On Thursday, June 6th (9:43 am UTC), Europe’s leading mobile providers received a shock when a large chunk of the traffic destined for them was misdirected through the network of China Telecom, a Chinese state-operated telecom firm.
The misdirection lasted about two hours, and longer in some cases.
According to the details shared by an Internet-monitoring service, the internet’s global routing system, which is called the Border Gateway Protocol (BGP), was clearly hijacked by the Chinese telecom firm.
The BGP route leak affected various mainstream mobile carriers across Europe.
What happened was that early on Thursday morning, the Swiss web hosting provider Safe Host leaked over 70,000 BGP routes to China Telecom, which then announced these routes as its own.
As a result, traffic for many mobile carriers, including those in France, the Netherlands, and Switzerland, passed through China Telecom’s network on its way to its destination.
Currently, it is unclear whether the leak was accidental or intentional. It is worth noting that some of the IP blocks affected in this incident were quite small and more specific than the prefixes in legitimate announcements.
This indicates that BGP route optimizers, which generate more-specific prefixes to steer traffic, were in use, and these may have caused Thursday’s route leak.
China Telecom also is known for propagating improper BGP announcements. For instance, in November 2018, an African ISP updated its BGP tables in order to improperly declare AS37282 as a legitimate path for reaching 212 IP prefixes of Google.
China Telecom not only accepted this route but also propagated it globally. The result was that Google’s key services, including the search engine, became unavailable to users, and Spotify and Google Cloud were affected as well.
By way of background, internet traffic passes through multiple networks around the world to reach its destination.
These networks are autonomous systems (such as ISPs), which are responsible for exchanging routing information with one another using BGP.
A BGP route leak is the “propagation of routing announcement(s) beyond their intended scope,” according to the Internet Engineering Task Force (IETF). As a result, traffic can pass through a path where an outside party can spy on or eavesdrop on it.
BGP route leaks remain a cause for concern primarily because BGP is the key protocol that keeps networks functioning and informs routers of the best route to a given destination.
Routers all over the internet rely on this route information, and if one route breaks for some reason, the network can publish another route to maintain uninterrupted traffic flow.
However, since routers do not authenticate the routes they receive, a network owner can propagate another network’s route and divert its traffic to an undesired destination.
Such a diversion can be accidental or a pre-planned hijack, and the recent incident involving European ISPs appears to have been intentional.
Doug Madory, director of Oracle’s Internet Analysis division, explains that this incident illustrates the fragility of the internet’s architecture and how dangerous such leaks can be.
“Today’s incident shows that the Internet has not yet eradicated the problem of BGP route leaks.
It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur,” said Madory.
An academic paper published by experts from the US Naval War College and Tel Aviv University in October last year blamed China Telecom for “hijacking the vital internet backbone of western countries.”
The report argued that the Chinese government was using local ISPs for intelligence gathering by systematically hijacking BGP routes to reroute western traffic through China, where it can be logged for later analysis.
While some experts have criticized the paper, Madory stood by its technical accuracy (though not by its politically charged accusations), confirming that China Telecom has rerouted western traffic through its network many times over the years.
However, Madory could not say whether this was intentional, or a technical or human error.
Last year, Madory recommended that internet service providers adopt emerging BGP security standards such as RPKI to prevent such internet traffic “misdirections” from taking place in the first place.
Security researchers Chris C. Demchak and Yuval Shavitt revealed in a recent paper that over the past years, China Telecom has been misdirecting Internet traffic through China.
China Telecom was originally a brand of the state-owned China Telecommunications Corporation; after the enterprise was marketized, the brand and its operating companies were spun off as a separate group.
China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.
The two researchers point out that the telco uses these PoPs to hijack traffic through China, something that has happened several times over the past years.
According to the experts, the activity went unnoticed for a long time. To better understand how such traffic hijacking is possible, consider this excerpt from the paper:
“Within the BGP forwarding tables, administrators of each AS announce to their AS neighbors the IP address blocks that their AS owns, whether to be used as a destination or a convenient transit node.” states the paper.
“Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities. If network AS1 mistakenly announces through its BGP that it owns an IP block that actually is owned by network AS2, traffic from a portion of the Internet destined for AS2 will actually be routed to – and through – AS1. If the erroneous announcement was maliciously arranged, then a BGP hijack has occurred.”
On April 8th, 2010, China Telecom hijacked 15% of the Internet traffic for 18 minutes; experts speculate it was a large-scale experiment in controlling traffic flows.
The incident also affected US government (‘.gov’) and military (‘.mil’) websites.
The experts reported many other similar cases over the years. In December 2017, traffic for Google, Apple, Facebook, Microsoft, and other tech giants was routed through Russia; in that case too, experts speculated it was an intentional BGP hijack.
According to the research paper, China Telecom used numerous PoPs to hijack domestic US and cross-US traffic, redirecting the flow to China over days, weeks, and months.
“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom.” continues the research.
“While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics, namely the lengthened routes and the abnormal durations.”
In February 2016, another attack hijacked traffic from Canada to Korean government websites through China, in what is described as a perfect scenario for long-term cyber espionage.
“Starting from February 2016 and for about 6 months, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China. Figure 2a shows the shortest and normal route: Canada-US-Korea.” continues the report.
“As shown in figure 2b, however, the hijacked route started at the China Telecom PoP in Toronto, the traffic was then forwarded inside the Chinese network to their PoP on the US West Coast, from there to China, and finally to delivery in Korea.”
A similar attack occurred in October 2016, when traffic from several locations in the USA to the headquarters of a large Anglo-American bank in Milan, Italy was hijacked by China Telecom through China.
Another incident occurred on December 9, 2015, when traffic to Verizon APAC was hijacked through China Telecom. In response, two of the major carriers of the affected routes implemented filters to reject Verizon routes learned from China Telecom.
The security experts described many other BGP hijacking attacks involving China Telecom; further details are reported in the research paper.
Security experts are pushing for solutions to protect BGP. Cloudflare, for example, maintains that Resource Public Key Infrastructure (RPKI) could secure BGP routing.
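As an added example (not code from the article or from any operator or research paper it describes), the following Python sketch shows why the small, more-specific prefixes mentioned in the incident above win longest-prefix matching no matter who originated them, and how RPKI route origin validation (RFC 6811) lets a router discard such an announcement before it is used. All AS numbers, prefixes and ROAs are constructed placeholders.

```python
import ipaddress

# Constructed ROA table (Route Origin Authorizations) as an RPKI validating
# cache would hand it to a router. All prefixes and AS numbers are placeholders.
ROAS = [
    {"prefix": ipaddress.ip_network("203.0.113.0/24"), "max_len": 24, "asn": 64501},
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A route is valid when some ROA covers the prefix, names the origin AS and
    allows the prefix length; invalid when ROAs cover it but none match.
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(r["prefix"])]
    if not covering:
        return "not-found"
    for r in covering:
        if r["asn"] == origin_asn and net.prefixlen <= r["max_len"]:
            return "valid"
    return "invalid"


def best_route(rib, dest_ip):
    """Longest-prefix match: the most specific announcement carries the traffic,
    which is why a leaked /25 beats the legitimate /24 once it is accepted."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [entry for entry in rib if dest in ipaddress.ip_network(entry[0])]
    if not matches:
        return None
    return max(matches, key=lambda e: ipaddress.ip_network(e[0]).prefixlen)


def filter_rib(rib, roas=ROAS):
    """Apply ROV: drop 'invalid' announcements, keep 'valid' and 'not-found'.
    The origin AS is the last element of the AS_PATH."""
    return [e for e in rib if rov_state(e[0], e[1][-1], roas) != "invalid"]


# Constructed RIB entries: (prefix, AS_PATH). The /25 from AS 64666 stands in
# for a leaked, more-specific route like those seen in the incident above.
RIB = [
    ("203.0.113.0/24", [64500, 64501]),
    ("203.0.113.0/25", [64500, 64666]),
]

if __name__ == "__main__":
    print("without ROV:", best_route(RIB, "203.0.113.10"))
    print("with ROV:   ", best_route(filter_rib(RIB), "203.0.113.10"))
```

Without validation the leaked /25 is selected for every address in the block; with ROV applied, the only remaining route is the /24 from the authorised origin.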