BGP Hijacking and Other Routing Attacks and Problems
Intentional BGP Hijacking
Organizations like the NSA manipulate Internet routing to make certain traffic easier to intercept. The NSA calls it "network shaping" or "traffic shaping".
The same techniques make their way to organized crime.
A criminal group used a large reservoir of trusted IP
addresses, malware installed on millions of computers,
and BGP route hijacking to cause billions of false
ad impressions and defraud advertisers out of $29 million.
Google and Whiteops analysis
Ars Technica article
October-November 2018 —
An
article
in Military Cyber Affairs
accused the Chinese government of manipulating BGP routing
in order to intercept Internet traffic.
That was followed by a
blog posting
from Oracle's Internet Intelligence about BGP
misdirection through China in 2015 through 2017.
China’s Maxim — Leave No Access Point
Unexploited: The Hidden Story of
China Telecom’s BGP Hijacking
China Telecom's Internet Traffic Misdirection
Soon after, for 83 minutes on 12 November,
traffic to large blocks of Google-owned IP space was
routed through China Telecom, TransTelecom in Russia,
and MainOne, a small ISP in Nigeria.
The ThousandEyes network-monitoring and analysis organization
commented:
"This incident further underscores one of the fundamental
weaknesses in the fabric of the Internet.
BGP was designed to be a chain of trust between
well-meaning ISPs and universities that blindly
believe the information they receive.
It hasn’t evolved to reflect the complex commercial
and geopolitical relationships that exist between
ISPs and nations today."
ThousandEyes on 12 Nov 2018 event
Ars Technica report
April 2018 — Someone took over part of Equinix, an ISP in Columbus, Ohio, USA, causing it to advertise a preferred route for a block of addresses that includes Amazon's Route 53 DNS service. A fake DNS server at Equinix then provided misleading answers for address queries about MyEtherWallet.com, and discarded all other queries.
The result was that some users of MyEtherWallet.com,
a cryptocoin wallet app, had their traffic misdirected
to a man-in-the-middle attack.
There are
reports
that over $150,000 in Ethereum was stolen through
this attack.
Some users of other services using Route 53, such as
Instagram, were unable to reach their desired server.
ThousandEyes on AWS Route 53 DNS and BGP hijack
December 2017 —
Network traffic to and from Google, Facebook, Apple,
Microsoft, Mail.ru, Vkontakte,
and other prominent sites was misrouted through
AS39523, an obscure Russian network.
BGPmon analysis
Qrator analysis
Ars Technica article
April 2017 —
Network traffic to and from MasterCard, Visa, and over
two dozen other financial institutions was misrouted through
Rostelecom, a telco controlled by the Russian government.
BGPmon analysis
Ars Technica article
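The incidents above (Google prefixes routed through China Telecom, the Route 53 block at Equinix, AS39523 and Rostelecom originating other networks' prefixes) all share one feature: a route appeared whose origin AS or prefix length did not match what the legitimate address holder had authorized. The script below is an added example, not code from this page or from any of the cited reports. It performs RFC 6811 style route origin validation against a small, constructed set of ROAs, using only documentation prefixes (RFC 5737) and documentation AS numbers (RFC 5398), and classifies constructed announcements as Valid, Invalid, or NotFound the way an RPKI-aware router or route monitor would.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix, and any
    more-specific of it, up to max_length bits."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A received BGP route; the rightmost AS in as_path is the origin."""
    prefix: ipaddress.IPv4Network
    as_path: tuple


def validate(roas, ann):
    """RFC 6811 style origin validation.

    NotFound: no ROA covers the prefix, so there is nothing to compare against.
    Valid:    some covering ROA names the announced origin AS and permits
              this prefix length.
    Invalid:  ROAs cover the prefix but none matches; either the origin AS is
              wrong (origin hijack) or the prefix is more specific than the
              holder authorized (more-specific hijack or leak).
    """
    origin = ann.as_path[-1]
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin and ann.prefix.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def triage(roas, announcements):
    """Return (prefix, origin AS, status) per announcement; a monitor watching
    its own prefixes would alert on every Invalid result."""
    return [(str(a.prefix), a.as_path[-1], validate(roas, a)) for a in announcements]


# Constructed data. AS64496 plays the legitimate holder of 203.0.113.0/24 and
# has authorized nothing more specific than the /24 itself (max_length 24).
ROAS = [
    ROA(ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
]

ANNOUNCEMENTS = [
    # Legitimate route, reaching us through transit AS64500.
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64500, 64496)),
    # Origin hijack: an unrelated AS originates the same prefix.
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64500, 64511)),
    # More-specific hijack: a /25 inside the holder's /24 from a third party.
    Announcement(ipaddress.ip_network("203.0.113.0/25"), (64500, 64501, 64511)),
    # Prefix with no ROA at all: nothing to validate against.
    Announcement(ipaddress.ip_network("198.51.100.0/24"), (64500, 64497)),
]


def classify(prefix_str, as_path, roas=ROAS):
    """Convenience wrapper taking a prefix string and an AS path."""
    return validate(roas, Announcement(ipaddress.ip_network(prefix_str), tuple(as_path)))


if __name__ == "__main__":
    for prefix, origin, status in triage(ROAS, ANNOUNCEMENTS):
        print(f"{prefix:20} origin AS{origin:<6} {status}")
```

Two points the output makes clear. A /25 announced by the rightful origin is also Invalid under a ROA with max_length 24, so a holder must issue ROAs that match what it actually announces before anyone drops Invalid routes for it. And origin validation only checks the rightmost AS: a route whose path ends in the correct origin but passes through an unexpected transit, as in the November 2018 Google case, looks Valid here, which is why path monitoring (and newer work such as ASPA and BGPsec) is needed alongside ROV.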
July 2015 — Hacking Team and a case of BGP hijacking
July 2015 — Ars Technica on Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own
September 2014 — Why Is It Taking So Long to Secure Internet Routing?
2013 —
Renesys reported
that attacks over a period of several months
had hijacked BGP routes from about 1,500 IP blocks
for periods lasting from minutes to days,
re-routing traffic through Belarus, Russia,
and Iceland.
Victims included large banks, foreign
ministries of several countries, a large
US VoIP provider, and several ISPs.
At one point traffic between two networks
in Denver, Colorado, was redirected via
the US east coast and Iceland.
Also see the Renesys report:
The New Threat: Targeted Internet
Traffic Misdirection
8 April 2010 —
China Telecom hijacked Internet backbone traffic
in what has been
described
as 15% of the Internet backbone traffic for 18 minutes in
"both a large-scale experiment and a demonstration of
Chinese capabilities."
Reports include:
Arbor Networks
Ars Technica
The Citizen Lab
The Register
Reuters
Political Outages
Authoritarian regimes in Africa, the Middle East, and Asia sometimes disconnect or otherwise disrupt national Internet access around elections or other times of anticipated unrest, or even during school testing times.
According to research by Oracle + Dyn, this started with Egypt disconnecting itself in January 2011. It was followed by intentional disruptions in Bahrain, Libya, and Syria.
The Migration of Political Internet Shutdowns
Oracle Dyn Global Business Unit
The Global Economic Damage of Internet Blackouts
The Atlantic
Egypt started this trend in January 2011:
Egypt Cuts Off Most Internet and Cell Service
The New York Times
Egypt Leaves the Internet
Dyn Blog
Iraq blocked Internet access in June 2014 in areas where
ISIS has a physical presence:
Iraqi Government Takes Its Fight With ISIS Online
Foreign Policy
Then in May, August, and October 2015, Iraq blocked Internet access to prevent 6th-grade school children from cheating on tests:
Uzbekistan had already done this, in August 2014:
The National Intelligence Agency of the
Democratic Republic of Congo ordered that the Internet be
blocked in Kinshasa until further notice.
This was after bloody clashes between opponents of
President Joseph Kabila and police:
DR Congo authorities block Internet in
Kinshasa — operators
Agence France-Presse
In February 2016, Gujarat State in India blocked mobile
Internet access to stop exam cheating:
To beat exam cheats, Gujarat to block
mobile internet today
The Times of India
In June 2016 Algeria blocked Internet access to stop
exam cheating:
Algeria blocks Facebook, Twitter to stop
exam cheats: state media
Reuters
In July and August 2016 Syria
repeatedly shut down the Internet for 4 hours per day
to prevent cheating on national high school exams:
Syria goes to extremes to foil cheaters
Dyn Blog
Gabon shut down its Internet connection in September 2016
after announcing election results:
Quartz
Cameroon blocked Internet access in English-speaking areas
of the country in January 2017 after a series of protests:
Cameroon goes offline after Anglophone revolt
CNN
Cameroon's Internet Has Been Cut For Four Weeks
With No End in Sight
Vice Motherboard
An article in March 2017 reported on the seven-year series
of intentional interruptions to communications in the
Democratic Republic of Congo:
The Evolution of Internet Shutdowns in DR Congo
CIPESA
Togo cut Internet access through the fall of 2017 in
response to protests:
Why are people protesting in Togo?
Al Jazeera
WhatsApp's role as a government protest tool
is in the spotlight again as Togo blocks it
Quartz
In December 2017 Equatorial Guinea held an election.
Internet access had been restricted for years (access to
opposition websites had been blocked for 4 years), was restricted
further once the electoral campaign started in late October,
and was cut off entirely around the day of voting.
See:
Deutsche Welle
Reporters Without Borders
News24
In January 2018 the Democratic Republic of Congo blocked
the Internet and set up physical barriers on roads:
News24
Quartz
Outages Caused by Routing Blunders
2021 — Facebook network engineers made a change on October 4, 2021, that took down internal connections within and between Facebook data centers. They meant to assess the availability of their global backbone capacity. Instead, it took down all the connections in their world-wide corporate backbone. Their DNS servers became unreachable. Then their border routers stopped advertising reachability over BGP.
The result was that Facebook, Instagram, and WhatsApp
immediately disappeared from the Internet,
along with Fastly and other sites and services.
Cloudflare description
The Verge article
Brian Krebs story
Wired article
Ars Technica article
Bloomberg article
Facebook description
2014 — China suffered a country-wide Internet outage for 45 minutes on 22 January 2014. Chinese government spokesmen blamed the outage on the DNS root servers. But outsiders said that the Chinese government's attempt to control their citizens' Internet access involved a DNS poisoning operation that spun out of control.
They wanted to block access to 65.49.2.178, belonging to Dynamic Internet Technology, which provides the FreeGate censorship-circumvention tool and also hosts a Falun Gong news portal mirror. They instead poisoned the DNS records by mapping all domain names in the world to that single IP address. This was a massive distributed denial of service attack against that company, as China is estimated to have more Internet users than any other country (other than India) has people. But none of those masses could see anything until the DNS caches got straightened out.
2014 — Domestic Russian traffic between Moscow and Yaroslavl was routed through Stockholm and a China Telecom router in Frankfurt, Germany, see Ars Technica coverage here and an analysis by Dyn Research (formerly Renesys) here. It says that a network sharing agreement and BGP peering relationship between Russian mobile provider Vimpelcom and China Telecom led to one party leaking the routes received from the other "over a dozen times in the past year between these two providers." The same author wrote about China's accidental 18-minute hijacking of backbone routes in 2010.
2010 — Renesys reported that something like 15% of the Internet's backbone traffic was re-routed through China for 18 minutes in April.
2008 — In February 2008, the Pakistani government was worried that a video disrespectful toward Muhammed had been uploaded to YouTube. Government leaders directed Pakistan Telecom to either force YouTube to remove the video or else shut down YouTube. Informed that neither of those was possible, the government settled for making it so no one using Pakistan Telecom could view anything on YouTube.
You don't do that by filtering rules, as the edge routers can't keep up. You do it by black-holing the route(s) to the corresponding IP block(s).
The problem was that they then propagated those black-hole routes over BGP to PCCW, an ISP in Hong Kong, which in turn propagated those extremely attractive routes across the Internet. It made it look as though some corner of Pakistan was, by far, the most attractive route to YouTube. Almost everyone's attempted connection got routed that way.
The result for most of the world was that you lost access to YouTube for a few hours. Somehow society survived that episode. The result within Pakistan was that all telecommunications were disrupted for several days, maybe a week. Mobile phones couldn't connect to the network, wired phones had no dial tone. Also see the ArsTechnica report.
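Why a black-hole route from one corner of Pakistan beat YouTube's own announcement everywhere it propagated, as an added illustration that is not part of the original page: the simulation below implements the two rules that decide the outcome, longest prefix match when forwarding a packet, and (in simplified form) shortest AS path when choosing between routes for the same prefix. The prefixes and AS numbers are constructed from the RFC 5737 and RFC 5398 documentation ranges and are not the real YouTube or Pakistan Telecom values.

```python
import ipaddress


class RoutingTable:
    """Minimal BGP-like table: one best path per prefix, chosen by shortest
    AS path (the only tie-breaker modelled here), and longest-prefix-match
    lookup for forwarding."""

    def __init__(self):
        self.routes = {}  # IPv4Network -> tuple of ASNs, rightmost = origin

    def learn(self, prefix, as_path):
        prefix = ipaddress.ip_network(prefix)
        as_path = tuple(as_path)
        current = self.routes.get(prefix)
        if current is None or len(as_path) < len(current):
            self.routes[prefix] = as_path

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Forwarding decision: the most specific prefix containing the
        address wins, no matter how good the path of a less specific route is."""
        addr = ipaddress.ip_address(address)
        best = None
        for prefix, path in self.routes.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, path)
        return best


# Constructed scenario. AS64496 plays the video site, originating
# 198.51.100.0/24. AS64511 plays the ISP that black-holed a /25 of it and
# leaked that /25 to its upstream AS64501, which passed it on to the world.
# Our router sits behind transit AS64500.
VIDEO_SITE = 64496
LEAKER = 64511


def build_table():
    rt = RoutingTable()
    rt.learn("198.51.100.0/24", (64500, VIDEO_SITE))        # legitimate, 2 hops
    rt.learn("198.51.100.0/25", (64500, 64501, LEAKER))     # leaked, 3 hops
    return rt


def origin_for(rt, address):
    route = rt.lookup(address)
    return None if route is None else route[1][-1]


def demo():
    """Return which AS receives traffic for a given address at each stage."""
    rt = build_table()
    stages = {}
    # 1. During the leak: an address inside the /25 is forwarded toward the
    #    leaker despite its longer path; an address outside it is unaffected.
    stages["leak_inside"] = origin_for(rt, "198.51.100.10")
    stages["leak_outside"] = origin_for(rt, "198.51.100.200")
    # 2. The victim's usual emergency response: announce equally specific
    #    routes, so that path length rather than prefix length decides again.
    rt.learn("198.51.100.0/25", (64500, VIDEO_SITE))
    rt.learn("198.51.100.128/25", (64500, VIDEO_SITE))
    stages["after_counter_announce"] = origin_for(rt, "198.51.100.10")
    # 3. Once the upstream filters the leak, the bogus /25 is withdrawn and the
    #    original /24 carries the traffic again.
    rt2 = build_table()
    rt2.withdraw("198.51.100.0/25")
    stages["after_withdraw"] = origin_for(rt2, "198.51.100.10")
    return stages


if __name__ == "__main__":
    for stage, origin in demo().items():
        print(f"{stage:24} traffic reaches AS{origin}")
```

The first stage is the whole story of the 2008 outage: the leaked /25 is more specific than the /24, so every router that accepted it forwarded that half of the address block toward Pakistan, and the two extra AS hops in its path never entered into the decision. The second stage is the counter-measure YouTube used at the time, announcing its own more-specifics so that the usual tie-breakers apply again; the third is the durable fix, the upstream dropping the leaked route. Prefix-length filters at the upstream, or a ROA with a tight maxLength, would have rejected the /25 before stage 1.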
2004 — TTNet in Turkey (AS9121) accidentally pretended to be the entire Internet on the morning of Christmas Eve (U.S. time), leaving large chunks of the Internet unreachable for a few hours.