Global internet traffic to IP addresses belonging to Google, Facebook, Microsoft, Apple and other high-profile tech companies was rerouted Tuesday through a little-known ISP in Russia. Researchers suspect the traffic was hijacked.
The incident lasted for more than two hours, from 4:44 UTC to 7:19 UTC, according to researchers from Russian DDoS mitigation company Qrator Labs. However, OpenDNS’ BGPmon service only observed two event windows of about three minutes each.
Both companies observed an obscure Russian ISP known as DV-LINK—identified in the global routing ecosystem as AS39523—announcing itself as the origin for around 80 prefixes owned by companies including Google, Facebook, Microsoft, Apple, Twitch, NTT Communications, Riot Games, Mail.ru and Vkontakte. A prefix is a block of IP addresses, written in CIDR notation such as 203.0.113.0/24, that BGP routes as a single unit. Routers always prefer the most specific (longest) matching prefix, so an announcement of a smaller block carved out of a larger one attracts that block's traffic regardless of who announced the larger one.
AS39523’s rogue announcements were accepted and propagated in the global routing table by its upstream provider, PJSC MegaFon. Other large providers including Level3, Cogent, Telstra, Hurricane Electric, Zayo and Nordunet accepted the announcements and routed traffic to and from those prefixes through the Russian ISP. DV-LINK essentially became a proxy between many users and the services they were trying to access.
Such incidents are known as BGP or prefix hijacking. They are possible because the Border Gateway Protocol (BGP), which networks use to exchange reachability information and build routing paths across the internet, has no built-in way to verify that a network is entitled to announce a prefix; it relies on trust between neighboring networks. Routing leaks are often the result of misconfiguration or internal testing gone wrong, but there have been cases, this one included, where the announcements were very probably intentional and the traffic deliberately diverted.
“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the internet,” the BGPmon researchers said in a blog post. “This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic.”
Properly implemented encryption (HTTPS, or a VPN tunnel) should, in theory, keep the content of the diverted traffic from being read, even when it passes through a malicious network. What encryption does not hide is the fact that a given client is talking to a given server, and a network in the path can still delay, drop or selectively block that traffic; anything sent in the clear, such as plain HTTP or unencrypted DNS, is fully exposed. Beyond that, many attacks against TLS and other transport encryption protocols have been discovered over the years, so it is not out of the question that someone would use a prefix hijack to place themselves in a position to exploit an as-yet-unknown bug.
“The central question is: why did these path announcements propagate at all?” researchers from Qrator Labs said in a blog post. “The fact that the hijacked prefixes propagated to every corner of the internet demonstrates an absence of proper filters between the AS39523 and its direct upstream AS31133 (Megafon), and between AS31133 (Megafon) and its adjacent networks and upstream providers.”
BGP was designed at a time when the internet was very small and ISPs implicitly trusted each other's announcements without any additional form of validation. As the internet grew and the number of prefix hijacking incidents, both intentional and accidental, increased, it became clear that this approach no longer works.
The Internet Engineering Task Force (IETF), with support from the U.S. National Institute of Standards and Technology (NIST), the U.S. Department of Homeland Security and others, has worked in recent years to secure BGP. The first building block is the Resource Public Key Infrastructure (RPKI), in which address holders publish cryptographically signed Route Origin Authorizations (ROAs) stating which autonomous system may originate a prefix and how specific an announcement of it may be. Routers can use that data for route origin validation and drop announcements whose origin AS does not match or which are more specific than the ROA allows. The newer BGPsec protocol builds on RPKI and goes further: each AS signs the AS path itself as the announcement propagates, so a forged path, not just a forged origin, can be detected.
Unfortunately, BGPsec adoption is currently negligible because signing and verifying every update impacts router performance and in many cases requires equipment upgrades, as routers need to be capable of the cryptographic operations. Origin validation based on RPKI is far cheaper: the signature checks run on a separate validator, and the router only consults a cache of validated prefix-to-origin mappings. There are other low-cost measures that can be implemented in the meantime as well, chiefly filtering: accepting from each customer only the prefixes that customer is registered to originate, and capping the number of prefixes accepted on a session.
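To make the two checks discussed above concrete, here is an added example, not code from the article, Qrator Labs or BGPmon, that implements RPKI route origin validation as specified in RFC 6811 and a simple per-customer prefix-list filter, then replays a handful of constructed announcements through an upstream that has no filters at all, one that does only origin validation, and one that does both. All prefixes, ROAs and AS numbers are constructed for illustration (documentation address ranges and private ASNs), not the real prefixes or networks involved in the incident; the ROA data would normally come from a validator cache via RPKI-to-Router rather than a hard-coded list.

```python
"""Route origin validation (RFC 6811) plus a customer prefix list.

Added illustration, not code from the article or from Qrator Labs/BGPmon.
ROAs, prefixes and AS numbers are constructed: RFC 5737/3849 documentation
ranges and RFC 6996 private ASNs. ROAS stands in for a validator cache.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    """origin_as may originate prefix, and more-specifics of it up to max_length bits."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed RPKI data: three address holders, each authorizing one origin AS.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # a content provider's /24, no more-specifics
    ROA("198.51.100.0/22", 22, 64501),  # a /22 that must not be split
    ROA("2001:db8::/32", 48, 64500),    # an IPv6 block, /48 announcements permitted
]


def validate_origin(prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'notfound' (RFC 6811).

    A ROA covers the route when the ROA prefix contains the announced prefix.
    The route is valid if some covering ROA names this origin AS and the
    announced length is within that ROA's max_length. Covered but unmatched
    (wrong origin, or too specific) is invalid. No covering ROA: notfound.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def upstream_accepts(prefix: str, as_path: List[int],
                     customer_prefix_list: Optional[Iterable[str]],
                     roas: Iterable[ROA]) -> Tuple[bool, str]:
    """Decision an upstream applies to a route learned from a customer.

    Two independent checks: a per-customer prefix list (what the customer is
    registered to originate; None means no list, accept anything) and RPKI
    origin validation, which drops 'invalid' routes. The origin AS is the
    rightmost element of the AS path.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if customer_prefix_list is not None:
        allowed = [ipaddress.ip_network(p, strict=False) for p in customer_prefix_list]
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            return False, "prefix not in customer prefix-list"
    state = validate_origin(prefix, as_path[-1], roas)
    if state == "invalid":
        return False, "rpki invalid"
    return True, f"rpki {state}"


# Constructed announcements from a small customer, AS 65000, whose only
# registered space is 192.0.2.0/24. The others mimic hijack patterns.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [65000]),           # the customer's own prefix
    ("203.0.113.0/24", [65000]),         # forged origin for someone else's /24
    ("203.0.113.0/24", [65000, 64500]),  # same prefix, legitimate origin spoofed in the path
    ("198.51.100.0/24", [65000]),        # more-specific carved out of a covered /22
    ("2001:db8:1::/48", [65000]),        # IPv6 hijack inside a covered block
]


def run_demo() -> List[Dict[str, object]]:
    """Replay the announcements through three upstream policies."""
    customer_list = ["192.0.2.0/24"]
    rows = []
    for prefix, path in ANNOUNCEMENTS:
        rows.append({
            "prefix": prefix,
            "as_path": path,
            "no_filters": upstream_accepts(prefix, path, None, [])[0],
            "rov_only": upstream_accepts(prefix, path, None, ROAS),
            "prefix_list_and_rov": upstream_accepts(prefix, path, customer_list, ROAS),
        })
    return rows


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

With no prefix list and no RPKI data every announcement is accepted, which is the situation the Qrator quote describes. Origin validation alone rejects the forged-origin and too-specific routes, but not the one where the hijacker prepends the legitimate origin AS to the path: origin validation only examines the rightmost AS, and catching that forgery is exactly what BGPsec's path signatures are for. The customer prefix list catches it today, at no cryptographic cost, which is why the filtering step is the one operators are asked to do first.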
In 2014, the Internet Society, together with nine network operators, launched an initiative called MANRS, or Mutually Agreed Norms for Routing Security. The initiative has since grown, with additional ISPs committing to the MANRS actions (filtering, anti-spoofing, coordination and global validation) that prevent the propagation of incorrect routing information through their networks.
The best way to convince more internet service providers to implement routing security is for their customers to ask for it. So, if you’re in a position to procure internet uplinks for your organization, add questions about BGP hijacking and overall routing security to your procurement process.
The results of a survey published in September by the Internet Society showed that over 70 percent of enterprises consider security a core value and are concerned about their traffic being hijacked. Once the organizations surveyed were introduced to MANRS, over 90 percent said they would be willing to pay a premium for internet service from an ISP that complies with its principles. Meanwhile, over 70 percent of ISP respondents said they would consider implementing MANRS if such a requirement were part of requests for proposal from potential customers.