Cloudflare’s DNS Resolver Service Hit by BGP Hijacking Incident – Security Concerns Raised
Cloudflare, a prominent internet infrastructure service provider, recently experienced an unintentional BGP hijacking incident that caused temporary outages and slowdowns in its privacy-first public DNS resolver service. The incident, which occurred on June 27, affected less than 1% of internet traffic but raised concerns about the security of the Border Gateway Protocol (BGP), the aging protocol used to route traffic across the internet.
The outage was a result of two simultaneous BGP issues that led to a routing hijack and route leak, effectively disrupting the Cloudflare DNS resolver service “1.1.1.1” for users in certain regions. The incident highlighted the vulnerabilities in the BGP protocol and the potential risks associated with improper routing announcements.
Cloudflare engineers explained that historical use of the IP address 1.1.1.1, which has been commonly used for testing purposes, contributed to the misrouting of traffic. The incident involved unauthorized announcements of routing information by specific Autonomous Systems, leading to traffic blackholing and slowdowns for Cloudflare’s users.
To address these issues and prevent future incidents, Cloudflare recommended the adoption of security measures such as Resource Public Key Infrastructure (RPKI), BGP best practices, and Autonomous System Provider Authorization (ASPA) for BGP. The company also expanded its route leak detection system so that it can respond to similar events more promptly in the future.
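As an added illustration (not Cloudflare's code), this is the route origin validation that RPKI enables, following RFC 6811, run over a constructed ROA and constructed announcements. The ASNs are documentation-range placeholders, the function names are hypothetical, and the cases cover the general valid / invalid / not-found outcomes rather than the specific announcements of the incident.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

# Constructed ROA set: the ASN is from the documentation range (RFC 5398)
# and is a placeholder, not a network involved in the incident.
ROAS = [
    ROA(ipaddress.ip_network("1.1.1.0/24"), 24, 64496),
]

def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        # A ROA covers the route if the route equals or sits inside the ROA prefix.
        if route.version != roa.prefix.version or not route.subnet_of(roa.prefix):
            continue
        covered = True
        # A match needs the authorized origin AND a prefix no longer than maxLength.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none is invalid; uncovered is not-found.
    return "invalid" if covered else "not-found"

def filter_announcements(announcements):
    """Drop routes that validate as invalid; keep valid and not-found ones."""
    return [(p, a) for p, a in announcements if validate_origin(p, a) != "invalid"]

# Constructed announcements as (prefix, origin ASN).
SAMPLE = [
    ("1.1.1.0/24", 64496),       # authorized origin
    ("1.1.1.1/32", 64500),       # more-specific route from another AS
    ("1.1.1.0/24", 64500),       # same prefix, unauthorized origin
    ("1.1.1.1/32", 64496),       # right origin, longer than maxLength
    ("198.51.100.0/24", 64501),  # no covering ROA
]

if __name__ == "__main__":
    for p, a in SAMPLE:
        print(f"{p:18} AS{a}: {validate_origin(p, a)}")
```

Origin validation checks only the origin AS and prefix length, so a leaked route that keeps its legitimate origin still validates as valid; that gap is what ASPA is meant to address.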
Overall, the Cloudflare BGP hijacking incident serves as a reminder of the importance of securing internet routing protocols to prevent disruptions and ensure the reliability of online services. As internet infrastructure continues to evolve, proactive measures to enhance security and prevent unauthorized routing announcements will be essential to safeguarding the stability of the internet.