Date: 2017-04-28

Traffic destined for several networks, including Visa and Mastercard, was briefly redirected to Rostelecom on Wednesday, BGPmon reported.

Rostelecom is a Russian state-owned network operator.

Several other networks were also affected, including Internet Solutions in South Africa, reported BGPmon.

This is not the first time something like this has happened, with the IS ADSL network wiped off the Internet in 2013 when a local operator hijacked its address space.

Such hijacking, whether inadvertent or not, is often due to human errors which creep into border gateway protocol (BGP) configurations.

To help devices which route network traffic send data to where it needs to go, BGP groups blocks of Internet Protocol addresses together in what is termed an Autonomous System (AS).

An AS, according to RFC 1930, is “a connected group of one or more IP prefixes run by one or more network operators which has a single and clearly defined routing policy”.

In practice, an AS may belong to a single network operator.

BGPmon reported that Rostelecom hijacked IP addresses from AS3741. This AS number belongs to Internet Solutions and contains 3,079,168 addresses grouped into several blocks, according to IPInfo.

“Curious”

BGPmon said the hijacking was likely inadvertent, but it was curious that so many financial institutions were affected.

The other curious element is that this does not seem to be a typical BGP “leak”, it said.

A prefix for HSBC that normally exists as 203.112.90.0/23 was announced differently by Rostelecom, with the more specific /24 prefix.

“So someone, likely Rostelecom (AS12389) is inserting it in their routing tables themselves,” said BGPmon.

“The question is why. One typical scenario where this is normally done is because of some kind of traffic engineering or traffic redirection.”
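The /23 versus /24 detail matters because routers prefer the longest matching prefix, so a more specific announcement attracts traffic even while the legitimate route is still present. The Python sketch below is an added example, not code from BGPmon or Internet Solutions: it checks observed announcements against an expected-origin baseline and shows which route wins. AS64500 is a documentation-range placeholder for the legitimate origin, which the article does not give, and the announcement list is constructed.

```python
import ipaddress

# Constructed baseline: prefix -> expected origin AS. 203.112.90.0/23 is the
# HSBC prefix named in the article; AS64500 is a documentation-range
# placeholder because the article does not give the legitimate origin.
EXPECTED = {ipaddress.ip_network("203.112.90.0/23"): 64500}

ROSTELECOM = 12389  # AS12389, as named by BGPmon


def classify(prefix, origin_as, expected=EXPECTED):
    """Compare one observed announcement against the baseline."""
    net = ipaddress.ip_network(prefix)
    for known, owner in expected.items():
        if net.version != known.version:
            continue
        if net == known:
            return "ok" if origin_as == owner else "origin-mismatch"
        if net.subnet_of(known):
            # A longer prefix inside monitored space wins route selection.
            return "ok-more-specific" if origin_as == owner else "more-specific-hijack"
        if known.subnet_of(net) and origin_as != owner:
            return "covering-less-specific"
    return "unmonitored"


def best_route(dest_ip, table):
    """Longest-prefix match over (prefix, origin_as) pairs; None if no match."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(p), asn) for p, asn in table]
    matches = [(n, asn) for n, asn in matches if addr in n]
    if not matches:
        return None
    net, asn = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), asn


# Constructed routing view during the event described above.
TABLE = [("203.112.90.0/23", 64500), ("203.112.90.0/24", ROSTELECOM)]

if __name__ == "__main__":
    for prefix, asn in TABLE:
        print(prefix, f"AS{asn}", classify(prefix, asn))
    print(best_route("203.112.90.10", TABLE))  # inside the /24
    print(best_route("203.112.91.10", TABLE))  # only the /23 covers it
```

Addresses in the upper half of the /23 keep following the legitimate route, which is why a more-specific announcement can affect only part of a network's address space.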

Limited impact

Internet Solutions said Rostelecom hijacking part of its address space had limited impact on its services.

Reachability to addresses in the affected prefix range was interrupted for a short period, it said.

“Our team was alerted of the incident, which facilitated a response on our side to prevent malicious intent,” said Internet Solutions.

“Internet Solutions makes use of different techniques to prevent our prefix from being hijacked. One of those is the use of the RIPE database to enforce route exchange policy with our upstream peers. We use different tools to proactively monitor for these occurrences and adjust our responses according to the attack vector.”

It said there is no indication that Rostelecom intentionally targeted the IS prefix. The services that reside within it are “limited”, it said.