Rostelecom, Russia's state-owned telecommunications provider, hijacked traffic meant for more than 200 of the world's largest content delivery networks (CDNs) and cloud hosting providers.
The incident, which occurred earlier this week, affected more than 8,800 internet traffic routes (IP prefixes) belonging to more than 200 networks and lasted for almost an hour.
The affected companies include Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, and Linode.
This kind of incident is called a BGP hijack. BGP, the Border Gateway Protocol, is the system networks use to route internet traffic between one another across the globe.
The system is extremely brittle: any participating network can simply "lie" and publish an announcement (a BGP route) claiming that, say, Facebook's servers are on its network. Other networks that accept that announcement treat it as legitimate and forward their Facebook-bound traffic to the hijacker. A bogus route that is more specific (a longer prefix) than the real one is especially effective, because BGP prefers the most specific matching prefix over the legitimate, shorter one.
Before HTTPS became the norm, BGP hijacks let attackers run man-in-the-middle (MitM) attacks, intercepting and altering internet traffic in transit.
With HTTPS in place, a hijacker can still log the encrypted traffic and try to decrypt it at a later date, once advances in cryptanalysis or computing power have weakened the encryption that protected it. Even without decryption, a hijack exposes who is talking to whom and how much.
Several efforts have been made to strengthen BGP: RPKI (a public-key infrastructure in which address holders publish Route Origin Authorizations stating which autonomous system may originate a prefix), ROV (route origin validation, in which routers check incoming announcements against those authorizations and drop the invalid ones), and MANRS (an industry initiative whose participants commit to filtering and anti-spoofing practices). Adoption has been slow, however, and BGP hijacks continue to occur.
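The following is an added example, not code from the article or from any of the networks it names. It models the "lie" described above and the ROV check from the previous paragraph in a toy BGP route table: a legitimate /24 announcement, a hijacker's more-specific /25, and a Route Origin Authorization (ROA) for the victim prefix. All prefixes and AS numbers are constructed from documentation and private ranges, and the decision logic (longest prefix, then shortest AS path) is a simplification of the real BGP decision process.

```python
"""Added example (not from the article): a toy BGP route selection model with
RPKI route origin validation (ROV), showing why a bogus, more-specific
announcement wins and how ROV discards it. All prefixes and AS numbers are
constructed for illustration (documentation / private ranges)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One BGP announcement as seen by a receiving router."""
    prefix: IPv4Network
    as_path: Tuple[int, ...]  # AS numbers from nearest neighbour to origin

    @property
    def origin(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: 'origin may announce prefix up to max_length'."""
    prefix: IPv4Network
    origin: int
    max_length: int


def rov_state(route: Route, roas: List[ROA]) -> str:
    """Classify a route per RFC 6811: NotFound (no covering ROA), Valid, or Invalid."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin == route.origin and route.prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def install_routes(announcements: List[Route], roas: Optional[List[ROA]] = None) -> List[Route]:
    """Build the routing table; with ROV enabled, RPKI-Invalid routes are dropped."""
    if roas is None:
        return list(announcements)
    return [a for a in announcements if rov_state(a, roas) != "Invalid"]


def best_route(dest: IPv4Address, rib: List[Route]) -> Optional[Route]:
    """Simplified decision: longest matching prefix wins, then shortest AS path."""
    candidates = [r for r in rib if dest in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


# Constructed scenario. AS 64500 legitimately originates 192.0.2.0/24 (reached
# via transit AS 64510). AS 64666 "lies" by announcing the more-specific
# 192.0.2.0/25 through its upstream AS 64520.
LEGIT = Route(ip_network("192.0.2.0/24"), (64510, 64500))
HIJACK = Route(ip_network("192.0.2.0/25"), (64520, 64666))
# The victim's published ROA: only AS 64500 may originate 192.0.2.0/24, and
# nothing longer than a /24.
ROAS = [ROA(ip_network("192.0.2.0/24"), 64500, 24)]
DEST = ip_address("192.0.2.10")
# A prefix with no ROA at all: ROV reports NotFound, and such routes are kept.
UNRELATED = Route(ip_network("198.51.100.0/24"), (64510, 64500))

# Two harder cases: the hijacker forges the victim's origin AS at the end of
# the path. ROV still rejects the more-specific one (length > maxLength) but
# cannot tell the same-prefix one from the real announcement; that needs
# path validation (BGPsec), which origin validation does not provide.
FORGED_MORE_SPECIFIC = Route(ip_network("192.0.2.0/25"), (64520, 64666, 64500))
FORGED_SAME_PREFIX = Route(ip_network("192.0.2.0/24"), (64520, 64666, 64500))


def chosen_origin(with_rov: bool) -> int:
    """Origin AS that ends up receiving traffic for DEST, with or without ROV."""
    rib = install_routes([LEGIT, HIJACK], ROAS if with_rov else None)
    return best_route(DEST, rib).origin


if __name__ == "__main__":
    print("without ROV, traffic for", DEST, "goes to AS", chosen_origin(False))
    print("with ROV,    traffic for", DEST, "goes to AS", chosen_origin(True))
    for name, r in [("hijack /25", HIJACK), ("forged origin /25", FORGED_MORE_SPECIFIC),
                    ("forged origin /24", FORGED_SAME_PREFIX), ("no ROA", UNRELATED)]:
        print(f"{name}: {rov_state(r, ROAS)}")
```

Without ROV the /25 captures the traffic for 192.0.2.10 because it is the longest match; with ROV the /25 is RPKI-Invalid (wrong origin) and is never installed, so the legitimate /24 is used. The forged-origin cases show the limit of origin validation: a hijack that reuses the victim's prefix length and spoofs its origin AS passes ROV and is only caught by AS-path validation or by an upstream filtering what its customer is allowed to announce.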
Security experts note that not all BGP hijacks are malicious. Some happen by accident, for example when a human operator mistypes an ASN (autonomous system number, the identifier assigned to each network on the internet) and hijacks that company's internet traffic by mistake.
Rostelecom has been involved in several earlier BGP hijacks. The last major one occurred in 2017, when it hijacked BGP routes belonging to some of the world's largest financial entities, including Visa, Mastercard, and HSBC.
Andree Toonk, founder of Cisco's BGPMon, tweeted that he believes the "hijack" happened after an internal Rostelecom traffic shaping system accidentally exposed the incorrect BGP routes to the public internet rather than only to Rostelecom's internal network.
The mistake was then made worse when Rostelecom's upstream providers accepted the new BGP routes and re-broadcast them across the internet, amplifying the hijack within seconds. Upstreams that filter their customers' announcements against agreed prefix lists or RPKI data, one of the practices MANRS asks of its participants, would have stopped the bad routes at the first hop.
Some experts have also pointed out that a planned BGP hijack can be made to look like an accident. BGP hijacks at state-controlled telecom entities in countries like China and Russia are always viewed with suspicion, mainly for political reasons.