On Monday, traffic bound for Google was routed through unexpected networks and gateways, raising suspicions that it had been hijacked.
Network monitoring company ThousandEyes tweeted on Monday evening, “BREAKING: Potential hijack underway. ThousandEyes detected intermittent availability issues to Google services from some locations. Traffic to certain Google destinations appears to be routed through an ISP in Russia & black-holed at a China Telecom gateway router.”
— ThousandEyes (@thousandeyes) November 12, 2018
The incident saw traffic for numerous Google services rerouted through foreign providers, causing an outage for some users and, in ThousandEyes’ words, “put[ting] valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance.”
“Our analysis indicates that the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom,” ThousandEyes said. “MainOne has a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom. These leaked routes propagated from China Telecom, via TransTelecom to NTT and other transit ISPs.”
“We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns,” ThousandEyes added.
ThousandEyes also said that the issue primarily affected “business-grade transit providers” rather than consumer networks.
Google first reported connectivity issues on Monday afternoon and declared the issue resolved some 35 minutes later.
“The issue with Google Cloud IP addresses being erroneously advertised by internet service providers other than Google has been resolved for all affected users as of 14:35 US/Pacific,” Google stated. “Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence.”
Nigerian telecom company MainOne accepted responsibility for the incident, attributing the leak to a misconfigured BGP filter during a planned network upgrade rather than to any vulnerability.
“We have investigated the advertisement of @Google prefixes through one of our upstream partners. This was an error during a planned network upgrade due to a misconfiguration on our BGP filters. The error was corrected within 74mins & processes put in place to avoid reoccurrence,” MainOne tweeted.
— MainOne (@Mainoneservice) November 13, 2018
Just last week, two reports revealed that China had hijacked global web traffic using points of presence (PoPs) inside North American networks to divert it and copy valuable information from it.
The internet is a mesh of independently operated networks (autonomous systems), most of which are not directly connected to one another. To reach a destination, each network relies on the route announcements it receives from its neighbours over the Border Gateway Protocol (BGP), and it chooses among them by longest matching prefix and then by shortest AS path and local policy, not by measured speed.
China was able to divert traffic through BGP hijacking: announcing, from its own network, routes for address space it does not own, or routes that look shorter or more specific than the legitimate ones. Because BGP has no built-in check that an announcement is authorised, neighbouring networks accept the announcement as the best path and propagate it, pulling traffic toward the hijacker.
It’s unclear whether the same tactic was used in this week’s traffic diversion; MainOne has described it as an accidental route leak caused by a filter misconfiguration rather than a deliberate hijack.
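The mechanics described above, and the difference between the deliberate hijack the reports describe and the accidental leak MainOne admitted to, can be shown with a small model of BGP route selection. The following is an added example, not code from the article or from ThousandEyes, MainOne or Google: the AS names, the prefixes (taken from the RFC 5737 documentation range), the ROAs and the relationships between networks are all constructed, and the path through MAINONE, CHINA_TELECOM and TRANSTELECOM merely mirrors the path the article describes.

```python
"""Toy model of BGP route selection, prefix hijacks and route leaks.

Added example, not code from the article or from ThousandEyes, MainOne or
Google. AS names, prefixes (RFC 5737 documentation range), ROAs and the
relationships between networks are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    as_path: tuple      # leftmost AS = neighbour that sent it, rightmost = origin
    learned_from: str   # our relationship to that neighbour: customer, peer, provider


# Constructed RPKI ROAs: covering prefix -> (authorised origin AS, max length)
ROAS = {ip_network("203.0.113.0/24"): ("GOOGLE", 24)}


def rpki_validate(route):
    """Origin validation in the spirit of RFC 6811: valid / invalid / not-found."""
    origin = route.as_path[-1]
    covering = [p for p in ROAS if route.prefix.subnet_of(p)]
    if not covering:
        return "not-found"
    for p in covering:
        asn, maxlen = ROAS[p]
        if asn == origin and route.prefix.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def may_export(route, to_relationship):
    """Valley-free export rule: a route learned from a peer or a provider may
    only be re-advertised to customers. Handing a peer-learned route to a
    provider is exactly the kind of leak a BGP export filter should block."""
    if route.learned_from == "customer":
        return True
    return to_relationship == "customer"


def best_route(routes, dst):
    """Longest matching prefix wins; among equals, the shortest AS path.
    Real BGP adds local-pref, MED and more, but these two rules are enough
    to show why hijacks and leaks attract traffic."""
    candidates = [r for r in routes if ip_address(dst) in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def scenario_hijack(dst="203.0.113.10"):
    """A more-specific prefix from the wrong origin beats the legitimate /24,
    unless the router drops RPKI-invalid routes first."""
    legit = Route(ip_network("203.0.113.0/24"), ("TRANSIT_A", "GOOGLE"), "peer")
    bogus = Route(ip_network("203.0.113.0/25"), ("TRANSIT_B", "ROGUE"), "peer")
    without_rov = best_route([legit, bogus], dst).as_path[-1]
    kept = [r for r in (legit, bogus) if rpki_validate(r) != "invalid"]
    with_rov = best_route(kept, dst).as_path[-1]
    return without_rov, with_rov


def scenario_leak(dst="203.0.113.10"):
    """MainOne-style leak: a route learned from Google at an IXP is exported
    to a provider. The origin is still Google, so RPKI says 'valid'; only the
    export filter catches it. Downstream, the leaked path can win on length."""
    at_ixp = Route(ip_network("203.0.113.0/24"), ("GOOGLE",), "peer")
    exported = may_export(at_ixp, "provider")   # False once the filter is right
    # A distant transit network with no short path to Google (constructed paths).
    usual = Route(ip_network("203.0.113.0/24"),
                  ("UPSTREAM_1", "UPSTREAM_2", "UPSTREAM_3", "TRANSIT_A", "GOOGLE"),
                  "provider")
    leak = Route(ip_network("203.0.113.0/24"),
                 ("TRANSTELECOM", "CHINA_TELECOM", "MAINONE", "GOOGLE"), "peer")
    return {
        "rpki_status_of_leak": rpki_validate(leak),
        "exported_with_filter": exported,
        "next_hop_as_downstream": best_route([usual, leak], dst).as_path[0],
    }


if __name__ == "__main__":
    print("hijack: origin chosen without/with RPKI ROV ->", scenario_hijack())
    print("leak:", scenario_leak())
```

Two points worth taking from the model: RPKI origin validation stops the hijack scenario (the /25 from the wrong origin is rejected as invalid) but says nothing about the leak scenario, because the leaked route still carries the legitimate origin; what stops a leak is the export filter at the leaking network, which is the control MainOne said it had misconfigured.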
ThousandEyes noted that BGP hijacking incidents are on the rise, adding that, “Even corporations like Google with massive resources at their disposal are not immune from this sort of BGP leak or malicious hijacks.”