Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

4/25/2019
02:30 PM
Marc Laliberte
Marc Laliberte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How a Nigerian ISP Accidentally Hijacked the Internet

For 74 minutes, traffic destined for Google and Cloudflare services was routed through Russia and into the largest system of censorship in the world, China's Great Firewall.

On November 12, 2018, a small ISP in Nigeria made a mistake while updating its network infrastructure that highlights a critical flaw in the fabric of the Internet. The mistake effectively brought down Google — one of the largest tech companies in the world — for 74 minutes.

To understand what happened, we need to cover the basics of how Internet routing works. When I type, for example, HypotheticalDomain.com into my browser and hit enter, my computer creates a web request and sends it to Hypothtetical.Domain.com servers. These servers likely reside in a different state or country than I do. Therefore, my Internet service provider (ISP) must determine how to route my web browser's request to the server across the Internet. To maintain their routing tables, ISPs and Internet backbone companies use a protocol called Border Gateway Protocol (BGP).

BGP is a dynamic routing protocol, meaning it automatically updates routing tables as changes occur. The Internet isn't a single straight line from one point to another. There are generally a few different paths a connection can take from point A to point B. BGP's job is to decide which path is the "best" path (shortest) to reach any given destination network, and update routers accordingly. This path can change as routers are taken down and brought back up online. BGP handles all of these route changes automatically.

The Internet is broken up into a number of autonomous systems (ASs), exactly 6,3954 at this time of writing. Each AS is assigned an autonomous system number (ASN) by the Internet Assigned Numbers Authority (IANA). Your ISP has at least one ASN, likely even more. Big companies like Google also maintain their own border routing infrastructure and have their own ASN.

Autonomous systems form connections with their neighbors, called peers. Through these peer connections, ASs advertise the routes — or "network prefixes," as they are called — that they know how to reach. Neighbors forward on these advertisements to their other neighbors to propagate them across the Internet backbone. Eventually, because of these route advertisements, an ISP in Seattle can learn a route all the way to a web server hosted in Sydney.

Ground Zero: Internet Exchange Point, Nigeria
So, what exactly happened on November 12? It all starts with an organization called the Internet Exchange Point of Nigeria (IXPN). Internet exchange points (IXPs) are common, especially in developing countries. They provide a central location for regional ISPs to peer with each other and share data at reduced bandwidth costs. Without IXPs, regional ISPs might not have a direct connection with each other. This means traffic between them may travel an overly long distance, possibly even leaving the country before coming back in.

IXPs also act as a single point of connection for larger remote companies and services. In the case of IXPN, Google maintains a peering connection with participating Nigerian ISPs, allowing direct connections from their networks to Google's services. To facilitate this, Google announces its network prefixes (routes) to its ISP peers in Nigeria. Think of it like building a highway straight to Google instead of having to take a winding country road up through Europe.

These peering agreements and route advertisements are generally for the benefit of the ISPs and their customers alone, so they use route filters to prevent accidently advertising the prefixes beyond their own networks. Without these route filters, the ISP routers, using BGP, would continue to propagate the routes to their other neighbors across the Internet and risk changing how global Internet traffic routes to Google.

Next Stop China
On November 12, 2018, at around 21:13 UTC, MainOne Cable Company in Nigeria was performing routine maintenance on its routing infrastructure. During this maintenance, it accidently misconfigured its route filters, causing it to announce 212 Google prefixes (and several Cloudflare prefixes) to its other BGP neighbors.

China Telecom, one of MainOne's BGP peers, accepted the route advertisement and relayed it to its neighbors. Transtelecom, based in Russia, accepted this advertisement and relayed it to its peers. At this point, the advertisement had made it far enough into the Internet that many ASs began accepting it.

For around 74 minutes, most traffic destined for Google and Cloudflare services from around the world was routed through Russia, into China, and on to MainOne in Nigeria. Cloudflare was quick to spot the issue and update its routing topography to mitigate the problem. Many users attempting to access Google services, however, had their connections crash right into the largest system of censorship in the world, China's Great Firewall. Everyone else suffered extreme latency as their connections were routed across the world to Nigeria before reaching Google.

Why is this a big deal? This accident highlights a critical vulnerability in the fabric of the Internet. BGP relies on the trust system. Peers trust that their neighbors are advertising accurate routes. If a neighbor starts advertising routes to prefixes it doesn't own, it could start intercepting and man-in-the-middling connections to any connection it wants. A single small ISP from Nigeria managed to disrupt traffic to the largest company on the Internet because of a simple mistake. Now imagine what a malicious, coordinated BGP hijack could accomplish.

The good news is that there is a fix out there. Resource Public Key Infrastructure (RPKI) uses cryptographic signatures to authenticate BGP route advertisements, similar to how websites use certificates. Route origin validation (ROV) confirms that prefix advertisements come from the actual owner. Unfortunately, only 13% of advertised prefixes use RPKI, and less than 1% of ASs validate route advertisements. If our Internet service providers and other participants on the Internet backbone don't start adopting these standards soon, the next BGP hijack might not be an accident — and will likely be much worse.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.