For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw.
BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack. Just last week, United States Executive Branch agencies moved to block China Telecom from offering services in the US, because of allegedly malicious activity that includes BGP attacks. Companies like Cloudflare sit on the front lines of the BGP blowback. And while the company can't fix the problem directly, it can call out those that are slow to contribute defenses.
On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.
"With that last big route leak from a few weeks ago out of Russia it was a point at which our engineering team said enough is enough, its time for us to start naming and shaming the companies who arent doing this right," says Cloudflare CEO Matthew Prince. "Anything that goes wrong anywhere on the internet we get blamed for it, which is right! Our customers pay us to make sure their internet connections are fast and secure and reliable. So BGP is one of these really frustrating areas that we cant solve ourselves."
BGP is like a GPS mapping service for the internet, enabling ISPs to automatically choose what route data should take over the internet's vast landscape of networks. But really BGP is like using a GPS mapping service run by your opinionated relatives. Your cousin's step-father says "oh, take this route. It'll be fast and safe and you get to pass the house with the great Halloween decorations," and you just have to trust him. If he doesn't know what he's talking about—like an ISP advertising a bad BGP route—you could end up stuck in endless mall traffic.
The cryptographic tools, route filters, and best practices Cloudflare and other organizations have been promoting are like a sixth sense for detecting when you're getting bad advice. They run actual checks on the BGP routes other IPs are "announcing," or offering, to make sure they're legitimate and that no one is advertising a problematic route.