How a Nigerian ISP Accidentally Hijacked the Internet

For 74 minutes, traffic destined for Google and Cloudflare services was routed through Russia and into the largest system of censorship in the world, China's Great Firewall.

Marc Laliberte, Senior Security Analyst, WatchGuard Technologies

April 25, 2019

5 Min Read
Dark Reading logo in a gray background | Dark Reading

On November 12, 2018, a small ISP in Nigeria made a mistake while updating its network infrastructure that highlights a critical flaw in the fabric of the Internet. The mistake effectively brought down Google — one of the largest tech companies in the world — for 74 minutes.

To understand what happened, we need to cover the basics of how Internet routing works. When I type, for example, HypotheticalDomain.com into my browser and hit enter, my computer creates a web request and sends it to Hypothtetical.Domain.com servers. These servers likely reside in a different state or country than I do. Therefore, my Internet service provider (ISP) must determine how to route my web browser's request to the server across the Internet. To maintain their routing tables, ISPs and Internet backbone companies use a protocol called Border Gateway Protocol (BGP).

BGP is a dynamic routing protocol, meaning it automatically updates routing tables as changes occur. The Internet isn't a single straight line from one point to another. There are generally a few different paths a connection can take from point A to point B. BGP's job is to decide which path is the "best" path (shortest) to reach any given destination network, and update routers accordingly. This path can change as routers are taken down and brought back up online. BGP handles all of these route changes automatically.

The Internet is broken up into a number of autonomous systems (ASs), exactly 6,3954 at this time of writing. Each AS is assigned an autonomous system number (ASN) by the Internet Assigned Numbers Authority (IANA). Your ISP has at least one ASN, likely even more. Big companies like Google also maintain their own border routing infrastructure and have their own ASN.

Autonomous systems form connections with their neighbors, called peers. Through these peer connections, ASs advertise the routes — or "network prefixes," as they are called — that they know how to reach. Neighbors forward on these advertisements to their other neighbors to propagate them across the Internet backbone. Eventually, because of these route advertisements, an ISP in Seattle can learn a route all the way to a web server hosted in Sydney.

Ground Zero: Internet Exchange Point, Nigeria
So, what exactly happened on November 12? It all starts with an organization called the Internet Exchange Point of Nigeria (IXPN). Internet exchange points (IXPs) are common, especially in developing countries. They provide a central location for regional ISPs to peer with each other and share data at reduced bandwidth costs. Without IXPs, regional ISPs might not have a direct connection with each other. This means traffic between them may travel an overly long distance, possibly even leaving the country before coming back in.

IXPs also act as a single point of connection for larger remote companies and services. In the case of IXPN, Google maintains a peering connection with participating Nigerian ISPs, allowing direct connections from their networks to Google's services. To facilitate this, Google announces its network prefixes (routes) to its ISP peers in Nigeria. Think of it like building a highway straight to Google instead of having to take a winding country road up through Europe.

These peering agreements and route advertisements are generally for the benefit of the ISPs and their customers alone, so they use route filters to prevent accidently advertising the prefixes beyond their own networks. Without these route filters, the ISP routers, using BGP, would continue to propagate the routes to their other neighbors across the Internet and risk changing how global Internet traffic routes to Google.

Next Stop China
On November 12, 2018, at around 21:13 UTC, MainOne Cable Company in Nigeria was performing routine maintenance on its routing infrastructure. During this maintenance, it accidently misconfigured its route filters, causing it to announce 212 Google prefixes (and several Cloudflare prefixes) to its other BGP neighbors.

China Telecom, one of MainOne's BGP peers, accepted the route advertisement and relayed it to its neighbors. Transtelecom, based in Russia, accepted this advertisement and relayed it to its peers. At this point, the advertisement had made it far enough into the Internet that many ASs began accepting it.

For around 74 minutes, most traffic destined for Google and Cloudflare services from around the world was routed through Russia, into China, and on to MainOne in Nigeria. Cloudflare was quick to spot the issue and update its routing topography to mitigate the problem. Many users attempting to access Google services, however, had their connections crash right into the largest system of censorship in the world, China's Great Firewall. Everyone else suffered extreme latency as their connections were routed across the world to Nigeria before reaching Google.

Why is this a big deal? This accident highlights a critical vulnerability in the fabric of the Internet. BGP relies on the trust system. Peers trust that their neighbors are advertising accurate routes. If a neighbor starts advertising routes to prefixes it doesn't own, it could start intercepting and man-in-the-middling connections to any connection it wants. A single small ISP from Nigeria managed to disrupt traffic to the largest company on the Internet because of a simple mistake. Now imagine what a malicious, coordinated BGP hijack could accomplish.

The good news is that there is a fix out there. Resource Public Key Infrastructure (RPKI) uses cryptographic signatures to authenticate BGP route advertisements, similar to how websites use certificates. Route origin validation (ROV) confirms that prefix advertisements come from the actual owner. Unfortunately, only 13% of advertised prefixes use RPKI, and less than 1% of ASs validate route advertisements. If our Internet service providers and other participants on the Internet backbone don't start adopting these standards soon, the next BGP hijack might not be an accident — and will likely be much worse.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

About the Author

Marc Laliberte

Senior Security Analyst, WatchGuard Technologies

Marc Laliberte is a senior security analyst at WatchGuard Technologies. Specializing in networking security protocols and Internet of Things technologies, Marc's day-to-day responsibilities include researching and reporting on the latest information security threats and trends. He has discovered, analyzed, responsibly disclosed and reported on numerous security vulnerabilities in a variety of IoT devices since joining the WatchGuard team in 2012. With speaking appearances at industry events including RSA and regular contributions to online IT, technology and security publications, Marc is a thought leader who provides insightful security guidance to all levels of IT personnel.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights