Some internet traffic to and from Twitter briefly routed through Russia on Monday after a major ISP in that country misconfigured the internet’s routing table, network monitoring services said.
The mishap lasted about 45 minutes before RTCOMM, a leading ISP in Russia, stopped advertising its network as the official path for other ISPs to reach the widely used Twitter IP addresses. Even before RTCOMM withdrew the announcement, security measures prevented most major ISPs from honoring the bogus route.
A visualization of what the event looked like is shown on this page by BGPStream.
Think BGP
The Border Gateway Protocol is the means by which ISPs in one geographic region locate and connect to ISPs in other areas. The system was developed in the early days of the Internet, when the operators of one network knew and trusted the peers who operated other networks. Typically, a technician uses BGP to “announce” that their network — known in BGP parlance as an “autonomous system” — is the correct path for sending and receiving traffic to specific IP ranges.
As the Internet grew, BGP became unwieldy at times. A misconfiguration in one country can quickly spread and cause major outages or other problems. For example, in 2008, YouTube became unavailable across the web after an ISP in Pakistan changed its BGP announcements. The ISP had tried to block YouTube in Pakistan but was not careful in implementing the change. Last year, an ISP trying to block Twitter for citizens in Myanmar hijacked the same set of Twitter IP addresses captured in Monday’s event, with a similar result.
However, some BGP misconfigurations are believed to be intentional malicious acts. In 2013, researchers revealed that large portions of internet traffic from US-based financial institutions, government agencies, and network service providers were repeatedly rerouted to remote locations in Russia. The unexplained circumstances fueled suspicions that engineers in that country had deliberately diverted traffic so they could covertly monitor or modify it before forwarding it to its final destination. Something similar happened a year later.
Similar BGP glitches have repeatedly diverted large amounts of US and European traffic to China under similar suspicious circumstances.
Financially motivated threat actors are also known to use BGP hijacking to take control of desirable IP ranges.
Ham-fisted censorship
Doug Madory, director of internet analysis at network analytics firm Kentik, said the little information known about Monday’s BGP event suggests it was the result of the Russian government’s attempt to block people in the country from accessing Twitter. Probably by mistake, an ISP applied those changes to the Internet as a whole.
“There are several ways to block traffic to Twitter,” Madory explained in an email. “Russian telcos must implement the government-mandated bans themselves, and some choose to use BGP to drop traffic to specific IP ranges. Any network accepting the hijacked route would send its traffic to that portion of Twitter’s IP range in Russia, where it was probably just dropped. It’s also possible that they do a man-in-the-middle and let traffic continue to its intended destination, but I don’t think that happened in this case.”
The prevalence of BGP leaks and hijacks, and the man-in-the-middle attacks they make possible, underscores the critical role that HTTPS and other forms of encrypted connections play in securing the Internet. The protection ensures that even if a malicious party takes control of IP addresses owned by, for example, Google, that party cannot serve a counterfeit Google page without browsers flagging it as lacking a valid HTTPS certificate.
Madory said safeguards known as Resource Public Key Infrastructure (RPKI) and Route Origin Authorizations (ROAs), both designed to protect the integrity of BGP routing tables, prevented most ISPs from following the path advertised by RTCOMM. Instead, those records indicated that AS13414, Twitter’s autonomous system, was the legitimate origin of the prefix.
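The check Madory is describing is route origin validation (RFC 6811): a router compares each BGP announcement against the ROAs published in RPKI and marks it valid, invalid, or not-found, then typically drops invalids. The Python below is an added illustration written for this article, not code from Kentik, BGPKIT, or any router vendor. The prefix 203.0.113.0/24 and the hijacking origin AS64500 are constructed documentation values (the article does not give the affected prefix or RTCOMM’s ASN); AS13414 is Twitter’s ASN as stated above.

```python
"""Minimal RPKI route origin validation (RFC 6811 semantics).

A ROA says: "prefix P, up to length maxLength, may be originated by AS X".
An announcement is:
  VALID      if some covering ROA matches its origin AS and its prefix is
             no longer than that ROA's maxLength,
  INVALID    if ROAs cover the prefix but none matches (a hijack or a
             too-specific announcement),
  NOT_FOUND  if no ROA covers the prefix at all (no RPKI protection).
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class RovState(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class Roa:
    prefix: str        # e.g. "203.0.113.0/24"
    max_length: int    # longest prefix length this ROA authorises
    origin_asn: int    # AS allowed to originate the prefix


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int
    received_from: str  # neighbour name, for the log message only


def _covers(roa: Roa, announced: ipaddress._BaseNetwork) -> bool:
    """True if the ROA's prefix contains the announced prefix (same IP version)."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate_origin(prefix: str, origin_asn: int, roas) -> RovState:
    """Classify one (prefix, origin AS) pair against a set of ROAs."""
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return RovState.NOT_FOUND
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return RovState.VALID
    return RovState.INVALID


def apply_rov_policy(announcements, roas):
    """Common operator policy: reject INVALID, accept VALID and NOT_FOUND.

    Returns (accepted, rejected) lists of (announcement, state) tuples.
    """
    accepted, rejected = [], []
    for ann in announcements:
        state = validate_origin(ann.prefix, ann.origin_asn, roas)
        (rejected if state is RovState.INVALID else accepted).append((ann, state))
    return accepted, rejected


# Constructed sample data (documentation prefixes / ASNs, not the real event data).
SAMPLE_ROAS = [
    Roa(prefix="203.0.113.0/24", max_length=24, origin_asn=13414),  # Twitter's ASN
]

SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 13414, "peer-a"),   # legitimate origin
    Announcement("203.0.113.0/24", 64500, "peer-b"),   # hijack from placeholder ASN
    Announcement("203.0.113.128/25", 13414, "peer-a"), # right AS, exceeds maxLength
    Announcement("198.51.100.0/24", 64500, "peer-b"),  # no ROA at all
]

if __name__ == "__main__":
    accepted, rejected = apply_rov_policy(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)
    for ann, state in accepted:
        print(f"ACCEPT {ann.prefix} origin AS{ann.origin_asn} from {ann.received_from}: {state.value}")
    for ann, state in rejected:
        print(f"REJECT {ann.prefix} origin AS{ann.origin_asn} from {ann.received_from}: {state.value}")
```

The second announcement is the shape of Monday’s event: a prefix that a ROA assigns to AS13414 arrives with a different origin and is classified invalid, so a network doing ROV never installs it. The fourth shows why a ROA matters at all: with nothing published, the same bogus origin comes back not-found and is accepted by default, which is the situation for networks whose prefixes are not covered by RPKI or whose peers do not validate.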
This does not mean that all ASes ignored the announcement. Mingwei Zhang, a network engineer and founder of the BGPKIT tool, said the ASes propagating the route included AS60068 (UK), AS8447 (Austria), AS1267 (Italy), AS13030 (Switzerland) and AS6461 (USA).
Madory, meanwhile, said other affected ASes included AS61955 (Germany), AS41095 (UK), AS56665 (Luxembourg), AS3741 (South Africa), AS8359 (Russia), AS14537 (USA), AS22652 (Canada), AS40864 (Canada), AS57695 (USA), AS199524 (Luxembourg) and AS211398 (Germany). However, some of these ASes are known route collectors, which means they may have simply received the erroneous route rather than propagated it.