Cloudflare, operator of a leading privacy-focused public DNS resolver, recently faced a challenging situation involving two simultaneous Border Gateway Protocol (BGP) problems. The incident amounted to an unintentional BGP hijack, and it renewed longstanding concerns about the security of BGP, the internet routing protocol that has been in use for over three decades.
The disruption and slowdowns that hit the free Cloudflare DNS resolver service, known as “1.1.1.1,” on June 27 affected less than 1 percent of internet traffic. Even so, the incident underscored the importance of addressing weaknesses in BGP, a protocol famously dubbed the “three-napkin protocol” because it was sketched out during a lunch break at an IETF meeting in 1989. Recent regulatory actions, such as the FCC’s decision to require ISPs to report on their BGP security progress, further emphasize the need for stronger measures to safeguard internet infrastructure.
One key issue for the Cloudflare DNS resolver service is that the IP address 1.1.1.1 has historically been used for testing purposes, which produces unexpected traffic patterns and routing anomalies. As detailed in a blog post by Cloudflare engineers, the June 27 incident combined a routing hijack with a BGP route leak, effectively disrupting the service for users in certain regions.
A routing hijack occurs, for example, when a network mistakenly assigns the 1.1.1.1 IP address to one of its internal routers, so that customers of that network can no longer reach the DNS service. A BGP route leak, in which routing information is propagated beyond the neighbors it should have been announced to, compounds the damage by steering traffic along unintended paths and can overwhelm networks that are not provisioned for a sudden influx of global traffic.
The incident affecting the Cloudflare DNS resolver service on 1.1.1.1 began when AS267613 announced the IP address to its peers and customers; a subsequent route leak from AS262504 to AS1031 then spread the erroneous routing information widely. In response, Cloudflare disabled specific peering points and worked with the parties involved to contain the problem, ultimately resolving the situation after several hours.
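To make the hijack-plus-leak mechanism concrete, the following is an added simulation (not code from Cloudflare or from the article) of how a more-specific announcement combined with a route leak redirects traffic. It builds a constructed toy topology around the ASNs the article names (AS267613, AS262504, AS1031) and propagates routes with the usual valley-free export rules, with AS262504 optionally re-exporting everything it learns. Assumptions not stated in the article: AS13335 is Cloudflare and 1.1.1.0/24 is the prefix covering 1.1.1.1; AS64500 is a hypothetical observer network; the peering links themselves are invented for the example.

```python
import ipaddress
from collections import deque

# Constructed toy topology, not any operator's real peering graph.
# PROVIDER_OF maps a customer ASN to its transit providers; PEERS are
# settlement-free links. AS64500 is a hypothetical observer (private-use ASN).
PROVIDER_OF = {
    262504: {1031},   # the article says the leak went from AS262504 to AS1031
    64500: {1031},
}
PEERS = [frozenset({267613, 262504}), frozenset({13335, 1031})]

# Assumed, not stated in the article: AS13335 is Cloudflare and 1.1.1.0/24 is
# the prefix covering 1.1.1.1. AS267613 announcing a /32 is the hijack.
ORIGINS = {
    13335: ipaddress.ip_network("1.1.1.0/24"),
    267613: ipaddress.ip_network("1.1.1.1/32"),
}

INVERT = {"customer": "provider", "provider": "customer", "peer": "peer"}
LOCAL_PREF = {"origin": 4, "customer": 3, "peer": 2, "provider": 1}


def neighbors(asn):
    """Yield (neighbor ASN, what that neighbor is to asn)."""
    for customer, providers in PROVIDER_OF.items():
        if asn == customer:
            for provider in providers:
                yield provider, "provider"
        elif asn in providers:
            yield customer, "customer"
    for link in PEERS:
        if asn in link:
            (other,) = link - {asn}
            yield other, "peer"


def simulate(leakers=frozenset()):
    """Propagate ORIGINS through the graph with valley-free export rules.

    A route learned from a customer is exported to everyone; a route learned
    from a peer or provider is exported to customers only. ASNs in `leakers`
    ignore that rule and re-export everything, which is what a route leak is.
    Returns rib: asn -> {prefix: (learned_from, as_path)}.
    """
    rib = {}
    queue = deque()
    for origin, prefix in ORIGINS.items():
        rib.setdefault(origin, {})[prefix] = ("origin", (origin,))
        for nbr, rel in neighbors(origin):
            queue.append((nbr, prefix, (origin,), INVERT[rel]))
    while queue:
        asn, prefix, path, learned_from = queue.popleft()
        if asn in path:            # AS_PATH loop detection
            continue
        new_path = (asn,) + path
        table = rib.setdefault(asn, {})
        candidate = (LOCAL_PREF[learned_from], -len(new_path))
        current = table.get(prefix)
        if current and (LOCAL_PREF[current[0]], -len(current[1])) >= candidate:
            continue               # installed route is at least as good
        table[prefix] = (learned_from, new_path)
        for nbr, rel in neighbors(asn):
            if learned_from == "customer" or rel == "customer" or asn in leakers:
                queue.append((nbr, prefix, new_path, INVERT[rel]))
    return rib


def lookup(rib, asn, ip):
    """Longest-prefix match: the AS_PATH that asn's traffic to ip will follow."""
    addr = ipaddress.ip_address(ip)
    matches = [(p.prefixlen, entry[1]) for p, entry in rib.get(asn, {}).items()
               if addr in p]
    return max(matches, key=lambda m: m[0])[1] if matches else None


def has_route(rib, asn, cidr):
    """True if asn has installed a route for exactly this prefix."""
    return ipaddress.ip_network(cidr) in rib.get(asn, {})


if __name__ == "__main__":
    for label, leakers in (("with the AS262504 leak", {262504}), ("without the leak", set())):
        rib = simulate(leakers)
        print(f"{label}: AS64500 reaches 1.1.1.1 via {lookup(rib, 64500, '1.1.1.1')}")
        print(f"{label}: AS64500 reaches 1.1.1.2 via {lookup(rib, 64500, '1.1.1.2')}")
```

Running it shows the two failures interacting: with the leak, the observer's traffic for 1.1.1.1 follows the /32 toward AS267613 while the rest of 1.1.1.0/24 still reaches AS13335, because longest-prefix match wins regardless of AS path length; without the leak, AS262504 keeps the peer-learned /32 to itself and AS1031 never sees it, so the hijack stays confined to AS267613's own neighborhood.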
To enhance BGP security, Cloudflare advocates for the adoption of Resource Public Key Infrastructure (RPKI) to authenticate routing information and prevent unauthorized route announcements. Implementing stricter BGP filtering practices, adhering to best practices outlined by industry standards, and exploring innovative solutions like Autonomous System Provider Authorization (ASPA) can help mitigate the risks associated with BGP-related incidents.
In an effort to bolster its route leak detection capabilities, Cloudflare has expanded its data sources and real-time monitoring systems to swiftly identify and address similar events in the future. Collaboration among network operators is essential to effectively combat route leaks and ensure the stability and security of internet routing infrastructure.
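The two defenses named above, RPKI origin validation and ASPA, can be shown side by side. The following is an added example (not Cloudflare's code, and not the monitoring system the article describes) that runs both checks over a handful of constructed BGP updates resembling what AS1031 might have received. Assumptions not stated in the article: AS13335 (Cloudflare) originates 1.1.1.0/24 with a ROA of maxLength 24; the ASPA records are invented, with AS64501 as a hypothetical provider; 203.0.113.0/24 and AS64500 are documentation and private-use values used as filler.

```python
import ipaddress

# Constructed RPKI ROAs: (prefix, maxLength, authorized origin ASN).
# Assumed, not stated in the article: AS13335 (Cloudflare) originates 1.1.1.0/24.
ROAS = [
    (ipaddress.ip_network("1.1.1.0/24"), 24, 13335),
]

# Constructed ASPA records: customer ASN -> the providers it has authorized.
# AS64501 is a hypothetical provider (private-use ASN). AS262504's record
# matches the article (AS1031 is its upstream); AS267613's deliberately does
# not list AS262504, modelling a peering rather than a transit relationship.
ASPA = {
    262504: {1031},
    267613: {64501},
}


def rov(prefix, origin):
    """Route Origin Validation (RFC 6811): Valid, Invalid or NotFound."""
    prefix = ipaddress.ip_network(prefix)
    covering = [roa for roa in ROAS if prefix.subnet_of(roa[0])]
    if not covering:
        return "NotFound"        # no ROA covers this prefix at all
    for _, max_length, asn in covering:
        if asn == origin and prefix.prefixlen <= max_length:
            return "Valid"
    return "Invalid"             # wrong origin, or more specific than maxLength allows


def aspa_upstream(receiver, as_path):
    """Simplified ASPA check for a route received from a customer.

    as_path is nearest-first, origin last. Walking from the origin toward the
    receiver, each hop is a customer announcing to a provider, and that provider
    must appear in the customer's ASPA record. An unauthorized hop is a leak.
    """
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]  # drop prepends
    verdict = "Valid"
    for customer, provider in zip(path, [receiver] + path[:-1]):
        if customer not in ASPA:
            verdict = "Unknown"   # no record: cannot confirm, keep looking for a definite leak
        elif provider not in ASPA[customer]:
            return "Invalid"
    return verdict


def evaluate(receiver, learned_from, prefix, as_path):
    """Accept/reject one update using ROV always and ASPA for customer routes."""
    origin = as_path[-1]
    rov_state = rov(prefix, origin)
    aspa_state = aspa_upstream(receiver, as_path) if learned_from == "customer" else "n/a"
    reject = "Invalid" in (rov_state, aspa_state)
    return {"prefix": prefix, "origin": origin, "rov": rov_state,
            "aspa": aspa_state, "action": "reject" if reject else "accept"}


# Constructed updates as AS1031 might have seen them: (learned_from, prefix, AS_PATH).
UPDATES = [
    ("customer", "1.1.1.1/32", (262504, 267613)),             # the hijack, arriving via the leak
    ("peer", "1.1.1.0/24", (13335,)),                          # the legitimate route
    ("peer", "1.1.1.0/25", (13335,)),                          # right origin, but exceeds maxLength
    ("customer", "203.0.113.0/24", (262504, 64500)),           # no ROA, plausible customer path
    ("customer", "203.0.113.0/24", (262504, 267613, 64500)),   # no ROA, but the path leaks
]


def run(receiver=1031):
    """Evaluate every constructed update from the receiver's point of view."""
    return [evaluate(receiver, *update) for update in UPDATES]


if __name__ == "__main__":
    for result in run():
        print(result)
```

The first update is rejected twice over: ROV marks the /32 Invalid because the covering ROA names a different origin and a maxLength of 24, and ASPA marks the path Invalid because AS267613 never authorized AS262504 as a provider. The last update shows why ASPA matters on its own: ROV returns NotFound for a prefix with no ROA, so only the path check catches the leak. The /25 case illustrates a common operational pitfall, where a correctly originated but too-specific announcement is dropped by maxLength.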
Users are encouraged to stay informed about BGP security measures and can monitor their ISPs’ compliance with RPKI origin validation through platforms like isbgpsafeyet.com. The incident involving Cloudflare underscores the ongoing need for proactive measures to safeguard internet routing protocols and prevent disruptive events that impact online connectivity and accessibility.

