Some Twitter Traffic Briefly Funneled Through Russian ISP, Thanks To BGP Mishap (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Some Internet traffic in and out of Twitter on Monday was briefly funneled through Russia after a major ISP in that country misconfigured the Internet's routing table, network monitoring services said. The mishap lasted for about 45 minutes before RTCOMM, a leading ISP in Russia, stopped advertising its network as the official way for other ISPs to connect to the widely used Twitter IP addresses. Even before RTCOMM dropped the announcement, safeguards prevented most large ISPs from abiding by the routing directive. A visualization of what the event looked like is illustrated on this page from BGPStream.
Doug Madory, the director of Internet analysis at network analytics company Kentik, said that what little information is known about Monday's BGP event suggests that the event was the result of the Russian government attempting to block people inside the country from accessing Twitter. Likely by accident, one ISP made those changes apply to the Internet as a whole. "There are multiple ways to block traffic to Twitter," Madory explained in an email. "Russian telecoms are on their own to implement the government-directed blocks, and some elect to use BGP to drop traffic to certain IP ranges. Any network that accepted the hijacked route would send their traffic to this range of Twitter IP space into Russia -- where it likely was just dropped. It is also possible that they could do a man-in-the-middle and let the traffic continue on to its proper destination, but I don't think that is what happened in this case."
Long-distance hate-ray temporarily off the mark (Score:2)
But yeah, that's a good explanation too.
Re: (Score:2)
I'm sure someone else who knows a hell of a lot more about it than I do will chime in, but it's because routing information is transmitted to routers that act on it in realtime. Historically there weren't any protections to speak of and this stuff happened even more often (as compared to the amount of hosts.) Like the summary says, though, not all hosts accepted the route.
Re: (Score:2)
It makes sense that a misconfigured router could prevent people in Russia from accessing the Internet. But how can that possibly affect anyone outside of Russia?
It's because information from misconfigured routers propagates out until it is filtered or rejected. So if the BGP config is a bit too "trusting" on some routers outside Russia, you can see the routes propagate to them. See this article [darkreading.com] for more information on accidental and deliberate "hijacking".
Re: (Score:2)
It makes sense that a misconfigured router could prevent people in Russia from accessing the Internet. But how can that possibly affect anyone outside of Russia?
The Border Gateway Protocol is from a kinder, gentler era, when only a small number of nerds globally were using the Internet. It didn't need any security because of course everyone operating an ISP of any kind was a fine upstanding citizen of impeccable taste and unimpeachable reputation. The standard is from 1989 and has been in regular use since 1994. It has been revised to include CIDR support in 2006, but otherwise hasn't changed since. Notably, it lacks any authentication or access restrictions wh
Re: (Score:1)
Meanwhile there's a war on, and Ukrainians have been posting to Twitter. 45 minutes of data was intercepted from at least part of the world. The naive fellow quoted in the fine summary must have fallen off the turnip truck yesterday, because you don't route traffic to yourself when you're trying to blackhole a route. You route it to nowhere. That's why it's called a blackhole. That BGP change was for interception and no other purpose.
I agree. I'm not sure how he rationalizes an accident here. I had some issues after downloading the list of 620 FSB agents from the Ukrainian Defense Ministry Site. These agents are supposedly operating in Europe and the hack could've been cause for retaliation. Lots more to come as Russia pulls in its best ransomware actors for highly paid gubment work.
Re: (Score:2)
The Border Gateway Protocol is from a kinder, gentler era, when only a small number of nerds globally were using the Internet. It didn't need any security because of course everyone operating an ISP of any kind was a fine upstanding citizen of impeccable taste and unimpeachable reputation.
It has been revised to include CIDR support in 2006, but otherwise hasn't changed since. Notably, it lacks any authentication or access restrictions whatsoever. Anyone can advertise any route for any subnet at any time. As long as they're recognized as being an ISP, the whole world will accept their routing updates, automatically. It has been this way from the very beginning and, as referenced in the summary, people are trying to fix it by violating the standard, not fixing the standard.
While your facts are wrong on nearly every front (see references below) the gist of the issue with BGP and security is the nature of physical reality. If professionals can't trust the peers they are physically interconnecting with they are screwed no matter what because security without trust is meaningless. Likewise where there is trust in an operator and their physical interconnections adding security is redundant and achieves nothing.
If most operators in the DFZ can't be sufficiently trusted to collabo
RPKI limited the blast radius (Score:1)
Thanks to (Score:2)
BGP "mishap", maybe it wasn't a mishap.
Re: (Score:2)
BGP "mishap", maybe it wasn't a mishap.
Russia involved in another border-related incident, who'd a thought? :-)
BGP seems deeply flawed (Score:2)
It seems incredibly stupid to trust a network when that network says "hey, I'm the new route to the following block of addresses". That's the same general problem that many/most of the really egregious security bugs have exploited - naively trusting the client.
I'm not sure what the solution is in this case, though.
Re: (Score:2)
The fix exists. There is RPKI BGP [cloudflare.com]
It's just that not everyone has implemented it yet.
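Route origin validation (RPKI ROV, RFC 6811) is the safeguard this comment refers to, and it is also why, per the summary, most large ISPs ignored the bad announcement. The following is an added example, not code from this thread, from Cloudflare or from the Ars article; the ASNs and prefixes are constructed documentation values, not Twitter's or RTCOMM's. It shows that without ROV a more-specific prefix from the wrong origin wins best-path selection, and that ROV drops it before selection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: documentation ASNs (RFC 5398) and a prefix
# built from the TEST-NET-1 range. None of these are real Twitter or RTCOMM data.
VICTIM_AS = 64500     # hypothetical legitimate origin of the address block
HIJACKER_AS = 64496   # hypothetical ISP that mis-announces part of the block


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int   # longest prefix length the holder authorises
    origin_as: int


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple    # leftmost = nearest neighbour, rightmost = origin AS


# Constructed ROA table: the holder allows AS64500 to originate 192.0.2.0/23
# and any more-specific down to /24. Nobody else is authorised for this space.
ROAS = [ROA("192.0.2.0/23", 24, VICTIM_AS)]


def rov_state(route, roas=ROAS):
    """RFC 6811 validation state: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"           # no ROA at all: ROV has no opinion
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def select_best(routes, roas=ROAS, enforce_rov=True):
    """Install the longest-prefix route (shortest AS path as tie-breaker).

    With enforce_rov=False the hijacked more-specific wins, which is the
    failure mode in the article; with ROV enforced, 'invalid' routes are
    discarded before selection, so the legitimate route is kept."""
    candidates = [r for r in routes
                  if not enforce_rov or rov_state(r, roas) != "invalid"]
    return max(candidates, default=None,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                              -len(r.as_path)))


# Constructed announcements: the legitimate /23 and a hijacked /24.
LEGIT = Route("192.0.2.0/23", (64510, VICTIM_AS))
HIJACK = Route("192.0.2.0/24", (64511, HIJACKER_AS))
```

Routers that only log ROV state instead of dropping invalids would still have followed the hijack, which is the "not everyone has implemented it yet" gap the comment describes.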
Russia vulnerable - kick until lifeless (Score:1)