Moscow Traffic Jam

17 January 2018

Moscow is famous for its traffic jams, with governments continually fighting that particular problem. Nevertheless, the beginning of 2018 was marked by a new traffic bottleneck, this one created with the help of BGP misdirection. At 12:01 UTC on 17.01.2018, AS8901, belonging to the Moscow City Government, started leaking prefixes between its upstreams: Rostelecom (AS12389) and Comcor (AS8732). The redirection peaked at 70000 affected prefixes.

The active phase of the anomaly lasted just 15 minutes, followed by a long tail of stuck routes found in the BGP tables of several ISPs. For example, at the looking glass operated by SG.GS (AS24482), we were able to find the following route at the time of writing:

5.121.176.0/20     *[BGP/170] 02:22:00, MED 18510, localpref 200, from 203.175.175.45
                      AS path: 8732 8901 8901 8901 8901 12389 6453 3320 48159 44244 I, 

While this leak had limited propagation through the upstreams and Tier-1 providers (3.8% of the overall number of leaked prefixes), it still had a significant effect on Comcor's peering network. The anomaly mainly influenced Russian traffic, but it affected other regions as well. All that redirected traffic was presumably lost: there is little chance that the Moscow Mayor's network could process such a traffic volume, which made various services partially unavailable. The list of victims includes prefixes originated by Amazon, Alibaba, Microsoft, LinkedIn, and others. The final impact might have been even worse, but all the leaked routes were prepended 4 times by AS8901, making them less preferable.
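The following Python check is an added example, not part of the original article. It flags this leak pattern in an AS path using only the relationship the article states (AS12389 and AS8732 are upstreams of AS8901); the function and field names are hypothetical.

```python
from itertools import groupby

# Relationship stated in the article: AS8901's upstreams (providers).
PROVIDERS = {8901: {12389, 8732}}

# AS path from the looking-glass route quoted above.
# Leftmost AS is nearest the observer, rightmost is the origin.
SAMPLE_PATH = "8732 8901 8901 8901 8901 12389 6453 3320 48159 44244"


def collapse(path):
    """Parse an AS path and collapse prepends into (asn, occurrences) pairs."""
    asns = [int(tok) for tok in path.split()]
    return [(asn, len(list(run))) for asn, run in groupby(asns)]


def find_leaks(path, providers=PROVIDERS):
    """Return one finding per customer AS that sits between two of its providers.

    A route learned from one provider must not be exported to another
    provider, so provider -> customer -> provider in a path is a route leak.
    ASes with no entry in `providers` are not evaluated.
    """
    hops = collapse(path)
    findings = []
    for (left, _), (mid, count), (right, _) in zip(hops, hops[1:], hops[2:]):
        ups = providers.get(mid, set())
        if left in ups and right in ups and left != right:
            findings.append({
                "leaker": mid,
                "learned_from": right,   # closer to the origin
                "leaked_to": left,       # closer to the observer
                "occurrences": count,    # times the leaker appears (prepending)
            })
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_PATH):
        print(finding)
```

A peer of AS8732 could run the same test on routes received over the peering session and reject any path that produces a finding.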

We can distinguish two major reasons for this incident:

  1. Both ingress and egress filters between Comcor's and the Moscow City Government's networks suddenly disappeared;

  2. The absence of filters between Comcor and its peers (private and through IX) made this anomaly global.

Peering is a crucial part of interdomain routing. However, when you rely on the expertise of your peering partner without any backup on your side, you also delegate to them control over the connectivity and availability of your own and your customers' services. We believe that ISPs should consider adding filters or other controls not only on customer-related links (where it is their obligation) but on peering links as well.
