How Rostelecom mistakenly redirected traffic to Google, AWS, Cloudflare, etc.

Earlier this week (April 1-5, 2020) traffic destined for more than 200 of the world's largest CDN and cloud providers was suspiciously redirected through Rostelecom (Russia's main telecommunications provider).

The incident affected more than 8,800 Internet traffic routes belonging to 200+ networks and lasted about an hour.

The affected companies are cloud and CDN providers, including big names such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner and Linode.

Technical details

The incident is a classic BGP hijack.

BGP stands for Border Gateway Protocol and is the de facto system used to route Internet traffic between the networks that make up the Internet.

The entire Internet routing system is still extremely fragile, because any participating network can simply "lie" and publish an advertisement (a BGP route) stating that the "Facebook servers" are on its network, and many providers will accept it as legitimate and send all Facebook traffic to the impostor's servers.

A bit of history

In the old days, before HTTPS was widely used to encrypt traffic, BGP hijacks allowed attackers to carry out man-in-the-middle attacks and intercept or modify Internet traffic.

Today, BGP hijacks are still dangerous because they allow an attacker to record traffic and analyze and decrypt it later, once the encryption used to protect it has been weakened by advances in cryptanalysis.

BGP hijacks have been a problem for the Internet backbone since the mid-90s, and efforts to strengthen the security of the BGP protocol have been made over the years, with projects such as ROV, RPKI and, most recently, MANRS.
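As an added example (not code from the original article), here is the origin check that RPKI-based Route Origin Validation (ROV, RFC 6811) applies to an announcement like the ones described above: a router compares the announced prefix and origin AS against signed ROAs and marks it Valid, Invalid or NotFound. The ROAs and announcements below are constructed using documentation prefixes and ASNs, not the real networks involved in this incident.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs."""
import ipaddress

# A ROA states: this origin AS may announce this prefix, with any
# prefix length up to maxLength. Constructed examples: documentation
# prefixes (RFC 5737 / RFC 3849) and documentation ASNs (RFC 5398).
ROAS = [
    ("203.0.113.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
    ("198.51.100.0/22", 24, 64497),
]

# Constructed announcements, as seen from a route collector.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),    # legitimate origin
    ("203.0.113.0/24", 64511),    # same prefix, foreign origin AS
    ("203.0.113.128/25", 64496),  # right origin, too specific
    ("198.51.100.0/23", 64497),   # within maxLength
    ("192.0.2.0/24", 64511),      # no ROA covers it at all
    ("2001:db8:1::/48", 64496),   # IPv6, within maxLength
]


def covering_roas(prefix, roas):
    """Return the ROAs whose prefix covers (equals or contains) `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append((roa_net, max_len, asn))
    return covering


def validate(prefix, origin_as, roas=ROAS):
    """RFC 6811 outcome: Valid, Invalid, or NotFound."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "NotFound"          # no ROA: ROV cannot judge this route
    for _roa_net, max_len, asn in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific


def find_invalid(announcements, roas=ROAS):
    """The announcements a ROV-enforcing router would drop."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) == "Invalid"]


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}  {validate(prefix, asn)}")
```

ROV only checks the origin AS, so a hijack that announces a prefix from a foreign AS is caught where a ROA exists, while a leak that keeps the legitimate origin in the AS path passes as Valid and needs path-based checks instead.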

However, adoption of these mechanisms is slow, and BGP hijacks continue to occur on a regular basis.

For example, in November 2018 a small Nigerian Internet service provider intercepted traffic destined for the Google network, and in June 2019 most of Europe's mobile traffic was redirected through China Telecom, the state-owned and largest telecom operator in China.

Rostelecom, a repeat offender

In the past, experts have repeatedly noted that not all BGP "hijackers" acted deliberately. Most incidents can be the result of human error: an operator made a typo when entering an ASN (the number by which Internet networks are identified) and accidentally captured that network's Internet traffic.

However, organizations that regularly monitor BGP hijackings, along with incidents that many experts call suspicious, suggest that these are often not just random errors.

China Telecom is currently considered the biggest offender on this front [1, 2].

Although Rostelecom (AS12389) is not involved in BGP "hijackings" as widespread as China Telecom's, it is also behind many similar suspicious incidents.

The last major Rostelecom hijack occurred in 2017, when BGP routes were hijacked for several of the world's largest financial institutions, including Visa, Mastercard, HSBC and many others.

At the time, Cisco BGPMon described the incident as "curious," since it apparently affected only financial services rather than random ASNs.

This time, things are less clear: BGPMon founder Andree Toonk doubts the Russian operator acted deliberately and tweeted that the "hijack" probably occurred after Rostelecom's internal traffic-management system accidentally leaked the wrong BGP routes onto the public Internet instead of keeping them within Rostelecom's internal network.

On the situation as a whole

As many Internet experts have noted in the past, a deliberate BGP hijack can look just like an accidental error, and no one can tell the difference.

BGP hijacks by state-controlled telecommunications operators in autocratic countries such as China and Russia will always be considered suspicious, primarily for political rather than technical reasons.

More links:
More about this route leak from April 2: habr.com/ru/company/qrator/blog/495274
Media coverage and Rostelecom's response: tjournal.ru/news/156008-zhurnalist-poprosil-rostelekom-obyasnit-peregruzku-seti-iz-za-karantina-press-sluzhba-otvetila-emu-a-potom-oskorbila
tech.slashdot.org/story/20/04/07/0018229/russian-telco-hijacked-internet-traffic-of-google-aws-cloudflare-and-others