Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.
OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).
It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.
Despite being short-lived, BGPmon said the incidents were significant, partly because the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, which is a joint project of several Nordic countries.
Another interesting aspect was that all the targeted traffic was associated with high-profile organizations. Experts also pointed out that the Russian AS (AS39523) had not been seen making announcements for several years before this incident.
“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic,” BGPmon said in a blog post.
“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers,” the company added.
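The mechanics BGPmon describes above (a more-specific prefix drawing traffic away from the legitimate, less specific route, and the value of ISPs filtering what their customers may announce) can be shown with a small route-selection simulation. The Python below is an added example written for this article; it is not BGPmon's tooling or code from any of the companies named. It uses constructed data only (RFC 5737 documentation prefixes, private AS numbers, a hypothetical hijacker AS 64500 behind a hypothetical upstream AS 64511), and the expected-origin table, the customer prefix list and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str        # announced prefix, e.g. "198.51.100.0/24"
    origin_as: int     # AS that originated the route (last AS in the path)
    as_path: tuple     # AS path as seen from the route collector's peer


# Constructed sample data (not from the incident): RFC 5737 documentation
# prefixes and private AS numbers. AS 64496 legitimately originates the /22;
# AS 64500 is the hypothetical hijacker, reached via its upstream AS 64511.
EXPECTED_ORIGIN = {
    "198.51.100.0/22": 64496,
    "203.0.113.0/24": 64497,
}

OBSERVED = [
    Announcement("198.51.100.0/22", 64496, (64510, 64496)),
    Announcement("203.0.113.0/24", 64497, (64510, 64497)),
    # A /24 carved out of the /22, originated by the wrong AS.
    Announcement("198.51.100.0/24", 64500, (64511, 64500)),
]

# Prefixes each customer of upstream AS 64511 is allowed to announce,
# the kind of list an ISP builds from IRR or RPKI data (assumed values).
CUSTOMER_PREFIXES = {64500: ["192.0.2.0/24"]}


def best_route(rib, address):
    """Longest-prefix match: the most specific covering prefix wins,
    regardless of who originated it. This is why a bogus /24 beats a real /22."""
    addr = ipaddress.ip_address(address)
    covering = [a for a in rib if addr in ipaddress.ip_network(a.prefix)]
    if not covering:
        return None
    return max(covering, key=lambda a: ipaddress.ip_network(a.prefix).prefixlen)


def expected_for(prefix):
    """Most specific entry in EXPECTED_ORIGIN that equals or contains prefix."""
    net = ipaddress.ip_network(prefix)
    match = None
    for p, asn in EXPECTED_ORIGIN.items():
        known = ipaddress.ip_network(p)
        if net.subnet_of(known) and (match is None or known.prefixlen > match[0].prefixlen):
            match = (known, asn)
    return match


def detect_hijacks(rib):
    """Flag announcements whose origin AS differs from the expected one.
    Returns (prefix, seen_origin, expected_origin, kind) tuples."""
    alerts = []
    for a in rib:
        match = expected_for(a.prefix)
        if match is None or a.origin_as == match[1]:
            continue
        kind = ("more-specific"
                if ipaddress.ip_network(a.prefix).prefixlen > match[0].prefixlen
                else "origin-mismatch")
        alerts.append((a.prefix, a.origin_as, match[1], kind))
    return alerts


def accept_from_customer(customer_as, ann, max_prefixlen=24):
    """Upstream-side filter: accept only prefixes on the customer's list,
    and nothing more specific than max_prefixlen."""
    net = ipaddress.ip_network(ann.prefix)
    if net.prefixlen > max_prefixlen:
        return False
    allowed = CUSTOMER_PREFIXES.get(customer_as, [])
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in allowed)


def filtered_rib(rib):
    """What the collector would see if AS 64511 filtered its customer AS 64500."""
    return [a for a in rib
            if a.as_path[0] != 64511 or accept_from_customer(a.origin_as, a)]


if __name__ == "__main__":
    hit = best_route(OBSERVED, "198.51.100.10")
    print("traffic for 198.51.100.10 follows", hit.prefix, "to AS", hit.origin_as)
    for alert in detect_hijacks(OBSERVED):
        print("ALERT", alert)
    print("after upstream filtering:", detect_hijacks(filtered_rib(OBSERVED)))
```

Run as-is, the unfiltered view sends traffic for 198.51.100.10 to the hijacker's /24 and the detector raises one "more-specific" alert; once the upstream applies the customer prefix list, the bogus /24 never enters the table and traffic follows the legitimate /22 again. The detection check mirrors what a monitoring service does when it compares observed origins against the origins it expects for a set of prefixes.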
Robert Hamilton, director of product marketing at Imperva, said it’s hard to say what the goal was in this specific case considering that the attack was short-lived, but he noted that these types of attacks can be used for various things, “like spoofing websites in order to get visitors to download malicious content or to give up personal details or financial information.”
Chris Morales, head of security analytics at Vectra, a California-based provider of automated threat management solutions, pointed out that users accessing online resources of Google, Apple, Facebook, Microsoft and the other impacted companies trust that their communications are secure because of the use of HTTPS. However, entities that are capable of manipulating the BGP routing protocol to perform man-in-the-middle (MitM) attacks can also manipulate the TLS/SSL encryption and eavesdrop on users.