
Earlier this week, traffic meant for more than 200 of the world’s largest content delivery networks (CDNs) and cloud hosting providers was suspiciously redirected through Rostelecom, Russia’s state-owned telecommunications provider.

The incident affected more than 8,800 internet traffic routes from 200+ networks.

Impacted companies are a who’s who in the cloud and CDN market, including big names such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, and Linode.

[For a full list of victim networks, see this filtered Twitter stream.]

The incident is a classic “BGP hijack.”

BGP stands for the Border Gateway Protocol and is the de-facto system used to route internet traffic between internet networks across the globe.

The entire system is extremely brittle because any of the participant networks can simply “lie” and publish an announcement (BGP route) claiming that “Facebook’s servers” are on their network, and all internet entities will take it as legitimate and send all the Facebook traffic to the hijacker’s servers.

In the old days, before HTTPS was broadly used to encrypt traffic, BGP hijacks allowed attackers to run man-in-the-middle (MitM) attacks and intercept and alter internet traffic.

Nowadays, BGP hijacks are still dangerous because they let the hijacker log traffic and attempt to analyze and decrypt it at a later date, once the encryption used to secure it has weakened due to advances in cryptography.

BGP hijacks have been an issue for the internet backbone since the mid-90s, and efforts to bolster the BGP protocol’s security have been underway for years, with projects like ROV, RPKI, and — more recently — MANRS.

Yet, progress on adopting these new protocols has been slow, and BGP hijacks continue to happen on a regular basis.
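As an added illustration (not part of the ZDNet article), this is the route origin validation check that an RPKI/ROV-deploying network runs on every announcement it receives, per RFC 6811: a Route Origin Authorisation (ROA) says which AS may originate a prefix and how specific it may be, and any announcement that contradicts a covering ROA is marked invalid. The ROAs, documentation prefixes and 64496/64497 ASNs below are constructed for the example; only AS12389 is taken from the article.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: origin_as may announce prefix up to max_length."""
    prefix: str
    max_length: int
    origin_as: int


def validate_route(prefix: str, origin_as: int, roas) -> str:
    """RFC 6811 origin validation; returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA "covers" the route when the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA "matches" only if the announced length is within
        # max_length AND the origin AS is the authorised one.
        if route.prefixlen <= roa.max_length and origin_as == roa.origin_as:
            return "valid"
    # Covered but never matched: the announcement contradicts a ROA.
    # Not covered at all: no ROA was ever published, so ROV is silent.
    return "invalid" if covered else "notfound"


def audit_announcements(announcements, roas):
    """Tag each (prefix, origin_as) announcement with its ROV state."""
    return [(p, asn, validate_route(p, asn, roas)) for p, asn in announcements]


# Constructed sample data (documentation prefixes and private-use ASNs;
# only AS12389 is a real ASN, taken from the article).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # legitimate origin              -> valid
    ("192.0.2.0/24", 12389),      # same prefix, foreign origin    -> invalid
    ("198.51.100.0/24", 64497),   # more specific, within maxLength -> valid
    ("198.51.100.0/25", 64497),   # right AS, but too specific     -> invalid
    ("203.0.113.0/24", 12389),    # no ROA published               -> notfound
]

if __name__ == "__main__":
    for prefix, asn, state in audit_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A network that deploys ROV drops or de-prefers "invalid" routes; "notfound" is the state for prefixes whose holders have not yet published a ROA, which is what the slow adoption described above leaves exposed.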

For example, in November 2018, a small Nigerian ISP hijacked traffic meant for Google’s network, while in June 2019, a large chunk of European mobile traffic was rerouted through China Telecom, China’s state-owned and largest telecom operator.

Rostelecom, a repeat offender

Experts have pointed out many times in the past that not all BGP hijacks are malicious. Most incidents can be the result of a human operator mistyping an ASN (autonomous system number, the code through which internet entities are identified), and hijacking that company’s internet traffic by accident.

However, some entities continue to be behind BGP hijacks on a regular basis, and behind incidents that many experts are labeling as suspicious, suggesting that they are more than just accidents.

China Telecom is currently considered the biggest offender on this front [1, 2].

While not involved in BGP hijacks as commonly as China Telecom, Rostelecom (AS12389) is also behind many similarly suspicious incidents.

The last major Rostelecom hijack that grabbed headlines happened in 2017 when the telco hijacked BGP routes for some of the world’s largest financial entities, including Visa, Mastercard, HSBC, and more.

At the time, Cisco’s BGPMon division described the incident as “curious,” since it appeared to impact only financial services, rather than random ASNs.

This time, the jury is still out. BGPMon founder Andree Toonk is giving the Russian telco the benefit of the doubt. On Twitter, Toonk said he believes the “hijack” happened after an internal Rostelecom traffic shaping system accidentally exposed the incorrect BGP routes on the public internet, rather than keeping them within Rostelecom’s internal network.

Unfortunately, this small mistake was exacerbated when Rostelecom’s upstream providers took the newly announced BGP routes and re-broadcast them all over the internet, amplifying the BGP hijack within seconds.

But, as many internet experts have also pointed out in the past, it is possible to make an intentional BGP hijack appear as an accident, and nobody could tell the difference.

BGP hijacks happening at state-controlled telecom entities in autocratic countries like China and Russia will always be considered suspicious — primarily due to politics, rather than technical reasons.

Article updated 30 minutes after publication to clarify that the incident happened only once, not twice. The BGPMon stream re-announced the April 1 hijacks again today, giving the impression of a repeat of the original incident. ZDNet regrets the error.