Internet traffic redirected through Russia in ‘suspicious’ event

Targeted tampering
The incident was disclosed in a blog post by Internet monitoring service BGPMon. The company monitors events on the Internet’s Border Gateway Protocol (BGP), the routing protocol that networks use to tell each other which IP address blocks they can reach. The protocol is responsible for routing Internet traffic between ISPs and major networks in different countries, letting you access files stored in remote datacentres from wherever you are.
During two brief windows on Tuesday, Internet traffic flowing to companies including Apple, Facebook, Google and Microsoft was rerouted to pass through an unknown ISP in Russia. The activity began at 04:43 UTC and lasted for about three minutes. A few hours later, at 07:07 UTC, the activity resumed for another three-minute period. No other events have occurred since.
Other networks obeyed the rerouting because the Russian ISP inserted itself into entries in BGP routing tables. These define where traffic should be forwarded as it heads across the global Internet.
The Russian ISP, AS 39523, suddenly claimed to be the origin of around 80 BGP prefixes assigned to the affected Internet providers. Other autonomous systems’ routers then passed their traffic to AS 39523, believing it to be associated with the companies being targeted.
“Intentional” rerouting
BGP rerouting errors do occur and are commonly the result of human error. However, several characteristics of the incident mark it as “suspicious.” Beyond the targeting of some of the world’s top Internet companies, the rerouted address space was announced in smaller blocks than the providers themselves normally announce. This suggests the rerouting was a deliberate act with the aim of passing large amounts of web traffic through Russia.
The incident is made stranger by the identity of AS 39523. It’s a known autonomous system but has been dormant for “many years.” It woke on one other occasion this year, participating in another sequence of strange BGP events that were similar to this week’s rerouting. During April, traffic to several major Internet companies and financial services – including Visa, MasterCard and Google – was briefly redirected through a Russian ISP.
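The two warning signs described above, a prefix suddenly originated by an unexpected AS and a block announced as a smaller, more specific piece of a provider’s normal prefix, are exactly what a route monitor checks for. The following is an added illustration of that check, not BGPMon’s code or anything from the incident itself. It compares a constructed feed of announcements against a constructed table of expected origins (the role that RPKI route origin authorisations or a monitoring service’s own records play in practice); the prefixes and the 64xxx AS numbers are documentation and private-use placeholders, and only AS 39523 is taken from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed expected-origin table: which AS is allowed to originate each
# prefix. Prefixes are documentation ranges and ASNs are private-use
# placeholders, not real allocations. AS 39523 is the origin named in the article.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501},
    "2001:db8::/32": {64502},
}
_EXPECTED = {ipaddress.ip_network(p): asns for p, asns in EXPECTED_ORIGINS.items()}


@dataclass(frozen=True)
class Announcement:
    """One BGP origin announcement as a monitor would see it."""
    prefix: str
    origin_as: int


def covering_prefix(net):
    """Most specific expected prefix that contains `net`, or None if none does."""
    candidates = [p for p in _EXPECTED if p.version == net.version and net.subnet_of(p)]
    return max(candidates, key=lambda p: p.prefixlen) if candidates else None


def classify(ann: Announcement) -> str:
    """Classify an announcement against the expected-origin table.

    valid                 origin matches the expected AS (exact or more-specific)
    origin-hijack         same prefix as expected, but an unexpected origin AS
    more-specific-hijack  a sub-block of an expected prefix from an unexpected AS,
                          which routers prefer because of longest-prefix matching
    unknown               no expected prefix covers this announcement
    """
    net = ipaddress.ip_network(ann.prefix)
    cover = covering_prefix(net)
    if cover is None:
        return "unknown"
    if ann.origin_as in _EXPECTED[cover]:
        return "valid"
    return "origin-hijack" if net == cover else "more-specific-hijack"


def scan(announcements: List[Announcement]) -> List[Tuple[Announcement, str]]:
    """Return every announcement that is not valid, with its verdict."""
    alerts = []
    for ann in announcements:
        verdict = classify(ann)
        if verdict != "valid":
            alerts.append((ann, verdict))
    return alerts


def suspicious_origins(announcements: List[Announcement]) -> Dict[int, int]:
    """Count non-valid announcements per origin AS; one AS claiming many
    prefixes at once is the pattern the article describes."""
    counts: Dict[int, int] = {}
    for ann, _ in scan(announcements):
        counts[ann.origin_as] = counts.get(ann.origin_as, 0) + 1
    return counts


# Constructed sample feed: one legitimate announcement, one exact-prefix hijack,
# one more-specific hijack, one legitimate more-specific, one uncovered prefix.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", 64500),
    Announcement("203.0.113.0/24", 39523),
    Announcement("198.51.100.0/24", 39523),
    Announcement("198.51.101.0/24", 64501),
    Announcement("192.0.2.0/24", 39523),
]

if __name__ == "__main__":
    for ann, verdict in scan(SAMPLE_FEED):
        print(f"{verdict:22s} {ann.prefix:20s} origin AS{ann.origin_as}")
    print("announcements per suspicious origin:", suspicious_origins(SAMPLE_FEED))
```

The more-specific case is the important one: a /24 carved out of a provider’s /23 wins in every router on the path regardless of how the /23 is announced, so a monitor that only compares exact prefixes would miss it. Whether an “unknown” announcement is an alert or noise depends on how complete the expected-origin table is, which is why such tables are built from authoritative sources rather than from observed routing.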
AS 39523’s motives in rerouting the traffic remain unknown. It’s also impossible to ascertain what the system has done with the terabytes of data it would have acquired during its six minutes of operation this week. Experts have warned that further similar incidents are likely because BGP itself lacks robust security.
Web servers and Internet providers have no way of verifying that rerouting announcements are legitimate, forcing them to accept AS 39523’s claims on the basis of trust. This trust model now seems to be at risk of being undermined, potentially putting the integrity of the global Internet at risk.