Oracle’s Internet Intelligence division has confirmed today the findings of an academic paper published two weeks ago that accused China of “hijacking the vital internet backbone of western countries.”
For almost a week late last year, the improper routing caused some US domestic Internet communications to be diverted to mainland China before reaching their intended destination, Doug Madory, a researcher specializing in the security of the Internet’s global BGP routing system, told Ars.
As the following traceroute from December 3, 2017 shows, traffic originating in Los Angeles first passed through a China Telecom facility in Hangzhou, China, before reaching its final stop in Washington, DC.
The problematic route, which is visualized in the graphic above, was the result of China Telecom inserting itself into the inbound path of Verizon Asian Pacific.
The routing snafu involving domestic US Internet traffic coincided with a larger misdirection that started in late 2015 and lasted for about two and a half years, Madory said in a blog post published Monday.
The misdirection was the result of AS4134, the autonomous system belonging to China Telecom, incorrectly handling the routing announcements of AS703, Verizon’s Asia-Pacific AS.
The mishandled routing announcements caused several international carriers—including Telia’s AS1299, Tata’s AS6453, GTT’s AS3257, and Vodafone’s AS1273—to send data destined for Verizon Asia-Pacific through China Telecom, rather than using the normal multinational telecoms.
For the next 30 months or so, a large amount of traffic that used Verizon’s AS703 improperly passed through AS4134 in mainland China first.
The circuitous route is reflected in the following traceroute taken on May 1, 2017:
“On average I believe we saw as much as 20 percent of our BGP sources carrying these routes at any given time,” Madory told Ars. “It isn’t the same as saying 20 percent of the Internet, but it is safe to say that a significant minority of the Internet was carrying these routes.”
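Madory's "20 percent of our BGP sources" is the kind of figure a route monitor produces. The Python below is an added illustration, not Oracle's or the paper's tooling: it checks constructed route observations for AS703-originated prefixes whose origin-adjacent AS is not on an assumed allowlist of Verizon Asia-Pacific's known upstreams, so AS4134 is flagged when it sits in that position, and it computes the share of observing peers carrying such paths. The allowlist, both prefixes, and every AS number other than those named in the article are assumptions taken from the documentation ranges.

```python
# Constructed BGP route observations: (observing peer AS, prefix, AS path);
# the last ASN in each path is the origin. Only AS703, AS4134, AS1299, AS6453,
# AS3257 and AS1273 come from the article; all other ASNs and both prefixes
# are invented values from the documentation ranges.
OBSERVATIONS = [
    (1299, "203.0.113.0/24", [1299, 4134, 703]),
    (6453, "203.0.113.0/24", [6453, 4134, 703]),
    (3257, "203.0.113.0/24", [3257, 64496, 703]),
    (1273, "203.0.113.0/24", [1273, 4134, 703]),
    (64500, "203.0.113.0/24", [64500, 64496, 703, 703]),  # origin prepending
    (64501, "203.0.113.0/24", [64501, 3257, 64496, 703]),
    (64502, "203.0.113.0/24", [64502, 6453, 4134, 703]),
    (64503, "198.51.100.0/24", [64503, 64497]),            # unrelated origin
    (64504, "198.51.100.0/24", [64504, 4134, 64497]),      # AS4134 as normal transit
    (64505, "203.0.113.0/24", [64505, 64496, 703]),
]

# Assumed allowlist: ASNs known to provide transit directly to each origin.
# AS64496 is a stand-in for Verizon Asia-Pacific's real upstreams.
EXPECTED_UPSTREAMS = {703: {64496}}

def collapse_prepends(path):
    """Drop consecutive repeats so the origin-adjacent ASN is a real neighbour."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def unexpected_upstreams(observations, expected=EXPECTED_UPSTREAMS):
    """(peer, prefix, path, upstream) for each route whose origin is
    allowlisted but whose origin-adjacent ASN is not on that allowlist."""
    findings = []
    for peer, prefix, raw_path in observations:
        path = collapse_prepends(raw_path)
        if len(path) < 2 or path[-1] not in expected:
            continue
        upstream = path[-2]
        if upstream not in expected[path[-1]]:
            findings.append((peer, prefix, tuple(path), upstream))
    return findings

def share_of_sources_carrying(observations, suspect, expected=EXPECTED_UPSTREAMS):
    """Fraction of distinct observing peers ("BGP sources") that see `suspect`
    as an unexpected upstream of an allowlisted origin."""
    peers = {peer for peer, _, _ in observations}
    bad = {f[0] for f in unexpected_upstreams(observations, expected)
           if f[3] == suspect}
    return len(bad) / len(peers) if peers else 0.0
```

On the constructed data four of ten peers see AS4134 directly in front of AS703, while AS4134 transiting an unrelated origin is left alone, which is the distinction a leak monitor has to make.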
The research paper was authored by researchers from the US Naval War College and Tel Aviv University and it made quite a few waves online after it was published.
Researchers accused China Telecom, one of China’s biggest state-owned internet service providers, of hijacking and detouring internet traffic through its normally-closed internet infrastructure.
Some security experts contested the research paper’s findings, partly because it didn’t come from an authoritative voice in the world of internet BGP hijacks, but also because the paper touched on many politically sensitive topics, such as China’s cyber-espionage activities and how China used BGP hijacks to circumvent the China-US cyber pact of 2015.
But today, Doug Madory, Director of Oracle’s Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic “misdirection.”
“I don’t intend to address the paper’s claims around the motivations of these actions,” said Madory. “However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years.”
“I know because I expended a great deal of effort to stop it in 2017,” Madory said.
He then went on to detail several of China Telecom’s BGP route “misdirections,” most of which involved hijacking US-to-US traffic and sending it via mainland China before returning it to the US.
Madory recommended that internet service providers support up-and-coming BGP security standards such as RPKI, as a way to prevent such internet traffic “misdirections” from taking place in the first place.
Efforts to secure the BGP protocol as a whole have intensified in recent years as the number of BGP hijack incidents has steadily gone up.
The sustained misdirection further underscores the fragility of BGP, which forms the underpinning of the Internet’s global routing system.
In April, unknown attackers used BGP hijacking to redirect traffic destined for Amazon’s Route 53 domain-resolution service.
The two-hour event allowed the attackers to steal about $150,000 in digital coins, as unwitting users were routed to a fake MyEtherWallet.com site rather than the authentic wallet service they would normally have reached.
When end users clicked through a message warning of a self-signed certificate, the fake site drained their digital wallets.
In 2013, malicious hackers repeatedly hijacked massive chunks of Internet traffic in what was likely a test run. Also in 2013, spyware service provider Hacking Team orchestrated the hijacking of IP addresses it didn’t own to help Italian police regain control over several computers they were monitoring in an investigation.
A year later, domestic Russian Internet traffic was diverted through China.
On two occasions last year, traffic to and from major US companies was suspiciously and intentionally routed through Russian service providers.
Traffic for Visa, MasterCard, and Symantec—among others—was rerouted in the first incident in April, while Google, Facebook, Apple, and Microsoft traffic was affected in a separate BGP event about eight months later.
By routing traffic through networks controlled by the attacker, BGP manipulation allows the adversary to monitor, corrupt, or modify any data that’s not encrypted.
Even when data is encrypted, attacks with names such as DROWN or Logjam have raised the specter that some of the encrypted data may have been decrypted.
Even when encryption can’t be defeated, attackers can sometimes trick targets into dropping their defenses, as the BGP hijacking against MyEtherWallet.com did.
Madory said the improper routing he reported finally stopped after he “expended a great deal of effort to stop it in 2017.” His report on Monday went on to endorse a proposed standard known as RPKI-based AS path verification.
The mechanism, had it been deployed, would have stopped some of the events Madory documented, he said.
Neither China Telecom nor Verizon responded to an email seeking comment for this post.
Monday’s blog post comes two weeks after researchers at the US Naval War College and Tel Aviv University published a report that quickly got the attention of BGP security professionals.
Titled China’s Maxim–Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking, it claimed the Chinese government has brazenly used China Telecom for years to divert huge amounts of traffic to China-controlled networks before it’s ultimately delivered to its final destination.
The report named four specific routes—Canada to South Korea, US to Italy, Scandinavia to Japan, and Italy to Thailand—that were reportedly manipulated between 2015 and 2017 as a result of BGP activities of China Telecom.
“While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics—namely the lengthened routes and the abnormal durations,” the authors wrote.
The Canada to South Korea leak, the report said, lasted for about six months and started in February 2016. The remaining three reported hijackings took place in 2017, with two of them reportedly lasting for months and the third taking place over about nine hours.
The report was unusual in that it didn’t provide AS numbers, specific dates, and other details that would allow other researchers to confirm the claims.
Ars and other researchers asked the authors to make the data available, and they responded with a small amount of traceroute data.
Madory said the Scandinavia-to-Japan event reported in the paper two weeks ago was actually a small part of the two-and-a-half-year misdirection he reported Monday.
“We are describing the same thing in different ways,” he told Ars, speaking of the two-and-a-half-year event he documented and the two-month hijacking reported two weeks ago. “They may have only known about it for those two months in 2017, but I can guarantee you that it was going [on] for much longer.”
Madory said he was unable to confirm the three other hijackings the authors report.
His report on Monday, however, leaves little doubt that China Telecom has either knowingly or otherwise engaged in BGP leaks that have affected large chunks of Internet traffic for a sustained period.
The domestic US traffic, in particular, “becomes an even more extreme example,” he told Ars.
“When it gets to US-to-US traffic traveling through mainland China, it becomes a question of is this a malicious incident or is it accidental? It’s definitely concerning. I think people will be surprised to see that US-to-US traffic was sent through China Telecom for days.”