Last June, there was a media frenzy following a “massive rerouting” of European internet traffic through state-owned China Telecom. Earlier this month, hundreds of content delivery networks, servicing the likes of Facebook, Google and Amazon, were redirected through state-owned Rostelecom in Russia. Welcome to the world of BGP leaks or, worse, BGP hijacks. Get ready to join the call for better security.
The Border Gateway Protocol, BGP, is the “postal service of the internet.” Just like FedEx or DHL, the internet needs a system to find efficient routes from A to B, hopping from point to point across the autonomous systems that span the globe.
BGP mistakes are common. But when they result in our traffic routing through state-owned systems in China and Russia, we should take note. Most mistakes last seconds—but the China Telecom incident persisted for two hours—and “two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications,” warned Oracle’s head of internet analysis.
The U.S. government now wants China Telecom banned from providing services in the U.S., citing “substantial and unacceptable national security and law enforcement risks associated with China Telecom’s operations.”
The dangers of hijacked internet traffic have diminished with encryption. But if data flows through a state actor’s systems, it can be sucked into storage, analyzed for weaknesses, even attacked later with new tools and techniques. The fact that Russia and China seem more at fault than others might just be a coincidence. Or it might be that they’re exactly where you don’t want your traffic taking a detour.
Thankfully, there are measures that can now put an end to this risk—but only if everyone plays along. “The internet is too vital to allow this known problem to continue any longer,” Cloudflare, the web infrastructure and CDN player, warned in a blogpost on Friday (April 17). “It’s time to make BGP safe. No more excuses.”
Cloudflare advocates the widespread adoption of RPKI, Resource Public Key Infrastructure, which has been around for some time but seems slow to catch on. “Hundreds of networks of all sizes have done a tremendous job over the last few years, but there is still work to be done. If we observe the customer-cones of the networks that have deployed RPKI, we see around 50% of the Internet is more protected against route leaks. That’s great, but it’s nothing like enough.”
And so the company has launched a new service—is BGP safe yet—which enables internet users to test whether their internet service providers are secure, and if not to publicize the fact. Clearly we’re in fairly niche territory here; we won’t see millions pick this up, but a few high-profile tweets and media reports might focus minds and prompt more ISPs into action.
The twist with BGP errors is that it’s tricky to differentiate malicious attacks from dumb mistakes. On the malicious side, though, the lack of security tempts state actors to present false information to the internet, tricking traffic into heading their way. “A BGP hijack,” Cloudflare explains, “occurs when a malicious node deceives another node, lying about what the routes are for its neighbors.”
The distributed nature of the internet means such false information “can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.”
RPKI is a crypto-based validation tool, which means nodes don’t have to rely on what they’re being told by other, potentially malicious, nodes. They can verify that what they’re being told is true and bypass nodes when that’s not the case. “RPKI allows the network to protect itself by invalidating the malicious routes.”
BGP made safe
As with data and DNS encryption, tracking bans and internet security more broadly, this is important. The internet evolved over decades as a fragmented, unplanned group-think. We are now applying bandages to the obvious weaknesses and attempting surgery for the more glaring problems. In the meantime, it won’t hurt for you to test your ISP and nudge them in the right direction while stuck at home.