People's connections in the US to Google – including its cloud, YouTube, and other websites – were suddenly rerouted through Russia and into China in a textbook Border Gateway Protocol (BGP) hijacking attack.
That means folks in Texas, California, Ohio, and so on, firing up their browsers and software and connecting to Google and its services were instead meandering through systems in Russia and China, and not reaching servers belonging to the Silicon Valley giant. Netizens outside of America may also have been affected.
The Chocolate Factory confirmed that for a period on Monday afternoon, from 1312 to 1435 Pacific Time, connections to Google Cloud, its APIs, and websites were being diverted through IP addresses belonging to overseas ISPs. Sites and apps built on Google Cloud, such as Spotify, Nest, and Snapchat, were also brought down by the interception.
Specifically, network connectivity to Google was instead routed through TransTelekom in Russia (mskn17ra-lo1.transtelecom.net), and into a China Telecom gateway (ChinaTelecom-gw.transtelecom.net) that black-holed the packets. Both hostnames have since stopped resolving to IP addresses.
The black-hole effect meant Google and YouTube, and apps and sites that relied on Google Cloud, appeared to be offline to netizens. It is possible that traffic not securely encrypted could have been intercepted by the aforementioned rogue nodes; however, our understanding is that, because of the black-hole effect, most if not all connections weren't spied on: TCP handshakes would fail to complete, so no application data would be transferred. That's the best-case scenario, at least.
Essentially, someone advertised to the core routers that direct the internet's highways that packets bound for Google IP addresses would be best served by going through TransTelekom and into China Telecom. A third reroute, through an ISP in Nigeria, was also attempted, though it doesn't appear to have succeeded. How exactly routes are commandeered is explained here, and the technique is not new – it's just that the world's backbone networks hope it doesn't happen too often. Such route leaks are usually accidental, with one network inadvertently acting as a conduit for someone else's traffic, and they typically last a few seconds rather than more than an hour.
"Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google," said the web ad giant, which declined to name names. "We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence."
The search goliath earlier noted:
While Google was hesitant to draw any conclusions, cloud security experts have little doubt that the BGP hijacking was intentional, rather than a brief typo in a config file or a fat finger in a terminal, and that the people behind it were almost certainly up to no good by intercepting Google Cloud connections.
"Our analysis is, given the size and scope and given the countries involved, it is highly unlikely it was accidental," Ameet Naik, senior technical marketing manager at cloud networking monitoring biz ThousandEyes, told The Register today.
"When you have an attack involving Google in countries like Russia and China, you might call that grand theft internet."
Naik said the packet thieves could have been looking to do anything from temporarily disabling Google platforms and APIs, to potentially snooping on traffic from users on Google's services. He noted that the same technique was used back in April to reroute Amazon cloud traffic in an attempt to get at crypto-currency wallets. China Telecom also has form in misdirecting traffic by advertising new routes.
Such BGP attacks can be trivial to pull off for miscreants within ISPs, or governments holding guns to telco admins' heads, given the open nature of BGP, the protocol networks use to exchange routes and steer traffic between service providers around the world. Any network that can inject an announcement into the global routing table can claim to be the best path to someone else's addresses; nothing in BGP itself checks whether the announcing network is entitled to them.
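To make the mechanism described above concrete (a rogue network announcing a more attractive route to someone else's addresses, and the absence of any built-in check on who is entitled to announce them), here is a small simulation added to this article. It is not code from The Register, Google, or ThousandEyes. It uses the documentation address range 192.0.2.0/24 and private-use AS numbers 64496–64511, not the real prefixes or ASNs involved in the incident, and the ROA table is constructed for the example rather than fetched from the RIRs' RPKI repositories. The toy router picks the longest matching prefix, then the shortest AS path, which is a deliberately crude stand-in for BGP best-path selection. The hijack works without origin validation because a /25 beats the legitimate /24; with RFC 6811-style origin validation enabled at ingress, the rogue route is rejected and traffic stays on the legitimate path.

```python
"""Toy BGP route selection with and without RPKI origin validation.

Added example; not code from the article or from any of the parties named in it.
Addresses and AS numbers are documentation/private-use values, not the real ones.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # neighbouring ASes first, originating AS last

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed Route Origin Authorizations: prefix -> (authorised origin AS, max prefix length).
# A real deployment feeds these from an RPKI validator; here they are hard-coded for the demo.
ROAS = {
    ipaddress.ip_network("192.0.2.0/24"): (64500, 24),      # "victim" network; no sub-prefixes allowed
    ipaddress.ip_network("198.51.100.0/24"): (64501, 24),
}


def rpki_validate(route: Route, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811 origin validation."""
    covering = [(asn, maxlen) for p, (asn, maxlen) in roas.items()
                if route.prefix.subnet_of(p)]
    if not covering:
        return "not-found"          # no ROA covers this prefix; policy decides what to do
    for asn, maxlen in covering:
        if route.origin_as == asn and route.prefix.prefixlen <= maxlen:
            return "valid"
    return "invalid"                # covered by a ROA, but wrong origin or too-specific


class Rib:
    """Minimal routing table: longest prefix wins, then shortest AS path."""

    def __init__(self, drop_invalid: bool = False):
        self.drop_invalid = drop_invalid
        self.routes = []

    def announce(self, prefix: str, as_path) -> bool:
        """Accept an announcement; returns False if origin validation rejects it."""
        route = Route(ipaddress.ip_network(prefix), tuple(as_path))
        if self.drop_invalid and rpki_validate(route) == "invalid":
            return False
        self.routes.append(route)
        return True

    def lookup(self, ip: str):
        """Best route for a destination address, or None if nothing covers it."""
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def simulate_hijack(drop_invalid: bool) -> tuple:
    """Legitimate /24 from AS 64500 versus a rogue, more-specific /25 originated by AS 64502.

    Returns (origin AS the router actually forwards to, validation state of the rogue route).
    """
    rib = Rib(drop_invalid=drop_invalid)
    rib.announce("192.0.2.0/24", [64499, 64500])   # legitimate route, two hops away
    rogue = Route(ipaddress.ip_network("192.0.2.0/25"), (64503, 64502))
    rib.announce("192.0.2.0/25", rogue.as_path)   # hijack: longer prefix, different origin
    best = rib.lookup("192.0.2.10")
    return best.origin_as, rpki_validate(rogue)


if __name__ == "__main__":
    for drop in (False, True):
        origin, state = simulate_hijack(drop)
        print(f"origin validation {'on' if drop else 'off'}: traffic for 192.0.2.10 "
              f"goes to AS{origin}; rogue route is RPKI-{state}")
```

Without validation the router hands packets for the victim's address to AS 64502, exactly the "best path" trick the article describes; with validation the rogue /25 never enters the table. The same longest-prefix rule is why a hijacker often announces more-specifics rather than the victim's own prefix: it wins regardless of path length or how many networks already carry the legitimate route.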
"The internet is built on such an open chain of trust that it is not hard for anybody to inject fake information," Naik said. "It really is that simple." ®