In a reminder of how important it is for major ISPs to monitor routing changes and to filter the route announcements they accept from customers, BGPMon, a network monitoring and routing security firm, recently noticed that 80 prefixes for popular destinations were re-routed via Russia.
The 80 prefixes are normally announced by the likes of Google, Apple, Facebook, Microsoft and Riot Games.
BGPMon announced its findings in a post on its website, saying that all of the re-routed prefixes belonged to ‘well known and high traffic internet organizations’. The re-routing occurred twice in three hours and, even though each event was short-lived, it was picked up by a large number of peers.
‘Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such as Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia,’ the firm said.
‘What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic,’ it added.
According to BGPMon, every affected route carried the Russian AS39523 as its origin, whereas the legitimate origins for those networks were organizations such as Equinox, Google and Verizon (AS32007, AS15169 and AS701 respectively). The firm also noted that Google’s network learned a path to a Kohl’s Department Stores prefix via the Russian AS and continued to use it even though the prefix now had a Russian origin.
BGPMon classified the event as a Border Gateway Protocol (BGP) routing incident. BGP is the protocol that ISPs and other large networks (autonomous systems) use to exchange reachability information with one another: each network selects routes based on the advertised AS paths and on policies or rule-sets configured by its administrators, and by default it accepts whatever prefixes its neighbours announce. A more specific prefix always wins over a less specific one, which is why the unexpected more-specifics in this incident would have drawn traffic regardless of who originated them.
‘Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers,’ it warned.
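The two failures described above, an unexpected origin AS and an unexpected more-specific prefix, are both things a network can check for, and the ‘filter customers’ advice is a matter of rejecting announcements a customer is not entitled to make. The following is an added example, not BGPMon’s code or data and not taken from the report: it models a tiny route table, flags the two kinds of hijack against a baseline of expected origins, shows longest-prefix match selecting the more-specific, and applies a simple customer ingress filter. All ASNs (64496–64512, from the documentation range) and prefixes (203.0.113.0/24, 198.51.100.0/22, 192.0.2.0/24) are constructed for illustration.

```python
"""Toy BGP hijack checks and customer prefix filter (added example, constructed data).

The ASNs and prefixes here are made up and are not the ones from the BGPMon report.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str          # e.g. "203.0.113.0/24"
    as_path: tuple       # leftmost = neighbour we learned it from, rightmost = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Baseline of what we expect: prefix -> legitimate origin AS (constructed).
BASELINE = {
    "203.0.113.0/24": 64500,    # pretend "content provider A"
    "198.51.100.0/22": 64501,   # pretend "content provider B"
}


def check_announcement(ann, baseline=BASELINE):
    """Return alert strings for one announcement; empty list if it looks normal.

    Two checks modelled on the incident:
      1. origin mismatch: a baseline prefix is announced with a different origin AS
      2. unexpected more-specific: a prefix not in the baseline that lies inside a
         baseline prefix (longest-prefix match means it wins for that address space)
    """
    alerts = []
    net = ann.network
    if ann.prefix in baseline:
        expected = baseline[ann.prefix]
        if ann.origin != expected:
            alerts.append(f"origin mismatch for {ann.prefix}: expected AS{expected}, saw AS{ann.origin}")
        return alerts
    for bp, expected in baseline.items():
        bnet = ipaddress.ip_network(bp)
        if net.version == bnet.version and net.subnet_of(bnet):
            alerts.append(f"unexpected more-specific {ann.prefix} inside {bp}: "
                          f"origin AS{ann.origin}, covering prefix belongs to AS{expected}")
    return alerts


def select_route(table, address):
    """Longest-prefix match: the most specific covering prefix wins, whoever originated it."""
    addr = ipaddress.ip_address(address)
    candidates = [a for a in table if a.network.version == addr.version and addr in a.network]
    if not candidates:
        return None
    return max(candidates, key=lambda a: a.network.prefixlen)


def accept_from_customer(ann, customer_asn, allowed_prefixes):
    """Ingress filter for a customer BGP session (the 'filter customers' advice).

    Accept only if the path starts at the customer's own ASN and the prefix lies inside
    one of the prefixes the customer has registered with us, and is no longer than /24
    (IPv4) or /48 (IPv6), a common maximum accepted length. Everything else is dropped.
    """
    net = ann.network
    if ann.as_path[0] != customer_asn:
        return False
    max_len = 24 if net.version == 4 else 48
    if net.prefixlen > max_len:
        return False
    for ap in allowed_prefixes:
        anet = ipaddress.ip_network(ap)
        if net.version == anet.version and net.subnet_of(anet):
            return True
    return False


def main():
    legit = Announcement("203.0.113.0/24", (64496, 64500))          # normal route
    hijack = Announcement("198.51.100.0/22", (64496, 64512))        # same prefix, wrong origin
    more_specific = Announcement("203.0.113.128/25", (64496, 64512))  # carve-out by the hijacker
    for ann in (legit, hijack, more_specific):
        print(ann.prefix, check_announcement(ann) or "ok")
    # The /25 wins for addresses it covers even though the /24 is the legitimate route.
    print("203.0.113.200 ->", select_route([legit, more_specific], "203.0.113.200").prefix)
    print("203.0.113.5   ->", select_route([legit, more_specific], "203.0.113.5").prefix)
    # A customer filter on the hijacker's upstream would have dropped the bogus prefix.
    print("filter accepts hijack:", accept_from_customer(more_specific, 64512, ["192.0.2.0/24"]))


if __name__ == "__main__":
    main()
```

The detection side is essentially what a monitoring service does at scale against a learned baseline; the filter side is what the quoted advice asks of upstreams, since a prefix-list derived from the customer’s registered address space would have rejected both the foreign origin and the more-specific before either propagated.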
This isn’t the first time the network monitoring firm has observed suspicious re-routing of internet traffic. Back in August, BGPMon noticed that routes to the Thai ISP Jastel’s prefixes, which Verizon normally learned directly, were instead being learned via Google, a content network that is not a transit provider and does not normally carry traffic between other networks.
That erroneous re-routing caused large-scale outages, particularly in Japan, where the Ministry of Internal Affairs and Communications launched an investigation into the root cause.
‘BGP leaks continue to be a great risk to the Internet’s stability. It’s easy to make configuration mistakes that can lead to incidents like this. In this case it appears a configuration error or software problem in Google’s network led to inadvertently announcing thousands of prefixes to Verizon, who in turn propagated the leak to many of its peers,’ the firm added.