
Rostelecom caused a major disruption of well-known financial services



For several days the state corporation Rostelecom disrupted the operation of several well-known financial services and organizations, including Visa, MasterCard, Alfa Bank and HSBC. The cause of the failure is still unclear; what is known is that Rostelecom redirected the traffic of a number of services and sites into its internal network. As a result, those services could become inaccessible not only to Rostelecom subscribers but also to other companies, Kommersant writes.

The first alarm was raised by the BGPmon service, which tracks information about traffic routes around the world. Its specialists report that Rostelecom, voluntarily or involuntarily, carried out a "BGP hijack": in other words, the state organization announced incorrect routing data for various resources on the Internet. Qrator Labs, according to its head Alexander Lyamin, recorded five such failures within a few days. The first occurred on April 18 and lasted about a minute. The second happened on the afternoon of April 25 and lasted several hours, followed by several more failures during the night of April 26-27.

Rostelecom itself acknowledges the problem, stating that there was a failure but that it was contained within seven minutes. According to Rostelecom employees, the reason was a router failure: "Because of a software failure, the filters that prevent announcements of internal static routes to external networks did not work properly. At the same time, a number of external operators had no filters checking the legitimacy of the announcements, as a result of which the incorrect information spread across the Internet and disrupted routing."
Information security experts are still discussing the incident, trying to work out exactly what happened. Some believe that its root should be sought in configuration errors at a number of services. Rostelecom notes that such failures have happened before, in other operators' networks. For example, in 2008 a Brazilian company blocked almost the entire global web because it needed to optimize the flow of traffic through its network; this was done incorrectly, so large-scale failures were noticed across the global network.

But a number of features of the recent problems, experts say, do not allow what happened to be considered ordinary traffic optimization. "If it was actually an attempt to redirect traffic to some of these financial institutions, it was done in a very visible and large-scale way, and is therefore probably not very likely. On the other hand, given the number of prefixes from one category, financial institutions and credit card processors, this seems to be more than just an innocent accidental hijack," said the head of the BGPmon service.


Source: RBC

Most likely, for a certain time Rostelecom passed various traffic routes through a single node. Cybersecurity experts say that what happened could be the result of an exercise: "Since Rostelecom, itself or through its subsidiaries, is present throughout the country, route traffic from all over Russia was gathered at one site. It might be necessary to check how much traffic one node can handle in the event of a shutdown, an isolation of the Russian network segment, as, for example, in the case of North Korea."

Incidentally, BGP hijacking has previously been used by providers in other countries to block various resources. An example is Pakistan Telecom, a telecommunications company from Iran. When its management decided to block YouTube, the traffic of many users of the World Wide Web was accidentally redirected to Pakistan. As a result, YouTube became unavailable.

As for the anomalies with Rostelecom, over the past few days, Qrator.Radar has recorded several events of this type with it:


The figures above show the date and time when each anomaly began and, correspondingly, when it ended. These are the MOAS (multiple-origin AS) events shown by the BGPStream service. Besides them, there was another, more significant route leak incident with 933 affected prefixes.


A diagram visualizing the changes caused by Rostelecom.
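The MOAS detection that BGPStream and Qrator.Radar performed here, written as an added example (not code from the article, BGPmon, BGPStream or Qrator): it replays a constructed stream of BGP updates against a baseline of expected origin ASNs, opens an event when a prefix shows up with a foreign origin, closes it when the legitimate origin returns, and groups affected prefixes by rogue origin, the concentration pattern the article's experts found suspicious. All ASNs, AS paths and timestamps are constructed.

```python
from datetime import datetime

# Constructed baseline of expected origin AS per prefix (VISA and HSBC prefixes named in the article; ASNs are private-range placeholders).
BASELINE = {
    "198.241.161.0/24": {64501},  # VISA
    "203.112.91.0/24": {64502},   # HSBC
    "192.0.2.0/24": {64503},      # documentation prefix, unaffected control
}

# Constructed collector view of updates: (timestamp, prefix, AS path); the origin AS
# is the last path element and AS64999 stands in for the network leaking the routes.
UPDATES = [
    ("2017-04-26T22:00:00", "198.241.161.0/24", [64510, 64501]),
    ("2017-04-26T22:03:10", "198.241.161.0/24", [64520, 64999]),  # foreign origin appears
    ("2017-04-26T22:03:12", "203.112.91.0/24", [64520, 64999]),
    ("2017-04-26T22:08:00", "192.0.2.0/24", [64510, 64503]),       # normal, no event
    ("2017-04-26T22:10:00", "198.241.161.0/24", [64510, 64501]),  # legitimate origin returns
]
TS_FMT = "%Y-%m-%dT%H:%M:%S"

def detect_moas(baseline, updates):
    """One event per hijacked prefix: 'start' is the first announcement from a non-baseline
    origin, 'end' the first later announcement restoring a baseline origin (None if ongoing)."""
    events, ongoing = [], {}  # ongoing: prefix -> index of its open event
    for ts, prefix, path in updates:
        expected = baseline.get(prefix)
        if expected is None:
            continue  # prefix not monitored
        origin = path[-1]
        if origin not in expected:
            if prefix not in ongoing:  # repeated rogue announcements extend the same event
                ongoing[prefix] = len(events)
                events.append({"prefix": prefix, "origin": origin, "start": ts, "end": None})
        elif prefix in ongoing:
            events[ongoing.pop(prefix)]["end"] = ts
    return events

def duration_seconds(event):
    """Seconds between start and end, or None while the anomaly is still open."""
    if event["end"] is None:
        return None
    return (datetime.strptime(event["end"], TS_FMT) - datetime.strptime(event["start"], TS_FMT)).total_seconds()

def prefixes_by_origin(events):
    """Group affected prefixes by rogue origin: one AS touching many prefixes from a
    single sector is the pattern BGPmon described as more than an innocent accident."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["origin"], set()).add(ev["prefix"])
    return grouped
```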

"I would classify this case as quite suspicious. Usually problems like this one are bigger and more random. In this case, we are talking about a targeted impact on financial institutions ... It looks strange that someone restricted the traffic in their network only in relation to the networks of financial organizations," said Madory, of the company Dyn.

Traffic redirected in this way can be read. This primarily concerns data that was not encrypted, but encrypted data can also be decrypted using attacks such as Logjam and DROWN.

In general, a failure in the Rostelecom network (no one claims for certain that this was done purposefully, calling the problem a “failure”) affected the networks of 36 organizations. The prefixes of these organizations with the owners are listed below.


So far, Rostelecom has not given detailed comments on what actually happened.

Source: https://habr.com/ru/post/373415/
