Google BGP route leak was accidental, not hijacking
Despite early speculation, experts concluded the BGP route leak that sent Google traffic through China and Russia was due to an accidental misconfiguration and not malicious activity.
The infosec community seems primed to assume any problem on the internet that involves China and/or Russia is due to malicious activity, but the recent rerouting of Google traffic was merely an accident.
On Monday, various Google services were disrupted for 74 minutes after a Border Gateway Protocol (BGP) misconfiguration at MainOne, an internet service provider based in Nigeria, caused Google traffic to be routed through China and Russia. Similar BGP route leak issues in the past have been attacks aimed at stealing data or money. And early speculation from the infosec community assumed malicious intent in this case, as well.
However, malicious or not, the contents of the rerouted traffic should not have been at risk, as they were encrypted in transit with Transport Layer Security (TLS). A Google spokesperson also confirmed no Google services were compromised.
"We're aware that a portion of internet traffic was affected by incorrect routing of IP addresses, and access to some Google services was impacted," a Google spokesperson said in a statement. "The root cause of the issue was external to Google, and there was no compromise of Google services."
MainOne said the BGP route leak was due to a misconfiguration, and Cloudflare has since confirmed that diagnosis after inspecting its logs.
"While there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another," Tom Paseka, network strategy at Cloudflare, based in San Francisco, wrote in a blog post.
"It is worth explicitly stating: the fact that Google traffic was routed through Russia and China before getting to Nigeria and only then hitting the correct destination made it appear to some people that the misconfiguration was nefarious. We do not believe this to be the case," he continued. "Instead, this incident reflects a mistake that was not caught by appropriate network filtering. There was too much trust and not enough verification across a number of networks: this is a systemic problem that makes the Internet more vulnerable to mistakes than it should be."
Jake Williams, founder and president of Rendition Infosec, based in Augusta, Ga., left open the possibility that the BGP route leak was malicious.
I'll take the Nigerians at their word that they didn't intentionally hijack the BGP routes. But if I were China and wanted plausible deniability, I'd use an ISP in a country known for corruption. TL;DR don't take everything at face value. https://t.co/u6dCb6u7u9
— Jake Williams (@MalwareJake) November 14, 2018
Many experts, like Rob Joyce, former head of the National Security Agency's Tailored Access Operations and former security adviser to the White House, accepted the explanation by MainOne and noted there have been long-standing security concerns with BGP.
I hope this latest fiasco of traffic rerouting through China is the wakeup call for all of us to get serious about addressing the massive and unacceptable vulnerability inherent in today's BGP routing architecture. https://t.co/dSTVIOltsF
— Rob Joyce (@RGB_Lights) November 13, 2018
Kevin Beaumont, a security architect based in the U.K., agreed with Joyce.
Rob's spot on here. BGP needs some serious work - NTT blindly accepting a BGP change in the US from a tiny company in Africa which routed Google Cloud to China (via Russia too) is a continued sign this one needs some focus. https://t.co/ItCNjQWKGb
— Kevin Beaumont (@GossiTheDog) November 13, 2018
Experts contend that while a BGP route leak can occur due to an accidental misconfiguration -- as appears to be the case with the recent Google outage -- a lack of validation of BGP routing data continues to leave open the potential for hijacking attacks. Cloudflare and others have for years recommended using Resource Public Key Infrastructure (RPKI) to cryptographically sign and validate internet routes.
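To show what the route validation recommended above actually checks, here is an added example (not code from Cloudflare, MainOne or Google) of RPKI Route Origin Validation as specified in RFC 6811: each announcement is compared against the Route Origin Authorizations (ROAs) that cover it and classified as valid, invalid or not found. The ROA set and announcements are constructed from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, not real routing data.

```python
"""RPKI Route Origin Validation (RFC 6811) over a constructed ROA set.

Added illustration; the ROAs and announcements below are constructed
(documentation prefixes and ASNs), not data from the Google incident.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the origin may announce
    origin_as: int   # AS authorised to originate the prefix


def validate_origin(announced_prefix: str, origin_as: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one BGP announcement."""
    route = ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the route when the route equals the ROA prefix or is
        # a more-specific of it (RFC 6811 section 2).
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches when the origin AS agrees and the route is
        # no longer than maxLength; one match is enough for 'valid'.
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: the route is invalid.
    return "invalid" if covered else "not_found"


# Constructed ROA set: AS64500 is the legitimate origin of 192.0.2.0/24.
ROAS = [ROA("192.0.2.0/24", 24, 64500)]

# Constructed announcements: the legitimate one plus bad ones a router
# running ROV would reject, and one prefix with no ROA at all.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),    # legitimate origin         -> valid
    ("192.0.2.0/24", 64511),    # wrong origin AS           -> invalid
    ("192.0.2.0/25", 64500),    # more specific than max    -> invalid
    ("203.0.113.0/24", 64501),  # no covering ROA           -> not_found
]


def rov_report(announcements=ANNOUNCEMENTS, roas=ROAS):
    """Validate every announcement; routers typically drop the 'invalid' ones."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for (prefix, asn), state in rov_report().items():
        print(f"{prefix} from AS{asn}: {state}")
```

ROV checks only the origin AS and prefix length, so a leak that re-announces a route with its legitimate origin and prefix unchanged passes validation; that is why the peer-level filtering Cloudflare's post calls for still matters alongside RPKI.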