Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.
OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).
It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.
Despite being short-lived, BGPmon said the incidents were significant, in part because the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, a joint project of several Nordic countries.
Another interesting aspect was that all the targeted traffic was associated with high-profile organizations. Experts also pointed out that the Russian AS (AS39523) had not been seen making announcements for several years before this incident.
“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic,” BGPmon said in a blog post.
“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers,” the company added.
Robert Hamilton, director of product marketing at Imperva, said it’s hard to say what the goal was in this specific case considering that the attack was short-lived, but he noted that these types of attacks can be used for various things, “like spoofing websites in order to get visitors to download malicious content or to give up personal details or financial information.”
Chris Morales, head of security analytics at Vectra, a California-based provider of automated threat management solutions, pointed out that users accessing online resources of Google, Apple, Facebook, Microsoft and the other impacted companies trust that their communications are secure because of the use of HTTPS. However, entities that are capable of manipulating the BGP routing protocol to perform man-in-the-middle (MitM) attacks can also manipulate the TLS/SSL encryption and eavesdrop on users.
BGP is the protocol used to exchange routing information between the independent networks that make up the Internet, known as Autonomous Systems, and to determine the best route between them. Each AS announces the blocks of IP address space it can reach, known as prefixes, and shares this reachability data with its neighbors (peers), which use it to select a path.
Jason Kent, CTO of security consulting firm AsTech, has provided a simple explanation of how it all works and why the “suspicious” event spotted by BGPmon was possible.
“The routers [that peer with these big organizations] all communicate with one another to create the largest routing tables. When a member of a new group of routers announces its routes to the other members, they all update a table. When a user goes to apple.com, really they are going to one of Apple’s web servers with IP addresses like 188.8.131.52, but the user’s ISP has to figure out where that is. So the ISP has this big routing table that says, basically, the way to get to 105.x.y.z is via this peer, and sends it the traffic,” Kent explained.
“The big routing table is kept updated by announcements from other devices. Basically a large community of routers within the Internet all tell one another the places they know how to go,” Kent said. “These announcements and updates are performed over a system [BGP] that is both old and rarely updated. It’s possible to spoof the announcements, in the right way and method, and fool all devices that route traffic, that your controlled device knows where to take it and has the best path.”
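The mechanics behind BGPmon’s observation about “more specific prefixes” and its call for ISPs to “filter customers,” together with the routing-table picture Kent sketches above, can be shown in a small simulation. The following Python is an added illustration, not code from BGPmon, Imperva, Vectra, AsTech or any router vendor. It models a router’s table with longest-prefix match, shows a /25 announced by another AS capturing traffic destined for a legitimate /24, and then applies two defensive controls: an upstream prefix filter that rejects announcements a customer is not registered to originate, and a BGPmon-style monitor that alerts when a monitored prefix (or a more specific part of it) is announced by an unexpected origin AS. AS39523 is the AS named in the report; the prefix 203.0.113.0/24 (a documentation range), AS64500 and the peer names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int
    via: str          # which neighbor (peer) we learned the route from


class RoutingTable:
    """Minimal model of a router's BGP table: one route per prefix,
    forwarding decided by longest-prefix match."""

    def __init__(self):
        self.routes = {}   # prefix -> Route

    def announce(self, route):
        # Real BGP runs a best-path algorithm per prefix; here the latest
        # announcement for a given prefix simply wins, which is enough to
        # show the effect of a more-specific prefix.
        self.routes[route.prefix] = route

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        covering = [r for r in self.routes.values() if ip in r.prefix]
        if not covering:
            return None
        # Longest prefix wins: a /25 beats the legitimate /24 regardless of
        # who originated it. This is why unusual more-specific prefixes
        # attract traffic.
        return max(covering, key=lambda r: r.prefix.prefixlen)


def make_customer_filter(allowed):
    """Upstream-side control ("filter customers"): accept an announcement
    only if it falls inside a prefix the originating AS is registered to
    originate. `allowed` maps origin AS -> list of registered networks."""
    def accept(route):
        return any(route.prefix.subnet_of(p) for p in allowed.get(route.origin_as, []))
    return accept


def detect_unexpected_origins(observed, expected_origin):
    """Monitoring-side control: flag any observed announcement that overlaps
    a monitored prefix but comes from an origin AS other than the expected
    one. Returns (announced prefix, seen origin, expected origin) tuples."""
    alerts = []
    for r in observed:
        for monitored, origin in expected_origin.items():
            if r.prefix.overlaps(monitored) and r.origin_as != origin:
                alerts.append((str(r.prefix), r.origin_as, origin))
    return alerts


def scenario():
    """Replay the pattern from the incident with constructed data."""
    CONTENT_AS = 64500   # documentation-range ASN standing in for a content provider (constructed)
    SUSPECT_AS = 39523   # the AS named in the report
    legit = Route(ipaddress.ip_network("203.0.113.0/24"), CONTENT_AS, "peer-A")
    more_specific = Route(ipaddress.ip_network("203.0.113.128/25"), SUSPECT_AS, "peer-B")

    table = RoutingTable()
    table.announce(legit)
    before = table.lookup("203.0.113.200")     # resolves via the legitimate /24
    table.announce(more_specific)
    after = table.lookup("203.0.113.200")      # now resolves via the /25 from AS39523

    # Registered origin for the /24: only CONTENT_AS may announce inside it.
    accept = make_customer_filter({CONTENT_AS: [ipaddress.ip_network("203.0.113.0/24")]})

    # What a monitoring service compares observed announcements against.
    expected = {ipaddress.ip_network("203.0.113.0/24"): CONTENT_AS}
    alerts = detect_unexpected_origins([legit, more_specific], expected)

    return {
        "before": (before.origin_as, before.via),
        "after": (after.origin_as, after.via),
        "filter_accepts_legit": accept(legit),
        "filter_accepts_more_specific": accept(more_specific),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the lookup for 203.0.113.200 flipping from the legitimate origin to AS39523 the moment the /25 is installed; the same announcement is rejected by the customer filter and raises one alert from the monitor, which is the combination of controls the BGPmon post is pointing at.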
BGP hijacking attacks have been carried out for many years, and while protections against such threats do exist for ISPs, they can often be bypassed by both cybercriminals and state-sponsored actors.
“For example, governments can use it for restricting internet access to particular websites or filtering content like advertisements that they deem illegal,” explained Joseph Carson, chief security scientist at PAM solutions provider Thycotic. “One of the most well-known cases was when in 2008 Pakistan attempted to block YouTube access and took YouTube down completely and brought their own internet access to its knees.”
“For cybercriminals, it is typically used to replace content from third party website requests like advertisements with infected websites used to distribute malware,” Carson added. “You could also use it to take down websites or even direct web traffic to a country causing a DDOS attack.”