Hey, don't route the messenger! Telegram redirected through Iran by baffling BGP leak

Updated A bunch of Telegram messages went the long way round on Monday: a BGP leak sent people's Telegram chat communications via systems in Iran.

Flagged by OpenDNS's BGPMon as a possible BGP hijack, the cockup could also have been a simple case of a sysadmin typo, since the redirection of packets only lasted two hours and fifteen minutes.

Essentially, ten Telegram route prefixes, among more than 100 prefixes, were run through networks in Iran rather than, well, where they normally go. Most of the other routes were owned by Iranian networks.

The temporary redrawing of the internet's highways was triggered by a BGP announcement from incumbent telco Telecommunications Company of Iran's ASN 58224 network.

For those who don't know: BGP, aka the Border Gateway Protocol, is the mechanism that glues the internet as we know it together. It is used by the 'net's routers and switches to direct packets of data around the world so that when you, say, try to visit a website, your computer or handheld connects to the correct server.

Oracle's Internet Intelligence team tweeted:

At 06:28 UTC earlier today (30-Jul), an Iranian state telecom network briefly leaked over 100 prefixes. Most were Iranian networks, but the leak also included 10 prefixes of popular messaging app @telegram (8 were more-specifics). pic.twitter.com/MjN2itdpTS

— InternetIntelligence (@InternetIntel) July 30, 2018

BGP fat-thumb events are extremely common. The BGP Stream homepage currently lists 1,680 events since June 16, of which 223 are described as “BGP leak” and 540 as “possible hijack.”

However, speculation that this redirection was deliberate stems from Iran's well-known hostility to Telegram: the rerouting therefore could either be an attempt to eavesdrop on the encrypted chats by intercepting packets, or block users of the software in the county by black-holing them – assuming the switch-a-roo was deliberate.

In 2016, Iran's Supreme Council of Cyberspace banned the encrypted messenger application, and the nation's government has tried to get the app maker to hand over details of its estimated 20 million users in the country. During deadly street protests at the end of 2017 and the start of 2018, Telegram was swept up in widespread internet blockades in the country.

Earlier this month, Oracle Internet Intelligence reported on a two-day internet outage in nearby Iraq, also attributed to a government response to a week of anti-corruption protests. During the state of emergency, the government shut down Iraq's incoming fibre connection.

The ancient BGP route distribution protocol has long been criticized for being too easy for the careless or malicious to pipe internet traffic where it shouldn't go. Initiatives such as MANRS (Mutually Agreed Norms for Routing Security) and ARTEMIS (Automatic and Real-Time dEtection and MItigation System) offer ways to improve BGP. However, internet infrastructure changes slowly.

Better security for BGP was on the agenda at July's IETF 102 meeting – Geoff Huston summarises the discussions at length here – but we're a long way from getting rid of fat fingers, route leaks, hijacks, and black holes. ®

Updated to add

Iran's comms minister Mohammad-Javad Azari Jahromi has reportedly ordered an inquiry into the cockup.