The traffic was hijacked through Russia, China and Nigeria
A BGP leak caused the lack of availability of Google service on Monday; the traffic was redirected through Russia, China and Nigeria, as reported by specialists in digital forensics from the International Institute of Cyber Security. It is still unclear whether the incident was the result of an error or because of a cyberattack on the BGP protocol.
Route hijacking, also known as BGP hijacking, occurs when routing tables for IP address groups are intentionally or accidentally corrupted.
Recently, Chris C. Demchak and Yuval Shavitt, specialists in cybersecurity and digital forensics, revealed that in recent years, China Telecom has been misdirecting Internet traffic through China. China Telecom is currently present in North American networks with 10 Points of Presence (PoPs) – eight in the United States and two in Canada – which cover the main exchange points.
The two investigators noted that the telecomm company uses the PoPs to hijack traffic through China, which has happened several times in recent years. “Within BGP’s forwarding tables, the administrators of each AS announce to their neighbors as the IP address blocks of their AS, either to use them as a destination or as a convenient transit node”, the investigators indicate.
“Errors can occur given the complexity of BGP’s configuration, and these possible errors offer hackers an opportunity to hijack traffic. If the AS1 network announces erroneously through its BGP that it possesses an IP blocking which is actually owned by the AS2 network, the traffic of an Internet part destined to AS2 will be routed through AS1. If the erroneous announcement was maliciously fixed, there is a BGP hijacking,” the experts on cybersecurity and digital forensics mention.
BGP’s most recent leaks were reported for the first time by the ThousandEyes network monitoring firm, traffic to Google services, including Google Search, G Suite and various Google Cloud services, went through TransTelecom in Russia, the Internet service provider from Nigeria MainOne, and China Telecom.
“On November 12th, 2018, between 1:00 pm and 2:23 pm PST, ThousandEyes noticed problems connecting to G Suite, a critical application for our organization. In reviewing the ThousandEyes Endpoint Agent Statistics, we noticed that this was affecting all users in the ThousandEyes office,” mentions the firm’s report.
“The interruption not only affected G Suite, but also Google Search, as well as Google Analytics. What caught our attention was that the traffic to Google Search was being reduced in China Telecom. Why does traffic from a San Francisco office running through Google reach China? We also noticed a Russian Internet service provider on the traffic route, which definitely generated some concerns for our teams”.
The cybersecurity and digital forensics community speculates that the origin of this leak was the BGP matchmaking relationship between the Nigerian supplier MainOne and China Telecom, however it is unclear whether BGP leaks were the result of an intentional attack or poor configuration in MainOne.
On the other hand, Google has confirmed that the root cause of the incident was external to the company’s systems and has started an internal investigation in this regard.
