In what could either be an accident or an attempted hijack, a Russian telecommunications carrier briefly advertised itself as the destination for Twitter traffic for more than two hours yesterday.
As noted by Johannes Ullrich of the SANS Institute: “Earlier today, RTComm.ru started to advertise 18.104.22.168/24, a prefix used by Twitter.”
“Hijacking a BGP prefix is one way to block access, but it can also be used to intercept traffic to the respective IP addresses”, Ullrich pointed out.
The mechanism for route hijacking uses the Border Gateway Protocol (BGP), the mechanism by which routers distribute information about which networks can be reached through them.
BGP is an old protocol, first published in 1990, and like many of the Internet’s foundation protocols it wasn’t designed with security in mind.
As the FCC put it in late February when it announced an inquiry into routing vulnerability: “A bad network actor may deliberately falsify BGP reachability information to redirect traffic to itself or through a specific third-party network, and prevent that traffic from reaching its intended recipient”.
Fortunately, as Doug Madory of Internet analysis firm Kentik pointed out in a tweet, Twitter uses a protection mechanism called Resource Public Key Infrastructure (RPKI).
“The hijack didn't propagate far due to a RPKI ROA [route origin authorisation] which asserted AS13414 was the rightful origin,” he said.
Doug Madory (@DougMadory) on Twitter, March 28, 2022: “From 12:05-12:50 UTC, RU telecom RTComm (AS8342) hijacked a prefix (22.214.171.124/24) belonging to Twitter. The hijack didn't propagate far due to a RPKI ROA which asserted AS13414 was the rightful origin. This is the same prefix hijacked during the coup in Myanmar last year.”
As APNIC explains here, RPKI “provides a way to connect Internet number resource information (such as IP addresses) to a trust anchor”.
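To make the ROA mechanism concrete, here is a small added example (not code from the article, Kentik or APNIC) of the route origin validation a router performs when it has RPKI data: for each announcement it looks for ROAs covering the announced prefix and compares the announcing origin AS and prefix length against them, yielding Valid, Invalid or NotFound as described in RFC 6811. The ROA set and the announcements are constructed for the example; they reuse the prefix and the two AS numbers quoted in the article, and the third and fourth announcements are hypothetical additions to show the maxLength and no-ROA cases.

```python
import ipaddress


class Roa:
    """A Route Origin Authorisation: `asn` may originate `prefix`, and any
    more-specific announcement down to `max_length` (defaults to the prefix length)."""

    def __init__(self, prefix, asn, max_length=None):
        self.prefix = ipaddress.ip_network(prefix, strict=False)
        self.asn = asn
        self.max_length = self.prefix.prefixlen if max_length is None else max_length


def validate_origin(announced_prefix, origin_asn, roas):
    """RFC 6811 route origin validation. Returns 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    # A ROA "covers" the announcement when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"  # nobody has registered a ROA for this address space
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by a ROA, but wrong origin AS or more specific than allowed


def apply_policy(announcements, roas):
    """Split announcements into (accepted, rejected) under a 'drop Invalid' policy.
    NotFound routes are accepted, which is the usual operational choice while ROA
    coverage is incomplete."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (rejected if state == "Invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


# Constructed ROA set: the Twitter prefix and origin AS named in the article.
ROAS = [Roa("22.214.171.124/24", 13414)]

# Constructed announcements as a validating router might receive them.
ANNOUNCEMENTS = [
    ("22.214.171.124/24", 13414),  # legitimate origin            -> Valid
    ("22.214.171.124/24", 8342),   # RTComm's announcement        -> Invalid
    ("22.214.171.0/25", 13414),    # right AS, exceeds maxLength  -> Invalid (hypothetical)
    ("192.0.2.0/24", 64496),       # no ROA at all                -> NotFound (hypothetical)
]

if __name__ == "__main__":
    accepted, rejected = apply_policy(ANNOUNCEMENTS, ROAS)
    for entry in accepted:
        print("accept", *entry)
    for entry in rejected:
        print("drop  ", *entry)
```

The second announcement is the situation the tweet describes: the prefix is covered by a ROA, but the origin AS does not match, so a router doing origin validation marks it Invalid and, under a drop-Invalid policy, never installs it, which is why the hijack did not propagate to RPKI-validating networks. The /25 case shows the other way to fail validation: a more-specific announcement from the right AS is still Invalid when the ROA's maxLength does not permit it, which is what stops an attacker from winning the longest-prefix match with a more specific route.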
Madory also noted it’s not the first time Twitter has been a target: “This is the same prefix hijacked during the coup in Myanmar last year”.
While BGP hijacks can be used to disrupt networks or intercept traffic, most such events are accidents, such as when Telstra announced itself as the best route for 500 other networks in 2020.
However, the FCC inquiry announcement notes that Russian networks have behaved in suspicious ways before.
“Russian network operators have been suspected of exploiting BGP’s vulnerability to hijacking, including instances in which traffic has been redirected through Russia without explanation,” the FCC wrote.
“In late 2017, for example, traffic sent to and from Google, Facebook, Apple and Microsoft was briefly routed through an Internet service provider in Russia.
“That same year, traffic from a number of financial institutions, including Mastercard, Visa, and others was also routed through a Russian government-controlled telecommunications company under ‘unexplained’ circumstances.”
While RPKI and the Mutually Agreed Norms for Routing Security (MANRS) initiative address such problems, uptake is relatively low, so the FCC’s inquiry seeks ways to drive up adoption of BGP protections.