
How China swallowed 15% of ’Net traffic for 18 minutes

by Open-Publishing - Thursday 18 November 2010


In a 300+ page report (PDF) today, the US-China Economic and Security Review Commission provided the US Congress with a detailed overview of what’s been happening in China, including a curious incident in which, for 18 minutes, routes to roughly 15 percent of the Internet’s destinations suddenly pointed through Chinese networks. (The widely repeated "15 percent of traffic" figure is a share of advertised destination prefixes, not a measurement of traffic volume, as the Commission’s own wording below makes clear.)

Here’s how the Commission describes the incident, which took place earlier this year:

For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed US and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from US government (‘‘.gov’’) and military (‘‘.mil’’) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.

The culprit here was a BGP prefix hijack (often called "IP hijacking"), a well-known weakness of a worldwide routing system built largely on trust. Routers rely on the Border Gateway Protocol (BGP) to learn which autonomous system originates each block of addresses and to pick the shortest-looking path to it; BGP itself has no way to verify that the party announcing a block is entitled to it. So when one party advertises incorrect routing information, routers across the globe can be convinced to send traffic on geographically absurd paths.

This happened famously in 2008, when Pakistan blocked YouTube. The block was meant only for domestic use: Pakistan Telecom advertised a more specific route for part of YouTube’s address space that sent requests not to the company’s servers but into a "black hole." Because routers forward on the longest matching prefix, that more specific route won wherever it was heard.

As we described the situation at the time, "this routing information escaped from Pakistan Telecom to its ISP PCCW in Hong Kong, which propagated the route to the rest of the world. So any packets for YouTube would end up in Pakistan Telecom’s black hole instead." The mistake broke YouTube access from across much of the Internet.

The China situation appears to have a similar cause. The mistaken routing information came from IDC China Telecommunications, and it was then re-advertised by the huge China Telecom. As other routers around the world accepted the new announcements, they began funneling traffic for the affected destinations, including a great deal of US traffic, through Chinese networks for about 18 minutes.
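To make the two mechanisms concrete, the following is an added example (not code from the article or the Commission report) that models a single router’s BGP table: forwarding picks the longest matching prefix first, and only among announcements of that exact prefix does the BGP decision process (here reduced to "shortest AS_PATH wins") choose. It reproduces a Pakistan-style more-specific hijack, which wins even with a worse path, and a China-style same-prefix hijack, which wins wherever the bogus path looks shorter. It then applies RPKI-style origin validation (RFC 6811 semantics), the standard check that lets a router drop announcements whose origin AS is not authorized for the prefix. All prefixes and AS numbers are constructed placeholders in private space.

```python
"""Toy BGP route selection and RPKI-style origin validation.

Added example: every prefix and ASN below is constructed (RFC 1918 space,
private ASNs); nothing is taken from the real April 2010 incident.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # AS_PATH as this router received it; last ASN is the origin

    @property
    def origin(self):
        return self.as_path[-1]


class Rib:
    """One router's table of BGP announcements with a simplified decision process."""

    def __init__(self):
        self.candidates = {}  # prefix -> every announcement heard for exactly that prefix

    def learn(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self.candidates.setdefault(net, []).append(Route(net, tuple(as_path)))

    def best(self, net):
        # Real BGP compares LOCAL_PREF before AS_PATH length and has more steps;
        # keeping only the path-length step is enough to show why a bogus
        # announcement that looks shorter displaces the legitimate one.
        return min(self.candidates[net], key=lambda r: len(r.as_path))

    def lookup(self, ip):
        # Forwarding uses the longest matching prefix, and only then the best
        # route for that prefix. A more-specific prefix therefore beats the
        # legitimate aggregate no matter how poor its AS_PATH is.
        addr = ipaddress.ip_address(ip)
        covering = [net for net in self.candidates if addr in net]
        if not covering:
            return None
        return self.best(max(covering, key=lambda n: n.prefixlen))


def validate_origin(route, roas):
    """RFC 6811 origin validation against ROAs given as
    (prefix, max_length, authorized_origin_asn). Returns "valid", "invalid"
    or "not-found" (no ROA covers the announced prefix at all)."""
    covered = False
    for roa_prefix, max_len, asn in roas:
        if route.prefix.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if asn == route.origin and route.prefix.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def lookup_with_rov(rib, ip, roas):
    """Same lookup, after discarding RPKI-invalid announcements, which is what
    a router configured to reject invalids does before running selection."""
    filtered = Rib()
    for routes in rib.candidates.values():
        for r in routes:
            if validate_origin(r, roas) != "invalid":
                filtered.learn(str(r.prefix), r.as_path)
    return filtered.lookup(ip)


# Constructed ROAs: AS64510 may originate 10.20.0.0/22 (down to /24),
# AS64530 may originate 10.30.0.0/16 only as a /16.
ROAS = [("10.20.0.0/22", 24, 64510), ("10.30.0.0/16", 16, 64530)]


def build_scenario():
    rib = Rib()
    # Legitimate announcements, each reaching us over a three-hop path.
    rib.learn("10.20.0.0/22", [64500, 64501, 64510])
    rib.learn("10.30.0.0/16", [64500, 64501, 64530])
    # Pakistan-style: AS64520 announces a more-specific /24 over a LONGER path.
    rib.learn("10.20.1.0/24", [64502, 64503, 64504, 64520])
    # China-style: AS64540 originates the very same /16 over a SHORTER path.
    rib.learn("10.30.0.0/16", [64505, 64540])
    return rib


def verdicts(rib, roas=ROAS):
    return {(str(r.prefix), r.origin): validate_origin(r, roas)
            for routes in rib.candidates.values() for r in routes}


if __name__ == "__main__":
    rib = build_scenario()
    for ip in ("10.20.1.9", "10.20.2.9", "10.30.7.7"):
        print(ip, "-> origin AS", rib.lookup(ip).origin,
              "| with ROV -> AS", lookup_with_rov(rib, ip, ROAS).origin)
    for key, verdict in verdicts(rib).items():
        print(key, verdict)
```

Without validation, 10.20.1.9 is sent to the hijacker’s /24 despite its four-hop path, and 10.30.7.7 goes to the bogus /16 origin because its path is shorter; with the invalid routes dropped, both resolve to the authorized origins. A practitioner monitoring their own prefixes would watch for exactly these two signatures: an unexpected origin AS for a prefix they own, and an unexpected more-specific announcement inside it.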

As with many things involving cyberattacks and Internet security, it’s hard to know whether anything bad happened here. The entire thing could have been a simple misconfiguration. Besides, the network itself offers no protection: Internet traffic routinely crosses routers outside one’s control, so anything sensitive that travels the public Internet should be encrypted end to end. Encryption limits what an on-path network can read or alter, but not whether it can drop, delay or record the traffic. Still, the Commission points out the many possible problems that such a hijack could cause.

Although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications. This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend (for example, to a ‘‘spoofed’’ site). Arbor Networks Chief Security Officer Danny McPherson has explained that the volume of affected data here could have been intended to conceal one targeted attack.

What about encryption?

Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.

The proliferation of certificate authorities means that an "untrustworthy" authority is much harder to police, and there’s speculation now that governments are involved in obtaining certificates in order to defeat encryption. The concern is not that the cryptography is broken: a party that both controls the route to a site and holds a certificate for that site’s name issued by any authority browsers trust can impersonate the site to its users, and the session will look properly encrypted on both ends.

China has openly sought all sorts of encryption and security information for years, including the source code for routers, network intrusion systems, and firewalls. Rules to that effect went into force in May 2010, and they require foreign firms to submit this information to Chinese authorities before the government will purchase any such products.

But because the government review panels contain employees of rival Chinese firms, and because providing this information could make a company’s worldwide products more susceptible to Chinese hacking or cyberattacks (which would in turn kill sales of said products in most countries), the Commission notes that no foreign firm has yet submitted to the new scheme.

http://arstechnica.com/security/news/2010/11/how-china-swallowed-15-of-net-traffic-for-18-minutes.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss