Some of the internet traffic to and from Twitter on Monday was briefly diverted through Russia after a major ISP in that country misconfigured the internet’s routing table, network surveillance services said.
The accident lasted about 45 minutes before RTCOMM, a leading ISP in Russia, stopped advertising its network as the official way for other ISPs to connect to the commonly used Twitter IP addresses. Even before RTCOMM dropped the announcement, security measures prevented most major ISPs from adhering to the routing directive.
A visualization of what the event looked like is illustrated on this page from BGPSream.
Remember BGP
The border gateway protocol is the means by which ISPs in one geographic region locate and connect ISPs in other regions. The system was designed in the early days of the Internet, when operators on one network knew and trusted their colleagues running other networks. Usually, a technician would use the BGP table to announce that their network — called an “autonomous system” in BGP language — was the correct path to send and receive traffic to specific networks.
As the internet grew, BGP could sometimes become impractical. A misconfiguration in one country can quickly skip and cause major outages or other problems. For example, in 2008, YouTube was no longer available to the entire internet after a change that an ISP in Pakistan made to BGP tables. The ISP had tried to block YouTube in Pakistan but was not careful in implementing the change. Last year, an internet service provider that tried to block Twitter from citizens in Myanmar ended up hijacking the same set of Twitter IP addresses caught up in Monday’s event, with a similar result.
However, it is believed that some BGP misconfigurations are intentionally malicious. In 2013, researchers revealed that massive amounts of internet traffic from US-based financial institutions, government agencies and network service providers had been repeatedly diverted to distant locations in Russia. The unexplained circumstances raised suspicions that the engineers in that country deliberately diverted traffic so they could surreptitiously check or modify it before forwarding it to its final destination. Something similar happened a year later
Similar BGP accidents have repeatedly diverted massive amounts of US and European traffic to China under similarly suspicious circumstances. Financially motivated threat actors are also known to use BGP hijacking to gain control over desired IP ranges.
Ham-fist censorship
Doug Madory, the director of internet analytics at network analytics firm Kentik, said what little information is known about Monday’s BGP event suggests the event was the result of an attempt by the Russian government to restrict people in the country from accessing Twitter. to block. Probably by accident, an ISP made these changes for the Internet as a whole.
“There are multiple ways to block traffic to Twitter,” Madory explained in an email. “Russian telecom companies are only to implement the government-driven blocks, and some choose to use BGP to direct traffic to certain IP ranges. Any network that accepts the hijacked route would send its traffic to this range of Twitter IP -send space to Russia – where it probably just dropped in. It’s also possible they could do a man-in-the-middle and let the traffic go through to the correct destination, but I don’t think that’s in this case happened.”
The prevalence of BGP leaks and hijacks, and the man-in-the-middle attacks they enable, underscore the critical role HTTPS and other forms of encrypted connections play in securing the Internet. The protection ensures that even if a malicious party takes control of IP addresses from, for example, Google, the party cannot create a fake Google page that is not flagged for having a valid HTTPS certificate.
Madory said safeguards known as Resource Public Key Infrastructure and Route Origin Authorizations — both of which are designed to protect the integrity of BGP routing tables — prevented most ISPs from following the path advertised by RTCOMM. Instead, the measures claimed that AS13414 – Twitter’s autonomous system – was the rightful origin.
That doesn’t mean all AS members ignored the announcement. Mingwei Zhanga network engineer and founder of the BGPKIT tool, said the ASes propagating the route were AS60068 (UK), AS8447 (Austria), AS1267 (Italy), AS13030 (Switzerland), and AS6461 (US).
Madory, meanwhile, said other ASs affected were AS61955 (Germany), AS41095 (UK), AS56665 (Luxembourg) and AS3741 (South Africa), AS8359 (Russia), AS14537 (US), AS22652 (Canada), AS40864 . (Canada), AS57695 (US), AS199524 (Luxembourg) and AS211398 (Germany). However, some of these ASs are known as route collectors, which means that they may have just received the faulty route instead of distributing it.