Recent Russian Routing Leak was Largely Preventable

Last week, the IP address space belonging to several high-profile companies, including Google, Facebook and Apple, was briefly announced out of Russia, as was first reported by BGPmon.

Following the incident, Job Snijders of NTT wrote in a post entitled, “What to do about BGP hijacks”. He stated that, given the inherent security weaknesses in BGP, things will only improve “the moment it becomes socially unacceptable to operate an Internet network without adequate protections in place” and thus customers would stop buying transit from providers that operate without proper route filtering.

Since Job has presented at NANOG about the various filtering methods employed by NTT, I decided to look into how well NTT (AS2914) did in this particular incident. While a handful of the 80 misdirected routes were ultimately carried on by AS2914 to the greater internet, NTT didn’t contribute to the leaking of any of the major internet companies, such as Facebook, Google, Apple, etc. In fact, when one analyzes the propagation of every one of these leaked routes, a pattern begins to emerge.

Route Leaks by AS39523

On 12 December 2017, AS39523 announced 80 prefixes (only one of which was theirs) for two different 3–4 minute intervals. Below is a visualization of the origins of these prefixes over a three hour span, highlighting the portion that was originated by AS39523. Some prefixes were in circulation already, but some were either more-specifics or less-specifics that were not normally routed — that’s why there are peaks into the white space of the graph when we aggregate across all of the prefixes.

Regardless, AS39523 announced all these routes through Russian transit provider Megafon (AS31133). In Dyn’s IP Transit Intelligence, we track seven international transit providers for Megafon, namely, Cogent, Level3, Deutsche Telekom, Telecom Italia Sparkle, NTT, Hurricane Electric and Telia.

The leaked Russian networks were carried by all of Megafon’s transit providers such as this prefix from Rostelecom (Russian state telecom).

But when it came to prefixes belonging to Facebook, Google (and YouTube), Microsoft, Twitch, Apple, and Riotgames, only Hurricane Electric, among Megafon’s transit providers, carried these routes on to the greater internet. Many of Megafon’s settlement-free peers also accepted these errant routes, but without nearly the global impact.

In the three graphics below, we can see propagation profiles of three prefixes (66.249.80.0/20 of Google, 17.0.0.0/8 of Apple, and 104.237.160.0/19 of YouTube) that were leaked via Megafon. After placing Megafon’s various peers into the “Other” category, Hurricane Electric is the only transit provider that appeared upstream of AS31133 during the leaks.

Yesterday I contacted Telia who confirmed to me that, like NTT, it was their route filtering that prevented them from carrying the leaked prefixes from the major internet companies. Considering all seven of Megafon’s international transit providers, it appears that Hurricane Electric was alone in failing to implement the type of route filtering that would have prevented this leak from being circulated across the broader internet.

Conclusion

If we can aside the “Russia Attacks!” rhetoric around this incident, there are some things we can learn from it. For example, providers need to be more parsimonious in their AS-SET definitions. As Qrator Labs cited in their write-up on this incident, some providers have added so many ASNs to their AS-SETs to render them useless as a tool for route filtering.

But despite this limitation, 6 of the 7 transit providers for Megafon were still able to block erroneous BGP announcements pertaining to numerous major internet companies. Had the 7th also done so, we might not all be discussing this incident at all.

Originally published at blogs.oracle.com on December 22, 2017.