The initial hijacking lasted for three minutes, and targeted 80 separate address blocks, according to a blog post published by BGPMon. A second attack started two and half hours later and lasted for another three minutes. However, Qrator Labs suggests that the event actually lasted for two hours uninterrupted, with the number of blocks affected fluctuating throughout.
These communications were using the Border Gateway Protocol (BGP), which routes huge amounts of data around the web. The security implemented on the BGP has come under fire before; earlier in 2017, network traffic pertaining to a host of different financial services was briefly redirected via a telecom company operated by the Russian government, according to Ars Technica.
It’s not uncommon for data to be rerouted via the BGP as a result of user error. For a number of reasons, experts think that this situation was carried out intentionally.
First, there’s the fact that major entities like Microsoft and Google were targeted. Then there is the fact that hijacked IP addresses split up into announced blocks with some specificity, which indicates the guesswork of an attacker rather than an honest mistake.
The hijacking was carried out by an autonomous system known as AS39523, which has long since been inactive, save for an incident in August, which also targeted Google. We don’t know what, if anything, was done with the information that was rerouted. Projects like Logjam have previously set out to develop a means of breaking common encryption methods for such traffic, with little success — but the culprits could have a new technique that allows for some kind of workaround.
This is yet another scenario that goes to show how poor online security is a problem at every level. It’s crucial that users make smart decisions for themselves but the weak points available to attackers run deeper than many of us might realize.
