Some Internet traffic in and out of Twitter on Monday was briefly funneled through Russia after a major ISP in that country misconfigured the Internet’s routing table, network monitoring services said.
The mishap lasted for about 45 minutes before RTCOMM, a leading ISP in Russia, stopped advertising its network as the official way for other ISPs to connect to the widely used Twitter IP addresses. Even before RTCOMM dropped the announcement, safeguards prevented most large ISPs from abiding by the routing directive.
A visualization of what the event looked like is illustrated on this page from BGPStream.
The border gateway protocol is the means by which ISPs in one geographical region locate and connect to ISPs in other areas. The system was designed in the early days of the Internet, when operators of one network knew and trusted their peers running other networks. Typically, one engineer would use BGP table to “announce” that their network—known as an “autonomous system” in BGP parlance—was the correct path to send and receive traffic to specific networks.
As the Internet grew, BGP could sometimes become unwieldy. A misconfiguration in one country could quickly spill over and cause major outages or other problems. In 2008, for instance, YouTube became unavailable to the entire Internet following a change an ISP in Pakistan made to BGP tables. The ISP had been trying to block YouTube inside Pakistan but wasn’t careful in implementing the change. Last year, an ISP trying to block Twitter to citizens in Myanmar ended up hijacking the very same range of Twitter IP addresses caught up in Monday’s event—with a similar outcome.
Some BGP misconfigurations, however, are believed to be intentional acts of malice. In 2013, researchers revealed that huge chunks of Internet traffic belonging to US-based financial institutions, government agencies, and network service providers had repeatedly been diverted to distant locations in Russia. The unexplained circumstances stoked suspicions the engineers in that country intentionally rerouted traffic so they could surreptitiously monitor or modify it before passing it along to the final destination. Something similar occurred a year later
Similar BGP mishaps have repeatedly redirected massive amounts of US and European traffic to China under similarly suspicious circumstances.
Financially motivated threat actors have also been known to use BGP hijacking to take control of desirable IP ranges.
Doug Madory, the director of Internet analysis at network analytics company Kentik, said that what little information is known about Monday’s BGP event suggests that the event was the result of the Russian government attempting to block people inside the country from accessing Twitter. Likely by accident, one ISP made those changes apply to the Internet as a whole.
“There are multiple ways to block traffic to Twitter,” Madory explained in an email. “Russian telecoms are on their own to implement the government-directed blocks, and some elect to use BGP to drop traffic to certain IP ranges. Any network that accepted the hijacked route would send their traffic to this range of Twitter IP space into Russia—where it likely was just dropped. It is also possible that they could do a man-in-the-middle and let the traffic continue on to its proper destination, but I don’t think that is what happened in this case.”
The prevalence of BGP leaking and hijacking and the man-in-the-middle attacks they make possible underscores the crucial role HTTPS and other forms of encrypted connections play in securing the Internet. The protection assures that even if a malicious party takes control of IP addresses belonging to Google, for example, the party won’t be able to create a fake Google page that doesn’t get flagged for having a valid HTTPS certificate.
Madory said that protections known as Resource Public Key Infrastructure and Route Origin Authorizations—both of which are designed to protect the integrity of BGP routing tables—prevented most ISPs from following the path advertised by RTCOMM. Instead, the measures asserted that AS13414—the autonomous system belonging to Twitter—was the rightful origin.
That doesn’t mean all ASes ignored the announcement. Mingwei Zhang, a network engineer and founder of the BGPKIT tool, said the ASes that propagated the route included AS60068 (UK), AS8447 (Austria), AS1267 (Italy), AS13030 (Switzerland), and AS6461 (US).
Madory, meanwhile, said that other ASes that were affected were AS61955 (Germany), AS41095(UK), AS56665 (Luxembourg), and AS3741 (South Africa), AS8359 (Russia), AS14537 (US), AS22652 (Canada), AS40864 (Canada), AS57695 (US), AS199524 (Luxembourg), and AS211398 (Germany). Some of these ASes, however, are known as route collectors, meaning they may simply have received the faulty route rather than propagating it.