Traffic intended for more than 200 of the world’s largest content delivery networks (CDNs) and cloud hosting providers was recently redirected through Russia’s state-owned telecoms provider Rostelecom.
While the incident only lasted for about an hour, it affected more than 8,800 internet traffic routes from over 200 networks. The companies impacted by the BGP hijack include Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, Linode and others.
BGP (Border Gateway Protocol) is the de-facto system used to route internet traffic between internet networks worldwide. However, the system has a major flaw as any of the participant networks can lie and publish an announcement (BGP route) in which they claim that other company’s servers are on their network. Other internet entities will see the announcement as legitimate and then send all of a company’s traffic to the hijacker’s servers.
Before HTTPS was widely adopted, BGP hijacks allowed attackers to run man-in-the-middle (MitM) attacks and intercept and alter internet traffic. These days BGP hijacks still remain a threat because they allow an attacker to log traffic in order to analyze and decrypt it at a later date once the encryption used to secure it has been broken.
According to experts, not all BGP hijacks are malicious as they can often be the result of a human operator mistyping an ASN (autonomous system number) and hijacking a company’s internet traffic accidentally. However, some telecoms continue to regularly be behind BGP hijacks which suggests that they are more than just accidents.
China Telecom is currently behind the most BGP hijacks but Rostelecom is also behind many similarly suspicious incidents.
Back in 2017, Russia’s state-owned telecoms provider hijacked BGP routes for some of the world’s largest financial companies including Visa, Mastercard, HSBC and more. Cisco’s BGPMon division described the incident as “curious” at that time because it appeared to only impact financial services as opposed to ransom ASNs.
Regarding the latest incident, the jury is still out as BGPMon founder Andree Toonk published a post on Twitter to explain that the hijack may have occurred after an internal Rostelecom traffic shaping system might have accidentally exposed the incorrect BGP routes on the public internet, saying:
“For what it’s worth: I don’t think they intended to announce this to the rest of the world (hijack). What we saw here, by accident, is that they treat these (new more specific) prefixes special inside their network. Likely for some kind of “Traffic Engineering” reason.”
However, experts have pointed out in the past that it is possible to make an intentional BGP hijack appear as an accident which could be the case here.
- Also check out our complete list of the best VPN services