
Yet another unfortunate event has focused attention on Border Gateway Protocol (BGP) internet routing. Due to a huge BGP leak that happened this weekend, connectivity was disrupted for thousands of major networks and websites around the world.

BGP, as described in RFC 1163 and RFC 1267, is the internet protocol that allows independently operated networks, known as autonomous systems (AS), to notify each other about their reachability.

Every time a BGP router announces reachability information (an IP prefix) to its neighbor, the freshly obtained information is compared against the router’s stored knowledge. If the new announcement provides a better way to get to an established network, the information is updated locally and the closest neighbors are notified.

In other words, networks all over the world can reach each other, constituting the elaborate topology of the international internet.

According to some sources, even though this BGP routing leak happened in Vodafone’s independent network (AS55410) located in India, it has also affected American organizations such as Google. The incident seems to have persisted from a little before 13:50 to around 14:00 UTC on April 16, 2021.

This incident only affected traffic for about 10 minutes, but during that time there were likely countless internet connection problems for users around the world.


Over the weekend, Cisco’s BGPMon noticed a discrepancy in the internet routing system, most likely indicating BGP hijacking activity. In an announcement, they stated:

Prefix 24.152.117.0/24, is normally announced by AS270497 RUTE MARIA DA CUNHA, BR.

But beginning at 2021-04-16 15:07:01, the same prefix (24.152.117.0/24) was also announced by ASN 55410.

BGP route hijacking happens when a malicious entity manages to “falsely advertise” to other routers that they own a specific set of IP addresses when they don’t. When this happens, chaos occurs.

In addition, Doug Madory, director of Internet analysis at Kentik, confirmed these findings, stating that the autonomous system ASN 55410 was seeing a 13-fold spike in inbound traffic directed to it.

This happened because the network wrongly announced that it held over 30,000 BGP prefixes or routes, when it didn’t, leading the internet to overload this network with traffic that was not intended to go through it.

The autonomous network (AS55410) is the property of Vodafone India Limited.

In an email interview, Doug told BleepingComputer that “Anyone trying to reach web resources configured with the IP addresses in the routes that were leaked would have had their traffic misdirected to AS55410 in India and then dropped.”

According to Madory, the effects of the BGP leak extended all over the world, even though it initially misdirected internet traffic for the 30,000+ announced routes and affected Indian internet customers.

Following the BGP leak, more than 20,000 prefixes belonging to global autonomous networks were affected, an analysis by a BGP expert shows.

A list of the ASNs impacted by the BGP leak


How Can You Protect Yourself Against a BGP Leak?

As the number of devices connected to the Internet is increasing, BGP hijacking can constitute a major security risk to the public Internet.

The benefits of deploying Border Gateway Protocol Security (BGPsec) can only be realized once a large number of Autonomous Systems (ASes) use it, which in turn depends on each AS’s business objectives.

Combining RPKI and prefix filtering can seriously reduce the number of BGP hijacking episodes and improve the general state of routing security, so it should be considered essential.
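
To show what RPKI-based filtering does with an announcement like the one in the BGPMon alert, here is a sketch of route origin validation as defined in RFC 6811. It is an added example, not code from BGPMon, Kentik or any router vendor. The ROA table and the sample updates are constructed, and the page does not say whether a ROA really exists for 24.152.117.0/24.

```python
import ipaddress

# Constructed ROA table: (prefix, max length, authorised origin ASN).
# Assumption: these entries are illustrative, not taken from the real RPKI.
ROAS = [
    ("24.152.117.0/24", 24, 270497),  # origin named as normal in the alert
    ("10.20.0.0/16", 20, 64501),      # private-use ASN, allows up to /20
]

def validate(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        if roa_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no match means wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_updates(updates, roas=ROAS):
    """Split updates into (accepted, rejected); only 'invalid' is rejected."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        origin = as_path[-1]  # origin AS is the last hop in the AS path
        state = validate(prefix, origin, roas)
        target = rejected if state == "invalid" else accepted
        target.append((prefix, origin, state))
    return accepted, rejected

# Constructed updates; the first two mirror the prefix and ASNs in the alert.
UPDATES = [
    ("24.152.117.0/24", [64510, 270497]),  # expected origin
    ("24.152.117.0/24", [64511, 55410]),   # second origin seen by BGPMon
    ("10.20.1.0/24", [64510, 64501]),      # right origin, longer than max length
    ("192.0.2.0/24", [64510, 64502]),      # no covering ROA
]

if __name__ == "__main__":
    ok, bad = filter_updates(UPDATES)
    for label, rows in (("accept", ok), ("reject", bad)):
        for prefix, origin, state in rows:
            print(f"{label}: {prefix} origin AS{origin} -> {state}")
```

Origin validation only checks the last AS in the path, so a leak that keeps the legitimate origin still passes it; that gap is what prefix filtering on each BGP session covers.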
