Traffic intended for more than 200 of the world's largest content delivery networks (CDNs) and cloud hosting providers was recently redirected through Russia's state-owned telecoms provider Rostelecom.
While the incident only lasted for about an hour, it affected more than 8,800 internet traffic routes from over 200 networks. The companies impacted by the BGP hijack include Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, Linode and others.
BGP (Border Gateway Protocol) is the de-facto system used to route internet traffic between internet networks worldwide. However, the system has a major flaw as any of the participant networks can lie and publish an announcement (BGP route) in which they claim that other company's servers are on their network. Other internet entities will see the announcement as legitimate and then send all of a company's traffic to the hijacker's servers.
- Russia just disconnected itself from the Internet
- China Telecom outage takes down Apple, Microsoft and AWS for 7 hours
- US telecoms regulator cracks down on sale of real-time location data
Before HTTPS was widely adopted, BGP hijacks allowed attackers to run man-in-the-middle (MitM) attacks and intercept and alter internet traffic. These days BGP hijacks still remain a threat because they allow an attacker to log traffic in order to analyze and decrypt it at a later date once the encryption used to secure it has been broken.
According to experts, not all BGP hijacks are malicious as they can often be the result of a human operator mistyping an ASN (autonomous system number) and hijacking a company's internet traffic accidentally. However, some telecoms continue to regularly be behind BGP hijacks which suggests that they are more than just accidents.
China Telecom is currently behind the most BGP hijacks but Rostelecom is also behind many similarly suspicious incidents.
Back in 2017, Russia's state-owned telecoms provider hijacked BGP routes for some of the world's largest financial companies including Visa, Mastercard, HSBC and more. Cisco's BGPMon division described the incident as “curious” at that time because it appeared to only impact financial services as opposed to ransom ASNs.
Regarding the latest incident, the jury is still out as BGPMon founder Andree Toonk published a post on Twitter to explain that the hijack may have occurred after an internal Rostelecom traffic shaping system might have accidentally exposed the incorrect BGP routes on the public internet, saying:
“For what it's worth: I don't think they intended to announce this to the rest of the world (hijack). What we saw here, by accident, is that they treat these (new more specific) prefixes special inside their network. Likely for some kind of "Traffic Engineering" reason.”
However, experts have pointed out in the past that it is possible to make an intentional BGP hijack appear as an accident which could be the case here.
- Also check out our complete list of the best VPN services
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.