Apple has emerged victorious from a battle with Russian telecommunications operator Rostelecom, after the latter sent fake route announcements that redirected traffic destined for the American company’s servers into Rostelecom’s own network.
Network Engineer Aftab Siddiqui at the Mutually Agreed Norms for Routing Security (MANRS) project wrote that Rostelecom began advertising routes for part of Apple’s network via Border Gateway Protocol (BGP) for just over 12 hours on July 26-27.
“The effect was that Internet users in certain parts of the Internet trying to connect to Apple services may have been redirected to the Rostelecom network,” Siddiqui wrote.
Siddiqui said the block of Apple Internet Protocol addresses affected by the apparent hijacking of traffic by the Rostelecom Autonomous System (AS) 12389 network was 126.96.36.199/19 assigned to the US tech giant.
A /19 IP block contains 8192 network addresses, and Siddiqui said the prefix is part of Apple’s larger 188.8.131.52/8 allocation.
Apple does not use Route Origin Authorization (ROA), which uses Resource Public Key Infrastructure (RPKI) cryptographically signed objects to attest that an originating AS is authorized to advertise network prefixes.
ROA validation prevents false BGP route advertisements between networks, which avoids sending traffic to the wrong destination.
Without ROA, Siddiqui said the only option during a route diversion is to announce more specific routes.
“That’s exactly what Apple Engineering did today; after learning of the hack, they started advertising 184.108.40.206/21 to direct traffic to AS714,” Siddiqui said.
AS714 is assigned to Apple Engineering, and Rostelecom also began announcing a route to this network at the same time.
Rostelecom’s route announcements spread around the world, with BGP monitoring systems picking them up and flagging them as potential traffic hijacking attempts.
Siddiqui pointed out that this is not the first time that Rostelecom has diverted routes.
In 2020, Qrator Labs noted that Rostelecom’s AS12389 announced prefixes for many well-known companies such as Akamai, Cloudflare, Hetzner, Digital Ocean and Amazon Web Services.
Rostelecom has not explained why it originated routes for the Apple Engineering network.
Apple has been contacted to comment on the event, which services were affected, and whether any traffic passed through Rostelecom’s network.
BGP hijackings have long been a scourge of the Internet.
Some of the incidents were accidental misconfigurations, such as the 2004 event in which Turkish provider TTNet announced routes for effectively the entire internet, meaning millions of users were unable to access legitimate websites for hours.
Others, such as Iran Telecommunications’ 2018 hijacking of Telegram prefixes, suggest nation-state involvement.
Criminals have also been known to use BGP hijacking to steal traffic, such as in February this year when South Korean cryptocurrency platform KlaySwap was attacked and nearly $2 million in funds was stolen.
Siddiqui said network operators have a responsibility to ensure a robust and secure routing infrastructure globally, which includes having valid ROAs for all their resources.
“Your network security depends on a routing infrastructure that stops bad actors and mitigates accidental misconfigurations that wreak havoc on the Internet.
The more network operators work together, the fewer incidents there will be and the less damage they can do,” Siddiqui said.