In mid-December, network monitoring service BGPMON reported a BGP hijack affecting numerous high profile organizations, including Google, Facebook, Apple and Twitter, meaning that their incoming and outgoing traffic was briefly routed through a previously unknown Russian Internet provider.
BGPMON security writer Andree Toonk noted that its systems “detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System”. Toonk pointed out that what makes this incident suspicious is that the prefixes affected were all high profile web destinations, plus several other specific prefixes that aren’t usually seen on the web, suggesting that “someone is intentionally inserting these more specific prefixes”, likely with the intent to re-route traffic for third parties. He suggested it was “a good reminder for every major ISP to filter customers”.
The unexplained Russian BGP hijack is the latest in a string of incidents that raise concerns about the trust and reliability of communications sent across the web. BGP routes high volume traffic among Internet backbones, ISPs and other large networks; however, despite the sensitivity of the data it controls, BGP’s security is frequently left to trust and word of mouth. Anomalies in BGP routing are common and usually the result of human error, but recent incidents have suggested deliberate tampering at play.
Eight months previously, it was reported that large sections of network traffic belonging to MasterCard, Visa and over two dozen other financial services were briefly routed via a Russian government-controlled telecom, under similarly suspicious circumstances to the BGP hijack on December 12. Engineers at BGPMON were also the first to discover the previous five-to-seven minute BGP hijack, and believed it was a “curious” incident because of how the underlying prefixes of some of the affected networks were manually inserted into BGP tables. Doug Madory, director of Internet analysis at network management firm Dyn, said “I would classify this as quite suspicious… this would appear to be targeted to financial institutions”.
Job Snijders, Internet Architecture at NTT Communications, wrote a Medium post following the December BGP hijack entitled ‘What to do about BGP hijacks’. He pointed out that because the BGP protocol has no inherent safety mechanism, it is the responsibility of the network operator to ensure adequate layers of protection are in place between their own network and the Internet.
In Snijders’ view, many networks don’t make routing security a priority until after suffering the consequences of a security incident, seeing it as a nuisance rather than a safeguard. “The moment it becomes socially unacceptable to operate an Internet network without adequate protections in place”, Snijders wrote, “there is economic incentive to view routing security efforts as a competitive advantage rather than a nuisance.”
Madory also wrote a post for Dyn about the recent Russian routing leak, specifically to report back on “how well NTT (AS2914) did in this particular incident”. He noted that NTT didn’t contribute to the leaking of any of the major Internet companies and that he saw a pattern begin to emerge for each one of the leaked routes.
“On 12 December 2017, AS39523 announced 80 prefixes (only one of which was theirs) for two different 3-4 minute intervals”. In Madory’s analysis, he discovered that some prefixes were already in circulation, while others were more-specifics or less-specifics that were not normally routed.
The leaked Russian networks were carried by Russian transit provider Megafon; however, for the prefixes belonging to Facebook, Google, YouTube, Microsoft, Apple, Twitch and Riotgames, only Hurricane Electric, among Megafon’s transit providers, carried the routes onto the wider Internet. This led Madory to conclude, “it appears that Hurricane Electric was alone in failing to implement the type of route filtering that would have prevented this leak from being circulated across the broader internet”. If Hurricane Electric had blocked the erroneous BGP announcements related to the major Internet companies, “we might not be discussing this incident at all”.
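The route filtering Madory describes depends on an authoritative record of which AS may originate which prefix, and on catching more-specifics that such a record does not permit. The following is an added example, not code from BGPMON, Dyn or NTT: it validates a constructed feed of announcements against a constructed ROA-style table (the prefixes, the table and ASNs 64500/64501 are assumed; AS39523 is the origin the article names) and counts how many unauthorised prefixes each origin announces, the pattern of an unused AS suddenly announcing dozens of routes.

```python
"""Route-origin validation over a constructed announcement feed.

Added example, not BGPMON's, Dyn's or NTT's tooling. The authorisation
table mirrors the shape of an RPKI ROA: prefix -> (origin AS, max length).
"""
import ipaddress

# Constructed authorisation table; a real deployment reads this from a
# validating cache rather than a dict.
ROAS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 23),
}


def classify(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid-origin', 'invalid-length' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, (asn, maxlen) in roas.items():
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((asn, maxlen))
    if not covering:
        return "unknown"            # no ROA covers this prefix at all
    same_origin = [maxlen for asn, maxlen in covering if asn == origin_as]
    if any(net.prefixlen <= maxlen for maxlen in same_origin):
        return "valid"
    if same_origin:
        return "invalid-length"     # right owner, but a more-specific than allowed
    return "invalid-origin"         # covered prefix announced by the wrong AS


def audit(announcements, roas=ROAS):
    """Classify every (prefix, origin) pair and count invalids per origin AS."""
    results, invalid_per_origin = {}, {}
    for prefix, origin in announcements:
        state = classify(prefix, origin, roas)
        results[(prefix, origin)] = state
        if state.startswith("invalid"):
            invalid_per_origin[origin] = invalid_per_origin.get(origin, 0) + 1
    return results, invalid_per_origin


# Constructed sample feed: one legitimate route, an over-long prefix from the
# owner, and three announcements from AS39523, which owns none of them.
SAMPLE = [
    ("203.0.113.0/24", 64500),   # legitimate
    ("203.0.113.0/25", 64500),   # owner, but longer than the ROA permits
    ("203.0.113.0/25", 39523),   # more-specific from the wrong origin
    ("198.51.100.0/22", 39523),  # exact prefix from the wrong origin
    ("192.0.2.0/24", 39523),     # no ROA covers it
]

if __name__ == "__main__":
    for key, state in audit(SAMPLE)[0].items():
        print(key, state)
```

An origin that accumulates several "invalid" results against prefixes held by unrelated networks is the signal the article's analysts reacted to, and the same check applied at a transit provider's ingress is the filtering Madory says would have stopped the leak.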