Google traffic hijacked via tiny Nigerian ISP

A large chunk of the hijacked traffic passed through the network of a controversial Chinese state-owned telecom provider that was previously accused of intentionally misdirecting internet traffic.
Written by Catalin Cimpanu, Contributor

A tiny Nigerian ISP has hijacked internet traffic meant for Google's data centers. The incident, called a BGP hijack, occurred yesterday, on November 12, between 13:12 and 14:35, Pacific time, according to Google.

The incident was first detected and reported by BGPmon, an online service that monitors the routes that internet traffic takes through the smaller internet service provider (ISP) networks that make up the larger internet.


According to BGPmon, the incident was caused by a small Nigerian ISP named MainOne Cable Company (AS37282), which announced to nearby ISPs that it was hosting IP addresses that were normally assigned to Google's data center network.

BGPmon says the Nigerian ISP incorrectly announced it was hosting 212 Google network prefixes in five different waves, for a total of 74 minutes.

This bad routing announcement leaked downstream to other ISPs, causing more and more nearby providers to send Google-intended traffic to MainOne's network, instead of the normal BGP routes.

According to experts from ThousandEyes, a cloud security company, the path that this traffic took most often was one via TransTelecom (AS 20485) in Russia and China Telecom (AS 4809) in China.


"We noticed that this leak was primarily propagated by business-grade transit providers and did not impact consumer ISP networks as much," said Ameet Naik, a manager for ThousandEyes.

"All the traffic slammed into the great firewall, terminating at China Telecom edge router," Naik added.

Whatever traffic ended up reaching the small Nigerian ISP was later dropped, resulting in zero Google connectivity for impacted users.

The incident caused quite a stir online, especially among networking and cyber-security experts. The reason is an academic paper published last month, which accused China Telecom, a state-owned telecom firm, of repeated BGP hijacks that misdirected the traffic of western countries through its network for no good reason.

The findings of that research paper, which were very controversial and politically charged, were confirmed last week by Oracle's Internet Intelligence division (formerly known as Dyn).

BGP hijacks are considered highly dangerous, as they allow the unauthorized network through which the traffic goes to intercept, analyze, and log sensitive traffic that could be decrypted at a later date.

Yesterday's temporary Google traffic redirection marks just another incident in a long list of BGP hijack incidents that have been a major problem since the 1990s.

Whether the traffic "misdirection" by the Nigerian ISP was intentional or accidental, the problem still lies with BGP itself, a protocol developed in the 1980s, which has no security features and is still used today to interconnect ISP networks and relay internet traffic.

Efforts are ongoing to improve BGP with additional security features.
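One such check is route origin validation (RFC 6811), which compares the origin AS of each announcement against a list of authorized origins per prefix. The sketch below is an added example, not code from BGPmon, ThousandEyes or Google; the prefixes are documentation ranges, AS64496 and AS64500 are documentation ASNs, and the authorization records and announcements are constructed, with only AS37282, AS4809 and AS20485 taken from the article.

```python
import ipaddress
from collections import namedtuple

# Constructed authorization records: prefix, longest allowed prefix length,
# and the AS permitted to originate it (documentation values, not real data).
Roa = namedtuple("Roa", "prefix max_length origin_as")
ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    Roa(ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]

def validate(prefix, as_path):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last entry in the AS path
    covered = False
    for roa in ROAS:
        # Only records of the same IP version that cover the prefix apply.
        if roa.prefix.version != net.version or not net.subnet_of(roa.prefix):
            continue
        covered = True
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a record but no record matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def flag_hijacks(announcements):
    """Return (prefix, origin AS) for every announcement that is invalid."""
    return [(p, path[-1]) for p, path in announcements
            if validate(p, path) == "invalid"]

# Constructed announcements as a route monitor might see them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500, 64496]),          # expected origin
    ("192.0.2.0/24", [20485, 4809, 37282]),    # unexpected origin AS
    ("192.0.2.128/25", [64500, 64496]),        # more specific than allowed
    ("2001:db8:1::/48", [64500, 64496]),       # within the allowed length
    ("203.0.113.0/24", [64500, 64501]),        # no record covers this prefix
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(prefix, "origin AS%d" % path[-1], validate(prefix, path))
```

Origin validation checks only the last AS in the path; it does not authenticate the rest of the path.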

Update, November 13, 11:30am ET: MainOne, the Nigerian ISP that caused this mess, said on Twitter today that the whole incident was an accident.

