Internet problems in South Africa
An accidental Border Gateway Protocol (BGP) route leak on the network of a major undersea cable firm connecting South Africa to the rest of the world was behind a recent local Internet outage.
Outage tracking website Downdetector showed a surge in reports of connection issues across several Internet service providers (ISPs) and fibre networks just after 21:00 on Friday, 26 December 2025.
Among the affected service providers and fibre infrastructure companies were Afrihost, Atomic Access, Cool Ideas, Vox, Vodacom, Vumatel, Openserve, and Frogfoot.
MyBroadband forum members initially reported high packet loss, which occurs when data packets fail to reach their intended destination across the Internet, before their connections went down completely.
Major ISPs and telecoms industry sources subsequently told MyBroadband the problem was caused by a BGP route leak on the West Indian Ocean Cable Company (WIOCC).
WIOCC is a major investor and owner of fibre pairs on several undersea cables connecting South Africa, including 2Africa, EASSy, Equiano, and WACS.
One source explained that at roughly 21:20, WIOCC’s Autonomous System (AS) 37662 started leaking prefixes and originating other networks’ IP space in different places.
“For example, they learned all Cool ideas and Afrihost’s IP ranges, and they announced it as their own in other places like the London Internet Exchange and NAPAfrica.”
The source said the issue also affected Google as WIOCC leaked their Domain Name System (DNS) IP range.
“This caused a shift in traffic from direct network to network peering to all traffic moving over WIOCC’s network,” the source said.
“Their links must have been instantly saturated as the impact was loss of connectivity and 99% packet loss with very high latency.”
The main impact lasted only about 10 minutes, as the affected Internet exchanges shut down WIOCC’s ports due to prefix limits being reached, a protection mechanism against route leaks.
“There were a few minutes of reconvergence, when the leaked routes were withdrawn, and the correct or alternative routes were preferred again,” the source said.
WIOCC confirmed to MyBroadband that a brief routing incident occurred as a result of a configuration error on a client prefix list.
“WIOCC has established routing rules, filtering policies and monitoring controls in place, which enabled the issue to be quickly identified, escalated and rectified within minutes,” the company said.
“While the underlying policy was correctly defined, a manual human error occurred during its implementation.”
BGP route leaks explained
Cloudflare describes BGP as the postal service of the Internet. “It’s responsible for looking at all of the available paths that data could travel and picking the best route,” the company explains.
A route leak occurs when a BGP announcement goes beyond its intended scope, causing traffic to be sent through an incorrect path, which can often be congested or untrustworthy.
Malicious or accidental BGP misconfigurations can cause major Internet disruptions, and without additional measures, the protocol is not secure.
“It is up to every autonomous system to implement filtering of ‘wrong routes,'” Cloudflare explains. “Leaking routes can break parts of the Internet by making them unreachable”
While commonly the result of misconfigurations, a deliberate BGP hijack can also redirect traffic to another autonomous system to steal information via phishing or passive listening.
In 2017, network traffic meant for Visa, Mastercard, Symantec, Verisign, and Internet Solutions was hijacked by state-owned Russian operator Rostelecom.
In a local incident in 2013, Internet Solutions’ ADSL network suffered multiple days of intermittent or slow connectivity after local cyberattackers hijacked its IP address space.
Cloudflare says that BGP can be made safe if all Autonomous Systems only announce legitimate routes. “A route is defined as legitimate when the owner of the resource allows its announcement,” it states.
Filters can help ensure only legitimate routes are accepted, while another form of protection is a certification system called Resource Public Key Infrastructure (RPKI).
RPKI validates the legitimacy of Internet routing information using cryptographic linking to pair IP addresses and ASNs to their rightful owners.
One ISP that reported the issue to MyBroadband criticised the fact that major IP transit networks impacted by the WIOCC issue seemed to be relying only on RPKI and not implementing filters.
Loading ...