Google’s services redirected to Romania and Austria

Posted by Andree Toonk - August 23, 2010 - Hijack - 1 Comment

BGP hijacks happen every day, the majority of them don’t affect a large geographic region and only are noticed a small number of users.
Every now and then however we see an event that affects many users, either because of the geographic scale or simply because of the specific prefix that is affected. The latter happened this Sunday for 7 minutes, when the prefix 8.8.8.0/24 was ‘hijacked’.

8.8.8.0/24 is the prefix that serves one of Google’s Open DNS servers, which is available at 8.8.8.8.
A few hours ago 8.8.8.0/24 was announced by AS30890 (EVOLVA Evolva Telecom s.r.l.), a provider from Romania.

This ‘Hijack’ lasted for about 7 minutes, and was detected by 14 RIS peers in 4 unique countries. The majority of these networks learned this announcement through AS6939.
8.8.8.8 Hijack, Open DNS hijack, Google

This is the second time in a month that Google is affected by a hijack. Last month on July 9th, AS42473 (ANEXIA) a provider from Austria announced a more specific of one of Google’s prefixes.
The prefix 74.125.127.0/24 was announced by AS42473. This is a more specific of 74.125.126.0/23, a prefix that hosts many of Google’s public services.
This announcement was later identified as a copy paste mistake, and quickly resolved after the engineers of AS42473 detected the mistake.

This is yet another example of how easy it is to ‘accidentally’ mess with the reachability of prefixes. There’s not a lot we can do about this today, except for strict filtering on the edges and monitoring using services such as BGPmon.net.
Luckily there’s some good progress being made on the Resource Certificate Public Key Infrastructure (RPKI) initiative.
Hopefully RPKI related tools will become available soon, so that it will be easy for operators to deploy this. And although this will not be a full proof mechanism for preventing BGP hijacks, it will prevent us from most of the ‘fat finger’ incidents we see on regular basis.

One comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>