Hijacking Network Traffic: Temporal Analysis of Adverse Changes in the Internet Topology

Despite the robust structure of the Internet, it is still susceptible to misconfigurations and/or intentional updates that prevent network traffic from being routed to its intended destination. In this work, we study three such large-scale disruptions and analyze how they impact the Internet topology. We use distributed views to generate temporal graphs of the routing dynamics of the Internet at the Autonomous System (AS) level. We analyze the topological properties of reconstructed AS-level graphs before, during, and after these incidents. We examine the Indosat hijacking event in April of 2014; the Telecom Malaysia leak in June of 2015; and the Bharti Airtel Ltd. hijack in November of 2015. We use observations from the AS-level graph topology to illustrate that these incidents are visible as anomalies before they are widely diffused. Furthermore, our findings show: (1) a view that is geographically close to the incident experiences more pronounced changes in the graph structure and (2) a view that is constructed from a smaller number of feeders is not as robust, and its changes in similarity may have a larger range and persist after the event. The number of feeders corresponds to the scope of the view. We confirm and demonstrate that distributed views of the Internet at the AS level can be used for early detection of large-scale Internet disruptions despite their distributed and incomplete nature. The three case studies (Indonesia, Malaysia, and India) show that the events are visible as anomalies in the similarities of sequential graphs built from time series of announced routes. This method has potential for early detection of large-scale control-plane anomalies, possibly enabling quicker mitigation.

Pablo Moriano, Raquel Hill and Jean Camp
Tuesday, September 25, 2018 - 11:30 to 11:45
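
The idea in the abstract, comparing sequential AS-level graphs built from announced routes and watching for drops in similarity, can be sketched as follows. This is an added example, not the authors' code or metric: Jaccard similarity over edge sets, the `drop` threshold, the feeder names `f1`/`f2` and the documentation-range AS numbers are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: per-feeder AS paths using documentation ASNs (RFC 5398).
BASE = {"f1": ["64496 64500 64510", "64496 64501 64511"],
        "f2": ["64497 64500 64510", "64497 64501 64501 64511"]}
# Window 3: feeder f1 suddenly reaches both prefixes through AS 64499.
INCIDENT = {"f1": ["64496 64499", "64496 64499"], "f2": BASE["f2"]}
UPDATES = [(w, f, p) for w in range(6)
           for f, paths in (INCIDENT if w == 3 else BASE).items() for p in paths]

def as_edges(path):
    """Undirected AS adjacencies in one path; prepending collapsed, AS_SETs skipped."""
    hops = []
    for tok in path.split():
        if tok.isdigit() and (not hops or hops[-1] != int(tok)):
            hops.append(int(tok))
    return {frozenset(e) for e in zip(hops, hops[1:])}

def graphs_by_window(updates, feeders=None):
    """Edge set of the AS-level graph per time window, for a chosen set of feeders."""
    graphs = defaultdict(set)
    for window, feeder, path in updates:
        if feeders is None or feeder in feeders:
            graphs[window] |= as_edges(path)
    return [graphs[w] for w in sorted(graphs)]

def jaccard(a, b):
    """Assumed similarity metric: shared edges over all edges seen in either graph."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def sequential_similarity(graphs):
    return [jaccard(g, h) for g, h in zip(graphs, graphs[1:])]

def anomalous_windows(sims, drop=0.2):
    """Windows at least `drop` less similar to their predecessor than the median."""
    typical = median(sims)
    return [i + 1 for i, s in enumerate(sims) if typical - s >= drop]

if __name__ == "__main__":
    for label, feeders in (("both feeders", None), ("f1 only", {"f1"})):
        sims = sequential_similarity(graphs_by_window(UPDATES, feeders))
        print(label, [round(s, 2) for s in sims], anomalous_windows(sims))
```

Both the window where the paths change and the window where they revert are flagged, since each differs sharply from its predecessor. The single-feeder view swings over a wider similarity range than the two-feeder view on the same data, in line with finding (2) above.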


