphone Warehouse Limited (Westminster, GB)  AEA Technology Plc (Islington, GB) Servcorp SmartOffice (Tower Hamlets, GB)


The Royal Mail group is the postal service company of the UK.  While the Royal Mail's website offers a handy "Redirect your mail" link, it was their electronic mail that was being redirected over the past week, because one of the impacted networks contains the IP addresses of their email servers, which are shown next.

$ dig +short royalmail.com MX
10 cscmaanot02.royalmail.com.
10 cscmaanot01.royalmail.com.
$ dig +short cscmaanot02.royalmail.com. A
$ dig +short cscmaanot01.royalmail.com. A

The following graphics display the percentage of our peers over time that saw either BT (AS2856) or Vega (AS12883) announce routes for the Royal Mail service.  Both of these routes are covered by, which is announced by British Telecom (AS2856). So for about five days, a significant portion of the Internet was sending traffic destined for these routes to Vega in the Ukraine. Our traceroutes show that traffic continued on to British Telecom after passing through Kiev.

Hijacked Nuke Networks


Then at 03:03 UTC yesterday morning, Vega (AS12883) began announcing 167 additional BT prefixes, including the following prefixes of the UK's Atomic Weapons Establishment.  After routing all of these prefixes for 90+ minutes, Vega stopped announcing any BT prefixes at 04:36 UTC. Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB Atomic Weapons Establishment GB   Atomic Weapons Establishment GB

Next, we illustrate the route propagation profiles for two of the aforementioned AWE prefixes.  Since these routes were already globally distributed by BT, only a small portion of the Internet believed that Vega was a better alternative.   (Another noteworthy network impacted at the same time was that of defense contractor Lockheed Martin, apparently hosting an external VPN service at evpnuk1a.external.lmco.com, which resolves to

The above Atomic Weapons Establishment address space contains the IP addresses of their email servers, namely: awe.co.uk mta1.awe.co.uk awe.co.uk mta2.awe.co.uk

To illustrate this traffic redirection, we will consider the normal and altered traceroute paths from one location in the US to AWE.  On the day prior, the traceroute shown below goes from Houston via Softlayer to the Telehouse facility in New York City, and then onto BT and AWE.

trace from Houston, TX to Atomic Weapons Establishment at 12:40 Mar 11, 2015
1  *
2 ae12.dar02.sr02.hou02.networklayer.com      0.28
3    ae9.bbr01.sr02.hou02.networklayer.com       0.28
4  ae3.bbr01.eq01.dal03.networklayer.com       6.13
5  ae0.bbr01.eq01.chi01.networklayer.com      26.17
6  ae0.bbr02.tl01.nyc01.networklayer.com      48.188
7  ae7.bbr01.tl01.nyc01.networklayer.com      51.295
8   (TELEHOUSE, New York)                      46.511
9   t2c3-xe-11-3-1-0.uk-lon1.eu.bt.net        114.113
10  166-49-211-243.eu.bt.net                  114.354
11 host213-121-193-151.ukcore.bt.net         114.142
12   core2-pos1-0.birmingham.ukcore.bt.net     239.692
13     vhsaccess1-pos8-0.birmingham.fixed.bt.net 121.198
14   Atomic Weapons Establishment              134.476

During the hijack on the next day, a traceroute from the same location gets diverted to Vega's interface at DECIX in Frankfurt, Germany (Ucomline is Vega's international brand).  From there, it was passed to Vega's interface with its Russian transit provider, RETN, before traveling back to the London Internet Exchange and finally to its intended destination at AWE via BT.

trace from Houston, TX to Atomic Weapons Establishment at 03:22 Mar 12, 2015
1  *
2 ae12.dar02.sr02.hou02.networklayer.com      2.948
3    ae9.bbr02.sr02.hou02.networklayer.com         0.3
4  ae3.bbr02.eq01.dal03.networklayer.com       8.133
5  ae1.bbr01.tl01.atl01.networklayer.com      28.524
6  ae0.bbr01.eq01.wdc02.networklayer.com      42.033
7  ae7.bbr02.eq01.wdc02.networklayer.com      40.167
8    ae0.bbr01.eq01.ams02.networklayer.com     118.838
9    ae0.bbr02.xn01.fra01.networklayer.com     124.983
10    ae7.bbr01.xn01.fra01.networklayer.com     124.133
11   edge-3-2-5-231.kiev.ucomline.net          154.988
12  ae2-241.RT.NTL.KIV.UA.retn.net            155.174
13  ae2-10.RT.TC2.LON.UK.retn.net             158.221
14   linx1.ukcore.bt.net                       161.442
15   (BTnet inter-pop routes, GB)              166.986
16   core1-pos1-1.birmingham.ukcore.bt.net     163.205
17     vhsaccess1-pos7-0.birmingham.fixed.bt.net 164.139
18   (Atomic Weapons Establishment, GB)        177.4

The 167 hijacked prefixes (listed below) also included more innocuous networks like those of Pepsi Cola ( and Wal-Mart UK ( and  However, these networks do host domains with "VPN" and "mail" in their names, implying they provide important services for these companies.  Does this list represent some curious mistake or something more?  Either way, it redirected a portion of Internet traffic bound for networks, at a minimum resulting in poor performance for some customers. csukvpn01.wal-mart.com uksslvpngw.wal-mart.com csukvpn02.wal-mart.com    emea.webmail.intl.pepsico.com    emea.webmail.intl.pepsico.com


Unlike yesterday's Google routing leak that was remediated after only 20 minutes, Vega's errant announcement of BT's networks went on for five days.  As we've chronicled in the blog in past, route hijacking has become a growing and ever-present concern.  As a result, enterprises must monitor their routes to ensure uninterrupted Internet connectivity for their customers — no one else is going to do it for them.  Whether for security or performance, tools like Dyn Internet Intelligence were built to address this need.

Below is a complete listing of the 167 leaked prefixes from yesterday: Cofunds Ltd (GB) Department for Environment, Food and Rural Affairs (DEFRA) (GB) Servcorp (GB) BT Infrastructure Layer (GB) BT Infrastructure Layer (GB) Marks and Spencer PLC (GB) Dabs Direct PLC (GB) Department for Environment, Food and Rural Affairs (DEFRA) (GB) Submission Technology Ltd (GB) AgustaWestland Ltd (GB) BT Infrastructure Layer (GB) INFONET Services Corporation (GB) Various Registries (Maintained by ARIN) (GB) Continental DataGraphics Ltd (GB) Atomic Weapons Establishment (GB) BUILDING DESIGN PARTNERSHIP LIMITED (GB) Dairy Crest Ltd (GB) Virgin Money plc (GB) Allen and Overy LLP (GB) Avago Technologies U.S. Inc. (GB) BT Public Internet Service (GB) BT Public Internet Service (GB) Atomic Weapons Establishment (GB) BT Public Internet Service (GB) Evolving Systems Limited (GB) Cognizant Technology Solution India Pvt Ltd, India (GB) BT Public Internet Service (GB) The Football Association Ltd (GB) Satellite Applications Catapult Limited (GB) BT Public Internet Service (GB) British Telecommunications PLC (GB) Adaptec, Inc. (GB) TEVA UK HOLDINGS LIMITED (GB) Pinewood Technologies Plc (GB) Hogg Robinson PLC (GB) Uniserv Group (GB) Office of Communications (GB) Wal-Mart Stores, Inc. (GB) MAID PLC (GB) Tektronix, Inc. (GB) Lafarge Tarmac Holdings Limited (GB) Atomic Weapons Establishment (GB) Telme Online Limited (GB) AAH Pharmaceuticals Ltd (GB) Atomic Weapons Establishment (GB) Curtis Instruments, Inc. (GB) Shire Pharmaceuticals Limited (GB) RWE NPower (GB) Biznet IIS Ltd. (GB) CGI IT UK Ltd. (GB) British Telecommunications PLC (GB) Cornwall Council (GB) Quantum Corporation (GB) CIBC World Markets (GB) BONTBLOCK (GB) BT Infrastructure Layer (GB) Doculynx Inc. (GB) Computer Generation (GB) Pepsi-Cola International (GB) CSC IT Ltd (GB) Department for Environment, Food and Rural Affairs (DEFRA) (GB) British Telecommunications PLC (GB) WWRD United Kingdom Ltd (GB) BT Public Internet Service (GB) Sandwell Metropolitan Borough Council (GB) British Telecommunications PLC (GB) SAS Global Communications Ltd. (GB) Atomic Weapons Establishment (GB) Viad Corp (GB) WCMC 2000 (GB) WSP Europe (GB) BT Public Internet Service (GB) Aircraft Research Association Limited (GB) CNA Insurance (GB) ARC - Chicago (GB) Atomic Weapons Establishment (GB) British Telecommunications PLC (GB) KCOM BT sub-allocation (GB) Pinewood Technologies Plc (GB) Significant (UK) Ltd (GB) PGDS UK ONE - BT Internet - PG1 DC (GB) British Telecommunications PLC (GB) British Telecommunications PLC (GB) AgustaWestland Ltd (GB) Fruit of the Loom, Inc. (GB) AgustaWestland Ltd (GB) Department for Environment, Food and Rural Affairs (DEFRA) (GB) WSP Europe (GB) Isoft Health Ltd (GB) Atomic Weapons Establishment (GB) Allianz Insurance plc (GB) Wal-Mart Stores, Inc. (GB) Significant (UK) Ltd (GB) British Telecommunications PLC (GB) Lockheed Martin Corporation (GB) BT Public Internet Service (GB) Thus PLC t/a Demon Internet (GB) Avago Technologies U.S. Inc. (GB) Metropolitan Networks UK Ltd (GB) British Telecommunications PLC (GB) BT-CENTRAL-PLUS (GB) BT Public Internet Service (GB) SANTANDER UK PLC (GB) Data Research Associates, Inc. (GB) British Telecommunications PLC (GB) BT Public Internet Service (GB) KCOM Group Public Limited Company (GB) Toronto Dominion Bank (GB) BT Public Internet Service (GB) British Telecommunications PLC (GB) Hitachi Europe Ltd (GB) Northern Ireland Civil Service (GB) Viad Corp (GB) BT Public Internet Service (GB) British Telecommunications PLC (GB) AgustaWestland Ltd (GB) BT Public Internet Service (GB) BT Public Internet Service (GB) BT Public Internet Service (GB) Websense SC Operations Limited (GB) Ashridge (Bonar Law Memorial) Trust (GB) AgustaWestland Ltd (GB) Eurodollar (UK) Limited (GB) British Telecommunications PLC (GB) Intuitiv Ltd. (GB) BUILDING DESIGN PARTNERSHIP LIMITED (GB) Atomic Weapons Establishment (GB) Net Energy Internet Ltd. (GB) Toshiba Information Systems (UK) Ltd (GB) MAID PLC (GB) The Statistics Board (GB) DMZ at Bacton. (GB) INFONET Services Corporation (GB) O2 Reference (UK) (GB) BT Public Internet Service (GB) KCOM Group Public Limited Company (GB) The Statistics Board (GB) The Statistics Board (GB) British Telecommunications PLC (GB) Atomic Weapons Establishment (GB) Atomic Weapons Establishment (GB) Atomic Weapons Establishment (GB) Allergan, Inc. (GB) Unipath Limited (GB) Northern Ireland Civil Service (GB) British Telecommunications PLC (GB) TRW Automotive (GB) AgustaWestland Ltd (GB) CIBC World Markets (GB) NATS (GB) BT Public Internet Service (GB) Royal Bank of Scotland plc (GB) Smith and Nephew - Endoscopy (GB) Softlab GmbH, Muenchen (GB) British Telecommunications PLC (GB) Sir Robert McAlpine Ltd (GB) Syntellect Inc. (GB) Global Crossing VHSDR service (GB) Atomic Weapons Establishment (GB) The Statistics Board (GB) Allen and Overy LLP (GB) NCC Services Ltd (GB) SIX CONTINENTS LIMITED (GB) Servcorp (GB) Allianz Insurance plc (GB) CIBC World Markets (GB) AWE PLC (GB)

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha