Russian network ‘hijacked’ Twitter traffic
In what might be either a mistake or an attempted hijack, a Russian telecommunications provider briefly advertised itself as the destination for Twitter traffic for more than 2 hours the other day.
As noted by Johannes Ullrich of the SANS Institute: “Earlier today, RTComm.ru started to advertise 22.214.171.124/24, a prefix used by Twitter.
“Hijacking a BGP prefix is one way to block access, but it can also be used to intercept traffic to the respective IP addresses”, Ullrich explained.
The mechanism for route hijacking exploits the Border Gateway Protocol (BGP), the system by which routers distribute information about which networks can be reached through them.
BGP is an old protocol, first released in 1990, and like many of the Internet’s foundational protocols it wasn’t designed with security in mind.
As the FCC put it in late February when it announced an inquiry into routing vulnerability: “A bad network actor might deliberately falsify BGP reachability information to reroute traffic to itself or through a specific third-party network, and prevent that traffic from reaching its intended recipient”.
Fortunately, as Doug Madory of Internet analysis firm Kentik pointed out in a tweet, Twitter uses a security mechanism called Resource Public Key Infrastructure (RPKI).
“The hijack didn’t propagate far due to an RPKI ROA [route origin authorisation] which asserted AS13414 was the rightful origin,” he said.
From 12:05-12:50 UTC, RU telecom RTComm (AS8342) hijacked a prefix (126.96.36.199/24) belonging to Twitter. The hijack didn’t propagate far due to an RPKI ROA which asserted AS13414 was the rightful origin. This is the same prefix hijacked during the coup in Myanmar in 2015. pic.twitter.com/mHXssRkQiz
– Doug Madory (@DougMadory), March 28, 2022
As APNIC describes it, RPKI “provides a way to connect Internet number resource information (such as IP addresses) to a trust anchor”.
Madory also noted it’s not the first time Twitter has been a target: “This is the same prefix hijacked during the coup in Myanmar last year”.
While BGP hijacks can be used to disrupt networks or intercept traffic, many such events are accidents, such as when Telstra announced itself as the best path for 500 other networks in 2020.
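The reason the hijack “didn’t propagate far” is Route Origin Validation (RFC 6811): a router that validates against RPKI compares each BGP announcement with the published ROAs and marks it Valid, Invalid or NotFound, and the common policy is to drop Invalid routes. The following is an added illustration, not code from the article, Kentik or any router vendor; it uses the AS numbers the article names (AS13414 as the ROA origin, AS8342 as the announcing network) together with a constructed documentation prefix, 192.0.2.0/24, in place of the real Twitter prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce prefix,
    and any more-specific of it down to max_length."""
    prefix: str
    max_length: int
    origin_as: int


def rov_state(announced_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """Classify one BGP announcement per RFC 6811 Route Origin Validation.

    Returns "Valid", "Invalid" or "NotFound".
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA "covers" the announcement when its prefix contains the
        # announced prefix, regardless of origin or maxLength.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        # Nobody has published a ROA for this address space.
        return "NotFound"
    for roa in covering:
        # Valid only if the origin AS matches and the announcement is not
        # more specific than the ROA's maxLength permits. AS0 ROAs exist
        # solely to mark space that must never be announced, so origin 0
        # can never produce a Valid result.
        if (roa.origin_as == origin_as and origin_as != 0
                and net.prefixlen <= roa.max_length):
            return "Valid"
    # Covered by at least one ROA, but no ROA authorises this origin/length.
    return "Invalid"


def filter_routes(announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA],
                  drop_invalid: bool = True) -> List[Tuple[str, int, str]]:
    """Apply the usual ROV policy: reject Invalid, accept Valid and NotFound."""
    roas = list(roas)
    accepted = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        if state == "Invalid" and drop_invalid:
            continue
        accepted.append((prefix, origin, state))
    return accepted


# Constructed sample data: a documentation prefix standing in for Twitter's
# real address space, with the AS numbers quoted in the article.
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 13414)]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 13414),    # the legitimate origin
    ("192.0.2.0/24", 8342),     # the hijack scenario from the article
    ("192.0.2.0/25", 13414),    # right origin, but more specific than maxLength
    ("198.51.100.0/24", 8342),  # address space with no ROA at all
]

if __name__ == "__main__":
    for prefix, origin in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:18} AS{origin:<6} -> {rov_state(prefix, origin, SAMPLE_ROAS)}")
    print("accepted:", filter_routes(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS))
```

Two things the sample shows that the article does not spell out: a ROA protects only against an origin AS that the router bothers to validate, so networks that do not run ROV still accept the Invalid route (which is why hijacks propagate “not far” rather than not at all), and the maxLength field is what stops a more-specific announcement from the right origin being used to win the longest-match tie.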
However, the FCC inquiry announcement notes that Russian networks have acted in suspicious ways before. “Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking, including instances in which traffic has been rerouted through Russia without explanation,” the FCC wrote. “In late 2017, for example, traffic sent to and from Google, Facebook, Apple and Microsoft was quickly routed through a Web service supplier in Russia. That same year, traffic from a number of banks, including Mastercard, Visa, and others was also routed through a Russian government-controlled telecoms company under ‘unusual’ circumstances.”
While RPKI and the Mutually Agreed Norms for Routing Security (MANRS) initiative address such issues, uptake is relatively low, so the FCC’s inquiry seeks ways to increase adoption of BGP defenses.