Internet Traffic To Major Tech Firms Mysteriously Rerouted To Russia (securityweek.com)

wiredmikey writes: Internet traffic to some of the world's largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack. Internet monitoring service BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC. Despite being short-lived, BGPmon said the incidents were significant, including due to the fact that the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, which is a joint project of several Nordic countries. The incident is rather suspicious, as the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren't normally seen on the Internet.

4 of 106 comments

  1. Re:Russia is a Problem by um...+Lucas · · Score: 2, Informative

    If we have someone in office that broke the law, we shouldn't leave them in out of fear that their successor's policies are worse. That makes it even more political. If they did something wrong, they did something wrong, that's it. Not "it's illegal, but we'll selectively not enforce the law because..."

  2. Re:Russia is a Problem by jellomizer · · Score: 2, Informative

    I have more faith that Pence will be working towards our national interests vs. Trump, who is out for Trump.
    I'd much rather be displeased about the choice the President made, vs. scared of the choice the President had made.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Re:Russia is a Problem by fahrbot-bot · · Score: 4, Informative

    The Constitution has provisions to handle this unfortunately and if Mike Pence isn't impeached as well, he's in and there's a pecking order as to who gets in determined as well if I recall correctly.

    Wikipedia has the current line of Presidential Succession:

    • 1 Vice President - Mike Pence (R)
    • 2 Speaker of the House of Representatives - Paul Ryan (R)
    • 3 President pro tempore of the Senate - Orrin Hatch (R)
    • 4 Secretary of State - Rex Tillerson (R)
    • 5 Secretary of the Treasury - Steven Mnuchin (R)
    • 6 Secretary of Defense - Jim Mattis (I)
    • 7 Attorney General - Jeff Sessions (R)
    • 8 Secretary of the Interior - Ryan Zinke (R)
    • 9 Secretary of Agriculture - Sonny Perdue (R)
    • 10 Secretary of Commerce - Wilbur Ross (R)
    • 11 Secretary of Labor - Alex Acosta (R)
    • 12 Secretary of Health and Human Services - Eric Hargan (R) Acting
    • 13 Secretary of Housing and Urban Development - Ben Carson (R)
    • – Secretary of Transportation - Elaine Chao (R) [ ineligible, not natural-born US citizen ]
    • 14 Secretary of Energy - Rick Perry (R)
    • 15 Secretary of Education - Betsy DeVos (R)
    • 16 Secretary of Veterans Affairs - David Shulkin (I)
    • 17 Secretary of Homeland Security - Kirstjen Nielsen (I)

    See *anyone* in there you'd really like to see as President?

    --
    It must have been something you assimilated. . . .
  4. Re:BGP vs. Root name servers? by dissy · · Score: 3, Informative

    BGP vs. Root name servers?
    I don't know the relationship (if any) between the two, but is it just coincidence this is happening less than a month after this:

    No direct relationship, other than DNS servers like all servers have an IP address, and the backbone routers need to know how to get your traffic to said IP.
    BGP is how the backbone knows where to send packets to get to the destination.

    Normally if you try to go to, say, Google's web server, the BGP tables list Google's IP space and point to the backbone routers that directly connect (peer) with Google's routers.

    In cases of hijacking like this, Russia updated those route tables to say Google is directly connected to one of their own routers, so any packets you send to a Google IP end up going to Russia first.
    Then they can do whatever they want, like record it and then pass the packets back to the routers originally listed in BGP before the hijack.

    Root DNS servers would be similar, although there are many root DNS servers around the world and any lookups you make tend to semi-randomly pick one from the list for each query.

    Another quirk with the root servers is how they are distributed and that they use a logical/physical separation, primarily to be extremely efficient but it can help in cases like this too.
    There are 13 "logical" root servers, named with the letters A to M, each for the most part under the control of a different organization/entity.
    However for any one of those logical names, there can be many physical servers that answer for it.
    They also don't use unicast IP addressing like nearly every server you're used to, but a type of addressing called anycast.

    So for example, the "A" server is run by Verisign (from back when they were Internic), and the "E" server is run by NASA.
    But "A" actually points to many physical servers distributed around the US.

    Anycast provides one IP for each of those many separated servers, and that IP is actually answered by many different networks and ISPs, each having many redundant physical servers to distribute the load over.
    Which cluster of servers you get mainly depends on which of those networks is closest to you on the network. So you querying the anycast IP on the west coast will have completely different networks and servers responding than if I queried that same IP on the east coast.

    That makes it pretty difficult to hijack in a useful way, and to hijack enough of those routes and servers in a physical area on a single anycast IP, let alone more than one of the server clusters, and let alone again more than one "letter" designated root.
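The story and dissy's comment describe the two signals a monitoring service like BGPmon watches for: a watched prefix suddenly originated by an unexpected Autonomous System, and a more-specific prefix (which wins BGP best-path selection against the legitimate covering route) appearing where none is normally announced. The following is an added example, not code from Slashdot, BGPmon or any of the networks named in the story; it shows the minimal origin-AS check a defender would run over a feed of observed announcements. All prefixes are from the RFC 5737 documentation ranges, all AS numbers from the RFC 6996 private-use range, and the announcement feed, peer names and timestamps are constructed for the example.

```python
"""
Added example (not from the Slashdot thread or from BGPmon): a minimal
origin-AS monitor over a stream of observed BGP announcements.

Two signals from the story are checked for each watched prefix:
  1. ORIGIN_MISMATCH      - the exact prefix originated by an unexpected AS
  2. MORE_SPECIFIC(_FOREIGN) - a longer (more-specific) prefix inside a
     watched prefix, which wins best-path selection and so diverts traffic
     even if the legitimate covering route is still present
Prefixes are RFC 5737 documentation ranges and AS numbers are RFC 6996
private-use ASNs; none of them belong to a real operator.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str      # e.g. "192.0.2.0/24"
    origin_as: int   # AS that originates the route (last AS in the AS_PATH)
    seen_by: str     # collector/peer that observed it (constructed names)
    ts: str          # UTC time of observation (constructed)


# Expected origin AS per watched prefix (hypothetical allow-list).
EXPECTED = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
    "203.0.113.0/24": {64502, 64503},   # legitimately multi-origin
}


def classify(ann, expected=EXPECTED):
    """Return a list of alert strings for one announcement (empty = normal)."""
    alerts = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    for watched, origins in expected.items():
        wnet = ipaddress.ip_network(watched)
        if net.version != wnet.version:
            continue
        if net == wnet:
            # Exact prefix: only the origin AS matters.
            if ann.origin_as not in origins:
                alerts.append(
                    f"ORIGIN_MISMATCH {ann.prefix} from AS{ann.origin_as} "
                    f"expected {sorted(origins)} (seen by {ann.seen_by})"
                )
        elif net.subnet_of(wnet):
            # More-specific inside a watched prefix: flag it even when the
            # origin is expected (could be a leak), escalate when it is not.
            sev = "MORE_SPECIFIC" if ann.origin_as in origins else "MORE_SPECIFIC_FOREIGN"
            alerts.append(
                f"{sev} {ann.prefix} within {watched} from AS{ann.origin_as} "
                f"(seen by {ann.seen_by})"
            )
    return alerts


def scan(announcements, expected=EXPECTED):
    """Run classify over a batch; return {timestamp: [alerts]} for hits only."""
    hits = {}
    for a in announcements:
        found = classify(a, expected)
        if found:
            hits.setdefault(a.ts, []).extend(found)
    return hits


def peers_affected(announcements, expected=EXPECTED):
    """Distinct peers that observed a flagged route: the story's 'picked up by
    several peers and some large ISPs' is what turns a glitch into an event."""
    return sorted({a.seen_by for a in announcements if classify(a, expected)})


# Constructed sample feed: one normal update, one wrong-origin hijack,
# one foreign more-specific, one legitimate alternate origin.
SAMPLE = [
    Announcement("192.0.2.0/24", 64500, "peer-A", "04:40:00"),
    Announcement("192.0.2.0/24", 64666, "peer-A", "04:43:10"),
    Announcement("198.51.100.0/25", 64666, "peer-B", "04:43:12"),
    Announcement("203.0.113.0/24", 64503, "peer-C", "04:43:15"),
]

if __name__ == "__main__":
    for ts, alerts in scan(SAMPLE).items():
        for line in alerts:
            print(ts, line)
    print("peers affected:", peers_affected(SAMPLE))
```

Run stand-alone it prints the two hits (the wrong-origin /24 and the foreign /25) and the two peers that saw them, while the normal update and the legitimate alternate origin stay silent. A real deployment would feed this from route collectors and back the allow-list with RPKI ROAs rather than a hand-written dictionary; the shape of the check, exact-prefix origin versus more-specific, is the same.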