Media reports on Chinese Internet ‘hijacking’

Another media story on China and the Internet has been widely reported today, although with a somewhat depressing lack of detail and excess of hysteria. I was interviewed today on the BBC about the story (my comments start around 01:34) and so spent a while digging into the particulars. I’ll attempt here to present a slightly more balanced and fact-based version of the story as I understand it. A good technical analysis of this incident can be found at BGPmon here, and probably the best I’ve seen so far is at Renesys here.

A recent report to the US government by the US-China Economic and Security Review Commission contains, amongst other reports of potential national security threats to the US from China, mention of an incident in April 2010 in which a significant minority of Internet traffic was briefly and erroneously routed through China. The incident lasted approximately 18 minutes, and affected 15% of Internet destinations.

The headlines report that “China hijack 15% of the Internet”, whilst somewhat breathlessly informing us that US military and government traffic was affected. The original report[1] points out that there is no evidence that this occurred intentionally, but the term “hijack” leaves the interpretation of malicious intent which, of course, makes for a more exciting story.

While the obvious question to be answered is: “how did this happen?”, we might also wonder what exactly is meant by “15% of the Internet”. Luckily, the answer to the former helps with answering the latter.

Without going into too much detail on exterior gateway protocols such as BGP, this situation came about due to a fundamental design issue in one of the underlying protocols that controls the Internet. Simply speaking, when data passes over the Internet it travels across a number of networks en route to its destination, with the precise route being determined according to which networks can most efficiently pass data to that destination at a given moment. This simple approach provides reasonably high levels of performance and robustness.

Unfortunately, from a security point of view, the information used to plan the best path comes from servers belonging to individual telecommunication companies, and is largely taken on trust by other servers. The servers provide authoritative routing information for certain networks, defined by IP prefixes, or ranges of IP addresses.

In the case of the April 2010 incident it appears that servers operated by [2], affecting approximately 100,000 prefixes, making that a much larger incident. In 2008 a provider in Pakistan, in attempting to block YouTube internally, caused Internet-wide routing to route YouTube through Pakistan and thus blocked the system for the entire Internet.

Was the Chinese incident deliberate? In my opinion it seems unlikely. It is, of course, difficult to tell one way or another with such minimal information, but there does not seem to be any good reason to ascribe malice rather than error in this case. The nature of the incident, and its brief duration, inclines me to believe that this was most likely a swiftly-fixed configuration error, as it has been in several similar incidents. Whilst it is possible that an approach along these lines could be used to pull in a snapshot of important communications from across the globe, it seems a very inefficient and risk-prone strategy with relatively nebulous benefits.

What the incident does highlight is that several critical underlying internet protocols still function without great regard for security or resistance against subversion, malicious or otherwise. That incidents like these can still occur accidentally seems a greater concern for the world at large than the potential that a small proportion of, hopefully encrypted, US governmental emails might have been intercepted during a twenty-minute window in April.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.