Use Protection if Peering Promiscuously

Last week, I wrote a blog post discussing the dangers of BGP routing leaks between peers, illustrating the problem using examples of recent snafus between China Telecom and Russia’s Vimpelcom.  This follow-up blog post provides three additional examples of misbehaving peers and further demonstrates the impact unmonitored routes can have on Internet performance and security.  Without monitoring, you are essentially trusting everyone on the Internet to route your traffic appropriately.

In the first two cases, an ISP globally announced routes from one of its peers, effectively inserting itself into the path of the peer’s international communications (i.e., becoming a transit provider rather than remaining a peer) for days on end.  The third example looks back at the China Telecom routing leak of April 2010 to see how a US academic backbone network prioritized bogus routes from one of its peers, China Telecom, to (briefly) redirect traffic from many US universities through China.

Recap: How this works

To recap the explanation from the previous blog (and to reuse the neat animations our graphics folks made), we first note that ISPs form settlement-free direct connections (peering) in order to save on the cost of sending Continue reading

Chinese Routing Errors Redirect Russian Traffic

In recent weeks, Russian President Vladimir Putin announced a plan to enact measures to protect the Internet of Russia. In a speech to the Russian National Security Council he said, “we need to greatly improve the security of domestic communications networks and information resources.” Perhaps he should add Internet routing security to his list because, on a number of occasions in the past year, Russian Internet traffic (including domestic traffic) was re-routed out of the country due to routing errors by China Telecom. When international partners carry a country’s domestic traffic out of the country, only to ultimately return it, there are inevitable  security and performance implications.

Last year, Russian mobile provider Vimpelcom and China Telecom signed a network sharing agreement and established a BGP peering relationship. However, as can often happen with these relationships, one party can leak the routes received from the other and effectively insert itself into the path of the other party’s Internet communications. This happened over a dozen times in the past year between these two providers. This is a general phenomenon that occurs with some regularity but isn’t often discussed in BGP security literature. In this blog post, we’ll explore the issue Continue reading

Why Far-Flung Parts of the Internet Broke Today

VolumeDrive is a Pennsylvania-based hosting company that uses Cogent and (since late May of this year) Atrato for Internet transit. A routing leak this morning by VolumeDrive was passed on to the global Internet by Atrato causing disruptions to traffic in places as far-flung from the USA as Pakistan and Bulgaria.

Background

The way Internet transit is supposed to work in BGP is that a provider announces the global routing table to its customers (i.e., a large number of routes). Then, in turn, the customers announce local routes to their respective providers (generally a small number of routes). Each customer selects the routes it prefers from the options it receives. When a transit customer accidentally announces the global routing table to back one of its providers, things get messy. This is what happened earlier today and it had far-reaching consequences.

At 06:49 UTC this morning (18-September), VolumeDrive (AS46664) began announcing to Atrato (AS5580) nearly all the BGP routes it learned from Cogent (AS174). The resulting AS paths were of the following format:

    … 5580 46664 174 …

Normally, VolumeDrive announces 39 prefixes (networks) to Atrato: 27 it originates itself and 12 it transits for two of its downstream Continue reading

Sprint, Windstream: Latest ISPs to hijack foreign networks

Last year my colleague Jim Cowie broke a story about routing hijacks that resulted in Internet traffic being redirected through Iceland and Belarus. Unfortunately, little has changed since then and the phenomenon of BGP route hijacking continues unabated and on an almost daily basis.

In the past three days, the situation has gone from bad to downright strange as we have observed a flurry of this activity. Now, for the first time, we’re seeing major US carriers, Sprint and Windstream, involved in hijacking, along with the return of an operation out of Poland targeting Brazilian networks. We see router misconfigurations regularly in BGP data – could these incidents also be explained by simple command-line typos?

Route hijacking continues

In May my colleague, Earl Zmijewski gave a presentation about routing hijacks at the LINX 85 meeting, describing a comprehensive system that can be used to identify suspicious hijacks on a global basis and without any prior knowledge about the networks involved. While we now detect suspicious routing events on an almost daily basis, in the last couple of days we have witnessed a flurry of hijacks that really make you scratch your head.

To mention a few recent events, last Continue reading

No turning back: Russia activates Crimean cable

The Crimean peninsula depends critically on the Ukrainian mainland for infrastructure services: power, water, and Internet. That has begun to change in the last few days, as Crimean ISPs began receiving their first Internet services over the newly constructed Kerch Strait Cable, linking Crimea with the Russian mainland. The message: there is no turning back now in the process of infrastructure consolidation.

At Medvedev’s direction, Russian state-owned telecommunications company Rostelecom quickly constructed a submarine cable across the Kerch Strait at a cost of 400-900 million rubles (11-25 million US dollars). On April 25th, Rostelecom announced that the cable was completed.

But laying a short cable through shallow littoral waters is simple work, compared to the process of convincing Crimea’s ISPs to accept Internet service — any Internet service — from a Russian carrier. April passed, and then May, and June. We knew that when the Continue reading

Kurdish ISPs enable growth of Iraqi Internet

The recent violence in Iraq and the government’s actions to block social media and other Internet services have put a spotlight on the Iraqi Internet. However, an overlooked but important dynamic in understanding the current Iraqi Internet is the central role Kurdish ISPs play in connecting the entire country to the global Internet.

In the past five years, the Internet of Iraq has gone from about 50 networks (routed prefixes) to over 600. And what is most noteworthy this that the growth has not occurred as a result of increased connectivity from the submarine cable landing at Al Faw, as would be expected in a typical environment. Instead the dominant players in the Iraqi wholesale market are two Kurdish ISPs that connect to the global Internet through Turkey and Iran: Newroz and IQ Networks.

Help from the Kurds

The Iraqi Kurdistan region contains four main cities: Erbil, Duhok, Zakho and Sulaymaniyah. Newroz covers the first three, while IQ Networks provides service in the last. However, it would be incorrect to simply classify these providers as city-level retail ISPs. They also carry significant amounts of traffic for the rest of the country.

From the relative peace and stability of Continue reading

Amid raging violence, Iraq orders Internet shutdowns

Update (10:00ET, 14-Jun-2014): See below for a copy of Friday’s Iraqi MoC order to disconnect social media.

Iraq is descending into further violence, as militant group ISIL takes control of Mosul and beyond. Renesys has observed two large Internet outages this week (here and here) that our sources confirmed to be government-directed outages. These interruptions appear to coincide with military operations, amid concerns that ISIL forces are using Internet websites to coordinate their attacks.

2nd massive outage this week in Iraq at 14:27UTC lasted over 3hrs. ISPs Earthlink, IQNetworks impacted pic.twitter.com/pR8ab7jFAa

— Renesys Corporation (@renesys) June 12, 2014

#iraq-i government to shutdown internet in #Nenwah #Kirkuk #salah_al_deen #alanbar #leaked -no prove- #email #ISIS pic.twitter.com/eM3OqkVzyo

— Jassey (@eng_mohamedarif) June 12, 2014

The screencapture image in this tweet shows an email message announcing the latest shutdown. It reads:

Dear Valued customers

Due to the current security situation in iraq and as per the MOC instruction sent by the PM Mr Nori Kamel Al-Maliki ,the internet service will be suspended for the below provinces until further notice starting from today Thursday 12/6/2014 , Continue reading

Beware the Ides of March: Subsea Cable Cut Trend Continues

Earlier this month, the International Cable Protection Committee, a submarine cable advisory group, held their annual plenary in Dubai. One question that they could have considered is: Why do so many submarine cables get cut in the February/March timeframe? In this blog, we’ll look back at the last three years and the submarine cable industry’s own version of March Madness.

2012

Two years ago in February 2012, we saw a rash of closely-timed submarine cable cuts, causing Internet disruptions extending into March. In one incident, three cables were simultaneously severed in the Red Sea on February 17th, and then a fourth was damaged on the 25th off the coast of Kenya. The fourth cable was the TEAMS (The East African Marine System) cable systems, which runs from Mombasa to Fujairah, UAE.