Google G Suite yesterday had much of its traffic re-routed through Russia and dropped at China Telecom, according to the network intelligence company Thousand Eyes.
Thousand Eyes at this time reported Google was victimized by a Border Gateway Protocol (BGP) hijacking attack. Google confirmed there was an issue, but does not believe it was done intentionally.
Thousand Eyes came across the possibly malicious issue when it began suffering connectivity issues with G Suite, Google Analytics and Google Search that impacted its entire workforce starting at about 1 p.m. PST and lasting for three hours. Even more concerning was this caused a massive denial of service situation for Google Search and G Suite and routed information through nation’s known to monitor internet traffic for their own purposes.
“What caught our attention was that traffic to Google was getting dropped at China Telecom. Why would traffic from a San Francisco office traversing to Google go all the way to China? We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns,” said Ameet Naik, Thousand Eyes technical marketing manager, in a blog post.
“Traffic from Paris to www.google.com resolved to 184.108.40.206. While Google announces many /24 prefixes to cover its IP address range, this address was not covered by a /24 prefix. Instead, it was covered by a /19 prefix. We saw a suspicious announcement for 220.127.116.11/19 appear after about 12:45 pm PST with a convoluted AS path that included TransTelecom (AS 20485) in Russia, China Telecom (AS 4809) in China and MainOne (AS 37282), a small ISP in Nigeria,” Naik said.
Once the traffic hit China Telecom it stopped and did not continue on to its actual destination.
In total Thousand Eyes detected more than 180 prefixes covered by the leak. The company believes the leak originated at the BGP peering relationship between MaineOne and China Telecom. The issue primarily affected business-grade traffic and had little impact on consumers.
There is now a conflict of opinion over whether or not this incident was malicious or an error. Thousand Eyes said it cannot make a determination one way or the other, but others are willing to offer an opinion.
Kris Beevers, co-founder and CEO of NS1, is leaning toward it being intential.
“A bad actor used BGP to announce that its network can be used to reach IP addresses that belong to Google, including Google Public DNS IP addresses. This is causing some parts of the internet to direct traffic for those IP addresses to the bad actor. Fortunately, companies can mitigate the damage by using DNSSEC, which secures the domain name system (DNS) as used on IP networks. DNSSEC helps by cryptographically verifying that the answers are from a legitimate source not the bad actor,” he told SC Media.
Cloudflare CEO Matthew Prince, whose company owned many of the misdirected IP addresses, told ARS Technica he believes this was due to an error and not a deliberate act.