Use Protection if Peering Promiscuously

November 12, 2014 Doug Madory

Last week, I wrote a blog post discussing the dangers of BGP routing leaks between peers, illustrating the problem using examples of recent snafus between China Telecom and Russia’s Vimpelcom.  This follow-up blog post provides three additional examples of misbehaving peers and further demonstrates the impact unmonitored routes can have on Internet performance and security.  Without monitoring, you are essentially trusting everyone on the Internet to route your traffic appropriately.

In the first two cases, an ISP globally announced routes from one of its peers, effectively inserting itself into the path of the peer’s international communications (i.e., becoming a transit provider rather than remaining a peer) for days on end.  The third example looks back at the China Telecom routing leak of April 2010 to see how a US academic backbone network prioritized bogus routes from one of its peers, China Telecom, to (briefly) redirect traffic from many US universities through China.

Recap: How this works

To recap the explanation from the previous blog (and to reuse the neat animations our graphics folks made), we first note that ISPs form settlement-free direct connections (peering) in order to save on the cost of sending traffic through a transit provider.  Suppose that ISP A and ISP B establish such a private link between their networks.  At the BGP routing level, ISP A will then send routes from its customers to its peer ISP B, who will in turn send these routes on to its customers.  As a result, the customers of ISP B will send traffic destined for ISP A through the newly established peering link, saving ISP B from having to pay its transit providers to carry the traffic.  This flow of routes and traffic is illustrated below.


The first way this can go wrong is for ISP B to announce the routes received from ISP A out to the global Internet (through its transit providers) or to ISP B’s other peers.  By doing this, ISP B inserts itself onto the path of incoming traffic to ISP A from outside ISP B’s own network, something ISP A certainly didn’t expect when it took on ISP B as a peer.


ISP B can also mess up by sending routes learned either from its transit providers or peers to ISP A.  If these routes are accepted by ISP A (and they typically will be), such errors put ISP B onto the path of outgoing traffic from ISP A to the networks erroneously announced along this peering link.


These two scenarios can happen independently.  As shown in our last blog, China Telecom leaked routes to and from Vimpelcom numerous times throughout the year.  Most of these incidents involved China Telecom leaking routes it learned from Vimpelcom out to the global Internet (scenario 1); however, on a few occasions, China Telecom also passed a full or partial routing table to Vimpelcom (scenario 2), altering how traffic flowed out of Vimpelcom.

Additional recent examples of peering leaks


logo_en             Yandex_Mail_Russia_Wide

Yandex is essentially the Russian version of Google.  It is the dominant Russian-language search engine and, like Google, Yandex has established a lot of peering links — although, for obvious reasons, with a greater emphasis on the Russian-speaking world.  Beltelecom is the incumbent telecom of Belarus and has become a recurring character in this blog (either for globally routing RFC6598 address space or MITM hijacks).  Beltelecom and Yandex have a peering relationship, as it makes a lot of sense for eyeball networks (Beltelecom) and content providers (Yandex) to try to save on transit costs by interconnecting.  However, for twelve days this year, Beltelecom announced routes it learned from Yandex to its transit provider Telecom Italia (i.e., leak scenario 1 from above).

The AS paths of the impacted routes took the following form:

… 6762 6697 13238 …

This AS path shows that routes from Yandex (AS13238) shared with its peer Beltelecom (AS6697) who leaked them to Telecom Italia (AS6762), a global Tier 1 provider. Normally no provider outside of Belarus would use Beltelecom to reach Yandex.

The result was that traffic destined for Yandex from customers around the world in Telecom Italia’s downstream cone was misdirected first to Beltelecom.  For Yandex’s networks in Russia (which shares a border with Belarus), the impact on latency was minor.  However, Yandex has networks outside of Russia (including some in the Netherlands and the United States) and, for those networks, the latency and paths were dramatically altered. For those receiving Yandex routes via Telecom Italia, Beltelecom inserted itself into Yandex-destined traffic from 22 May through 3 June of this year.

Consider the following example traceroute from Brazil to Yandex’s presence in Palo Alto, California before Beltelecom started leaking Yandex routes. The trace illustrates a typical traffic path, namely from Brazil to Miami and then on to New York and finally California.

trace from João Pessoa, Brazil to Yandex-Palo Alto at 05:46 May 20, 2014
1  *
2 ( Data Center, João Pessoa, Brazil) 0.259ms
3 (SITECNET INFORMÁTICA LTDA, João Pessoa, Brazil)   8.122ms
4                54.263ms
5 (Miami, US)            165.525ms
6                     119.060ms
7 (GTT, New York)                                 179.928ms
8 (New York, US)        199.109ms
9 (Las Vegas, US)          187.579ms
10   (Yandex, Palo Alto, US)                         179.933ms
11 (Palo Alto, US)  187.462ms

However, during the leak, traffic from the same server in Brazil to the same Yandex location in California was redirected to Beltelecom in Minsk, Belarus and then on to Yandex in Moscow, after which Yandex took the traffic to California on its internal backbone.

trace from João Pessoa, Brazil to Yandex-Palo Alto at 00:57 May 23, 2014
1  *
2 ( Data Center, João Pessoa, Brazil) 0.249ms
3 (SITECNET INFORMÁTICA LTDA, João Pessoa, Brazil)  54.175ms
4               54.932ms
5 (São Paulo, BR)       70.403ms
6 (São Paulo, BR) 54.192ms
7 (Frankfurt)   220.925ms
8 (Frankfurt) 404.091ms
9 (Minsk, BY)                   252.911ms
10 (Minsk, BY)                 254.373ms
11 (Minsk, BY)                251.801ms
12 (Minsk, BY)                       295.233ms
13 (Moscow, RU)         266.851ms
14 (Moscow, RU)                266.571ms
15 (Moscow, RU)                 266.611ms
16 (Moscow, RU)        276.847ms
17 (Yandex, Moscow, RU)                            309.937ms
18 (Germany)            281.413ms
19 (Asheville, US)   356.142ms
20 (Las Vegas, US)          356.994ms
21   (Yandex, Palo Alto, US)                         346.466ms
22 (Palo Alto, US)  356.994ms

Did Yandex finally notice this after nearly two weeks of poor performance due to misdirected traffic?  Did Beltelecom ultimately catch the error, after perhaps noticing a surge in traffic along its peering link with Yandex?  We may never know the answers to these questions, but we easily quantified the impact to Yandex’s Internet performance using our continuous global measurement and monitoring platform.


Rascom_Logo_trans        HpAccroche_01

Our next example of a peering relationship gone bad concerns Rascom’s leak of Telma’s routes this summer.  Telma is the incumbent telecom of the African island-nation of Madagascar, and Rascom is a Russian fixed-line operator with a network that extends throughout Europe.  While the previous example involved a very common type of peering relationship, between a content producer (Yandex) and a content consumer (Beltelecom), why on earth would a Russian ISP peer with an ISP from Madagascar?  How much traffic could possibly be passing between these two networks?  Could that traffic really justify a private connection to help to reduce transit costs?  Probably not.  The reason for this arrangement is likely due to the fact that both entities happen to be present at London Internet Exchange and decided to peer because … why not?

When a  provider from a faraway place like Africa or the Middle East establishes a presence at one of the European IXes, it often will establish peering relationships with anyone and everyone.  Once present at an IX, each additional connection carries little marginal cost, so you might as well connect with everybody there in the hopes of reducing your transit costs, if only slightly.  But as we’ll see in this example, each of your peers has the potential to screw up and alter the flow of your Internet traffic.  In other words, every relationship, no matter how seemingly insignificant, carries real risks.  There is no free lunch on the Internet.

Consider the following example of a normal traffic path from New York to Telma in Madagascar, the day before the routing leak.  Level 3 carries the traffic to London, where Telma picks it up and takes it first to Paris and then Madagascar.

trace from New York to Telma, Madagascar at 08:42 Aug 11, 2014
1  *
2             0.602ms
3             69.191ms
4           69.274ms
5            70.905ms
6           69.265ms
7           181.282ms
8               75.363ms
9      87.635ms
10 *
11 93.228ms
12  280.859ms
13      294.419ms
14 *
15 *
16 (Madagascar)           296.248ms


This next trace illustrates the impact of the routing leak on the path and latency between New York and Madagascar.  In this case, Tata takes the traffic to London and then Frankfurt before handing it off to Golden Telecom (Vimpelcom).  Golden takes the traffic to Moscow and delivers it to Rascom, who takes it straight back to London (at LINX), handing it off to Telma so it can continue its journey to Madagascar.  Wow!

trace from New York to Telma, Madagascar at 12:30 Aug 12, 2014
1  *
2   0.791ms
3   (Tata Communications, London)               85.475ms
4         85.733ms
5  *
6          85.654ms
7      85.369ms
8      85.666ms
9       85.332ms
10  (Tata Communications, Frankfurt, DE)        85.792ms
11                      130.005ms
12               131.454ms
13   (Rascom, Vyborg, RU)                       129.323ms
14 *
15      128.012ms
16   (London Internet Exchange (LINX))          126.734ms
17     133.410ms
18 *
19 153.67ms
20  356.605ms
21      348.541ms
22 *
23 *
24 (Madagascar)           350.924ms

We wouldn’t be surprised if the network engineers at both Rascom and Telma were completely unaware of this circuitous routing.  This level of monitoring is often overlooked.

China Telecom—National LambdaRail

Although our final example isn’t recent, it is worth mentioning in this discussion.  During the big China Telecom routing leak of April 2010 that caused an international stir, it is interesting to note where the bogus routes announced by China Telecom (AS23724) propagated the farthest. Before it ceased operations earlier this year, National LambdaRail (NLR) was a “high-speed national computer network owned and operated by the U.S. research and education community.”  NLR also had a peering relationship with China Telecom, the state telecom of China.  When NLR received the bogus origination announcements from its Chinese peer, it accepted them and routed traffic to China that was intended for numerous other locations around the world.

This is what can be most pernicious about routes received across peering links.  Routes from peers are typically prioritized over routes from providers to avoid transit costs.  While many, but certainly not all, transit providers filter the routes they receive from their customers in some manner, it is far less common for peers to do any filtering on the routes they exchange, largely due to the difficulty of determining appropriate routing behavior for an independent entity.  These prioritized and unfiltered peer routes have the potential to cause the performance and security problems we’ve outlined here.

In a 2012 paper entitled “A Case Study of the China Telecom Incident”, I assisted the authors by searching and analyzing traceroute data from the iPlane project for examples of traceroutes that were sucked into China Telecom during the routing leak.  Since much of iPlane’s data is generated using the networks of universities in the U.S. and many universities had a connection to NLR, there were many U.S. universities that had traffic redirected through China Telecom.  As is standard practice, NLR had prioritized routes from its peers—including China Telecom.  U.S. universities may have also prioritized routes from NLR over commercial transit links because NLR might have been a subsidized and therefore cheaper option. This provided a vector for those bogus routes to briefly (the entire incident lasted only 18 minutes) redirect traffic through China.

Here is an example traceroute pulled from iPlane traceroute data that illustrated the impact of the routing leak.  Starting in Norman, Oklahoma this trace goes out to to Internet2 and onto NLR’s routers on the west coast of the US.  There it hands the traffic off to China Telecom before returning it back to the US; it next appears in Cogent’s network in Chicago (ord) before making its way over to Boston.

0      (University of Oklahoma, Norman, US)        0.384ms
1   (RFC 1918)                                  0.287ms
2  (RFC 1918)                                158.051ms
3     (OneNet, Oklahoma City, US)                 0.364ms
4     (OneNet, Oklahoma City, US)                 0.875ms
5     (OneNet, Oklahoma City, US)                 3.025ms
6    (OneNet, Oklahoma City, US)                 3.057ms
7    (OneNet, Oklahoma City, US)                40.005ms
8    (Oklahoma Regents, Oklahoma City, US)      18.231ms
9        18.699ms
10    (National LambdaRail, Los Angeles, US)     71.529ms
11   (National LambdaRail, Los Angeles, US)     71.614ms
12  (National LambdaRail, Los Angeles, US)     71.606ms
13 *
14    (China Telecom, Guangzhou, CN)            280.357ms
15 *
16  296.328ms
17 294.124ms
18     298.383ms
19  315.434ms
20  328.007ms
21 335.061ms
22  340.852ms
23    339.829ms
24        (TA ASSOCIATES, Boston, US)               341.378ms

Next we provide a few examples of AS-level traceroutes (also based on the iPlane data) from U.S. universities impacted by the China Telecom routing leak, presented in a sequence-alignment style.  In each sequence, there is a trace that was redirected through China Telecom (AS4134) by way of NLR (AS11164) on 8 April 2010.  To illustrate the normal paths at that time, the errant one is sandwiched by AS-level traces seen on the previous and successive days.

Purdue University

AS path for ( to (Advertinet, US)
[04/07/10] 17 ----- ----- 209 12067 (19.18 ms)
[04/08/10] 17 11164  4134 209 12067 (106.47 ms)
[04/09/10] 17 ----- ----- 209 12067 (22.04 ms)

University of California, Santa Cruz

AS path for ( to (Spartan Stores Inc., US)
[04/07/10] 5739 2152 11164  286 19151 26554 33372 (67.57 ms)
[04/08/10] 5739 2152 11164 4134  3356 26554 33372 (237.99 ms)
[04/09/10] 5739 2152 11164  286 19151 26554 33372 (66.35 ms)

University of Massachusetts

AS path for ( to (SCOTTRADE, US)
[04/07/10] 1249 ----- -----  1239 3561 12221 (33.06 ms)
[04/08/10] 1249 22742 11164  4134 7018 12221 (247.83 ms)
[04/09/10] 1249 ----- -----  1239 3561 12221 (44.78 ms)

University of Florida

AS path for ( to (Bresnan Communications, LLC., US)
[04/07/10] 6356 ----- ----- 3356 7018 33588 (101.12 ms)
[04/08/10] 6356 11164  4134  174 7018 33588 (280.64 ms)
[04/09/10] 6356 ----- ----- 3356 7018 33588 (101.53 ms)

Oregon State

AS path for ( to (Secure-Netz, DE)
[04/07/10 00:00:00]  4201 -----  3701  3356 25074 (222.03 ms)
[04/08/10 00:00:00]  4201 11164  4134  3320 25074 (287.73 ms)
[04/09/10 00:00:00]  4201 -----  3701  3356 25074 (170.01 ms)


AS path for ( to (Copa Airlines, PA)
[04/07/10 00:00:00] 103 22335  3549 11556 26105 28031 (83.89 ms)
[04/08/10 00:00:00] 103 22335 11164  4134 26105 28031 (148.91 ms)
[04/09/10 00:00:00] 103 22335  3549 11556 26105 28031 (84.89 ms)

There were literally thousands more examples like these in the iPlane data.


In this blog post (and the last one), we don’t want to suggest we are somehow against peering.  Peering is an essential feature of Internet connectivity and will continue to be in the future.

The main takeaway is that if your network is going to prioritize routes from a peer over a transit provider, then your network engineers should also take the time to set up appropriate filtering and monitoring of these links to ensure you don’t accept and act on bogus routes.  As far as the routes you share with your peers, you need to monitor the paths traffic is taking to reach your network to determine if a peer is leaking your routes.  Additionally, if you don’t exchange much traffic with another entity, it may not be worth peering with them just because you are both present at the same Internet exchange point.  But if you must be promiscuous when peering, please use protection.

The post Use Protection if Peering Promiscuously appeared first on Dyn Research.


About the Author

Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest on submarine cables.

Follow on Twitter More Content by Doug Madory
Previous Article
What’s Next for Cuba?
What’s Next for Cuba?

While there has been great steps towards Internet access in Cuba, the Internet is still limited for a varie...

Next Article
Chinese Routing Errors Redirect Russian Traffic
Chinese Routing Errors Redirect Russian Traffic

Putin announces a plan to protect the Internet of Russia, but he should add Internet routing security to hi...