rss_feed
calendar_today Oct. 21, 2020, 6:49 p.m.
Lumen aka CenturyLink is generating routing incidents via former Level3 network, again
Radar

AS203, belonging to what was formerly known as "Level3", acquired by "CenturyLink" in 2016, latter rebranded as "Lumen" in 2020, is a frequent visitor within the incident reports of the Qrator.Radar team. We are not here to blame anyone, but such occurrence of routing incidents for a single organization is worrying - we hope this article would help you to understand how even a small event could reach enormous impact with specific prerequisites met.

On October 21, 2020, at approximately 14:11 UTC AS203 started to announce 158 prefixes that almost immediately created more than 1100 conflicts for a 1000+ of advertised prefixes. This incident, which has not stopped yet while we are writing this particular report, affected 31 ISPs in 19 countries, including such players as AS9198 - KAZTELECOM-AS, AS35415 - WEBZILLA, AS7979 - SERVERS-COM and many more.

Here is the path graph for one of Webzilla’s hijacked prefixes:

 

Why an announcement of such a moderate set of prefixes resulted in a significant anomaly that, according to our estimations, cost legitimate owners a loss of a significant part of their reachability - from 30% to 100% depending on the distance from the Internet backbone?

In simple terms - because "Lumen" is a Tier-1 ISP. Announcements from such an autonomous system with extensive coverage across the continents easily win the BGP path challenge against the original announcements. Which further allows them to propagate to other ASes, reaching global coverage. AS203 announcements reach the world in two hops, which has a crucial impact on prefix propagation.

Take a look at the following picture which perfectly illustrates that even less or equal specific prefixes successfully spread across the Internet, hijacking the traffic of their original owners in case a hijack originates from a Tier-1:

We could say that on average, this incident dragged 50% of the usual traffic away from the legitimate autonomous systems. We could only speculate that the reason for this incident's impact lies within the fact that only 10% of invalid ROA prefixes accompanied this event.

"With great power comes great responsibility" - a phrase known as the Peter Parker principle is accurate. When you are a big and prominent player on the Internet Service Provider market, even an insignificant action could lead to disastrous consequences for those under your feet.