Internet traffic routing errors made by U.S. operators Sprint and Windstream on the same day last week underscore a long-known Internet weakness, posing both security and reliability issues.
Both of the errors involved Border Gateway Protocol (BGP), an aging but crucial protocol that is used by networking equipment to route traffic between different providers. Traffic routes are “announced” using BGP, and the changes are then taken up by routers around the world.
But network providers frequently make erroneous announcements—known as “route hijacking”—which can shut off services, causing reliability issues or be used for certain kinds of cyberattacks.
For about a day starting last Tuesday, Sprint made a BGP announcement that directed Internet traffic from an ISP in Macedonia through its own network, wrote Doug Madory, a senior analyst with Dyn’s Renesys division, which monitors how global Internet traffic is routed.
On the same day, Windstream commandeered traffic destined for Saudi Telecom, and then a day later for networks in Gaza and Iceland, besides three in China, Madory wrote.
It’s not uncommon for operators to make such errors through misconfiguration. But Madory wrote that the problem of BGP route hijacking “has gone from bad to downright strange.”
“While we now detect suspicious routing events on an almost daily basis, in the last couple of days we have witnessed a flurry of hijacks that really make you scratch your head,” he wrote.
In the case of Sprint, the traffic destined for the Macedonian ISP Telesmart did actually make it there, albeit through a circuitous route. Renesys did a trace route, an exercise that involves watching how traffic flows from one location to another.
Traffic that originated in Sofia, Bulgaria, should only take about 6 milliseconds to end up at Telesmart in Skopje, Macedonia.
But during the time the traffic was under Sprint’s control, the traffic went from Sofia to Frankfurt, then to Paris, back to Frankfurt, through Munich and Vienna, back to Sofia and then to Skopje. That scenic route took 10 times longer than it should have, Madory wrote.
Windstream’s takeover of Saudi Telecom’s traffic, however, made that network unavailable for any ISP that accepted Windstream’s BGP announcements, he wrote.
Sprint and Windstream officials could not immediately be reached for comment on Sunday.
There’s nothing to suggest that either Sprint or Windstream had malicious intentions. But such traffic diversions could give malicious actors visibility to the traffic passing through their equipment, known as a man-in-the-middle attack. That could pose privacy and security issues if the traffic isn’t encrypted.
Even if the text of an email is encrypted, subject lines and metadata—such as the email address that is sending the communication and the email address of its intended recipient—would be in such a traffic stream.
Security analysts have long warned that BGP is vulnerable, as it lacks a way to authenticate that a particular network route belongs to a specific entity, allowing the route to be easily taken over.
There are fixes, such as using whitelisting and cryptography, but it is questionable if ISPs would see an economic incentive to make changes, wrote Sharon Goldberg an assistant professor in the Computer Science Department at Boston University, on the Association for Computing Machinery’s website.