Illustration of BGP hijacking

Statement regarding BGP hijacking on September 29

Share this page

At Proton, we strive to plan for all contingencies that might affect our service. Our efforts paid off on Tuesday, September 29 (around 4 AM Wednesday morning, Australia time), allowing us to turn a very serious incident into a minor inconvenience for some of our users.

As far as we currently understand the situation, this was done on accident and not maliciously, although we have still not been provided with any additional details. For several hours, however, around 30% of the global internet looking for us got pointed to Telstra instead. Some 1,680 other networks were also affected, making this perhaps the most serious BGP hijacking incident ever.

As we will explain in this article, although there are ways to mitigate the fallout from BGP hijacking, due to the way the internet is designed there is simply no way to prevent this kind of incident from happening. The episode highlights, in fact, how broken some key aspects of the internet are.

Users were minimally affected

Fortunately, we mitigated the effects of this incident relatively quickly thanks to measures such as Route Origin Authorization and monitoring that we already have in place for situations like this.

We were able to divert all mail and web traffic along unimpacted internet routes, so the only effect was some delay in sending and receiving emails. Some non-essential systems, however, like our payments system, were not functioning. This meant that customers were not able to pay us for some number of hours, and we incurred meaningful financial losses as a result. 

In this incident, no user data was lost or breached.

What is BGP hijacking?

Border Gateway Protocol (BGP) is a key component of how the internet works. It is the routing protocol that determines how data packets travel from one IP address to another IP address.

IP addresses are the computer-friendly numbers that ISPs assign to every device that connects to the internet. If we imagine the internet as a postal network, IP addresses are the ZIP codes for each destination, and data packets are letters that each contain a portion of the information being sent. BGP is the road map used to deliver the letters to the correct addresses.

BGP looks for all available paths and chooses the fastest and most efficient route. Usually this means transferring data packets between autonomous systems (AS) until they reach their destination.

Autonomous systems are the smaller networks that together make up the internet. All IP addresses belong to an autonomous system, and most autonomous systems belong to ISPs like Telstra.

Using our earlier analogy, autonomous systems are like regional post offices. Letters are delivered to a regional post office, which then delivers them to individual addresses in the post office’s catchment area.

BGP relies on routing information published by autonomous systems, but there are no real safeguards in place to prevent a malicious AS from announcing a route to IP prefixes that it does not control.

To return to our analogy, BGP hijacking is like painting over road signs with false directions so that letters intended for one post office are delivered to a different one. 

BGP always chooses the fastest and most efficient route, however, so for a BGP hijack to succeed, the fraudulent announcement must appear to offer a more efficient route than any existing route maps stored on BGP routers across the internet.

How we stopped this incident so quickly

We continually monitor our networks for signs of BGP hijacking and have measures in place to mitigate the problem when an attack is detected. Upon detecting that some portion of our internet traffic was being routed to Australia, we moved essential services over to backup subnets and IPs which were not being hijacked. 

Thus, even though our primary network was still being hijacked, the bulk of our traffic was no longer flowing through that network. To follow the analogy above, even though the main highway now had incorrect road signs, we sent users down a different highway that still had the correct signs.  

How can BGP hijacking be prevented?

The bad news is that there is no practical way to prevent BGP hijacking. There are, however, some proposals to fix this. The main approach is Resource Public Key Infrastructure (RPKI)(new window), also known as Resource Certification. 

This is a system designed to certify that BGP route announcements can only be made by an organization with the authority to make that announcement.

We believe this is the most sensible solution, and Proton fully implements RPKI on all our networks. RPKI is opt-in and only works if other internet service providers agree to abide by it. Unfortunately, over 80%(new window) of the internet does not use RPKI, and until it does, incidents of BGP hijacking can cause significant damage (in our case, 30% of global traffic). 

As BGP hijacking cannot be prevented without the collaboration of the main internet players, the only solution is to have infrastructure in place to quickly switch to alternative networks if and when it happens. Proton had previously invested in such infrastructure as part of our work for alternative routing(new window).

Final thoughts

For the internet to become a safer place, more ISPs and cloud service providers must adopt RPKI, and for that to happen, internet users will need to lobby their ISPs. If you would like to get involved in this effort, please see Is BGP safe yet?(new window), an initiative by Cloudflare to pressure ISPs into adopting the protocol.

Encouraging your ISP to support RPKI is a good first step toward preventing future incidents of this sort anywhere on the internet. If you are a local internet registry (LIR), sign your prefix now. It is a simple, five-minutes process.

Best Regards,
The Proton Team

Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).

Protect your privacy with Proton
Create a free account

Share this page

Proton Team

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

At Proton, we’re always working on new and innovative ways to protect the privacy and data of the Proton community. Sometimes that means developing entirely new services, like our Proton Sentinel program, which combines AI and human security analysts
How to unsend an email in Gmail, Outlook, Proton Mail, and Apple Mail
“Undo Send” gives you a chance to stop an erroneous message you’ve just sent. We’ve all done it. You hit Send on an email only to spot you’ve misspelled someone’s name, forgotten an attachment, or accidentally sent a cringing joke to half your conta
Google has already taken privacy washing to the extreme by trying to brand itself as “privacy focused”, even though its business model is based on surveillance.  Lately, the company’s marketing strategy has turned toward outright Orwellian doublespe
Last week, the UK government made a statement in the House of Lords acknowledging that portions of the controversial Online Safety Bill might not even be technically enforceable without breaking end-to-end encryption. This rightly received a lot of a
What is email spoofing?
Email spoofing is a technique attackers use to make a message appear to be from a legitimate sender — a common trick in phishing and spam emails. Learn how spoofing works, how to identify spoofed messages, and how to protect yourself from spoofing a
Google Chrome is the world’s most popular web browser by far, with over 3 billion users. Its built-in password manager, Google Password Manager, is its default software to create and store passwords for websites and services. Although convenient for