Some Twitter traffic briefly funneled through Russian ISP, thanks to BGP mishap

Network monitoring services said that some internet traffic was briefly diverted through Russia after a major internet service provider in that country misconfigured the internet's routing table.

The problem lasted for 45 minutes before the leading Russian internet service provider stopped advertising its network as the official way for other internet service providers to connect to the popular social networking site. Before the announcement was dropped, safeguards prevented most large ISPs from obeying the directive.

A visualization of what the event looked like can be found on this page.

Remember BGP

The border gateway protocol is used to locate and connect to internet service providers in other areas. The system was designed in the early days of the internet when operators of one network knew and trusted their peers running other networks. Typically, one engineer would use a BGP table to announce that their network was the correct path to send and receive traffic.

BGP could become unwieldy as the internet grew. A misconfiguration in one country could cause a lot of problems. In 2008, the entire Internet became unavailable to viewers because of a change in Pakistan's internet service provider. The change to blocking YouTube inside Pakistan was not carefully implemented by the ISP. A year ago, an internet service provider tried to block citizens from using the social networking site in the country, but ended up hijacking the very same range of addresses caught up in Monday's event.

Some BGP misconfigurations, however, are believed to be intentional acts of malice. In 2013, researchers revealed that huge chunks of Internet traffic belonging to US-based financial institutions, government agencies, and network service providers had repeatedly been diverted to distant locations in Russia. The unexplained circumstances stoked suspicions the engineers in that country intentionally rerouted traffic so they could surreptitiously monitor or modify it before passing it along to the final destination. Something similar occurred a year later Advertisement Similar BGP mishaps have repeatedly redirected massive amounts of US and European traffic to China under similarly suspicious circumstances. Financially motivated threat actors have also been known to use BGP hijacking to take control of desirable IP ranges.

Ham-fisted censorship

The director of Internet analysis at Kentik, Doug Madory, believes that the event was the result of the Russian government trying to block people in the country from accessing the internet. The changes applied to the Internet as a whole.

Madory explained that there are multiple ways to block traffic to Twitter. Any network that accepted the hijacked route would send their traffic to Russia, where it likely was dropped. It is possible that they could do a man-in-the-middle and let the traffic go on, but I don't think that happened in this case.

The man-in-the-middle attacks and leaking of BGP highlight the importance of secure connections on the internet. The protection assures that even if a malicious party takes control of the addresses, they won't be able to create a fake page that doesn't get flagged for having a valid certificate.

The protections known as Resource Public Key Infrastructure and Route Origin Authorizations prevented most internet service providers from following the path that was advertised. The measures claimed that AS13414 was the rightful origin.

It doesn't mean that all ASes ignored the announcement. According to a network engineer and founder of the B GPKIT tool, the ASes that spread the route included AS6188 (UK), AS8447 (Austria), AS1267 (Italy), and AS13030 (Switzerland).

Madory said that other ASes that were affected were AS61955 (Germany), AS41095(UK), AS56665 (Luxembourg), and AS3741 (South Africa). Some of these ASes are known as route collectors, which means they may have received the wrong route rather than propagating it.