OK Google, why was your web traffic hijacked and routed through China, Russia today?

BGP hijacking committed 'grand theft internet'


Updated People's connections in the US to Google – including its cloud, YouTube, and other websites – were suddenly rerouted through Russia and into China in a textbook Border Gateway Protocol (BGP) hijack.

That means folks in Texas, California, Ohio, and so on, firing up their browsers and software to connect to Google and its services were instead meandering through systems in Russia and China, and not reaching servers belonging to the Silicon Valley giant. Netizens outside of America may also have been affected.

The Chocolate Factory confirmed that for a period on Monday afternoon, from 1312 to 1435 Pacific Time, connections to Google Cloud, its APIs, and websites were being diverted through IP addresses belonging to overseas ISPs. Sites and apps built on Google Cloud, such as Spotify, Nest, and Snapchat, were also brought down by the interception.

Specifically, network connectivity to Google was routed through TransTelekom in Russia (mskn17ra-lo1.transtelecom.net), and into a China Telecom gateway (ChinaTelecom-gw.transtelecom.net) that black-holed the packets. Both hostnames have since stopped resolving to IP addresses.

The black-hole effect meant Google and YouTube, and apps and sites that relied on Google Cloud, appeared to be offline to netizens. It is possible information not securely encrypted could have been intercepted by the aforementioned rogue nodes; however, our understanding is that, due to the black-hole effect, few if any connections were spied on: TCP connections would fail to establish, and no information would be transferred. That's the best case scenario, at least.

Suspicious

Essentially, someone advertised to the core systems that direct the internet's highways that packets bound for Google IP addresses would be best served by going through TransTelekom and into China Telecom. How exactly routes are commandeered is explained here, and the technique is not new – it's just that the world's backbone networks hope it doesn't happen too often. It's usually by accident, with one network inadvertently acting as a conduit for someone else's traffic, although it typically lasts a few seconds rather than more than an hour.
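The defensive counterpart to what is described above is Route Origin Validation: compare each BGP announcement's origin AS against the ROA-style authorizations the prefix holder has published, and flag announcements that a foreign or overly specific origin would produce. The following is an added example, not code from the article or from any of the networks it names; every prefix and AS number in it is a constructed documentation or private-use value.

```python
import ipaddress

# Constructed ROA-style authorizations (prefix, max length, authorized origin AS).
# Documentation prefixes and private-use ASNs only; none map to the real networks
# in the story.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64500),
]

def rov_state(prefix, as_path, roas=ROAS):
    """RPKI-style Route Origin Validation (RFC 6811 semantics).

    'valid'   - a covering ROA authorizes the origin AS (last AS in the path)
                and the prefix is no longer than that ROA's max length
    'invalid' - ROAs cover the prefix but none authorize this announcement
    'unknown' - no ROA covers the prefix at all
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in roas]
    covering = [r for r in covering if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "unknown"
    if any(asn == origin and net.prefixlen <= maxlen for _, maxlen, asn in covering):
        return "valid"
    return "invalid"

def hijack_alerts(announcements, roas=ROAS):
    """Return (prefix, origin_as, path) for every announcement that fails ROV."""
    alerts = []
    for prefix, as_path in announcements:
        if rov_state(prefix, as_path, roas) == "invalid":
            alerts.append((prefix, as_path[-1], " ".join(map(str, as_path))))
    return alerts

# Constructed observations, in the shape a route collector would report them.
OBSERVED = [
    ("203.0.113.0/24", (64496, 64500)),          # legitimate origin
    ("203.0.113.0/24", (64496, 64497, 64501)),   # foreign origin: hijack or leak
    ("198.51.100.0/25", (64496, 64500)),         # right AS, but more specific than allowed
    ("192.0.2.0/24", (64496, 64502)),            # no ROA published: unknown, not alerted
]

if __name__ == "__main__":
    for prefix, origin, path in hijack_alerts(OBSERVED):
        print(f"ALERT {prefix} originated by AS{origin} via path {path}")
```

Note that the 'unknown' case is silent: a prefix holder that publishes no ROAs gives monitors nothing to validate against, which is why ROA coverage matters as much as the check itself.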

"Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google," said the web ad giant, which declined to name names. "We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence."

The search goliath earlier noted:

We've received a report of an issue with Google Cloud Networking as of Monday, 2018-11-12 14:16 US/Pacific. We have reports of Google Cloud IP addresses being erroneously advertised by internet service providers other than Google. We will provide more information by Monday, 2018-11-12 15:00 US/Pacific.

While Google was hesitant to draw any conclusions, cloud security experts have little doubt that the BGP hijacking was intentional, rather than a brief typo in a config file or a fat finger in a terminal, and that the people behind it were almost certainly up to no good by intercepting Google Cloud connections.


"Our analysis is, given the size and scope and given the countries involved, it is highly unlikely it was accidental," Ameet Naik, senior technical marketing manager at cloud networking monitoring biz ThousandEyes, told The Register today.

"When you have an attack involving Google in countries like Russia and China, you might call that grand theft internet."

Naik said the packet thieves could have been looking to do anything from temporarily disabling Google platforms and APIs, to potentially snooping on traffic from users on Google's services. He noted that the same technique was used back in April to reroute Amazon cloud traffic in an attempt to get at crypto-currency wallets. China Telecom also has form in misdirecting traffic by advertising new routes.

Such BGP attacks can be trivial to pull off for miscreants within ISPs, or governments holding guns to telco admins' heads, given the open nature of BGP, which networks use to effectively route traffic between service providers around the world.

"The internet is built on such an open chain of trust that it is not hard for anybody to inject fake information," Naik said. "It really is that simple." ®

Updated to add

The BGP hijack was caused by a blunder at a West African ISP.
