Mobile internet traffic from multiple carriers in Europe was routed through China Telecom for more than two hours on June 6 because of a BGP route leak.
Internet traffic crosses multiple networks on its way to its destination. Each hop along that path is the product of routing policies and rules. Autonomous systems, such as Internet Service Providers (ISPs), use the Border Gateway Protocol (BGP) to exchange routing information with one another.
The Internet Engineering Task Force (IETF) defines a BGP route leak, in RFC 7908, as "the propagation of routing announcement(s) beyond their intended scope". A leak can redirect traffic along a path where it could be eavesdropped on or analyzed.
The problem originated at Safe Host, a Swiss data center colocation company operating as autonomous system number (ASN) AS21217, which leaked more than 70,000 routes to China Telecom (AS4134).
Safeguards work, when implemented
Doug Madory, Director of Oracle's Internet Analysis division, says that among the most affected networks were Swisscom (AS3303) of Switzerland, KPN (AS1130) of the Netherlands, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France.
When China Telecom received the leaked routes, it announced them further onto the internet, effectively interposing itself in the path between source and destination.
There are protections an autonomous system can set up to prevent the propagation of route leaks, such as prefix filters and maximum-prefix limits on customer sessions, as well as procedures to quickly detect and remediate leaks when they do occur.
China Telecom evidently did not have such safeguards in place and passed the routes along to the rest of the internet as if they were its own.
“Often routing incidents like this only last for a few minutes, but in this case many of the leaked routes in this incident were in circulation for over two hours.”
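The following is an added example, not code from the article or from any of the networks it names, of what the detection side of those safeguards looks like. It runs two checks over a handful of constructed BGP updates: a valley-free check of each AS_PATH against a table of AS relationships, which flags the RFC 7908 "hairpin" leak (a route learned from a provider or peer being re-exported to another provider or peer), and a per-neighbour prefix count, the same idea as a maximum-prefix limit on a BGP session. The ASNs are the ones mentioned above, but the relationship table, the observer AS (AS64496, from the documentation range) and the updates are assumptions constructed for the example, not facts about those networks.

```python
"""Spotting a route leak in received BGP updates (added example).

Two checks an AS can run on the routes it receives:
  1. a valley-free check of the AS_PATH against a table of AS relationships,
     which catches the hairpin leak defined in RFC 7908 (a route learned from
     a provider or a peer re-exported to another provider or peer);
  2. a per-neighbour prefix count, the same idea as the max-prefix limit that
     BGP implementations let an operator set on a session.

The relationship table and the updates are constructed for this example. The
ASNs are the ones the article names; the relationships assigned to them here
are assumptions, not facts about those networks.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

OBSERVER_AS = 64496  # hypothetical observer, taken from the documentation ASN range

# RELATIONS[(a, b)] = what b is to a ("provider", "customer" or "peer").
# ASSUMPTION: illustrative only.
RELATIONS: Dict[Tuple[int, int], str] = {
    (21217, 3303): "provider", (3303, 21217): "customer",  # Swisscom sells transit to Safe Host (assumed)
    (21217, 1130): "provider", (1130, 21217): "customer",  # KPN sells transit to Safe Host (assumed)
    (21217, 4134): "provider", (4134, 21217): "customer",  # China Telecom sells transit to Safe Host (assumed)
    (4134, OBSERVER_AS): "peer", (OBSERVER_AS, 4134): "peer",
    (3303, OBSERVER_AS): "peer", (OBSERVER_AS, 3303): "peer",
}

# Constructed updates as received by OBSERVER_AS. as_path is in wire order:
# as_path[0] is the neighbour that sent the update, as_path[-1] is the origin.
SAMPLE_UPDATES = [
    {"neighbor": 4134, "prefix": "192.0.2.0/24",    "as_path": [4134, 21217, 3303]},
    {"neighbor": 4134, "prefix": "198.51.100.0/24", "as_path": [4134, 21217, 1130]},
    {"neighbor": 4134, "prefix": "203.0.113.0/24",  "as_path": [4134, 21217]},
    {"neighbor": 3303, "prefix": "192.0.2.0/24",    "as_path": [3303]},
]


def find_leak(as_path: List[int], observer: int = OBSERVER_AS) -> Optional[Tuple[int, int, int]]:
    """Return (leaking_as, learned_from, announced_to) for the first hop that
    breaks the export rules, or None if the path is valley-free.

    Export rules: a route learned from a customer may be sent to anyone; a
    route learned from a provider or a peer may only be sent to customers.
    Hops whose relationship is not in the table are not judged.
    """
    full = [observer] + list(as_path)
    # full[i] learned the route from full[i + 1] and announced it to full[i - 1].
    for i in range(1, len(full) - 1):
        announced_to, this_as, learned_from = full[i - 1], full[i], full[i + 1]
        upstream = RELATIONS.get((this_as, learned_from))
        if upstream == "customer":
            continue  # customer routes may be exported anywhere
        downstream = RELATIONS.get((this_as, announced_to))
        if upstream is None or downstream is None:
            continue  # unknown relationship, cannot judge this hop
        if downstream != "customer":
            return (this_as, learned_from, announced_to)
    return None


def scan_updates(updates: List[dict], observer: int = OBSERVER_AS) -> List[dict]:
    """Return the updates whose AS_PATH contains a leak, with the leak attached."""
    leaked = []
    for upd in updates:
        leak = find_leak(upd["as_path"], observer)
        if leak is not None:
            leaked.append({**upd, "leak": leak})
    return leaked


def over_prefix_limit(updates: List[dict], limits: Dict[int, int]) -> Dict[int, int]:
    """Neighbours that announced more prefixes than their configured limit.

    A max-prefix limit is a blunt control, but it is the one that reacts to a
    sudden flood of routes on a session that normally carries a handful.
    """
    counts = Counter(upd["neighbor"] for upd in updates)
    return {n: c for n, c in counts.items() if n in limits and c > limits[n]}


if __name__ == "__main__":
    for upd in scan_updates(SAMPLE_UPDATES):
        leaker, src, dst = upd["leak"]
        print(f"LEAK {upd['prefix']}: AS{leaker} re-exported a route learned from AS{src} to AS{dst}")
    print("over limit:", over_prefix_limit(SAMPLE_UPDATES, {4134: 2, 3303: 50}))
```

Two points worth noting. The valley-free check only works as well as the relationship table behind it, which is why in practice operators filter customer sessions with explicit prefix lists rather than inferring relationships. And RPKI origin validation would not have flagged this incident, because the leaked routes still carried their legitimate origin ASNs; the problem was in the AS_PATH, which is what the IETF's ASPA work and path-based filtering address.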
Users noticed the detour and voiced their concerns on Twitter. For instance, traffic between two nearby locations in the Netherlands, the city of Haarlem and Amsterdam, was taking a detour through China.
— Wieger Bontekoe (@wbontekoe) June 6, 2019
The first suspicion was BGP hijacking, in which an AS deliberately advertises prefixes belonging to another AS in order to pull traffic through its own infrastructure. A route leak, by contrast, is typically the result of a misconfiguration that propagates routes further than intended.
For affected users, the consequences of this incident were slow internet connectivity or servers that could not be reached at all.