BGPMON Alert Questions

Hi All,

I am a network admin for Aware Corporation AS18356 (Thailand), as
mentioned in the alert.
We operate a BGPMon PeerMon node on our network, which peers with the
BGPMon service as a collector.

It is likely that AS4761 (INDOSAT) has somehow managed to hijack these
prefixes and CAT (Communications Authority of Thailand AS4651) is not
filtering them,
hence they are announced to us and are triggering these BGPMon alerts.

I have had several mails to our NOC about this already and have responded
directly to those.
I suggest contacting Indosat directly to get this resolved.
AS18356 is a stub AS, so we are not actually advertising these learned
hijacked prefixes to anyone but BGPMon for data collection purposes.



Andrew Ashley

Office: +27 21 673 6841

route-views4 / has seen updates that contains large amount of
prefixes at time 1396464452 (04 / 02 / 14 @ 6:47:32pm UTC) with path
[20225, 6939, 4761]

full prefixes list:

is it normal for single update to contain such large amount NLRI info?

yeah you're seeing the impact of a pretty broad prefix injection

indosat's upstream filters seem to be working for the most part.

Just got the same for 5 of my prefixes.

Another 5 of ours just got hit.

Anyone have any ideas on what will be done about it?

Based on the image they tweeted, I don't think they are doing much
filtering; the Syrian prefix was spread to a number of countries and AS. If
you have good US connectivity the impact seems limited due to better AS
Paths winning, but for less well connected prefixes I'm assuming it's more
up in the air.


Yes, I too have alerts for some of our prefixes from the same offending
origin 4761

On Wednesday April 2nd 2014 at 19:59 UTC we detected a Origin AS Change
event for your prefix ( slash 20 bottom of nor cal)
The detected prefix:, was announced by AS4761
(INDOSAT-INP-AP INDOSAT Internet Network Provider,ID)
Alert description: Origin AS Change
Detected Prefix:
Detected Origin AS: 4761
Expected Origin AS: 26803

Bob Evans

I have someone from on the phone and he doesn't speak a lot of English and I don't speak any Thai..... He knew what indosat was and their AS number. He further stated he got my email (never told him who I was), but he said he would be replying ASAP. We only had one /24 announced by indosat.

James Laszko
Mythos Technology Inc

I called into +66 2104-2374

James Laszko
Mythos Technology Inc

They have advertised all of ours now.

Saw this as well on my blocks.

Is this malicious or did someone redistribute all of bgp with bad upstream

where did you get that number ?
aut-num: AS4761
descr: INDOSAT Internet Network Provider
descr: Internet Network Access Point in INDONESIA
country: ID
admin-c: IH151-AP
tech-c: DA205-AP
changed: 20081006
source: APNIC
person: Dewi Amalia
nic-hdl: DA205-AP
address: PT INDOSAT
address: JL. Medan Merdeka Barat 21
address: Jakarta Pusat
phone: +62-21-30444066
fax-no: +62-21-30001073
country: ID
changed: 20080117
source: APNIC
person: INDOSAT INP Hostmaster
nic-hdl: IH151-AP
address: PT Indosat
address: Jl. Medan Merdeka Barat 21
address: Jakarta Pusat
phone: +62-21-30444066
fax-no: +62-21-30001073
country: ID
changed: 20120104
source: APNIC

Bob Evans

Three of ours just got jacked. I have tried to contact via email for update / fix of their end.


Same here:

I emailed a little over an hour ago, and no response
as yet. Anyone having luck making contact with Indosat themselves?

Contacted about this, I urge others to do the same.


We are getting multiple alerts for a mix of our and customers prefixes.

Could someone from HE tell if they started filtering yet ?

Erik Bais

I think that was a number for CAT, AS4651.


They perfectly re-advertized all mine. Loos like a huge mistake. And still

Although this was nice to see:

I got a bounce from Indosat saying:

"Dear Senders,

Thank you for your email, started March,1st 2012 email address for
correspondence with Indosat IP Support & All Support INP will be change and
not active with detail information as follows :
1. Correspondence and complain handling for Indosat Corporate customers
(INP, IDIA and INIX services) please kindly address to : (Service Desk MIDI Indosat Corporate Solution)
2. Correspondence and coordination for upstream and peering purpose please
kindly address to : (SNOC IP Surveillance)
Thank you for your kind cooperation and understanding.
Indosat IP Support"

Perhaps the ³SNOC IP Surveillance² address is better?

For CAT Thailand, the contact details I have are:

NOC call center
CAT Telecom
Tel: 66 2 104 2382
FAX: 66 2 104 2281

As someone mentioned, English may be an issue, especially at this time of
the morning over there.


Andrew Ashley

Office: +27 21 673 6841