{"id":23,"date":"2010-11-19T01:09:21","date_gmt":"2010-11-19T01:09:21","guid":{"rendered":"http:\/\/www.pseudonymity.net\/?p=23"},"modified":"2010-11-19T01:09:21","modified_gmt":"2010-11-19T01:09:21","slug":"media-reports-on-chinese-internet-hijacking","status":"publish","type":"post","link":"https:\/\/www.pseudonymity.net\/blog\/index.php\/2010\/11\/19\/media-reports-on-chinese-internet-hijacking\/","title":{"rendered":"Media reports on Chinese Internet &#8216;hijacking&#8217;"},"content":{"rendered":"<p>Another media story on China and the Internet has been widely reported today, although with a somewhat depressing lack of detail and excess of hysteria. I was <a href=\"http:\/\/www.bbc.co.uk\/iplayer\/console\/b00vv83g\">interviewed today<\/a> on the BBC about the story (my comments start around 01:34) and so spent a while digging into the particulars. I&#8217;ll attempt here to present a slightly more balanced and fact-based version of the story as I understand it. A good technical analysis of this incident can be found at BGPmon <a href=\"http:\/\/bgpmon.net\/blog\/?p=282\">here<\/a>, and probably the best I&#8217;ve seen so far is at Renesys <a href=\"http:\/\/www.renesys.com\/blog\/2010\/11\/chinas-18-minute-mystery.shtml\">here<\/a>.<\/p>\n<p>A recent <a href=\"http:\/\/www.uscc.gov\/annual_report\/2010\/annual_report_full_10.pdf\">report<\/a> to the US government by the <a href=\"http:\/\/www.uscc.gov\/index.php\">US-China Economic and Security Review Commission<\/a> contains, amongst other reports of potential national security threats to the US from China, mention of an incident in April 2010 in which a significant minority of Internet traffic was briefly and erroneously routed through China. The incident lasted approximately 18 minutes, and affected 15% of Internet destinations.<\/p>\n<p>The headlines report that &#8220;China hijack 15% of the Internet&#8221;, whilst somewhat breathlessly informing us that US military and government traffic was affected. 
The original report <a href=\"#uscc-report\">[1]<\/a> points out that there is no evidence that this occurred intentionally, but the term &#8220;hijack&#8221; invites an interpretation of malicious intent which, of course, makes for a more exciting story.<\/p>\n<p>While the obvious question to be answered is &#8220;how did this happen?&#8221;, we might also wonder what exactly is meant by &#8220;15% of the Internet&#8221;. Luckily, the answer to the former helps with answering the latter.<\/p>\n<p>Without going into too much detail on <a href=\"http:\/\/en.wikipedia.org\/wiki\/Border_Gateway_Protocol\">exterior gateway protocols such as BGP<\/a>, this situation came about due to a fundamental design issue in one of the underlying protocols that controls the Internet. Simply speaking, when data passes over the Internet it travels across a number of networks <em>en route<\/em> to its destination. The routers in each network choose the next hop from the routes that neighbouring networks have announced to them, preferring, other things being equal, the announcement that traverses the fewest networks to reach the destination. This simple approach provides reasonably high levels of performance and robustness.<\/p>\n<p>Unfortunately, from a security point of view, the information used to plan the best path comes from routers belonging to individual telecommunication companies, and is largely taken on trust by the routers that receive it: nothing in the protocol itself verifies that a network announcing a route to some range of addresses is entitled to do so. The routers announce which networks, defined by IP <em>prefixes<\/em>, or ranges of IP addresses, can be reached through them. <\/p>\n<p>In the case of the April 2010 incident it appears that routers operated by <a href=\"http:\/\/www.idc.com.cn\/\">IDC China<\/a> began to claim that, instead of being the ideal route for roughly 40 local Chinese prefixes, they were optimal for approximately 37,000 networks. These included networks used by the US military and government, as well as many other entities. 
This information was automatically propagated across the Internet, in part by China Telecom, and networks that accepted the announcements began sending traffic for these IP prefixes via China.<\/p>\n<p>The reported figure of &#8220;15% of the Internet&#8221; therefore comes from the roughly 37,000 prefixes that were announced, taken as a share of the prefixes in the global routing table. It does not refer to volumes of traffic, number of website hits or types of traffic such as email or web traffic, all of which I have seen reported as the source of the 15% figure.<\/p>\n<p>This kind of incident has happened before, as noted in the USCC report. In December 2004 a configuration error at the Turkish provider TTNet accidentally caused a similar incident <a href=\"#ttnet\">[2]<\/a>, affecting approximately 100,000 prefixes, making that a much larger incident. In 2008 a provider in Pakistan, in attempting to block YouTube internally, announced a more specific prefix for YouTube&#8217;s address space; because routers always forward along the most specific prefix that covers a destination, the announcement spread across the Internet and pulled YouTube traffic into Pakistan, where it was dropped, making the site unreachable for much of the Internet <a href=\"#iphijack\">[3]<\/a>. <\/p>\n<p>Was the Chinese incident deliberate? In my opinion it seems unlikely. It is, of course, difficult to tell one way or another with such minimal information, but there does not seem to be any good reason to ascribe malice rather than error in this case. The nature of the incident, and its brief duration, inclines me to believe that this was most likely a swiftly-fixed configuration error, as it has been in several similar incidents. Whilst it is possible that an approach along these lines could be used to pull in a snapshot of important communications from across the globe, it seems a very inefficient and risk-prone strategy with relatively nebulous benefits. <\/p>\n<p>What the incident does highlight is that several critical underlying Internet protocols still function without great regard for security or resistance against subversion, malicious or otherwise. 
That incidents like these can still occur accidentally seems a greater concern for the world at large than the potential that a small proportion of, hopefully encrypted, US governmental emails might have been intercepted during a twenty-minute window in April.<\/p>\n<p>Links:<\/p>\n<p><a name=\"uscc-report\">[1]<\/a>: <a href=\"http:\/\/www.uscc.gov\/annual_report\/2010\/annual_report_full_10.pdf\">http:\/\/www.uscc.gov\/annual_report\/2010\/annual_report_full_10.pdf<\/a><br \/>\n<a name=\"ttnet\">[2]<\/a>: <a href=\"http:\/\/en.wikipedia.org\/wiki\/IP_hijacking\">http:\/\/en.wikipedia.org\/wiki\/IP_hijacking<\/a><br \/>\n<a name=\"iphijack\">[3]<\/a>: <a href=\"http:\/\/www.ripe.net\/news\/study-youtube-hijacking.html\">http:\/\/www.ripe.net\/news\/study-youtube-hijacking.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another media story on China and the Internet has been widely reported today, although with a somewhat depressing lack of detail and excess of hysteria. I was interviewed today on the BBC about the story (my comments start around 01:34) and so spent a while digging into the particulars. 
I&#8217;ll attempt here to present a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6,10],"tags":[14],"class_list":["post-23","post","type-post","status-publish","format-standard","hentry","category-china","category-interview","category-security","tag-oii"],"_links":{"self":[{"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/posts\/23","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=23"}],"version-history":[{"count":0,"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/posts\/23\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=23"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pseudonymity.net\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=23"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
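The post above explains the mechanics in prose: routers pick the announcement with the shortest path, take announcements on trust, and so a network that suddenly claims 37,000 prefixes over a short path can draw in traffic for all of them; the "15%" figure is a count of prefixes, not of traffic. The following is an added worked example, written for this page and not code from the post, from the USCC report or from the BGPmon/Renesys analyses it cites. It models one observer router with a simplified BGP decision process and a longest-prefix-match forwarding lookup, replays a constructed version of the leak, and runs the kind of origin-AS check a route monitor performs. It goes one step beyond the April 2010 case by also modelling the 2008 more-specific-prefix case. All AS numbers (64500 and up) and prefixes (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24, 100.64.0.0/16) are documentation or private values constructed for the example, not the incident's real data.

```python
import ipaddress
from collections import defaultdict

# Constructed expected-origin table: prefix -> the AS that should originate it.
# Every AS number and prefix is a documentation/private value chosen for this
# example, not data from the real incident.
EXPECTED_ORIGIN = {
    '203.0.113.0/24': 64500,   # the leaking AS's own, legitimate prefix
    '198.51.100.0/24': 64501,
    '192.0.2.0/24': 64502,
    '100.64.0.0/16': 64503,
}


class Rib:
    """One router's routing table: every received route plus best-path choice."""

    def __init__(self):
        self.routes = defaultdict(dict)   # prefix -> {peer_id: as_path}

    def update(self, prefix, peer, as_path):
        self.routes[prefix][peer] = tuple(as_path)

    def best(self, prefix):
        """Simplified BGP decision process: shortest AS_PATH wins, ties go to
        the lowest peer id (standing in for the later tie-break steps)."""
        cands = self.routes.get(prefix)
        if not cands:
            return None
        peer = min(cands, key=lambda p: (len(cands[p]), p))
        return peer, cands[peer]

    def lookup(self, ip):
        """Forwarding: longest-prefix match over prefixes that have a route.
        A more-specific announcement therefore wins regardless of path length."""
        addr = ipaddress.ip_address(ip)
        matches = [ipaddress.ip_network(p) for p in self.routes
                   if addr in ipaddress.ip_network(p)]
        if not matches:
            return None
        return str(max(matches, key=lambda n: n.prefixlen))


def covering_entry(prefix):
    """Find the expected-origin entry that covers prefix (exact or supernet)."""
    net = ipaddress.ip_network(prefix)
    for known, origin in EXPECTED_ORIGIN.items():
        if net.subnet_of(ipaddress.ip_network(known)):
            return known, origin
    return None


def audit(rib):
    """Origin-AS check of the kind a route monitor raises alerts on.
    Returns {announced_prefix: (covering_prefix, expected_as, observed_as)}."""
    bad = {}
    for prefix in rib.routes:
        entry = covering_entry(prefix)
        chosen = rib.best(prefix)
        if entry is None or chosen is None:
            continue
        observed = chosen[1][-1]          # rightmost AS in the path is the origin
        if observed != entry[1]:
            bad[prefix] = (entry[0], entry[1], observed)
    return bad


def affected_share(bad):
    """The '15% of the Internet' style figure: fraction of *prefixes* whose
    traffic is misdirected, not a fraction of traffic volume."""
    hit = {covering for covering, _, _ in bad.values()}
    return len(hit) / len(EXPECTED_ORIGIN)


def observer_view(leak=False, more_specific=False):
    """Build an observer router's table. AS 64500 is the leaking origin and
    AS 64520 its transit (the China Telecom role); peer 1 is the normal path."""
    rib = Rib()
    for prefix, origin in EXPECTED_ORIGIN.items():
        rib.update(prefix, peer=1, as_path=[64510, 64511, origin])
    rib.update('203.0.113.0/24', peer=2, as_path=[64520, 64500])
    if leak:
        # The leak: the same short path now claims every prefix in the table,
        # and the shorter path beats the legitimate three-hop one.
        for prefix in EXPECTED_ORIGIN:
            rib.update(prefix, peer=2, as_path=[64520, 64500])
    if more_specific:
        # The 2008-style case: a /25 carved out of 192.0.2.0/24 over a longer
        # path still captures the traffic because forwarding is longest-match.
        rib.update('192.0.2.0/25', peer=3, as_path=[64530, 64531, 64532, 64540])
    return rib


if __name__ == '__main__':
    for leak in (False, True):
        rib = observer_view(leak=leak)
        bad = audit(rib)
        print('leak' if leak else 'normal', rib.best('198.51.100.0/24'),
              'misoriginated: %d prefixes (%.0f%%)' % (len(bad), 100 * affected_share(bad)))
    rib = observer_view(more_specific=True)
    print('192.0.2.7 forwards via', rib.lookup('192.0.2.7'), audit(rib))
```

In the leak run three of the four table entries end up with AS 64500 as their best-path origin, so the share reported is 75%: the same arithmetic, prefixes misoriginated over prefixes in the table, that gives the 15% figure in the real incident. Note that the leaking AS's own prefix is not flagged, because its origin is correct even though the path is the same; a monitor keyed on origin AS alone would likewise have said nothing about the legitimate Chinese prefixes in April 2010.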