A Border Gateway Protocol (BGP) routing incident saw a
bunch of high-profile Internet destinations mis-routed through Russia
on Tuesday, US time.
In what BGPMon called a “suspicious” event, “Starting at 04:43 (UTC) 80 prefixes normally announced by organisations such Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.”
The glitch happened twice, the monitoring organisation reported: Once between 04:43 and 04:46 UTC on December 12, and then between 07:07 and 07:10.
BGPMon said in spite of the brevity of the events, they matter because the announcements were “picked up by a large number of peers and because of several new more specific prefixes that are not normally seen on the Internet.”
Peers that accepted the announcements and made them reachable included Hurricane Electric and Zayo in the US, Scandinavian international collaboration Nordunet, and Telstra in Australia.
The autonomous system (AS) that made the announcements had been largely dormant for years.
“This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent the attract traffic”, BPGMon's Andree Toonk wrote.
“AS 39523 has only recently been assigned,” he continued, but “while going through our historical data, we also noticed that AS 39523 was in fact once active earlier this year.”
That incident took place during a route leak between Google and Verizon in August 2017, which black-holed Japanese traffic.
“Interestingly one of the paths that appeared during that leak was the prefix 66.232.224.0/24 with the following ASpath 701 15169 32007 39523”, the post noted, and “39523 is the same Russian AS that appeared as the origin AS today”.
BGPMon doesn't name its suspicions, but recommends that major ISPs filter their customers to avoid such events.
Source
In what BGPMon called a “suspicious” event, “Starting at 04:43 (UTC) 80 prefixes normally announced by organisations such Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.”
The glitch happened twice, the monitoring organisation reported: Once between 04:43 and 04:46 UTC on December 12, and then between 07:07 and 07:10.
BGPMon said in spite of the brevity of the events, they matter because the announcements were “picked up by a large number of peers and because of several new more specific prefixes that are not normally seen on the Internet.”
Peers that accepted the announcements and made them reachable included Hurricane Electric and Zayo in the US, Scandinavian international collaboration Nordunet, and Telstra in Australia.
The autonomous system (AS) that made the announcements had been largely dormant for years.
“This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent the attract traffic”, BPGMon's Andree Toonk wrote.
“AS 39523 has only recently been assigned,” he continued, but “while going through our historical data, we also noticed that AS 39523 was in fact once active earlier this year.”
That incident took place during a route leak between Google and Verizon in August 2017, which black-holed Japanese traffic.
“Interestingly one of the paths that appeared during that leak was the prefix 66.232.224.0/24 with the following ASpath 701 15169 32007 39523”, the post noted, and “39523 is the same Russian AS that appeared as the origin AS today”.
BGPMon doesn't name its suspicions, but recommends that major ISPs filter their customers to avoid such events.
Source