Google’s services redirected to Romania and Austria
BGP hijacks happen every day, the majority of them don't affect a large geographic region and only are noticed a small number of users. Every now and then however we see an event that affects many users, either because of the geographic scale or simply because of the specific prefix that is affected. The latter happened this Sunday for 7 minutes, when the prefix 220.127.116.11/24 was 'hijacked'. 18.104.22.168/24 is the prefix that serves one of Google's Open DNS servers, which is available at 22.214.171.124. A few hours ago 126.96.36.199/24 was announced by AS30890 (EVOLVA Evolva Telecom s.r.l.), a provider from Romania. This 'Hijack' lasted for about 7 minutes, and was detected by 14 RIS peers in 4 unique countries. The majority of these networks learned this announcement through AS6939. This is the second time in a month that Google is affected by a hijack. Last month on July 9th, AS42473 (ANEXIA) a provider from Austria announced a more specific of one of Google's prefixes. The prefix 188.8.131.52/24 was announced by AS42473. This is a more specific of 184.108.40.206/23, a prefix that hosts many of Google's public services. This announcement was later identified as a copy paste mistake, and quickly resolved after the engineers of AS42473 detected the mistake. This is yet another example of how easy it is to 'accidentally' mess with the reachability of prefixes. There's not a lot we can do about this today, except for strict filtering on the edges and monitoring using services such as BGPmon.net. Luckily there's some good progress being made on the Resource Certificate Public Key Infrastructure (RPKI) initiative. Hopefully RPKI related tools will become available soon, so that it will be easy for operators to deploy this. And although this will not be a full proof mechanism for preventing BGP hijacks, it will prevent us from most of the 'fat finger' incidents we see on regular basis.