How Putin hijacked the BGP

Putin is being blamed for a lot of things these days. Hijacking a plane, Trump, the American elections, your grandmother’s cat. The latest on this list is probably the one that made the least headlines. However, it could prove to be the one with the most wide-ranging repercussions.

According to this report in Ars Technica, internet traffic destined for Visa, Mastercard and many other financial service providers was for a time routed through Rostelecom, a Russian government-controlled telecom provider.

Now, why does it matter that something as nebulous as internet traffic was routed through a Russian telecom provider? Why all the finger pointing about it being hijacked? And, by the way, what is internet traffic hijacking and how is it done? There are a lot of questions, and since this is no longer Soviet Russia, we shall get the answers.

What is BGP hijacking

Firstly, what is internet traffic hijacking or BGP hijacking?

Large companies such as financial organizations are continuously exchanging traffic containing sensitive information with their partners over the Internet. BGP hijacking happens when a malicious third party inserts itself into these regular communications by manipulating the Internet's core routing protocol: it announces address space it does not own, and the rest of the Internet starts sending the victim's traffic to it.

The Internet is a huge mesh of interconnected networks called autonomous systems (ASes). Most ASes are operated by organizations such as ISPs, companies, financial institutions and educational institutions. Reachability information is exchanged between these ASes through the Border Gateway Protocol (BGP): each AS announces the IP prefixes it can deliver traffic to, and its neighbours pass those announcements on to their neighbours. In some ways BGP is the traffic policeman of the Internet: it decides which route your traffic takes across the network. Crucially, plain BGP takes every announcement on trust; there is no built-in check that an AS actually owns the prefixes it announces.

Internet traffic hijacking can be done in a number of different ways. The one that appears to have been used in this case is to announce the victim's prefixes yourself (or more-specific sub-prefixes carved out of them), so that to the rest of the Internet your routers look like the legitimate destination.

BGP's route selection is more involved than "shortest path", but two rules matter here. First, forwarding always follows the most specific (longest) matching prefix, so a hijacker who announces a /25 out of the victim's /24 captures that half of the block no matter how well the /24 itself is routed. Second, among competing routes for the same prefix, a router prefers the one its operator's policy favours (local preference) and, after that, the one with the fewest AS hops in its path. A hijacked route that is fewer hops away from a given network will therefore win at that network.

Companies or organizations exchanging sensitive information do influence BGP routing, so that their traffic travels over paths whose hops are their authorized partners. They also try to avoid certain geographical regions (I'm looking at you, China). All of these partners announce the prefixes they own through BGP, and everyone else's routing decisions are built on top of those announcements.
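To make the two rules above concrete, here is a toy model of BGP route selection. It is an added example, not code from the original post or from any router vendor: the AS numbers (64500 to 64666, from the private range), the prefixes (203.0.113.0/24, a documentation block) and the neighbours are all constructed, and the decision process is reduced to local preference followed by AS path length. It walks through a legitimate route, a more-specific hijack, an exact-prefix hijack with a shorter path, and what operator policy can and cannot do about each.

```python
"""Toy BGP route selection, to show why a hijack announcement wins.

Added example, not from the original post or any vendor. AS numbers and
prefixes are constructed. The decision process is a simplification of
real BGP: LOCAL_PREF first, then AS_PATH length.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str            # announced prefix, e.g. "203.0.113.0/24"
    as_path: tuple         # AS_PATH as we received it; the last element is the origin AS
    local_pref: int = 100  # operator policy knob; higher wins before anything else

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


class Rib:
    """Every route we heard, plus BGP best-path selection and longest-prefix lookup."""

    def __init__(self):
        self.routes = {}  # prefix string -> list of Route

    def receive(self, route: Route) -> None:
        self.routes.setdefault(route.prefix, []).append(route)

    def best(self, prefix: str) -> Route:
        # Simplified BGP decision process: higher LOCAL_PREF, then shorter
        # AS_PATH. Real routers apply several more tie-breakers after these.
        return max(self.routes[prefix], key=lambda r: (r.local_pref, -len(r.as_path)))

    def lookup(self, dst: str):
        """Forwarding lookup: longest matching prefix first, then that prefix's best route."""
        addr = ip_address(dst)
        covering = [ip_network(p) for p in self.routes if addr in ip_network(p)]
        if not covering:
            return None
        longest = max(covering, key=lambda n: n.prefixlen)
        return self.best(str(longest))


def demo() -> dict:
    """Victim AS 64500 originates 203.0.113.0/24; AS 64666 plays the hijacker (constructed)."""
    rib = Rib()
    result = {}

    # Legitimate route, two AS hops away from us.
    rib.receive(Route("203.0.113.0/24", (64510, 64500)))
    result["before"] = rib.lookup("203.0.113.10").origin_as

    # Hijack 1: a more-specific /25 with a LONGER AS path. Longest-prefix match
    # happens before BGP's path comparison, so the hijacker wins anyway.
    rib.receive(Route("203.0.113.0/25", (64520, 64530, 64666)))
    result["more_specific"] = rib.lookup("203.0.113.10").origin_as

    # Hijack 2: the exact /24 with a shorter AS path takes the other half of the block.
    rib.receive(Route("203.0.113.0/24", (64666,)))
    result["exact_prefix"] = rib.lookup("203.0.113.200").origin_as

    # Defence by policy: prefer the trusted neighbour with a higher LOCAL_PREF.
    # That recovers the /24 but does nothing against the more-specific /25.
    rib.receive(Route("203.0.113.0/24", (64510, 64500), local_pref=200))
    result["exact_prefix_with_policy"] = rib.lookup("203.0.113.200").origin_as
    result["more_specific_with_policy"] = rib.lookup("203.0.113.10").origin_as
    return result


if __name__ == "__main__":
    for step, origin in demo().items():
        print(f"{step:28s} traffic goes to AS{origin}")
```

The lesson of the last two steps is the one operators learn the hard way: local preference on a trusted neighbour protects the prefixes you announce, but a more-specific announcement from anywhere on the Internet bypasses it entirely, which is why monitoring for more-specifics of your own space matters as much as policy.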

Russian BGP hijacking case

What seems to have happened in the Russian BGP hijacking case is that Rostelecom suddenly announced ownership of certain prefixes belonging to Visa, Mastercard, Symantec and a number of other financial organizations. Other networks accepted those announcements, and new paths were created with Rostelecom's routers as one of the hops.

This means that the confidential traffic exchanged between these companies and their partners was flowing right under the noses of Rostelecom's engineers. Even where that traffic was encrypted, it gave them an unobstructed view of who was connecting to whom, when, and how much. Where it was unencrypted, they could also read it and potentially manipulate it.

Whether the hijack was intentional or the result of a misconfiguration in Rostelecom's routing tables, it makes the case for tighter control over BGP routing. For too long organizations have sent their traffic into the dark corners of the Internet without any visibility into the actual route it follows. That leaves all kinds of chinks in their armour where their traffic can be intercepted or manipulated. The practical controls are known: monitor how your own prefixes are being announced across the Internet, and publish the authorization (a Route Origin Authorization, in RPKI) that lets other networks reject announcements of your space from the wrong origin AS.
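The check that would have flagged this incident is route origin validation: compare each announcement seen by a monitoring feed against the origin that is actually authorized to announce that space. The example below is added here and is not from the original post or from any RPKI software; its classification into valid, invalid and not-found follows the RPKI origin-validation rules (RFC 6811), but the authorization table, AS numbers and observed announcements are constructed for illustration.

```python
"""Route origin validation over a sample of observed announcements.

Added example, not from the original post. The three states follow RPKI
origin validation (RFC 6811); the ROA table, AS numbers and observed
announcements are constructed.
"""
from ipaddress import ip_network

# Constructed authorizations in the shape of RPKI ROAs:
# prefix -> (authorized origin AS, maximum prefix length that origin may announce)
ROAS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

# Constructed announcements, as a route collector or BGP monitoring feed would report them
OBSERVED = [
    ("203.0.113.0/24", 64500),   # the legitimate origin
    ("203.0.113.0/25", 64500),   # right origin, but more specific than the ROA allows
    ("203.0.113.0/24", 64666),   # unauthorized origin: the hijack pattern in this story
    ("198.51.100.0/24", 64501),  # more specific than the ROA prefix, but within maxLength
    ("192.0.2.0/24", 64502),     # no ROA covers it, so nothing can be concluded
]


def rov_state(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as valid, invalid or not-found against the ROA table."""
    announced = ip_network(prefix)
    # A ROA covers the announcement when the announced prefix lies inside the ROA prefix.
    covering = [(asn, maxlen) for p, (asn, maxlen) in roas.items()
                if announced.subnet_of(ip_network(p))]
    if not covering:
        return "not-found"
    # Valid if any covering ROA names this origin and permits this prefix length;
    # covered but matched by no ROA means invalid.
    if any(asn == origin_as and announced.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    return "invalid"


def audit(observed=OBSERVED, roas=ROAS):
    """Return every announcement with its validation state."""
    return [(p, asn, rov_state(p, asn, roas)) for p, asn in observed]


def alarms(observed=OBSERVED, roas=ROAS):
    """The announcements an operator should drop at the border or alarm on."""
    return [(p, asn) for p, asn, state in audit(observed, roas) if state == "invalid"]


if __name__ == "__main__":
    for prefix, asn, state in audit():
        print(f"{prefix:18s} origin AS{asn:<6d} {state}")
```

Run against a real feed, the "invalid" list is exactly what a hijack of your space looks like from the outside: your prefix, or a more-specific of it, with somebody else's AS as origin. "Not-found" is not a clean bill of health; it only means nobody has published an authorization for that space yet.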

Controlling which ISPs carry your traffic, and the routes it takes to get there, is particularly important for companies exchanging sensitive information over the public Internet.

Story by Datapath.io.