Did someone try to hijack Twitter? Yes!

On 1 February, Myanmar’s army took power in a coup against the elected government and detained the civilian leadership. Restrictions to the Internet were reported as people woke up to the news. Internet Society’s Insight portal covered the Internet shutdown in detail.

On Friday, 5 February, the Myanmar Ministry of Transport and Communications issued a notification to mobile networks and internet service providers (ISPs) in the country to block Twitter and Instagram. ISPs and Telcos operating in the country followed the order and blocked said services.

After a few hours, Dr Alberto Dainotti (Research Scientist and Principal Investigator at CAIDA) shared the following tweet suggesting a hijack attempt originating from one of the ISPs in Myanmar.

Twitter (AS13414) originates around 91 IPv4 prefixes and 3 IPv6 prefixes. All other prefixes were intact, but 104.244.42.0/24 was impacted.

# dig twitter.com +short
104.244.42.129
104.244.42.65
CAIDA BGP Observatory

First, look at how AS136168 (Campana MYTHIC) is connected. According to RIPEStat, AS136168 peers with major service providers in the region as follows (this is not an exhaustive list). AS6939 (Hurricane Electric) is the preferred path for most of the announced routes.

RIPEStat

As shown in the CAIDA data, AS136168 started originating 104.244.42.0/24 on 5 February at 15:51 UTC. Here is the BGP update data for that exact time. The prefix was accepted by AS132132, AS61292, AS4844, AS18106 and AS23673. No other peers accepted this announcement.

Isolario BGP Updates
02/05/21 15:51:17 104.244.42.0/24 37989 56300 132132 136168
02/05/21 15:51:21 104.244.42.0/24 61292 136168
02/05/21 15:51:40 104.244.42.0/24 37989 4844 136168
Routeviews UO BGP Updates
02/05/21 15:51:13.709232 104.244.42.0/24 18106 136168
02/05/21 15:51:21.558341 104.244.42.0/24 23673 136168

The bogus announcements were withdrawn after more than three hours.

Routeviews UO BGP Updates
02/05/21 18:58:03.235768 104.244.42.0/24 18106 136168
02/05/21 18:58:03.676510 104.244.42.0/24 18106 13414 13414
02/05/21 18:58:24.375976 104.244.42.0/24 23673 13414 13414
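The update lines above carry everything a simple origin-hijack detector needs: the prefix, the AS path (rightmost AS is the origin, the AS next to it is the neighbour that accepted the route) and a timestamp. The following Python is an added example, not code from the post or from any collector project; it parses the Isolario/Routeviews lines quoted above (embedded here as a constructed feed), flags every update whose origin differs from the expected AS13414, lists the neighbours that accepted the bogus origin, and computes how long the incident lasted before the legitimate origin reappeared. The line format and the `EXPECTED_ORIGIN` table are assumptions for this illustration.

```python
import re
from datetime import datetime

# Origin AS each monitored prefix is expected to have (Twitter's AS13414, per the post).
EXPECTED_ORIGIN = {"104.244.42.0/24": 13414}

# Constructed sample feed: the update lines quoted in the post from the Isolario
# and Routeviews UO collectors, merged into one text blob.
SAMPLE_UPDATES = """\
02/05/21 15:51:17 104.244.42.0/24 37989 56300 132132 136168
02/05/21 15:51:21 104.244.42.0/24 61292 136168
02/05/21 15:51:40 104.244.42.0/24 37989 4844 136168
02/05/21 15:51:13.709232 104.244.42.0/24 18106 136168
02/05/21 15:51:21.558341 104.244.42.0/24 23673 136168
02/05/21 18:58:03.676510 104.244.42.0/24 18106 13414 13414
02/05/21 18:58:24.375976 104.244.42.0/24 23673 13414 13414
"""

# Assumed line layout: MM/DD/YY HH:MM:SS[.ffffff] <prefix> <AS path>
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<prefix>\S+) (?P<path>\d+(?: \d+)*)$"
)


def parse_update(line):
    """Parse one collector line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fmt = "%m/%d/%y %H:%M:%S.%f" if "." in m["time"] else "%m/%d/%y %H:%M:%S"
    path = [int(asn) for asn in m["path"].split()]
    return {
        "ts": datetime.strptime(f"{m['date']} {m['time']}", fmt),
        "prefix": m["prefix"],
        "path": path,
        "origin": path[-1],                                  # rightmost AS, prepends included
        "neighbor": path[-2] if len(path) > 1 else None,     # AS that accepted the origin's route
    }


def detect_origin_mismatches(feed, expected):
    """Return updates whose origin AS differs from the expected origin, oldest first."""
    updates = [u for u in map(parse_update, feed.splitlines()) if u]
    bogus = [u for u in updates
             if u["prefix"] in expected and u["origin"] != expected[u["prefix"]]]
    return sorted(bogus, key=lambda u: u["ts"])


def incident_window(feed, expected, prefix):
    """Return (first bogus announcement, first later update with the legitimate origin, duration)."""
    updates = sorted((u for u in map(parse_update, feed.splitlines())
                      if u and u["prefix"] == prefix), key=lambda u: u["ts"])
    legit = expected[prefix]
    first_bogus = next((u["ts"] for u in updates if u["origin"] != legit), None)
    restored = next((u["ts"] for u in updates
                     if first_bogus and u["ts"] > first_bogus and u["origin"] == legit), None)
    duration = (restored - first_bogus) if first_bogus and restored else None
    return first_bogus, restored, duration


if __name__ == "__main__":
    for u in detect_origin_mismatches(SAMPLE_UPDATES, EXPECTED_ORIGIN):
        print(f"{u['ts']} {u['prefix']} bogus origin AS{u['origin']} accepted by AS{u['neighbor']}")
    first, restored, dur = incident_window(SAMPLE_UPDATES, EXPECTED_ORIGIN, "104.244.42.0/24")
    print(f"first seen {first}, legitimate origin back at {restored}, duration {dur}")
```

Run against the sample feed, the detector reports five bogus updates, all with origin AS136168, accepted by AS132132, AS61292, AS4844, AS18106 and AS23673, and a window of a little over three hours, which is exactly the picture the post draws from the raw collector output.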

Even though the propagation wasn’t widespread, it must have impacted the end users of those ASNs who accepted this bogus announcement. It could have been much worse.

RIPEStat

It is very encouraging to see that many service providers didn’t accept the bogus announcement by AS136168. As shown in RIPEStat, only five peers picked it up, and it did not create any widespread issue on the Internet. Except for the handful of networks mentioned above, all other service providers dropped this announcement on the basis of the route object registered for the prefix:

route:      104.244.42.0/24
descr:      Twitter route
origin:     AS13414
admin-c:    NETWO3685-ARIN
tech-c:     NETWO3685-ARIN
notify:     [email protected]
mnt-by:     MAINT-AS13414
changed:    [email protected] 20150724  #20:15:09Z
source:     RADB

Unfortunately, Twitter has not created ROAs for any of its resources; a valid ROA would have made it much more difficult for a bogus announcement to propagate. For example, just a couple of days later AS136168 started originating 1.32.58.0/24, which is RPKI INVALID. That announcement was accepted and propagated only by AS132132, AS4844 (the legitimate resource holder) and AS9930; every other peer dropped it. This is still visible through Routeviews. The announcement was seen by only three peers, compared to five in the case of Twitter’s 104.244.42.0/24.

Type: A > announce
Involving: 1.32.58.0/24
Short description: The new route 36924 21351 4788 136168 has been announced
Path: 36924, 21351, 4788, 136168
Community: 4788:400, 4788:460, 4788:461, 21351:4000, 21351:4638
Date and time: 2021-02-08 10:21:09
Collected by: 01-5.57.81.76

Type: A > announce
Involving: 1.32.58.0/24
Short description: The new route 55720 9930 136168 has been announced
Path: 55720, 9930, 136168
Date and time: 2021-02-08 10:21:34
Collected by: 00-103.212.68.10

Type: A > announce
Involving: 1.32.58.0/24
Short description: The new route 37989 56300 132132 136168 has been announced
Path: 37989, 56300, 132132, 136168
Community: 65132:600
Date and time: 2021-02-08 10:32:25
Collected by: 00-203.123.48.6
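The two filtering mechanisms the post contrasts, IRR route objects and RPKI ROAs, are both origin checks, but they behave differently when the data is missing. The following Python is an added example, not code from the post, from RADB or from any RPKI validator; it parses the RADB route object quoted above, implements Route Origin Validation as RFC 6811 defines it (VALID, INVALID or NotFound/"unknown", honouring maxLength), and combines the two into a simple accept/reject policy. The Twitter route object comes from the post; the ROAs are hypothetical: the post states that Twitter had no ROA and that 1.32.58.0/24 was RPKI INVALID when AS136168 originated it, but the exact ROA prefixes, maxLength values and the policy function are assumptions made for this illustration.

```python
import ipaddress
import re

# RADB route object quoted in the post (only route/origin matter for an origin filter).
RADB_ROUTE_OBJECT = """\
route:      104.244.42.0/24
descr:      Twitter route
origin:     AS13414
admin-c:    NETWO3685-ARIN
tech-c:     NETWO3685-ARIN
mnt-by:     MAINT-AS13414
source:     RADB
"""

# Hypothetical ROAs, constructed for illustration: (prefix, maxLength, origin ASN).
# The post says Twitter had no ROA; the first entry shows what one would look like.
# The second stands in for whatever ROA made AS136168's 1.32.58.0/24 INVALID; the
# real prefix/maxLength are not given in the post.
HYPOTHETICAL_ROAS = [
    ("104.244.42.0/24", 24, 13414),
    ("1.32.58.0/24", 24, 4844),
]


def parse_rpsl_route_objects(text):
    """Return {prefix: origin_asn} from RPSL route/route6 objects in `text`."""
    objects, current_prefix = {}, None
    for line in text.splitlines():
        m = re.match(r"^(route6?|origin):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key in ("route", "route6"):
            current_prefix = value
        elif current_prefix is not None:
            objects[current_prefix] = int(value.upper().lstrip("AS"))
            current_prefix = None
    return objects


def irr_origin_check(prefix, origin_asn, route_objects):
    """'match', 'mismatch' or 'no-object' for an announcement against IRR data."""
    expected = route_objects.get(prefix)
    if expected is None:
        return "no-object"
    return "match" if expected == origin_asn else "mismatch"


def rov_status(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown' (NotFound)."""
    announced = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the announcement only if the announced prefix lies inside it.
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        # Origin must match AND the announcement may not be more specific than maxLength.
        if roa_asn == origin_asn and announced.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "unknown"


def filter_decision(prefix, origin_asn, roas, route_objects):
    """Assumed policy: reject INVALID, accept VALID, fall back to the IRR for NotFound."""
    rov = rov_status(prefix, origin_asn, roas)
    if rov == "invalid":
        return "reject", rov
    if rov == "valid":
        return "accept", rov
    irr = irr_origin_check(prefix, origin_asn, route_objects)
    return ("accept" if irr == "match" else "reject"), f"{rov}/{irr}"


if __name__ == "__main__":
    objs = parse_rpsl_route_objects(RADB_ROUTE_OBJECT)
    print("hijack, no ROA:   ", filter_decision("104.244.42.0/24", 136168, [], objs))
    print("hijack, with ROA: ", filter_decision("104.244.42.0/24", 136168, HYPOTHETICAL_ROAS, objs))
    print("legit, with ROA:  ", filter_decision("104.244.42.0/24", 13414, HYPOTHETICAL_ROAS, objs))
    print("1.32.58.0/24:     ", filter_decision("1.32.58.0/24", 136168, HYPOTHETICAL_ROAS, {}))
```

The point the example makes is the one the post makes: with no ROA, the hijacked prefix is merely "unknown" to RPKI, so the decision rests entirely on whether the operator bothers to consult the IRR route object; with a ROA in place the same announcement is INVALID and is dropped by every ROV-enabled network regardless of IRR hygiene.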

Now look at Twitter’s RPKI ROA status. As of 15 February 2021, the ROA status of every prefix originated by AS13414 is “unknown”, i.e. no ROA exists for any of them. Fortunately, all resources have valid route/route6 objects.

ASN – Prefix – Status
13414 209.237.223.0/24 unknown
13414 69.195.163.0/24 unknown
13414 199.16.156.0/22 unknown
13414 69.195.178.0/24 unknown
13414 199.59.148.0/22 unknown
13414 209.237.195.0/24 unknown
13414 209.237.200.0/24 unknown
13414 209.237.207.0/24 unknown
13414 185.45.5.0/24 unknown
13414 192.133.76.0/22 unknown
13414 209.237.198.0/24 unknown
13414 69.195.172.0/24 unknown
13414 209.237.218.0/24 unknown
13414 69.195.174.0/24 unknown
13414 69.195.175.0/24 unknown
13414 104.244.42.0/24 unknown
13414 209.237.219.0/24 unknown
13414 69.195.168.0/24 unknown
13414 2a04:9d40::/29 unknown
13414 199.96.57.0/24 unknown
13414 69.195.191.0/24 unknown
13414 64.63.33.0/24 unknown
13414 209.237.213.0/24 unknown
13414 202.160.129.0/24 unknown
13414 199.96.56.0/23 unknown
13414 209.237.192.0/24 unknown
13414 199.16.156.0/23 unknown
13414 199.96.61.0/24 unknown
13414 185.45.6.0/23 unknown
13414 199.96.56.0/24 unknown
13414 104.244.41.0/24 unknown
13414 209.237.215.0/24 unknown
13414 69.195.171.0/24 unknown
13414 69.195.162.0/24 unknown
13414 209.237.194.0/24 unknown
13414 199.96.62.0/23 unknown
13414 69.195.186.0/24 unknown
13414 209.237.206.0/24 unknown
13414 69.195.164.0/24 unknown
13414 199.96.60.0/24 unknown
13414 209.237.199.0/24 unknown
13414 69.195.190.0/24 unknown
13414 209.237.221.0/24 unknown
13414 69.195.169.0/24 unknown
13414 69.195.177.0/24 unknown
13414 209.237.211.0/24 unknown
13414 202.160.130.0/24 unknown
13414 209.237.193.0/24 unknown
13414 103.252.112.0/23 unknown
13414 209.237.210.0/24 unknown
13414 209.237.205.0/24 unknown
13414 209.237.214.0/24 unknown
13414 202.160.131.0/24 unknown
13414 104.244.47.0/24 unknown
13414 209.237.203.0/24 unknown
13414 69.195.176.0/24 unknown
13414 69.195.180.0/24 unknown
13414 64.63.0.0/18 unknown
13414 2400:6680::/32 unknown
13414 69.195.189.0/24 unknown
13414 2606:1f80::/32 unknown
13414 199.96.58.0/23 unknown
13414 103.252.114.0/23 unknown
13414 104.244.44.0/24 unknown
13414 202.160.128.0/24 unknown
13414 69.195.187.0/24 unknown
13414 104.244.45.0/24 unknown
13414 192.44.69.0/24 unknown
13414 209.237.217.0/24 unknown
13414 69.195.160.0/24 unknown
13414 209.237.204.0/24 unknown
13414 209.237.208.0/24 unknown
13414 209.237.196.0/24 unknown
13414 69.195.188.0/24 unknown
13414 69.195.182.0/24 unknown
13414 64.63.32.0/24 unknown
13414 69.195.165.0/24 unknown
13414 69.195.185.0/24 unknown
13414 209.237.209.0/24 unknown
13414 69.195.181.0/24 unknown
13414 209.237.197.0/24 unknown
13414 209.237.222.0/24 unknown
13414 192.133.76.0/23 unknown
13414 209.237.201.0/24 unknown
13414 209.237.212.0/24 unknown
13414 199.96.60.0/23 unknown
13414 69.195.179.0/24 unknown
13414 209.237.220.0/24 unknown
13414 104.244.46.0/24 unknown
13414 69.195.166.0/24 unknown
13414 209.237.216.0/24 unknown
RIPEStat

This incident shows the importance of BGP filtering. Otherwise, it could have been a repeat of the 2008 PTCL hijack of YouTube, this time with Twitter in 2021. Thankfully, the industry has learned some really good lessons from the past and is taking strong steps to fix the problems.

It is extremely important that network operators implement effective route filtering based on verifiable information about which networks are legitimately authorised to originate which number resources (AS numbers and IP prefixes). Having a valid route/route6 object is important, but now that many major network operators perform ROV (Route Origin Validation), it is equally important to have a valid ROA for all of your resources.

This is exactly what MANRS has been promoting. MANRS is an industry-supported initiative that builds on well-established best practices by bringing together actions that address the most common threats in the global routing system.

By being part of MANRS, close to 600 network operators, Internet exchange points, and cloud and content delivery network providers are taking concrete actions to contribute to the resilience and security of a critical part of the Internet infrastructure. The actions include route filtering, global validation of number resources, coordination, and anti-spoofing.

For more information on how to implement these actions and join the MANRS initiative, visit the MANRS website.







Leave a Comment