In layman's terms, Internet hijacking is the rerouting of internet traffic along a path it was never intended to take, and that is exactly what happened on Monday night into early Tuesday morning (00:30 GMT+3), in an incident that left a number of Google services, including Search, G Suite and Google Cloud, unreachable for many users.
What happened is that traffic destined for Google's networks found its way through Russian and Chinese networks instead. The pattern of misdirection showed the signs of a Border Gateway Protocol (BGP) hijack. BGP is the protocol that networks (autonomous systems such as ISPs) use to tell each other which blocks of IP addresses they can reach; the rest of the internet routes traffic on the basis of those announcements, without any central check that an announcement is truthful.
A routing error, not a flaw in the protocol itself, saw Google's traffic rerouted through Russia, China and eventually Nigeria. BGP hijacking can be used to intercept internet traffic or to disrupt a service, and even though Google dismissed the incident as an accident, the countries the data was rerouted through raised concern.
“Russia, China and Nigeria ISPs… This is obviously very suspicious… It doesn’t look like a mistake,” said Alex Henthorne-Iwane, vice-president of product marketing at ThousandEyes – an internet monitoring firm.
Following the incident, Google said it had seen no signs of malicious hijacking and instead suspected that the Nigerian ISP MainOne had accidentally caused the problem. MainOne later released a statement acknowledging the "leak" and describing it as an error that occurred during a planned upgrade.
“We have investigated the advertisement of Google prefixes through one of our upstream partners. This was an error during a planned network upgrade due to a misconfiguration on our BGP filters. The error was corrected within 74 mins & processes put in place to avoid reoccurrence,” read the statement from MainOne.
Normally, ISPs have protective measures against "route leaks": a network should only announce address blocks it owns or that its own customers own, and an upstream provider should filter what each customer is allowed to announce, so that a customer announcing someone else's address blocks is simply ignored. What appears to have happened is that MainOne's misconfigured BGP filters caused it to re-announce Google's prefixes to its upstream, and the networks in Russia and China that accepted those announcements without filtering them propagated the leaked route and carried Google's traffic towards Nigeria.
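The following toy model shows the two failures that have to coincide for a leak like this to reroute traffic: a customer network whose export policy re-announces a route it learned from a peer, and an upstream that does not filter what that customer may announce. It is an added example, not code from the article or from any network named in it. The AS numbers are from the documentation range (RFC 5398) and the prefixes are TEST-NET blocks (RFC 5737), standing in for Google's and MainOne's real numbers; the customer/peer/provider import and export rules are the standard textbook model, not anything taken from the real routers' configuration, which was never published.

```python
"""Toy model of a BGP route leak and of the customer prefix filter that stops it.

Added example with constructed ASNs (RFC 5398 documentation range) and
prefixes (RFC 5737 TEST-NET). It is not taken from any real router config.
"""
from dataclasses import dataclass

CONTENT_PREFIX = "203.0.113.0/24"    # constructed: stands in for a content provider's prefix
CUSTOMER_PREFIX = "198.51.100.0/24"  # constructed: the customer ISP's own prefix
CONTENT_AS, CUSTOMER_AS, UPSTREAM_AS, FAR_AS = "AS64496", "AS64497", "AS64498", "AS64499"

# Routes from paying customers get the highest local preference. Local preference
# is compared before AS-path length, so a leaked route from a customer beats a
# shorter, legitimate path learned from a peer. That is the mechanism of the leak.
LOCAL_PREF = {"local": 400, "customer": 300, "peer": 200, "provider": 100}
INVERSE = {"customer": "provider", "provider": "customer", "peer": "peer"}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # nearest neighbour first, originating AS last; () for our own prefix
    via: str        # how we learned it: local, customer, peer or provider


class Router:
    def __init__(self, asn, customer_filters=None, leaky_export=False):
        self.asn = asn
        # asn -> prefixes that customer is allowed to announce. None = no filter at all.
        self.customer_filters = customer_filters
        # Misconfigured export policy: announce every route to every neighbour,
        # including routes learned from peers and providers (a route leak).
        self.leaky_export = leaky_export
        self.rib = {}  # prefix -> best Route

    def originate(self, prefix):
        self.rib[prefix] = Route(prefix, (), "local")

    def accept(self, route, from_asn, relationship):
        """Import policy. Returns True if the route became our best path."""
        if relationship == "customer" and self.customer_filters is not None:
            if route.prefix not in self.customer_filters.get(from_asn, set()):
                return False  # prefix-list filter on the customer session rejects it
        if self.asn in route.as_path:
            return False  # AS-path loop prevention
        cand = Route(route.prefix, route.as_path, relationship)
        best = self.rib.get(route.prefix)
        if best is None or rank(cand) > rank(best):
            self.rib[route.prefix] = cand
            return True
        return False

    def export(self, to_relationship):
        """Export policy: our own and customer-learned routes go to everyone;
        routes learned from peers or providers go only to customers."""
        out = []
        for r in self.rib.values():
            if (self.leaky_export or r.via in ("local", "customer")
                    or to_relationship == "customer"):
                out.append(Route(r.prefix, (self.asn,) + r.as_path, r.via))
        return out


def rank(r):
    """Higher is better: local preference first, then shorter AS path."""
    return (LOCAL_PREF[r.via], -len(r.as_path))


def send(src, dst, src_is):
    """Push src's exportable routes to dst; src_is is src's relationship
    as seen by dst (customer, peer or provider)."""
    for r in src.export(to_relationship=INVERSE[src_is]):
        dst.accept(r, src.asn, src_is)


def simulate(upstream_filters_customer, customer_leaks):
    """Return (upstream's AS path, far network's AS path) towards CONTENT_PREFIX."""
    content = Router(CONTENT_AS)
    content.originate(CONTENT_PREFIX)
    customer = Router(CUSTOMER_AS, leaky_export=customer_leaks)
    customer.originate(CUSTOMER_PREFIX)
    filters = {CUSTOMER_AS: {CUSTOMER_PREFIX}} if upstream_filters_customer else None
    upstream = Router(UPSTREAM_AS, customer_filters=filters)
    far = Router(FAR_AS)  # a distant network that buys all its transit from upstream

    send(content, upstream, "peer")       # upstream peers directly with the content provider
    send(content, customer, "peer")       # so does the customer ISP
    send(customer, upstream, "customer")  # the customer ISP announces to its provider
    send(upstream, far, "provider")       # upstream passes its best paths downstream
    return upstream.rib[CONTENT_PREFIX].as_path, far.rib[CONTENT_PREFIX].as_path


if __name__ == "__main__":
    for filtered, leaks in [(False, True), (True, True), (False, False)]:
        up, far = simulate(filtered, leaks)
        print(f"upstream filters={filtered!s:5} customer leaks={leaks!s:5} "
              f"upstream path={up} far path={far}")
```

Only when the customer leaks and the upstream does not filter does the upstream's best path to the content prefix swing to the customer (the leaked two-hop path wins over the direct peering because customer routes carry a higher local preference), and everyone downstream of the upstream inherits that detour. Either fix on its own, a correct export policy at the customer or a prefix filter at the upstream, leaves the direct path in place.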
Then again, ThousandEyes researcher Ameet Naik points out that the incident put Google traffic in the hands of ISPs in countries with a long history of internet surveillance. Google has yet to reveal how many users were affected, although ThousandEyes says this is the worst incident affecting Google traffic yet and raises the possibility of it being a "war-game experiment", a chilling sign of worse, wider-scale attacks of the same kind in future.