Mysterious Re-Routing Of Google Traffic Could Have Been An Attack, Or Just A Glitch

Some web services provided by internet giant Google were briefly disrupted today after a Google Cloud IP issue that the company described in a blog post as “external” and under investigation, though what exactly happened remains unclear.

According to the Wall Street Journal, some Google services were “temporarily unreachable for some users after some traffic intended to reach the web giant was rerouted through other networks,” though the company has not publicly disclosed whether it has determined the issue was a technical error or a hacking attempt. The AP reported, however, that the re-routing may have been the result of a border gateway protocol hijacking attack—in which an internet hub responsible for directing global internet traffic lanes is compromised to send that traffic to the wrong destinations. Intelligence company ThousandEyes’ Alex Henthorn-Iwane told the AP some of Google’s search and cloud hosting services were routed through Russian (Transtelecom), Chinese (China Telecom), and Nigerian (MainOne) telecommunications companies:

Alex Henthorn-Iwane, an executive at the network-intelligence company ThousandEyes, called Monday’s incident the worst affecting Google that his company has seen. He said he suspected nation-state involvement because the traffic was effectively landing at state-run China Telecom. A recent study by U.S. Naval War College and Tel Aviv University scholars says China systematically hijacks and diverts U.S. internet traffic.

Global internet traffic routing systems are potentially vulnerable because, in an era where the internet has become one of the world’s foremost geopolitical battlegrounds, the independence and neutrality of providers are not always certain. Henthorn-Iwane told the AP he suspected that the attack could have been a “war-game experiment.”

However, Google told the Journal they had no reason to believe the incident was malicious in nature. In a blog post, ThousandEyes conceded the incident could simply have been a technical glitch relating to the BGP peering agreements between MainOne and China Telecom, the biggest fixed-line service in China:

Our analysis indicates that the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom. MainOne has a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom. While we don’t know if this was a misconfiguration or a malicious act, these leaked routes propagated from China Telecom, via TransTelecom to NTT and other transit ISPs. We also noticed that this leak was primarily propagated by business-grade transit providers and did not impact consumer ISP networks as much.
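The export rule the MainOne hop appears to have broken in that analysis (a route learned from a peer at the exchange point being passed on to a transit provider) is the kind of thing a route monitor can check mechanically. The following is an added illustration, not code from the article or from ThousandEyes; the ASNs, the prefix and the business relationships are constructed stand-ins, not the real ones.

```python
from typing import Dict, List, Optional, Tuple

# Constructed ASNs standing in for the networks named in the article (not real ASNs).
GOOGLE, MAINONE, CHINA_TELECOM, TRANSTELECOM, NTT, LAGOS_ISP = 1, 2, 3, 4, 5, 6

# Business relationship of the second AS as seen from the first (constructed topology).
RELATIONSHIPS: Dict[Tuple[int, int], str] = {
    (MAINONE, GOOGLE): "peer",               # settlement-free peering at the IXP
    (MAINONE, CHINA_TELECOM): "provider",    # MainOne buys transit from China Telecom
    (MAINONE, LAGOS_ISP): "customer",
    (CHINA_TELECOM, TRANSTELECOM): "provider",  # here China Telecom reaches TransTelecom as a customer
    (TRANSTELECOM, NTT): "peer",
}
INVERSE = {"provider": "customer", "customer": "provider", "peer": "peer"}
# Prefix -> legitimate origin AS, as an ROA or the monitor's own config would record it.
EXPECTED_ORIGIN = {"203.0.113.0/24": GOOGLE}  # constructed documentation prefix

def relationship(a: int, b: int) -> str:
    """How AS a regards AS b, using whichever direction of the pair is stored."""
    if (a, b) in RELATIONSHIPS:
        return RELATIONSHIPS[(a, b)]
    if (b, a) in RELATIONSHIPS:
        return INVERSE[RELATIONSHIPS[(b, a)]]
    raise ValueError(f"unknown relationship between AS{a} and AS{b}")

def find_leaker(as_path: List[int]) -> Optional[int]:
    """Return the first AS that broke the export rule, or None if the path is valley-free.
    as_path is in BGP order (observer first, origin last). An AS may pass a route
    learned from a peer or provider only to its customers; customer routes go anywhere."""
    hops = list(reversed(as_path))  # origin -> ... -> observer
    for i in range(1, len(hops) - 1):
        learned_from = relationship(hops[i], hops[i - 1])
        exported_to = relationship(hops[i], hops[i + 1])
        if learned_from != "customer" and exported_to != "customer":
            return hops[i]
    return None

def check_update(prefix: str, as_path: List[int]) -> str:
    """Classify one BGP update as 'ok', 'origin-hijack' or 'leak via ASn'."""
    if prefix in EXPECTED_ORIGIN and as_path[-1] != EXPECTED_ORIGIN[prefix]:
        return "origin-hijack"  # someone other than the owner originates the prefix
    leaker = find_leaker(as_path)
    return "ok" if leaker is None else f"leak via AS{leaker}"

if __name__ == "__main__":
    # Constructed updates: the leaked path the article describes, then a clean one.
    print(check_update("203.0.113.0/24", [NTT, TRANSTELECOM, CHINA_TELECOM, MAINONE, GOOGLE]))
    print(check_update("203.0.113.0/24", [LAGOS_ISP, MAINONE, GOOGLE]))
```

The first update is flagged at MainOne because a route learned from a peer was exported to a provider; the second is a peer route passed only to a customer, which the rule allows.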

The vast majority of Google network traffic is encrypted using HTTPS, which the AP noted could help prevent any data that was diverted from actually being accessed by a malicious party.

[AP/Wall Street Journal]