nanog mailing list archives

[BGP Hijack] AS202734 hijacked multiple Chinese Carriers on May 16-17 – Full evidence and attribution


From: me via NANOG <nanog () lists nanog org>
Date: Thu, 21 May 2026 23:57:00 +0800

Charlie,

Thanks for the technical questions. The full evidence archive (with PII redacted) is available.

To directly answer your requests:

UTC timestamps & affected prefixes:

Hijack window: 2026-05-16 to 2026-05-17 UTC.

The attacker's own BIRD config shows manual injection of China Telecom's IPv6 backbone (240e::/20) on May 1 (premeditation).

The full list of the 3,948 hijacked IPv4 prefixes is from Hurricane Electric's BGP data, timestamped on May 16-17.

Traceroutes/MTRs:

From my network (victim) to the attacker's infrastructure: as20473--nrt6.global.tianshome.net (log available in the archive).

From the attacker's Shanghai Looking Glass to my home IP: direct trace available in the archive.

BGP collector / looking-glass sources:

Hurricane Electric: https://bgp.he.net/AS202734

RIPE RIS data confirms the hijack peak during May 16-17.

Attacker's own Looking Glass: https://lg.tianshome.net

The complete evidence archive (PII redacted, including raw logs and emails) is available upon request to avoid cluttering the list. I will not attach files directly here.

Thank you for helping validate this incident.
_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/6XX3QOI33A3JJGWC4XLVVIYUF2TFG5TV/

