With so many people’s attention focused on the net neutrality vote, it was easy to miss an unusual, and suspicious, event that took place earlier this week. On December 12, traffic to some of the world’s largest tech companies was briefly rerouted through an “unused” Russian ISP.
BGPMon, which monitors events on the Internet's Border Gateway Protocol (BGP), said 80 prefixes associated with companies including Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were affected. The Russian autonomous system inserted itself into BGP routing tables by announcing that it was the rightful origin of those prefixes.
Other automated Internet routing systems then forwarded data to the Russian ISP, origin AS 39523, believing it to be associated with the targeted companies, while ISPs including PJSC MegaFon, Hurricane Electric, Zayo, Nordunet, and Telstra picked up the new route.
BGPMon writes that two incidents both lasting three minutes took place at 04:43 and 07:07. Qrator Labs said this was actually one event that lasted two hours, though it reports that the number of hijacked prefixes varied from 40 to 80 during this time.
As noted by Ars Technica, although BGP is responsible for routing large amounts of Internet traffic, its security is often based on trust and word of mouth.
Although BGP rerouting errors do occur because of human mistakes, this one has been marked as “suspicious” and “deliberate” for several reasons. Not only did it affect some of the largest, most influential firms, but some of the IP address ranges were announced as smaller, more-specific blocks than those announced by the companies themselves, and routers prefer the most specific route they know for a destination.
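To make the mechanics described above concrete (a rogue origin AS, and more-specific prefixes winning over the legitimate announcement), here is an added, self-contained example that is not from the article, BGPMon or Qrator. It uses a constructed "expected origin" table built from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, so none of the prefixes, AS numbers or announcements below correspond to the real incident. It shows why a more-specific announcement attracts traffic and how a monitor can flag both an origin mismatch and a more-specific hijack.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    """One BGP update as seen by a route collector (simplified)."""
    prefix: ipaddress.IPv4Network
    origin_as: int          # last AS in the AS_PATH, i.e. the claimed origin
    as_path: tuple          # full AS_PATH, first hop to origin

def net(s):
    return ipaddress.ip_network(s)

# Constructed ground truth: which AS is expected to originate each prefix.
# Real monitors derive this from past observations, IRR data or RPKI ROAs.
EXPECTED_ORIGINS = {
    net("203.0.113.0/24"): 64496,   # documentation prefix, documentation ASN
    net("198.51.100.0/24"): 64497,
}

def classify(ann, expected=EXPECTED_ORIGINS):
    """Compare an announcement against the expected-origin table.

    Returns one of:
      'ok'                    exact or more-specific prefix from the expected AS
      'origin_hijack'         the legitimate prefix announced by a different AS
      'more_specific_hijack'  a sub-prefix of a known block from a different AS
      'unknown'               prefix not covered by the table at all
    """
    for prefix, asn in expected.items():
        if ann.prefix == prefix:
            return "ok" if ann.origin_as == asn else "origin_hijack"
        if ann.prefix.subnet_of(prefix):
            return "ok" if ann.origin_as == asn else "more_specific_hijack"
    return "unknown"

def best_route(rib, dst):
    """Pick the route a router would forward toward for destination `dst`.

    Simplification of real behaviour: BGP keeps the shortest AS_PATH per
    prefix, and the forwarding table then applies longest-prefix match, so a
    more-specific prefix always beats a covering one regardless of path length.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [a for a in rib if dst in a.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda a: (a.prefix.prefixlen, -len(a.as_path)))

def detect(feed, expected=EXPECTED_ORIGINS):
    """Return (prefix, origin_as, verdict) for every non-'ok' announcement."""
    alerts = []
    for ann in feed:
        verdict = classify(ann, expected)
        if verdict != "ok":
            alerts.append((str(ann.prefix), ann.origin_as, verdict))
    return alerts

# Constructed sample feed: the legitimate /24, then a rogue AS announcing
# a /25 carved out of it, then the rogue AS claiming the other /24 outright.
SAMPLE_FEED = [
    Announcement(net("203.0.113.0/24"), 64496, (64500, 64496)),
    Announcement(net("203.0.113.0/25"), 64511, (64500, 64499, 64511)),
    Announcement(net("198.51.100.0/24"), 64511, (64500, 64511)),
]

if __name__ == "__main__":
    for prefix, origin, verdict in detect(SAMPLE_FEED):
        print(f"ALERT {prefix} origin AS{origin}: {verdict}")
    chosen = best_route(SAMPLE_FEED, "203.0.113.10")
    print(f"traffic for 203.0.113.10 follows {chosen.prefix} via AS{chosen.origin_as}")
```

Running it shows that the address 203.0.113.10 is forwarded toward the rogue /25 even though the legitimate /24 has the shorter AS path, which is exactly why splitting a victim's block into smaller announcements is treated as a sign of intent rather than a typo. A production monitor would populate the expected-origin table from RPKI or long-term observation rather than a hand-written dictionary.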
The event marks the second time in 2017 that AS 39523 has sprung to life, despite being dormant for many years. In April, it was involved in another BGP incident that saw traffic from companies and financial services including Visa, MasterCard and Google briefly redirected through a Russian ISP.