Apple network traffic takes mysterious detour through Russia

Apple's internet traffic took an unwelcome detour through Russian networking equipment for about twelve hours between July 26 and July 27. In a write-up for MANRS (Mutually Agreed Norms for Routing Security), a public interest group that looks after internet routing, Internet Society senior internet technology manager Aftab …

  1. Anonymous Coward

    Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

    Hence our current conundrums. First why the {BLEEP} is anyone letting BGP advertisements out of Russia right now? Ask the TLAs for a map of their network edge and banish any advertisements for other ranges to /dev/null.

    Second, it's been clear for a while that BGP is a shitshow. If we can't fix it, we should be declaring support for an alternative, not waving our arms around. Much like SSL and DNS, BGP's core problems are in its design assumptions, not its core code. You can fix those without breaking existing routing, but if only some participants implement the changes you have this kind of thing as an ongoing problem. The big ASNs and tier 1 carriers need to start slapping everyone else on the wrist to get the heel draggers moving.

    Carrot and stick perhaps? A new routing overlay where jumbo frames are supported but you have to run compliant secure DNS, non-blind-trust BGP etc. to join the party. I'd pay extra for it!

    1. Yes Me Silver badge

      Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

      If only it was that simple. It isn't.

    2. UCAP Silver badge

      Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

      Sorry to break in here, but what has IPv6 got to do with this? They redirected a part of 17.0.0.0/8, which is an IPv4 address block.

      I would hesitate to condemn BGP quite so strongly since it has done sterling service over the years. However, in common with all routing protocols, there is a certain measure of trust built into the protocol - it trusts that you are not going to start announcing address blocks that you should not be handling. A significant number of network outages occur when someone misconfigures the routing protocol and all of a sudden packets start flowing to there when they should be flowing to here.

      The real question I would like answered is: was this really an accident or an attempt by Russia to start screwing the global internet? I am not about to start throwing mud, but if Russia is trying to play games then I can see it being cut off from the wider community with extreme prejudice.

      1. Anonymous Coward

        Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

        "The real question I would like answered is: was this really an accident or an attempt by Russia to start screwing the global internet? I am not about to start throwing mud, but if Russia is trying to play games then I can see it being cut off from the wider community with extreme prejudice."

        Not necessarily screwing the Internet, but simply stealing (copying) data from Apple Engineering?

        1. Frank Bitterlich

          Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

          If I were an author of espionage novels, this would give me a few plot ideas. Like that they might have identified some Apple internal service or system that carries unencrypted or easy-to-break traffic; because it is used exclusively within Apple's network, nobody bothered to fix it...

          But I'll leave that to John le Carré and his colleagues.

          1. Starkoman
            Alert

            Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

            From what we know, all of Apple's traffic is end-to-end encrypted. Everything.

        2. JimboSmith Silver badge

          Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

          "The real question I would like answered is: was this really an accident or an attempt by Russia to start screwing the global internet? I am not about to start throwing mud, but if Russia is trying to play games then I can see it being cut off from the wider community with extreme prejudice."

          Not necessarily screwing the Internet, but simply stealing (copying) data from Apple Engineering?

          They've already fleshed out and tested cutting themselves (Russia) off from the rest of the internet, so that's not too far of a stretch in thinking. Copying Apple's data... who knows.

    3. Fred Goldstein

      Re: Yet IPv6 networks were built to rely on and assume both BGP and DNS work perfectly.

      That's the problem with TCP/IP in general. It was built for the DoD Internet, ARPANET, PRnet, and later MILNET, without public access. So it has no security; it trusts its users. Not smart these days. BGP is inherently vulnerable. The whole thing needs rethinking.

  2. Richard Tobin

    Block sizes

    "Rostelecom’s AS12389 network began announcing 17.70.96.0/19, which is part of Apple's 17.0.0.0/8 block and is usually announced as part of the larger 17.0.0.0/9 block."

    A /9 block is *smaller* than a /8 block.

    1. Anonymous Coward

      Re: Block sizes

      /19 is smaller than /9. Probably Apple announces 17.0.0.0/9 separately.

      It would be interesting to know what those addresses are usually used for.

      1. Jellied Eel Silver badge

        Re: Block sizes

        It would be interesting to know what those addresses are usually used for.

        S'easy. Grab Nmap and have at it. Apple may object, but like most of big tech, if they have no respect for our security or privacy, turnabout is fair play.

      2. ChoHag Silver badge

        Re: Block sizes

        Their private network. To the best of my knowledge they do not use NAT. It rather surprised me to sit down at a desk in an office and obtain a real IP.

    2. diodesign (Written by Reg staff) Silver badge

      Re: Block sizes

      We meant the /19 is announced as part of a larger /9 block, which is in the /8 range. Here's the passage from MANRS:

      "Around 21:25 UTC On 26 July 2022, Rostelecom’s AS12389 network started announcing 17.70.96.0/19. This prefix is part of Apple’s 17.0.0.0/8 block; usually, Apple only announces the larger 17.0.0.0/9 block and not this shorter prefix length."

      I've edited that part as it seems to be confusing people. A /19 block is smaller than /9 which is smaller than /8.

      Also if you think we've written something wrong, please drop us an email to corrections@theregister.com so we can take a look straight away, thanks.

      C.

  3. DS999 Silver badge

    This is why all traffic should be encrypted

    Since fixing BGP seems to be impossible, as we've been dealing with these for at least 20 years.

    Even stuff that seems innocuous should be encrypted. That way the only thing malicious actors can do is a DoS, rather than snooping or worse modifying traffic in transit.

    I'm not sure if any of Apple's iPhone to HQ traffic etc. is in the clear, but I doubt it. If it was then, it surely isn't after this happened!

    1. Anonymous Coward

      Re: This is why all traffic should be encrypted

      They'd just issue fake certs from one of their controlled certificate authorities.

      Their browser/software would trust those fake certs because that's the way trust was dished out liberally in the certificate chain.

      Broken and backdoored by design.

      1. Yes Me Silver badge

        Re: This is why all traffic should be encrypted

        If they were trying to receive traffic in bogus servers, they could provide bogus certificates. But there's nothing in the report to suggest that. It's equally likely they just wanted a look at the traffic for a while or just to blackhole it for fun and annoyance.

      2. DS999 Silver badge

        Re: This is why all traffic should be encrypted

        People aren't browsing to Apple sites that often, this is more for stuff like downloading iOS updates, syncing with iCloud, checking if a new number you're texting is registered with iMessage, etc. None of that is going to allow a MiTM attack like SSL.

        And Apple (and every other western tech company) would be stupid to trust any Russian CAs for a device that's not using Russian language.

        1. Tony.
          Black Helicopters

          Re: This is why all traffic should be encrypted

          CA trust is not based on location. There are a lot of trusted root CAs on iOS...

          https://support.apple.com/en-gb/HT212140

          although not as many as windows...

          https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT

          both include government CAs of some countries... no obvious Russian ones but could they have compromised any of them...

          Almost 10 years ago TurkTrust 'accidentally' issued a *.google.com cert (to the Turkish government?)

          https://www.theregister.com/2013/01/04/turkish_fake_google_site_certificate/

          1. DS999 Silver badge

            Re: This is why all traffic should be encrypted

            There's nothing stopping them from having CAs that are only effective if your phone is configured for a certain language or used within a certain geographic area, or only for certain sites.

            Will China and the US be willing to agree on a global list of CAs that can be trusted for all sites in the future? Theirs would obviously be trusted for *.cn and ours for *.us or *.gov, but *.com includes both, so they could hijack google.com or we could hijack wechat.com, which neither is going to want to allow.

  4. elsergiovolador Silver badge

    BGP

    Actually comes from больше глупый протокол

    бгп = BGP

    Which literally means the wholly stupid protocol.

    1. martinusher Silver badge

      Re: BGP

      Neat.

      Whenever there's a large scale Internet SNAFU there's invariably a BGP screwup although obviously if it involves Russia or China then there's just got to be some nefarious reason behind it. (.....because as we all know, every Russian or Chinese operator is 100% competent, never makes mistakes and is always planning their next dark and dirty deed)(obeying direct orders from Putin or Xi, of course)

      1. Cav Bronze badge

        Re: BGP

        "always planning their next dark and dirty deed"

        They are.

  5. cyberdemon Silver badge
    Black Helicopters

    I doubt if it is related, but

    Earlier this week I came across the story about the fibre optic cables in Paris being cut by persons unknown

    https://tech.slashdot.org/story/22/07/25/2014241/the-unsolved-mystery-attack-on-internet-cables-in-paris

    It wouldn't surprise me if there was a major attack on internet infrastructure being planned by Russia.

    Suppose the Russians paid some cargo ship to drag an anchor across the Bristol Channel, to cut off most of our network links to the US. Then, just like the gas, we would be dependent on the East for our communications.

    1. Anonymous Coward

      Re: I doubt if it is related, but

      What, you Brits don't have access to satellites?

      1. cyberdemon Silver badge
        Devil

        Re: I doubt if it is related, but

        Oh great, latency in the hundreds if not thousands of milliseconds and a signal contention ratio worse than trying to have a conversation with the ref from the stands at a football match.

        No thanks. There's a bloody good reason that we have fibre optics.

      2. Mayday
        Stop

        Re: I doubt if it is related, but

        Satellites.

        Do you really think a satellite or sever, even in LEO, could replace a down and out piece of glass?

  6. Steve Button Silver badge

    BREAKING: Reply has come back from Apple.

    The Register asked MANRS whether anyone there had heard anything from Apple since its post was published and a spokesperson replied... "вся ваша база принадлежит нам"

    1. Anonymous Coward

      Re: BREAKING: Reply has come back from Apple.

      With the help of Federation government forces, no less!

  7. Michael Wojcik Silver badge

    Just one of many

    BGP leaks – some significant proportion of which are likely hijack attempts rather than accidents – are really common. Like, on the order of a hundred a day, according to studies I've seen. Some are successful, at least briefly; others are not.

    That's a small proportion of BGP announcements, which at the moment, judging by RIS Live, are running around 150/second. But it's certainly a problem.

    Internet Health Report shows 23 Internet partitions due to routing in the past 24 hours.

  8. Colin Wilson 2

    Coincidentally(?), Apple released major updates to all their operating systems, including iOS and macOS on 26th & 27th July.

    Have these been compromised??

  9. Anonymous Coward

    Hmmm

    Siddiqui said Rostelecom (AS12389) has been involved in previous BGP hijackings, and emphasized that network operators implement effective route filtering based on reliable information to thwart these shenanigans.

    Can't we somehow just sinkhole these c*nts from the internet?
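The "Block sizes" thread above and this comment about route filtering come together in the example below. It is added here and is not code from the article, the commenters or MANRS: it shows why a leaked 17.70.96.0/19 captures traffic that the usual 17.0.0.0/9 carries (longest-prefix match), and how an allow-list of authorised (prefix, max length, origin) entries in the shape of RPKI ROAs rejects the stray announcement. Apple's own ASN is not on the page, so it is a labelled placeholder; the allow-list and announcements are constructed.

```python
"""Added example: longest-prefix match versus origin validation of BGP
announcements. Not the article's or MANRS's code; inputs are constructed."""
from ipaddress import ip_address, ip_network

# Placeholder: Apple's real origin ASN is not stated on the page.
APPLE_ASN = "AS_APPLE_PLACEHOLDER"

# Constructed allow-list in the shape of RPKI ROAs:
# (covering prefix, maximum announced prefix length, authorised origin ASN).
ROAS = [(ip_network("17.0.0.0/8"), 9, APPLE_ASN)]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 style result: 'valid' if some ROA covers the prefix with the
    same origin and a length within maxLength, 'invalid' if covered but no
    ROA matches, 'not-found' if no ROA covers it at all."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if net.version != roa_prefix.version or not net.subnet_of(roa_prefix):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def build_rib(announcements, filter_invalid):
    """Install (prefix, origin) announcements, optionally dropping those
    that fail origin validation. Returns a list of (network, origin)."""
    rib = []
    for prefix, origin in announcements:
        if filter_invalid and validate_origin(prefix, origin) == "invalid":
            continue
        rib.append((ip_network(prefix), origin))
    return rib

def best_route(dst, rib):
    """Longest-prefix match: the most specific installed route wins, which is
    why a /19 inside an accepted /9 diverts that /19's traffic."""
    dst = ip_address(dst)
    matches = [(net, origin) for net, origin in rib if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

# Constructed announcements: Apple's usual /9 plus the leaked /19 from AS12389.
ANNOUNCEMENTS = [("17.0.0.0/9", APPLE_ASN), ("17.70.96.0/19", "AS12389")]

if __name__ == "__main__":
    for filtering in (False, True):
        rib = build_rib(ANNOUNCEMENTS, filtering)
        print(f"filtering={filtering}: 17.70.100.1 via {best_route('17.70.100.1', rib)}")
```

Without filtering the /19 wins for 17.70.100.1 because it is more specific; with filtering it is rejected as invalid and the /9 carries the traffic again.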
