Sprint, Windstream traffic routing errors hijacked other ISPs
In simple words, it is like putting road signs on the Internet where Sprint and Windstream say to the world:
“Hey guys, send all traffic for the following networks to us: Telesmart (Macedonia), SaudiNet (Saudi Arabia), a network from Gaza, one from Iceland, and three from China”
(all their traffic are belong to us ...)
The effect is that the traffic does not reach its destination, or that it transits via another network as was the case for Telesmart.
Quotes from http://www.renesys.com/2014/09/latest-isps-to-hijack :
From 13:56 UTC on Tuesday (9-September) to 15:56 UTC on Wednesday (10-September), US wireless carrier #Sprint (AS1239) started hijacking a prefix (184.108.40.206/22) from Telesmart, an ISP in Macedonia. What was interesting was that once traffic arrived at Sprint, it continued onto Cogent and finally onto its intended destination at Telesmart in Skopje. Was this an accidental #man-in-the-middle (#MITM) or something else?
The same day #Windstream (AS7029) began announcing 220.127.116.11/24 (SaudiNet), which is normally announced by Saudi Arabian incumbent, Saudi Telecom. Unlike the previous Sprint example, traceroutes to this prefix along the Windstream route died within Windstream, effectively knocking this network off the Internet for anyone accepting the bogus route. Then on Wednesday, Windstream announced a handful of strange routes for about 10 hours including one from Gaza, one from Iceland, and three from China — all more-specifics of existing routes, ensuring their global propagation and acceptance.
There is a potentially innocent explanation to this example. Perhaps, these address ranges were ones that Windstream deemed to be sources of bad traffic and so was “blackholing” them internally, a relatively common practice. In this scenario, we could have simply witnessed Windstream inadvertently leaking internal routes to the global Internet for 10 hours.
PS: Also an interesting reference in a larger context: at this year’s #Defcon 22 conference, Luca Bruno and Mariano Graziano from eurecom.fr (“a leading teaching and research institution in the fields of information and communication technologies”) gave a talk about vulnerabilities in some ISPs’ public #looking_glass utilities that would allow an attacker to remotely modify #router configurations.
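The two patterns in the quotes above (an existing prefix announced by a different origin AS, and a more-specific of an existing route) can be checked against a baseline of expected origins. The sketch below is an added example, not code from Renesys or from this post; the prefixes and AS numbers are constructed documentation values and the function names are hypothetical.

```python
import ipaddress

# Constructed baseline of legitimate origins (documentation prefixes and ASNs).
BASELINE = {
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}

def classify(prefix, origin_as, baseline=BASELINE):
    """Compare one observed announcement against the baseline."""
    net = ipaddress.ip_network(prefix)
    if net in baseline:
        return "ok" if baseline[net] == origin_as else "origin-mismatch"
    # A covering baseline prefix means the announcement is a more-specific.
    for known, owner in baseline.items():
        if net.version == known.version and net.subnet_of(known):
            if owner == origin_as:
                return "more-specific-same-origin"
            return "more-specific-foreign-origin"
    return "unknown-prefix"

def forwarding_origin(dest, routes):
    """Longest-prefix match: the origin AS that traffic to dest will follow."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), asn) for p, asn in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    # The most specific (longest) prefix wins, whoever announced it.
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed feed of observed announcements: (prefix, origin AS).
OBSERVED = [
    ("198.51.100.0/24", 64500),    # legitimate announcement
    ("203.0.113.0/24", 64511),     # same prefix, different origin
    ("198.51.100.128/25", 64511),  # more-specific from another AS
]

def alerts(observed=OBSERVED):
    """Return every observed announcement that deviates from the baseline."""
    results = [(p, asn, classify(p, asn)) for p, asn in observed]
    return [r for r in results if r[2] != "ok"]

if __name__ == "__main__":
    for alert in alerts():
        print(alert)
    # Traffic to the upper half of the /24 follows the /25, not the owner.
    print(forwarding_origin("198.51.100.200", OBSERVED))
```

The `forwarding_origin` result shows why a more-specific is accepted and followed even while the legitimate covering route is still present: longest-prefix match prefers it regardless of who announced it.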