OK Google, why was your web traffic hijacked and routed through China, Russia today?

BGP hijacking committed 'grand theft internet'


Updated: People's connections in the US to Google – including its cloud, YouTube, and other websites – were suddenly rerouted through Russia and into China in a textbook Border Gateway Protocol (BGP) hijack.

That means folks in Texas, California, Ohio, and so on, firing up their browsers and software to connect to Google and its services were instead meandering through systems in Russia and China, and not reaching servers belonging to the Silicon Valley giant. Netizens outside of America may also have been affected.

The Chocolate Factory confirmed that for a period on Monday afternoon, from 1312 to 1435 Pacific Time, connections to Google Cloud, its APIs, and websites were being diverted through IP addresses belonging to overseas ISPs. Sites and apps built on Google Cloud, such as Spotify, Nest, and Snapchat, were also brought down by the interception.

Specifically, network connectivity to Google was routed through TransTelekom in Russia (mskn17ra-lo1.transtelecom.net), and into a China Telecom gateway (ChinaTelecom-gw.transtelecom.net) that black-holed the packets. Both hostnames have since stopped resolving to IP addresses.

The black-hole effect meant Google and YouTube, and apps and sites that relied on Google Cloud, appeared to be offline to netizens. It is possible information not securely encrypted could have been intercepted by the aforementioned rogue nodes. However, our understanding is that, due to the black-hole effect, it's likely few if any connections were spied on: TCP connections would fail to establish, and no information would be transferred. That's the best-case scenario, at least.

Suspicious

Essentially, someone advertised to the core systems that direct the internet's highways that packets bound for Google IP addresses would be best served by going through TransTelekom and into China Telecom. How exactly routes are commandeered is explained here, and the technique is not new – it's just that the world's backbone networks hope it doesn't happen too often. It's usually by accident, with one network inadvertently acting as a conduit for someone else's traffic, although it typically lasts a few seconds rather than more than an hour.
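The defender-side counterpart to the rerouting described above is route origin validation: comparing each BGP announcement a network observes against a table of Route Origin Authorizations (ROAs) that record which autonomous system may originate a prefix and how specific an announcement is allowed to be. The following is an added example, not code from the article, Google or ThousandEyes, implementing the RFC 6811 VALID/INVALID/NOT_FOUND logic in Python over a constructed sample. The ROAs, the observed routes and the "hijacking" ASNs (64496–64511 are reserved for documentation) are hypothetical; the prefixes are documentation ranges; AS15169 is Google's public ASN. The example also distinguishes the two hijack shapes worth alerting on separately: a foreign origin for a known prefix, and a more-specific announcement that would win the routing decision even with the right origin ASN attached.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix at up to max_length."""
    prefix: str
    max_length: int
    origin_as: int


# Hypothetical ROA table (constructed). 203.0.113.0/24 and 192.0.2.0/24 are
# documentation prefixes; 15169 is Google's public ASN, 64496 is a documentation ASN.
ROAS = (
    Roa("203.0.113.0/24", 24, 15169),  # only the exact /24 is authorised
    Roa("192.0.2.0/24", 25, 64496),    # the /24 or any /25 inside it is authorised
)

# Constructed BGP UPDATE observations: (announced prefix, AS_PATH as a plain tuple,
# last element = origin AS). 64500/64501 play the role of the unexpected originator.
SAMPLE_UPDATES = (
    ("203.0.113.0/24", (64496, 64497, 15169)),  # legitimate route
    ("203.0.113.0/24", (64496, 64500)),         # origin hijack: foreign ASN originates the prefix
    ("203.0.113.0/25", (64496, 15169)),         # more-specific hijack with the real origin ASN appended
    ("192.0.2.0/25", (64497, 64496)),           # legitimate /25, within maxLength
    ("198.51.100.0/24", (64496, 64501)),        # prefix with no ROA at all
)


def _covers(roa, net):
    """True when the announced network lies inside the ROA prefix (same IP version)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate_origin(announced, as_path, roas=ROAS):
    """RFC 6811 route origin validation.

    Assumes as_path is a flat sequence of ASNs (no AS_SET) whose last element is
    the origin. Returns "VALID", "INVALID" or "NOT_FOUND".
    """
    net = ipaddress.ip_network(announced, strict=False)
    origin = as_path[-1]
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "NOT_FOUND"
    for r in covering:
        if r.origin_as == origin and net.prefixlen <= r.max_length:
            return "VALID"
    return "INVALID"


def explain_invalid(announced, as_path, roas=ROAS):
    """Why an INVALID route failed: wrong origin, or too specific for every matching ROA."""
    net = ipaddress.ip_network(announced, strict=False)
    origin = as_path[-1]
    same_origin = [r for r in roas if _covers(r, net) and r.origin_as == origin]
    if same_origin:
        tightest = max(r.max_length for r in same_origin)
        return f"more specific (/{net.prefixlen}) than ROA maxLength /{tightest}"
    return f"origin AS{origin} not authorised by any covering ROA"


def scan_updates(updates, roas=ROAS):
    """Return (prefix, origin AS, state, reason) for every route that is not VALID."""
    alerts = []
    for announced, as_path in updates:
        state = validate_origin(announced, as_path, roas)
        if state == "VALID":
            continue
        if state == "NOT_FOUND":
            reason = "no ROA covers prefix"
        else:
            reason = explain_invalid(announced, as_path, roas)
        alerts.append((announced, as_path[-1], state, reason))
    return alerts


if __name__ == "__main__":
    for prefix, origin, state, reason in scan_updates(SAMPLE_UPDATES):
        print(f"{state:<9} {prefix:<18} origin AS{origin}: {reason}")
```

Run as a script it prints one line per suspicious route: the two INVALID announcements for the Google-like prefix (one with a foreign origin, one a /25 that is narrower than the ROA permits) and a NOT_FOUND for the prefix nobody has registered. In production the ROA table comes from RPKI validators and the updates from route collectors or the network's own BGP sessions; the decision logic is the same.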

"Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google," said the web ad giant, which declined to name names. "We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence."

The search goliath earlier noted:

We've received a report of an issue with Google Cloud Networking as of Monday, 2018-11-12 14:16 US/Pacific. We have reports of Google Cloud IP addresses being erroneously advertised by internet service providers other than Google. We will provide more information by Monday, 2018-11-12 15:00 US/Pacific.

While Google was hesitant to draw any conclusions, cloud security experts have little doubt that the BGP hijacking was intentional, rather than a brief typo in a config file or a fat finger in a terminal, and that the people behind it were almost certainly up to no good by intercepting Google Cloud connections.


"Our analysis is, given the size and scope and given the countries involved, it is highly unlikely it was accidental," Ameet Naik, senior technical marketing manager at cloud networking monitoring biz ThousandEyes, told The Register today.

"When you have an attack involving Google in countries like Russia and China, you might call that grand theft internet."

Naik said the packet thieves could have been looking to do anything from temporarily disabling Google platforms and APIs, to potentially snooping on traffic from users on Google's services. He noted that the same technique was used back in April to reroute Amazon cloud traffic in an attempt to get at crypto-currency wallets. China Telecom also has form in misdirecting traffic by advertising new routes.

Such BGP attacks can be trivial to pull off for miscreants within ISPs, or governments holding guns to telco admins' heads, given the open nature of BGP, which networks use to effectively route traffic between service providers around the world.

"The internet is built on such an open chain of trust that it is not hard for anybody to inject fake information," Naik said. "It really is that simple." ®

Updated to add

The BGP hijack was caused by a blunder at a West African ISP.
