Apple has come away successful from a battle with Russian telco Rostelecom, after the telco sent out false route announcements that redirected traffic meant for the United States company's servers to Rostelecom's own network.
Network engineer Aftab Siddiqui at the Mutually Agreed Norms for Routing Security (MANRS) project wrote that Rostelecom started announcing routes for part of Apple's network through the border gateway protocol (BGP) for just over 12 hours, on July 26-27.
"The effect was that Internet users in parts of the Internet trying to connect to Apple’s services may have been redirected to the Rostelecom network," Siddiqui wrote.
Siddiqui said the Apple internet protocol address block affected by the apparent traffic hijack by Rostelecom's autonomous system (AS) 12389 was 18.104.22.168/19, allocated to the US tech giant.
A /19 IP block contains 8192 network addresses, and Siddiqui said the prefix is part of Apple's larger 22.214.171.124/8 allocation.
Apple does not use Route Origin Authorisation (ROA), which uses cryptographically signed objects in the resource public key infrastructure (RPKI) to attest that an origin AS is authorised to announce a given set of network prefixes.
Validating announcements against ROAs lets networks reject false BGP route announcements from their neighbours, which avoids sending traffic to the wrong destination.
Without ROA, Siddiqui said the only option during a route hijack is to announce more specific routes.
"This is exactly what Apple Engineering did today; upon learning about the hijack, it started announcing 126.96.36.199/21 to direct traffic toward AS714," Siddiqui said.
AS714 is assigned to Apple Engineering, and Rostelecom began announcing a route to that network at the same time.
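The two mechanisms described above, route origin validation against a ROA and the fallback of announcing a more-specific prefix, can be shown side by side on a small constructed routing table. The following is an added example, not code from Apple, Rostelecom or the MANRS project: it implements the RFC 6811 origin validation states (valid, invalid, not-found) and longest-prefix route selection over a constructed table modelled on the incident. The prefixes are constructed RFC 1918 addresses rather than the ones in the article; the AS numbers (AS714 for the legitimate origin, AS12389 for the mis-origination) are taken from the article; the ROA for AS714 is an assumption, since the article states Apple had none.

```python
"""Added example: RFC 6811 route origin validation (ROV) and longest-prefix
route selection over a constructed routing table modelled on the incident.
Not code from Apple, Rostelecom or MANRS."""
from ipaddress import ip_address, ip_network

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
# Assumption: the legitimate operator (AS714) has published a ROA covering its
# /19 and permitting more-specifics down to /21. Constructed RFC 1918 prefixes,
# not the ones in the article.
ROAS = [
    (ip_network("10.0.0.0/19"), 21, 714),
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    net = ip_network(prefix)
    # ROAs whose prefix covers the announced prefix (same address family only).
    covering = [(p, maxlen, asn) for p, maxlen, asn in roas
                if net.version == p.version and net.subnet_of(p)]
    if not covering:
        return "not-found"  # no ROA covers it: ROV cannot say anything
    for _p, maxlen, asn in covering:
        if asn == origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"  # covered by a ROA, but this origin/length is not authorised


def accepted_routes(rib, roas=ROAS, drop_invalid=True):
    """Routes a router keeps after ROV. drop_invalid=False models a network
    that validates nothing, the situation the article describes."""
    kept = []
    for prefix, origin_as in rib:
        state = validate_origin(prefix, origin_as, roas)
        if drop_invalid and state == "invalid":
            continue
        kept.append((prefix, origin_as, state))
    return kept


def best_origins(dest: str, routes) -> set:
    """Longest-prefix match: return the origin AS(es) at the most specific
    covering prefix. Several ASes at the same length means a tie that each
    network breaks by its own BGP path preference, so the hijacker may win."""
    addr = ip_address(dest)
    matches = [(ip_network(p), asn) for p, asn, _state in routes
               if addr in ip_network(p)]
    if not matches:
        return set()
    longest = max(net.prefixlen for net, _asn in matches)
    return {asn for net, asn in matches if net.prefixlen == longest}


# Constructed routing table modelled on the article: the legitimate /19 from
# AS714, the same /19 mis-originated by AS12389, and the /21 more-specific
# that AS714 announces in response.
RIB = [
    ("10.0.0.0/19", 714),
    ("10.0.0.0/19", 12389),
    ("10.0.0.0/21", 714),
]

if __name__ == "__main__":
    for prefix, asn in RIB:
        print(f"{prefix} from AS{asn}: {validate_origin(prefix, asn)}")
    without_rov = accepted_routes(RIB, drop_invalid=False)
    with_rov = accepted_routes(RIB)
    for dest in ("10.0.1.1", "10.0.16.1"):
        print(dest, "no ROV ->", best_origins(dest, without_rov),
              "| ROV ->", best_origins(dest, with_rov))
```

Run as written, the output shows the asymmetry Siddiqui describes: the /21 more-specific only protects addresses inside that /21, while the rest of the /19 is still a tie between the real origin and the mis-origination on any network that does not validate. With a ROA in place and ROV enabled, the AS12389 announcement is classed invalid and dropped, which protects the whole /19 without any emergency more-specifics.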
Rostelecom's route announcements spread across the globe, with BGP monitoring systems picking them up and flagging them as potential traffic hijacking attempts.
Siddiqui pointed out that this is not the first time Rostelecom has hijacked routes.
In 2020, Qrator Labs noted that Rostelecom's AS12389 announced prefixes for many well-known companies such as Akamai, Cloudflare, Hetzner, Digital Ocean, and Amazon Web Services.
Rostelecom has not provided an explanation as to the mis-origination of Apple Engineering's network routes.
Apple has been contacted for comment on the event, on which services were affected, and on whether any traffic went through Rostelecom's network.
BGP traffic hijacks have long been a scourge of the Internet.
Some of the incidents have been accidental misconfigurations, like the 2004 event in which Turkish provider TTNet pretended to be the whole of the Internet, which meant that millions of users were unable to reach legitimate websites for hours on end.
Others, like the 2018 hijack by Iran Telecommunications of Telegram prefixes, suggest nation-state involvement.
Criminals have also been known to use BGP hijacking to steal traffic, as in February this year when the South Korean cryptocurrency platform KlaySwap was attacked and almost US$2 million in funds were taken.
Siddiqui said that network operators have a responsibility to ensure a globally robust and secure routing infrastructure, which includes having valid ROAs for all of their resources.
"Your network’s safety depends on a routing infrastructure that stops bad actors and mitigates accidental misconfigurations that wreak havoc on the Internet.
The more network operators work together, the fewer incidents there will be, and the less damage they can do," Siddiqui said.