Google has acknowledged a connectivity issue earlier today that saw traffic destined for its Cloud platform end up at a Russian internet provider for over an hour, following an erroneous Border Gateway Protocol (BGP) route advertisement.
Network monitoring company ThousandEyes spotted that traffic going to Google Cloud was taking the wrong route, and called the incident a "potential hijack".
"ThousandEyes BGP Route Visualization shows the 18.104.22.168/19 prefix being leaked into the Internet, which would cause traffic to #Google to be routed via networks in #Russia, #China and #Nigeria" — ThousandEyes (@thousandeyes) November 12, 2018
A /19 prefix contains 8,192 internet protocol addresses, and traffic to these was redirected to a China Telecom router at Russian internet provider TransTeleCom in the Komi Republic, well known for its gulag penal camps during the Soviet era.
Andrée Toonk of OpenDNS-owned internet route monitoring service BGPMon confirmed the traffic redirection, and provided further detail:
"Appears that Nigerian ISP AS37282 'MainOne Cable Company' leaked many @google prefixes to China Telecom, who then advertised it to AS20485 TRANSTELECOM (Russia). From there on others appear to have picked this up." — BGPmon.net (@bgpmon) November 12, 2018
Since Google is blocked in China, the redirected traffic was blackholed and dropped.
Toonk said that the route leak affected 212 unique Google prefixes.
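The chain BGPmon describes can be checked mechanically from the AS paths seen for a monitored prefix. The following Python is an added example, not code from Google, ThousandEyes or BGPmon. AS37282 and AS20485 come from the tweet above and AS15169 is Google's AS number; the prefix, the 645xx documentation ASNs (64500 stands in for China Telecom), the policy, and the treatment of AS37282 as a peer of the origin are constructed assumptions.

```python
import ipaddress

# Constructed policy for one monitored prefix (198.18.0.0/15 is benchmarking space).
# "transit" neighbours may re-export the route to anyone; a "peer" should pass
# it only to its own customers, listed as the value for that peer.
POLICY = {
    "prefix": ipaddress.ip_network("198.18.0.0/19"),
    "origin": 15169,
    "transit": {64496},
    "peers": {37282: {64510}},   # assumption: AS37282 peers with the origin
}

OBSERVED = [  # constructed announcements; AS paths are ordered collector -> origin
    ("198.18.0.0/19", [64499, 64496, 15169]),         # via expected transit
    ("198.18.0.0/19", [64510, 37282, 37282, 15169]),  # peer to its customer, with prepending
    ("198.18.0.0/19", [20485, 64500, 37282, 15169]),  # chain from the tweet, origin unchanged
    ("198.18.8.0/21", [64499, 64501]),                # more-specific from a foreign origin
]

def collapse(path):
    """Drop AS-path prepending (consecutive repeats of one ASN)."""
    return [asn for i, asn in enumerate(path) if i == 0 or asn != path[i - 1]]

def classify(prefix, as_path, policy=POLICY):
    """Return a verdict for one announcement of the monitored prefix or a more-specific."""
    net = ipaddress.ip_network(prefix)
    if net.version != policy["prefix"].version or not net.subnet_of(policy["prefix"]):
        return "unmonitored"
    path = collapse(as_path)
    if not path or path[-1] != policy["origin"]:
        return "origin-mismatch"
    if len(path) == 1 or path[-2] in policy["transit"]:
        return "ok"
    neighbour = path[-2]
    if neighbour not in policy["peers"]:
        return "unexpected-neighbour"
    # A peer re-exporting to anyone outside its customer set is a leak.
    if len(path) == 2 or path[-3] in policy["peers"][neighbour]:
        return "ok"
    return "suspected-leak"

def scan(observed=OBSERVED):
    return [(prefix, path, classify(prefix, path)) for prefix, path in observed]

if __name__ == "__main__":
    for prefix, path, verdict in scan():
        print(f"{verdict:22}{prefix:16}{' '.join(map(str, path))}")
```

The leaked path in the sample still ends in the expected origin AS, so a check on origin alone would accept it; the verdict comes from who re-exported the route.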
Google said the problem has now been sorted out, and that it is looking into measures to prevent it from happening again.
"The issue with Google Cloud IP addresses being erroneously advertised by internet service providers other than Google has been resolved for all affected users as of 14:35 US/Pacific.
"Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google.
"We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimise future recurrence," Google said.
China Telecom was accused of hijacking internet traffic by researchers last month, as part of a large espionage and intellectual property theft effort spanning several years.
It is unclear if today's incident was an accident, or intentional.
“Could be both. It was very visible, with many reports on it, so if done to steal data I'd say it's too visible,” Toonk told iTnews.
“My guess is that's a leak since it wasn't just Google, but also included the [Nigerian ISP] MainOne’s networks and its downstream customers,” he added.