Apple network traffic takes mysterious detour through Russia
Land of Putin capable of attacking routes in cyberspace as well as real world
Apple's internet traffic took an unwelcome detour through Russian networking equipment for about twelve hours between July 26 and July 27.
In a write-up for MANRS (Mutually Agreed Norms for Routing Security), a public interest group that looks after internet routing, Internet Society senior internet technology manager Aftab Siddiqui said that Russia's Rostelecom started announcing routes for part of Apple's network on Tuesday, a practice referred to as BGP (Border Gateway Protocol) hijacking.
BGP is the glue that links multiple networks together to form the internet. Unfortunately, the protocol is too credulous. When an autonomous system (AS) – a group of networks managed by a single entity – announces routes for groups of IP addresses (IP prefixes) that it does not own, internet traffic will generally adapt to those routes if the rogue announcement isn't filtered out.
Some bad route announcements are accidental and a result of something like a configuration blunder, and some announcements are straight-up malicious.
For example, in 2018 cyberthieves used BGP hijacking to meddle with Amazon's Route 53 DNS service and redirect internet traffic from a cryptocurrency website to a phishing site hosted in Russia.
The redirection of Apple's networking traffic began about 2125 UTC on Tuesday, according to Siddiqui, when Rostelecom’s AS12389 network began announcing 126.96.36.199/19, which is part of Apple's 188.8.131.52/8 block. The /19 block is usually announced as part of Apple's 184.108.40.206/9 range, according to MANRS.
The routing change was detected by BGPstream.com (Cisco Works), which identified the affected block as belonging to AS714 APPLE-ENGINEERING, US, and by GRIP Internet Intel (GA Tech). It lasted just over 12 hours.
Apple did not respond to a request for comment and The Register is unaware of any public statement the company may have made about the hijacking of its network traffic.
"It is not clear which services were impacted by this incident," said Siddiqui. "Unless we get more details from Apple or other researchers, we can only guess."
Siddiqui said Rostelecom (AS12389) has been involved in previous BGP hijackings, and emphasized that network operators should implement effective route filtering based on reliable information to thwart these shenanigans.
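To make the mechanism concrete, here is an added illustration (not code from the article, MANRS or Apple): a toy longest-prefix-match router showing why a more-specific announcement like the /19 in the incident above wins over the legitimate aggregate, and how route-origin filtering built on reliable data, as Siddiqui recommends, rejects it. The prefixes, the ROA and the unrelated third announcement are constructed documentation-range values; the AS numbers are the ones the article names.

```python
import ipaddress

# Constructed example, not the article's own data: a legitimate aggregate and a rogue
# more-specific from a different origin, using documentation address space.
LEGIT_AS = 714      # AS714 APPLE-ENGINEERING, the legitimate origin named in the article
ROGUE_AS = 12389    # AS12389 Rostelecom, the announcing network named in the article

# Route Origin Authorizations: (prefix, maxLength, authorized origin AS). This is the
# "reliable information" a filter is built from (RPKI, or well-maintained IRR data).
ROAS = [("203.0.113.0/24", 24, LEGIT_AS)]

# Constructed BGP announcements as seen by a third-party router.
ANNOUNCEMENTS = [
    {"prefix": "203.0.113.0/24", "origin": LEGIT_AS},    # legitimate aggregate
    {"prefix": "203.0.113.128/25", "origin": ROGUE_AS},  # rogue, more specific
    {"prefix": "198.51.100.0/24", "origin": 64496},      # unrelated, no ROA at all
]


def rov_state(prefix, origin_as, roas=ROAS):
    """RPKI route-origin validation result: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if asn == origin_as and net.prefixlen <= max_len:
                return "valid"
    # Covered by a ROA but wrong origin/length -> invalid; no covering ROA -> not-found.
    return "invalid" if covered else "not-found"


def best_route(dest_ip, announcements):
    """Longest-prefix match: the most specific covering announcement wins, whoever sent it."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [a for a in announcements if ip in ipaddress.ip_network(a["prefix"])]
    if not matching:
        return None
    return max(matching, key=lambda a: ipaddress.ip_network(a["prefix"]).prefixlen)


def filter_invalid(announcements, roas=ROAS):
    """Drop RPKI-invalid announcements; 'not-found' routes are kept, the usual policy."""
    return [a for a in announcements if rov_state(a["prefix"], a["origin"], roas) != "invalid"]


if __name__ == "__main__":
    host = "203.0.113.200"
    print("unfiltered origin:", best_route(host, ANNOUNCEMENTS)["origin"])  # 12389, hijack wins
    print("filtered origin:  ", best_route(host, filter_invalid(ANNOUNCEMENTS))["origin"])  # 714
```

Note the caveat the third announcement shows: a prefix with no ROA at all is only 'not-found', so origin validation protects just the address space whose owners have published ROAs.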
The Register asked MANRS whether anyone there had heard anything from Apple since its post was published and a spokesperson replied, "We have not heard anything from Apple yet on this issue. The MANRS team is reaching out privately to learn more about the incident."
In 2020, Cloudflare created the website Is BGP safe yet? while knowing full well that it is not. At the time this story was filed, the answer to that question was still, "No." ®