Tuesday, November 13, 2018, 02:13 PM EDT
Internet BGP Hijack Takes Down Google G Suite, Analytics And Search
Some of Google's major services unexpectedly went offline for a period of time on Monday, apparently resulting from a tiny ISP in Nigeria inadvertently hijacking certain internet traffic. Referred to as a BGP (Border Gateway Protocol) hijack, traffic that should have found its way to Google's servers instead pinged Nigerian ISP MainOne Cable Company.
At issue is that MainOne Cable was hosting over 200 Google network prefixes, resulting in traffic not going to where it was supposed to.
This is what we know: Starting at 2018-11-12 21:12 UTC Nigerian ISP AS37282 'MainOne Cable Company' leaked 212 @google prefixes to China Telecom, causing traffic to be redirected and dropped.
Leaked BGP Paths via Tier1 ISP NTT disappeared at 22:32 UTC.
"We have investigated the advertisement of @Google prefixes through one of our upstream partners. This was an error during a planned network upgrade due to a misconfiguration on our BGP filters. The error was corrected within 74 minutes and processes put in place to avoid re-occurrence," MainOne Cable said.
The "error" caused certain traffic to ping MainOne Cable's network rather than travel the route it should have taken. It affected Google's G Suite, Analytics, and Search. It also stirred up initial concern that something foul was taking place. Security researchers at ThousandEyes noticed traffic to Google was getting dropped at China Telecom, and that a Russian ISP was in the path as well.
BREAKING: Potential hijack underway. ThousandEyes detected intermittent availability issues to Google services from some locations. Traffic to certain Google destinations appears to be routed through an ISP in Russia & black-holed at a China Telecom gateway router. pic.twitter.com/Tz7shf7cOy
"This incident at a minimum caused a massive denial of service to G Suite and Google Search. However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance. Overall ThousandEyes detected over 180 prefixes affected by this route leak, which covers a vast scope of Google services," ThousandEyes stated in a blog post.
It's also worth noting that China Telecom has been accused of BGP hijacks in the past, notably in an academic paper published by the US Naval War College and Tel Aviv University. On the surface, it appeared that the state-owned telecom might have been up to no good.
While MainOne Cable is chalking this up to an error, it still knocked vital services offline from around 1:00 pm PST to 2:23 pm PST. Unfortunately, the bigger problem is BGP itself, as this latest incident further demonstrates.
"BGP was designed to be a chain of trust between well-meaning ISPs and universities that blindly believe the information they receive. It hasn’t evolved to reflect the complex commercial and geopolitical relationships that exist between ISPs and nations today," ThousandEyes said.
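The leak described above (a small ISP passing prefixes it learned from Google on to a large telecom, which then propagated them further) and the "blindly believe the information they receive" point are exactly what a route-monitoring check can catch on the receiving side. The script below is an added example, not code from the article, ThousandEyes or MainOne. It applies two checks to constructed BGP announcements: an RPKI-ROA-style origin check (is the origin AS authorised for this prefix, and is the prefix no more specific than allowed?) and a valley-free path check (a route may go customer-to-provider any number of times, cross at most one peer link, then only provider-to-customer; anything else is a route leak). The ROA table, the AS relationships, the ASNs (private-use range) and the prefixes (RFC 5737 TEST-NET) are all assumptions constructed for the example; real deployments take them from an RPKI validator and from relationship data such as CAIDA's.

```python
"""Flag suspicious BGP announcements: bad origins and valley-free (route-leak) violations.

Added example with constructed data. ASNs 64500-64599 and the TEST-NET prefixes are
documentation values standing in for the real networks in the article.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed authorised origins, shaped like RPKI ROAs: (prefix, origin AS, max prefix length).
ROAS = [
    ("203.0.113.0/24", 64500, 24),   # stand-in for a content provider's prefix
    ("198.51.100.0/24", 64500, 25),  # same origin, /25 announcements allowed
]

# Assumed relationships. (provider, customer) pairs and unordered peer pairs.
PROVIDER_CUSTOMER = {(64502, 64501)}   # 64502 (large telecom) is the provider of 64501 (small ISP)
PEERS = {
    frozenset({64500, 64501}),   # content provider peers with the small ISP
    frozenset({64500, 64503}),   # content provider peers with the observer (Tier-1)
    frozenset({64502, 64503}),   # large telecom peers with the observer
}


def relation(exporter: int, importer: int) -> Optional[str]:
    """How `exporter` handed the route to `importer`: 'p2c', 'c2p', 'p2p' or None if unknown."""
    if (exporter, importer) in PROVIDER_CUSTOMER:
        return "p2c"
    if (importer, exporter) in PROVIDER_CUSTOMER:
        return "c2p"
    if frozenset({exporter, importer}) in PEERS:
        return "p2p"
    return None


def check_origin(prefix: str, origin: int) -> str:
    """ROA-style origin validation: 'ok', 'origin-mismatch', 'too-specific' or 'unknown-prefix'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [(ipaddress.ip_network(p), o, m) for p, o, m in ROAS]
    covering = [(p, o, m) for p, o, m in covering if net.subnet_of(p)]
    if not covering:
        return "unknown-prefix"
    if any(o == origin for _, o, _ in covering):
        if any(o == origin and net.prefixlen <= m for _, o, m in covering):
            return "ok"
        return "too-specific"          # right origin, but a more-specific than the ROA allows
    return "origin-mismatch"


def check_path(as_path: List[int]) -> str:
    """Valley-free check on an AS path given observer-first, origin-last (as in a BGP UPDATE)."""
    hops: List[int] = []
    for asn in reversed(as_path):      # origin first = direction the route propagated
        if not hops or hops[-1] != asn:  # collapse AS-path prepending
            hops.append(asn)
    phase = "up"                       # uphill (customer->provider) until a peer or downhill edge
    for exporter, importer in zip(hops, hops[1:]):
        rel = relation(exporter, importer)
        if rel is None:
            return "unknown-relationship"
        if rel == "c2p" and phase == "down":
            return "route-leak"        # exported to a provider after already going down/peer
        if rel == "p2p":
            if phase == "down":
                return "route-leak"    # exported to a peer after already going down/peer
            phase = "down"
        if rel == "p2c":
            phase = "down"
    return "ok"


def classify(prefix: str, as_path: List[int]) -> str:
    verdict = check_origin(prefix, as_path[-1])
    return verdict if verdict != "ok" else check_path(as_path)


# Constructed announcements as "prefix|AS path" lines; line 2 mirrors the article's leak shape.
SAMPLE_UPDATES = [
    "203.0.113.0/24|64503 64500",                 # direct from the origin over a peer link
    "203.0.113.0/24|64503 64502 64501 64500",     # small ISP leaked a peer route to its provider
    "203.0.113.0/24|64503 64502 64599",           # unauthorised origin
    "198.51.100.0/25|64503 64500",                # more-specific within the ROA's max length
    "203.0.113.0/25|64503 64500",                 # more-specific beyond the ROA's max length
    "192.0.2.0/24|64503 64502",                   # no ROA covers it
    "203.0.113.0/24|64503 64510 64500",           # hop with no known relationship
    "203.0.113.0/24|64503 64500 64500 64500",     # prepended but otherwise clean
]


def audit(updates: List[str]) -> List[Tuple[str, str]]:
    results = []
    for line in updates:
        prefix, path = line.split("|")
        results.append((prefix, classify(prefix, [int(a) for a in path.split()])))
    return results


if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE_UPDATES):
        print(f"{verdict:22s} {prefix}")
```

In practice the announcements would come from a route collector feed or the router's own Adj-RIB-In rather than a list, and a "route-leak" or "origin-mismatch" verdict for your own prefixes is the alert that tells you, as it told ThousandEyes here, that traffic is being pulled somewhere it should not go. The same origin table, applied as an export filter on the leaking router, is what MainOne's statement says was misconfigured.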