Google hit by apparent BGP misrouting attack

November 13, 2018 // 11:05 a.m.

Tags: #attack #autonomous-system #bgp #border-gateway-protocol #china #flaw #insecurity #internet-protocol #russia #security #vulnerability

Companies: #alphabet #google

Google has confirmed an issue with its cloud services which, reports have claimed, saw traffic routed through Russian and Chinese IP addresses for around an hour - apparently as a result of a border gateway protocol (BGP) hijack attack.

Designed to assist networks with routing around inaccessible systems, the border gateway protocol (BGP) allows for the broadcast of routing and reachability information for a given autonomous system (AS). Sadly, while currently in revision four, the standard comes with few protections: Routers with BGP enabled will accept any broadcast BGP messages by default, meaning that a properly-equipped attacker can - temporarily, at least - broadcast spurious BGP messages and reroute traffic without the AS owner's consent.

That, it has been reported in the Wall Street Journal and elsewhere, is exactly what happened late last night to Google's multifarious cloud services: A BGP attack was carried out successfully, re-routing Google's traffic through third-party IP addresses located in Russia and China.

Google, for its part, has not confirmed the details of the issue, but has confirmed what it describes as 'Google Cloud Networking Incident #18018' which saw 'Google Cloud IP addresses being erroneously advertised by internet service providers other than Google' for a period of around an hour. 'The issue with Google Cloud IP addresses being erroneously advertised by internet service providers other than Google has been resolved for all affected users as of 14:35 US/Pacific,' the company confirmed in a follow-up report. 'Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence.'

While there are additional protections in place to prevent misrouted traffic from disclosing personal information - such as the use of transport layer security (TLS), which will encrypt traffic and reject certificates that don't match the target domain name - it's not yet known whether the apparent attack was able to make off with any important data from affected users.

UPDATE 20181114:

Nigerian ISP MainOne has stepped forward to take blame for the issue, claiming that it wasn't an attack but a simple misconfiguration of its network - and further highlighting issues surrounding the security of BGP. It's a claim backed by the RIPE NCC,  the Regional Internet Registry for Europe, the Middle East and parts of Central Asia: 'A look at our RIPE Atlas data suggests that the ISP in question was reconfiguring their network rather than anything malicious. These reconfigurations happen every day in global routing and mistakes can happen, especially since the configuration of routers is error prone and often still requires manual input which is prone to "fat fingers,"' explains RIPE NCC senior research engineer Emile Aben. 'The MANRS [Mutually Agreed Norms for Routing Security] project, which has gained a lot of traction recently, contains guidelines for ISPs to apply better filtering to their routers. ISPs following these guidelines will likely reduce the impact of these events in the future.'


Discuss this in the forums

QUICK COMMENT

bit-tech Mod of the Year 2018 in Association with Corsair - Nominate Your Favourite Mods!

Week in review

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU