Google G Suite yesterday had much of its traffic re-routed through Russia and dropped at China Telecom, according to the network intelligence com
G Suite yesterday had much of its traffic re-routed through Russia
and dropped at China Telecom, according to the network intelligence
company Thousand Eyes.
Thousand Eyes at this time reported Google was victimized by a Border Gateway Protocol (BGP) hijacking attack. Google confirmed there was an issue, but does not believe it was done intentionally.
Eyes came across the possibly malicious issue when it began suffering
connectivity issues with G Suite, Google Analytics and Google Search
that impacted its entire workforce starting at about 1 p.m. PST and
lasting for three hours. Even more concerning was this caused a
massive denial of service situation for Google Search and G Suite and
routed information through nation’s known to monitor internet traffic
for their own purposes.
“What caught our attention was that traffic to Google was getting dropped at China Telecom. Why would traffic from a San Francisco office traversing to Google go all the way to China? We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns,” said Ameet Naik, Thousand Eyes technical marketing manager, in a blog post.
from Paris to www.google.com resolved
to 126.96.36.199. While Google announces many /24 prefixes to cover
its IP address range, this address was not covered by a /24 prefix.
Instead, it was covered by a /19 prefix. We saw a suspicious
announcement for 188.8.131.52/19 appear after about 12:45 pm PST with
a convoluted AS path that included TransTelecom (AS 20485) in Russia,
China Telecom (AS 4809) in China and MainOne (AS 37282), a small ISP
in Nigeria,” Naik
the traffic hit China Telecom it stopped and did not continue on to
its actual destination.
In total Thousand Eyes detected more than 180 prefixes covered by the leak. The company believes the leak originated at the BGP peering relationship between MaineOne and China Telecom. The issue primarily affected business-grade traffic and had little impact on consumers.
There is now a conflict of opinion over whether or not this incident was malicious or an error. Thousand Eyes said it cannot make a determination one way or the other, but others are willing to offer an opinion.
Kris Beevers, co-founder and CEO of NS1, is leaning toward it being intential.
bad actor used BGP to announce that its network can be used to reach
IP addresses that belong to Google, including Google Public DNS IP
addresses. This is causing some parts of the internet to direct
traffic for those IP addresses to the bad actor. Fortunately,
companies can mitigate the damage by using DNSSEC, which secures the
domain name system (DNS) as used on IP networks. DNSSEC helps by
cryptographically verifying that the answers are from a legitimate
source not the bad actor,” he told SC Media.
Cloudflare CEO Matthew Prince, whose company owned many of the misdirected IP addresses, told ARS Technica he believes this was due to an error and not a deliberate act.