Aussie telco Telstra says soz after accidentally diverting traffic meant for encrypted email biz through its servers
Resource Public Key Infrastructure now, bellows ProtonMail
Aussie telco Telstra has apologised after a Border Gateway Protocol (BGP) routing oddity caused traffic destined for encrypted email service ProtonMail to wrongly pass through Telstra's servers.
Switzerland-headquartered ProtonMail raged in a blog post that Telstra had engaged in "BGP hijacking" through what it described as "incompetence and not malice", complaining that "around 30 per cent of the global internet looking for us got pointed to Telstra instead".
Despite the "hijacking", ProtonMail's operators were "able to divert all mail and web traffic along unimpacted internet routes" and "no user data was lost or breached", so all was well. By falling back to backup subnets "and IPs which were not being hijacked", the email provider was able to shift "the bulk of our traffic" back onto non-Telstra sources.
BGP hijacking, as Reg readers know, exploits the way the internet is designed to route packets from sender to destination: BGP announcements are accepted largely on trust, with no built-in check that the network announcing an address block actually holds it. To oversimplify it a bit, routers prefer the most specific announcement covering a destination and, between announcements of the same block, the one with the shortest path through other networks (subject to local policy); nothing in the protocol measures actual speed. This relies on the digital equivalent of network operators putting up signs saying "motorway over here!" If somebody wants to divert internet traffic, say a malicious person or state-sponsored agency, or indeed a telco with a mis-loaded config, they can put up their own sign saying "motorway over here, and it runs straight to your destination!" to scoop some of that traffic for themselves.
The process is explained in technical detail on Bishop Fox Labs' website, which states: "Internet-level BGP hijacking is performed by configuring an edge router to announce prefixes that have not been assigned to it. If the malicious announcement is more specific than the legitimate one, or claims to offer a shorter path, the traffic may be directed to the attacker."
A Telstra spokesman told The Register: "Due to a technical error early on Wednesday morning (AEST), approximately 500 IPv4 prefixes were incorrectly advertised as Telstra's. The incident was triggered by Telstra running post verification testing to address an unrelated software bug in Telstra Internet Direct provisioning tools. A previous test verification prefix-set was incorrectly loaded against a production service. This resulted in the network impact, due to the way BGP propagates."
He added that "minimal traffic was actually received by Telstra" and that the telco reversed the changes once it realised what it had done. The ISP apologised "for any service issues experienced by other parties".
ProtonMail also called for Resource Public Key Infrastructure (RPKI) to be implemented as a means of helping to prevent BGP hijacking, something Telstra's spokesman said the telco was "supportive" of – while pointing out that it was "not completely relevant for this issue".
El Reg went into some depth about RPKI when US regional internet registry ARIN proposed making it a binding part of all contracts it signs with operators. As we reported at the time: "RPKI allows ISPs to compare their internet routing tables with validated routes known to ARIN and the other [regional internet registries]. If there is a conflict – in that, an unexpected and non-validated route for internet traffic opens up – then either someone has misconfigured their network, or they are purposefully misrepresenting themselves online, possibly to intercept or block packets."
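To make both mechanisms concrete, here is an added worked example (not code from The Register, ProtonMail, Telstra or Bishop Fox) that models the best-path rules quoted above and the RPKI route-origin check described here. It keeps a toy routing table, shows a more-specific announcement and a shorter-path announcement both winning over the legitimate route, and then applies Route Origin Authorisations (ROAs) to drop the rogue announcements. All prefixes, ASNs and announcements are constructed: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges and the ASNs are from the private-use range, so none of this reflects real routing data.

```python
"""Toy BGP route selection plus RPKI origin validation (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # neighbour first, originating AS last

    @property
    def origin_as(self):
        return self.as_path[-1]


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network
    max_length: int  # longest prefix the origin may announce inside this block
    origin_as: int


def validate(route, roas):
    """Origin validation in the style of RFC 6811: 'valid', 'invalid' or 'notfound'.

    A route is valid if some covering ROA names its origin AS and its prefix is no
    longer than that ROA's maxLength; invalid if ROAs cover it but none match; and
    notfound if no ROA covers it at all (such routes are usually still accepted).
    """
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.origin_as == route.origin_as and route.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def best_path(routes):
    """Among routes for the same prefix prefer the shortest AS path (tie: lowest neighbour ASN)."""
    return min(routes, key=lambda r: (len(r.as_path), r.as_path[0]))


def select_routes(adj_rib_in, roas=None, drop_invalid=False):
    """Build the local routing table: optionally discard RPKI-invalid routes, then pick best per prefix."""
    by_prefix = {}
    for route in adj_rib_in:
        if drop_invalid and validate(route, roas or []) == "invalid":
            continue
        by_prefix.setdefault(route.prefix, []).append(route)
    return {p: best_path(rs) for p, rs in by_prefix.items()}


def lookup(loc_rib, address):
    """Forwarding lookup: the most specific (longest) matching prefix wins, whatever its path length."""
    addr = ipaddress.IPv4Address(address)
    matches = [p for p in loc_rib if addr in p]
    if not matches:
        return None
    return loc_rib[max(matches, key=lambda p: p.prefixlen)]


# Constructed sample announcements as seen by one network; not real routing data.
LEGIT_AS, HIJACKER_AS = 64496, 64500
ADJ_RIB_IN = [
    Route(ipaddress.ip_network("203.0.113.0/24"), (64497, 64498, LEGIT_AS)),  # legitimate route
    Route(ipaddress.ip_network("203.0.113.0/25"), (64499, HIJACKER_AS)),      # more-specific hijack
    Route(ipaddress.ip_network("203.0.113.0/24"), (64499, HIJACKER_AS)),      # shorter-path hijack
    Route(ipaddress.ip_network("198.51.100.0/24"), (64499, HIJACKER_AS)),     # block with no ROA
]
ROAS = [ROA(ipaddress.ip_network("203.0.113.0/24"), 24, LEGIT_AS)]
# A forged-origin hijack: the attacker prepends the legitimate origin AS to the path it announces.
FORGED_ORIGIN = Route(ipaddress.ip_network("203.0.113.0/24"), (64499, HIJACKER_AS, LEGIT_AS))


def origin_for(address, drop_invalid):
    """Which AS the toy network would hand traffic for `address` to, with or without RPKI filtering."""
    route = lookup(select_routes(ADJ_RIB_IN, ROAS, drop_invalid), address)
    return route.origin_as if route else None


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.200", "198.51.100.1"):
        print(addr, "no RPKI ->", origin_for(addr, False), "| RPKI ->", origin_for(addr, True))
    print("forged-origin route validates as:", validate(FORGED_ORIGIN, ROAS))
```

Without filtering, traffic for 203.0.113.10 follows the /25 because it is more specific, and traffic for 203.0.113.200 follows the hijacker's /24 because its path is shorter; with origin validation both rogue announcements are invalid and the legitimate route is used again. The last line is the caveat a practitioner should keep in mind: RPKI checks only the origin, so an announcement that fakes the legitimate origin AS at the end of its path still validates, and prefixes without a ROA are never rejected.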
For now it seems that BGP hijacks, whether intentional or not, will remain part of internet life. ®