Indosat routing error impacts few but hits Akamai, Chevron
A routing error by one of Indonesia’s largest telecommunications providers on Wednesday made it briefly appear it controlled a large swath of the Internet, according to monitoring firm Renesys.
A technical change made it appear Indosat controlled some 320,000 of 500,000 networks on the Internet for about two hours, wrote Earl Zmijewski, a vice president and general manager for Renesys, on a company blog.
The problem was quickly corrected but still caused problems for companies such as Akamai and Chevron, Zmijewski wrote. It also caused a flood of traffic to hit Indosat’s network.
ISPs and telecommunication providers publish public data on their networks that is used in routers to direct Internet traffic. That data is distributed to other providers using BGP (Border Gateway Protocol), a specification for exchanging such information.
BGP data changes are “announced” and then picked up by other network providers. But errors in BGP data can cause websites and networks to be unreachable. If an ISP claims through BGP to own another provider’s routes, all traffic could be redirected to the ISP rather than to the legitimate operator.
BGP is designed to ensure Internet traffic flows correctly. But Zmijewski wrote one of its problems is that the data is not authenticated or validated, which means an innocent mistake—or a malicious attack—can have far-reaching effects.
“Internet routing allows you to lay claim to any network you want,” Zmijewski wrote.
The most drastic effect of Indosat’s error was on networks run by Akamai, which runs a large content delivery network. “Several hundred” of the routes announced by Indosat were picked up by Akamai, Zmijewski wrote.
A network run by the energy company Chevron in London also began directing traffic to Indonesia as well networks belonging to Stan Telecom of Afghanistan and the city of Santa Monica in California, he wrote.
Most of the several hundred thousand networks that Indosat laid claim to were only minimally affected. BGP changes don’t take effect immediately. Renesys estimated that less than five percent of the networks it monitors picked up Indosat’s BGP’s changes.
But Zmijewski wrote the incident underscores weaknesses in how Internet traffic is routed.
“In short: route leak events like this one, which happen at least once a year, are a good reminder that BGP routing is fragile and error-prone,” Zmijewski wrote. “There are no easy fixes.”