Cloudflare 1.1.1.1 Service Outage: A Quick Dive into BGP Hijacking and Route Leaks, here is what to know


On June 27, 2024, Cloudflare’s widely used 1.1.1.1 DNS resolver service experienced a significant disruption. Users across the globe encountered issues, ranging from complete unreachability to high latency. In this article, we delve into the technical intricacies of the incident, shedding light on the challenges faced by Cloudflare and the broader internet community.


The Cloudflare BGP Hijacking and Route Leak

1. BGP Hijacking: A Brief Overview

  • BGP, the backbone of internet routing, determines how data flows between autonomous systems (ASes). Unfortunately, it’s not immune to hijacks.
  • Imagine a fictitious network, FooBar Networks (AS65001), mistakenly announcing 1.1.1.1/32 within its internal network. That misconfiguration would cause routing difficulties for its customers trying to reach Cloudflare’s DNS service.

2. The Role of RPKI in Route Origin Validation

  • Cloudflare was an early adopter of Resource Public Key Infrastructure (RPKI). RPKI enables IP prefix owners to securely store and share ownership information.
  • When properly enforced, RPKI limits the impact of BGP hijacks. However, during the incident, 1.1.1.1/32 was originated by ELETRONET S.A. (AS267613), bypassing RPKI checks.

3. The Unintended Leak

  • Nova Rede de Telecomunicações Ltda (AS262504) erroneously leaked 1.1.1.0/24 upstream.
  • Peer-1 Global Internet Exchange (AS1031) further propagated this leak, exacerbating the impact on Cloudflare’s users.

Mitigation and Future Steps

1. Improving Detection Methods

  • Cloudflare acknowledges that the root cause was external, but they take service operation seriously.
  • They commit to enhancing detection mechanisms for quicker responses to such incidents.

2. Encouraging Adoption of RPKI-Based Solutions

  • Cloudflare aims to promote RPKI-based hijack and leak prevention mechanisms.
  • Route Origin Validation (ROV) and Autonomous System Provider Authorization (ASPA) objects are crucial tools for securing BGP routing.
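
The difference between what ROV catches and what it misses can be made concrete with a small origin-validation check in the style of RFC 6811. This is an added example, not Cloudflare's code: the VRP entry (AS13335, Cloudflare's ASN, with an assumed maxLength of 24) and the AS path used for the leak are constructed for illustration.

```python
import ipaddress

# Constructed sample VRP (validated ROA payload): (prefix, maxLength, origin AS).
# Real VRPs come from an RPKI validator; maxLength 24 is an assumption here.
VRPS = [("1.1.1.0/24", 24, 13335)]

def rov_state(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in vrps:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A VRP covers a route that is equal to or more specific than its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS0 in a ROA never matches; it marks a prefix that must not be routed.
        if route.prefixlen <= max_len and origin_as == roa_as and roa_as != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def evaluate(announcements, vrps=VRPS):
    """Apply ROV to (prefix, as_path) pairs; the origin is the last AS in the path."""
    results = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        state = rov_state(prefix, origin, vrps)
        action = "reject" if state == "invalid" else "accept"
        results.append((prefix, origin, state, action))
    return results

# Constructed announcements modelled on the events described in this article.
ANNOUNCEMENTS = [
    ("1.1.1.1/32", [267613]),               # hijack: wrong origin, longer than maxLength
    ("1.1.1.0/24", [1031, 262504, 13335]),  # leak: assumed path, origin still AS13335
    ("192.0.2.0/24", [64500]),              # documentation prefix with no covering VRP
]

if __name__ == "__main__":
    for row in evaluate(ANNOUNCEMENTS):
        print(row)
```

The hijacked /32 is rejected as invalid, while the leaked /24 still validates because its origin AS is unchanged. That gap is why path-based checks such as ASPA are needed alongside ROV.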

Conclusion

The 1.1.1.1 incident serves as a wake-up call for the internet community. As we rely more on digital services, safeguarding against BGP vulnerabilities becomes paramount. Cloudflare’s commitment to improvement underscores the collective responsibility to fortify our networks against future disruptions.

