LLMpedia: The first transparent, open encyclopedia generated by LLMs

2013 AS 7007 incident

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: 2013 AS 7007 incident
Date: April 2013
Location: United States
Type: Internet routing leak
Cause: Misconfiguration of Border Gateway Protocol announcements
Affected: Global Internet routing

The 2013 AS 7007 incident was a major Border Gateway Protocol routing leak that caused widespread Internet reachability problems across North America and parts of Europe and Asia for several hours in April 2013. Network operators and researchers tracing the event included personnel from Level 3 Communications, Cogent Communications, AT&T, Verizon Communications, and major content providers such as Google, Facebook, and Akamai Technologies. The episode prompted coordinated emergency meetings among the Internet Engineering Task Force, the North American Network Operators' Group, and regional Internet registries including ARIN and RIPE NCC.

Background

In the years preceding April 2013, interdomain routing relied on the Border Gateway Protocol as specified by the Internet Engineering Task Force in RFCs developed by working groups such as the IDR Working Group. Backbone carriers including Sprint Corporation, Level 3 Communications, NTT Communications, and Cogent Communications exchanged routes for IP prefixes, identified by Autonomous System numbers, allocated by the Internet Assigned Numbers Authority and regional registries like ARIN and RIPE NCC. Incidents such as the 2008 YouTube Pakistan incident and the 2005 YouTube Pakistan incident demonstrated how prefix hijacks and misconfigurations could disrupt services for providers and content networks including YouTube, Akamai Technologies, Netflix, and Amazon Web Services.

The 2013 AS7007 Route Leak

On an April day in 2013, a small transit provider operating under Autonomous System number 7007 originated thousands of prefixes that it did not own, causing a massive propagation of false route announcements across peering fabrics and transit links involving networks like Level 3 Communications, Cogent Communications, NTT Communications, Sprint Corporation, AT&T, and Verizon Communications. The leak resulted from misconfigured route filtering and improper use of route maps and prefix-lists on Border Gateway Protocol sessions, affecting reachability to address blocks registered with ARIN and other registries. Operational logs reviewed by network engineers from Réseaux IP Européens (RIPE) and participants at North American Network Operators' Group meetings showed rapid withdrawal and re-advertisement of prefixes that resembled past incidents such as the 2008 YouTube Pakistan incident and the 2005 YouTube Pakistan incident.

Immediate Impact and Network Disruptions

The propagation of the incorrect announcements caused traffic blackholing and route flapping that impacted major content delivery networks including Akamai Technologies and cloud providers like Amazon Web Services and Google. Users experienced packet loss and degraded connectivity to services operated by Facebook, Microsoft, Yahoo!, and smaller regional ISPs connected via exchange points such as AMS-IX, LINX, and DE-CIX. Router control planes in large carriers such as Level 3 Communications and Cogent Communications experienced increased CPU load and BGP table churn documented in incident reports circulated at IETF sessions and NANOG mailing lists.

Technical Analysis and Root Causes

Post-incident analyses by engineers from ARIN, RIPE NCC, IETF, NANOG, and operators at Level 3 Communications identified the proximate cause as the improper origin attribute and lack of prefix filtering on BGP announcements from AS7007. The event illustrated weaknesses in operational practices around Route Origin Authorization deployment and Resource Public Key Infrastructure concepts promoted by IETF working groups. Contributing factors included absent or misapplied import and export filters, aggressive route acceptance policies by Tier 1 carriers like AT&T and Verizon Communications, and insufficient use of ROA objects in registries maintained by ARIN and RIPE NCC.

Responses and Mitigations

During and after the incident, operators from Level 3 Communications, Cogent Communications, NTT Communications, Sprint Corporation, AT&T, and Verizon Communications coordinated through channels such as NANOG and IETF to withdraw the rogue announcements and apply emergency route filters and route dampening. The episode accelerated deployment of operational best practices including strict prefix-lists, route flap damping policies, and corrective adoption of Resource Public Key Infrastructure measures advocated by IETF and implemented via registries like ARIN, RIPE NCC, and APNIC. Vendors of routing platforms such as Cisco Systems, Juniper Networks, and Arista Networks published configuration guidance to help operators prevent recurrence.
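The two controls named in the analysis and mitigation sections, a strict per-neighbor prefix-list and ROA-based origin validation, can be sketched as an import policy. This is an added example, not part of the original article: the ROAs, the prefix-list, the function names and the decision strings are constructed for illustration, using documentation prefixes and documentation ASNs, and the validation states follow RFC 6811.

```python
import ipaddress

# Constructed sample data: documentation prefixes and documentation ASNs.
ROAS = [  # (prefix, max_length, authorized origin AS)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]
# Hypothetical per-neighbor prefix-list: what customer AS 64500 may announce.
CUSTOMER_PREFIX_LIST = {64500: [("192.0.2.0/24", 24), ("2001:db8::/32", 48)]}


def covers(allowed, max_len, prefix):
    """True if `prefix` sits inside `allowed` and is no longer than max_len."""
    net, route = ipaddress.ip_network(allowed), ipaddress.ip_network(prefix)
    return (net.version == route.version and route.subnet_of(net)
            and route.prefixlen <= max_len)


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        net = ipaddress.ip_network(roa_prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True  # at least one ROA covers this route
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def import_decision(neighbor_as, prefix, as_path):
    """Apply the neighbor's prefix-list first, then drop RPKI-invalid routes."""
    allowed = CUSTOMER_PREFIX_LIST.get(neighbor_as, [])
    if not any(covers(p, m, prefix) for p, m in allowed):
        return "reject: not in prefix-list"
    if rov_state(prefix, as_path[-1]) == "invalid":  # origin is rightmost AS
        return "reject: rpki-invalid"
    return "accept"
```

A neighbor that re-originates prefixes outside its list is stopped by the first check, while the second check catches a covered prefix announced with the wrong origin or as a more-specific beyond the ROA's maximum length.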

Consequences and Policy Changes

The incident led to renewed emphasis on global routing security, influencing policy discussions at IETF, NANOG, ISOC, and regional registries including ARIN and RIPE NCC. Operators accelerated adoption of RPKI and ROA publication, and industry groups produced operational recommendations distributed through NANOG and working groups of the IETF. The event reinforced the need for cooperation among carriers such as Level 3 Communications, Cogent Communications, AT&T, and content operators like Google and Facebook to maintain resilient interdomain routing and informed subsequent exercises and incident response playbooks circulated within NANOG and regional network operator groups.

Category:Internet incidents Category:Border Gateway Protocol