Rostelecom in Russia found to have hijacked Internet traffic from companies such as Google/AWS/Cloudflare

Earlier this week, traffic belonging to more than 200 of the world's content delivery networks (CDNs) and cloud hosting providers is suspected of having been redirected through Rostelecom, Russia's state-owned telecoms operator. The incident affected more than 8,800 Internet traffic routes across more than 200 networks. The companies affected are well-known names in the cloud and CDN markets, including Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner and Linode.

The full list of victim networks can be found in this Twitter search:

https://twitter.com/search?q=AS12389%20(from%3Abgpstream)%20until%3A2020-04-07%20since%3A2020-04-01&src=typed_query

This incident is a typical "BGP hijacking". BGP is the abbreviation of Border Gateway Protocol, the system by which networks on the global Internet exchange traffic routes. By design the entire system is very fragile, because any participating network can simply "lie" in a BGP routing announcement, for example by claiming that "Facebook's servers" are on its network; every other Internet entity then accepts the announcement as legitimate, and all of Facebook's traffic is sent to the hijacker's servers.

In the past, before HTTPS was widely used to encrypt traffic, BGP hijacking allowed attackers to carry out man-in-the-middle (MitM) attacks to intercept and alter Internet traffic.

Today, BGP hijacking is still dangerous because it allows hijackers to record traffic and attempt to analyze and decrypt it later, once advances in cryptography have weakened the encryption that protects it.

BGP hijacking has been an issue on the Internet backbone since the mid-1990s, and network practitioners have been working for years to strengthen the security of BGP, resulting in ROV, RPKI and, more recently, MANRS. However, adoption of these new mechanisms has been slow, and BGP hijackings still occur.
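To make the ROV/RPKI defence mentioned above concrete, here is an added example (not part of the original article) implementing RFC 6811 Route Origin Validation in Python: a table of ROAs (which AS may originate which prefix, and how specific the announcement may be) is checked against a set of constructed BGP announcements. The prefixes are RFC 5737 documentation ranges and the ASNs other than AS12389 (Rostelecom, from the article) are RFC 5398 documentation values, all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: which AS may originate a prefix, and how specific."""
    prefix: str       # authorised prefix
    max_length: int   # longest (most specific) announcement the ROA permits
    origin_as: int    # the only AS allowed to originate the prefix

def validate_origin(announced_prefix: str, origin_as: int, roas: Iterable[Roa]) -> str:
    """RFC 6811 ROV: returns 'valid', 'invalid' or 'not-found'."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        if ann.version != net.version or not ann.subnet_of(net):
            continue  # this ROA says nothing about the announced prefix
        covered = True  # at least one ROA covers the prefix
        # A matching ROA needs the right origin AS *and* a length within maxLength
        if roa.origin_as == origin_as and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed ROA table (documentation prefixes and ASNs, not real registrations).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
]

# Constructed BGP announcements as (prefix, origin AS). AS12389 is Rostelecom.
ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 12389),     # same prefix from the wrong AS: the hijack case
    ("198.51.100.0/24", 64497),  # more-specific, but within maxLength: allowed
    ("198.51.100.0/25", 64497),  # right AS, too specific: rejected by ROV
    ("203.0.113.0/24", 12389),   # no ROA at all: ROV cannot help here
]

def classify_announcements(announcements, roas) -> List[Tuple[str, int, str]]:
    """Attach the ROV state to each announcement; a ROV-enforcing router drops 'invalid'."""
    return [(p, a, validate_origin(p, a, roas)) for p, a in announcements]

if __name__ == "__main__":
    for prefix, asn, state in classify_announcements(ANNOUNCEMENTS, ROAS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

The "not-found" case is why slow RPKI adoption matters: a prefix without a ROA cannot be protected by ROV no matter who originates it.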

Experts have repeatedly pointed out in the past that not all BGP hijackings are malicious. Most incidents may be human error: an operator mistakenly enters an ASN (autonomous system number, the identifier of an Internet entity) and accidentally hijacks that company's Internet traffic.

However, some entities are repeatedly behind BGP hijackings, and many experts have labelled those incidents suspicious, suggesting that they are more than just accidents.

Rostelecom (AS12389) has not been directly and deliberately involved in a BGP hijacking, as operators in some other countries have been, but there have been many similar suspicious incidents involving it.

The last major Rostelecom hijacking to make headlines occurred in 2017, when the telco hijacked BGP routes belonging to the world's largest financial entities, including Visa, Mastercard and HSBC.

This time, the communications industry has yet to reach a conclusion. Andree Toonk, the founder of BGPMon, is giving the Russian telco the benefit of the doubt. Toonk said on Twitter that he believed the "hijacking" occurred because a traffic shaping system inside Rostelecom may have accidentally exposed the wrong BGP routes on the public Internet, rather than being a problem with Rostelecom's internal network as a whole.

Unfortunately, this small mistake was further aggravated by Rostelecom's upstream provider redistributing the newly announced BGP routes across the Internet, which amplified the BGP hijacking within seconds.

However, many Internet experts have pointed out in the past that a hijacking could just as well be deliberate, because no one can tell the difference between a deliberate hijack and an accident. BGP hijackings by state-controlled telecommunications entities have always been considered suspicious – mainly for political rather than technical reasons.