Cloudflare blames recent outage on BGP hijacking incident

July 5, 2024 at 02:42PM

Internet giant Cloudflare reported a recent incident in which its DNS resolver service, 1.1.1.1, was affected by a combination of a BGP hijack and a route leak. This led to service unavailability for some users. The company responded by engaging with the networks involved, disabling peering sessions, and presenting long-term solutions to improve route leak detection and routing security.

Key takeaways:

– Cloudflare’s DNS resolver service, 1.1.1.1, experienced unreachability or degradation due to a combination of BGP hijacking and route leak, affecting 300 networks in 70 countries but with a “quite low” impact in some cases.

– The incident began at 18:51 UTC on June 27 when AS267613 announced the 1.1.1.1/32 IP address, and this incorrect announcement was accepted by multiple networks, leading to traffic misrouting.

– Cloudflare identified the problems at around 20:00 UTC and resolved the hijack roughly two hours later, with the route leak being resolved at 02:28 UTC.

– Remediation efforts included engaging with the networks involved, disabling peering sessions with problematic networks, and adopting RPKI to automatically reject invalid routes.

– Long-term solutions presented by Cloudflare involve enhancing route leak detection systems, promoting the adoption of RPKI and MANRS principles, encouraging the rejection of IPv4 prefixes longer than /24 in the Default-Free Zone, advocating for the deployment of ASPA objects, and exploring the potential of implementing RFC9234 and DOA.
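
The two import filters named above (RPKI route origin validation and rejecting IPv4 prefixes longer than /24), applied to the announcement from the incident. This is an added example, not Cloudflare's code; the ROA entry is constructed for illustration, and treating AS13335 as the authorised origin of 1.1.1.0/24 is an assumption not stated on this page.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


# Constructed ROA set (assumption: AS13335 is the authorised origin of
# 1.1.1.0/24 and the ROA's maxLength is 24).
ROAS = [ROA(ipaddress.ip_network("1.1.1.0/24"), 24, 13335)]

MAX_IPV4_LEN = 24  # longest IPv4 prefix accepted in the Default-Free Zone


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        # A ROA covers the route when the route's prefix sits inside it.
        if net.version == roa.prefix.version and net.subnet_of(roa.prefix):
            covered = True
            # It matches only if the origin AS and the length limit both agree.
            if origin_as == roa.origin_as and net.prefixlen <= roa.max_length:
                return "valid"
    return "invalid" if covered else "not-found"


def import_decision(prefix, origin_as, roas=ROAS):
    """Return (accept, reason) for a received IPv4 announcement."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_IPV4_LEN:
        return False, "prefix longer than /24"
    state = rov_state(prefix, origin_as, roas)
    if state == "invalid":
        return False, "RPKI invalid"
    return True, "RPKI " + state


if __name__ == "__main__":
    # The announcement described above: 1.1.1.1/32 originated by AS267613.
    print(rov_state("1.1.1.1/32", 267613), import_decision("1.1.1.1/32", 267613))
```

Either filter alone rejects the 1.1.1.1/32 announcement; a network applying neither accepts it, and because a /32 is more specific than the covering /24, longest-prefix match then prefers it.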
