Experts Say China Web Traffic Hijack Was ‘Overhyped’

Data analysis of the China Telecom Internet traffic hijack show claims are incorrect and overhyped, experts say

The furore over a Chinese Internet service provider hijacking Internet traffic in April is in danger of being overhyped and obscuring the real issues, according to security experts.

The hijacking incident occurred for 18 minutes on April 8, when China Telecom, China’s largest Internet service provider, published a set of instructions under the Border Gateway Protocol (BGP) that incorrectly rerouted Web traffic from about 37,000 networks through its servers. According to BGPmon, a group that collects routing data from around the world, China Telecom normally routes about 40 networks.

Most Of The Internet Ignored The Hijack

The US-China Economic and Security Review Commission report addressed the incident, noting that the “erroneous” network traffic instructions routed Internet traffic through Chinese servers. “Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China,” the report said.

That figure appeared to be disputable to many security experts. Craig Labovitz, chief scientist at Arbor Networks, told eWEEK that, despite sundry reports and analyses, the hijack did not route 15 percent of Internet traffic.

“This information didn’t propagate. It didn’t impact the world,” Labovitz said.

He compared China Telecom’s BGP instructions to the publishing a “corrupted” telephone directory. While the potential was there for traffic to get misrouted, the directory, or the actual instructions, did not actually spread very far, he said.

According to the BGPmon blog, even though China Telecom appeared to route networks not assigned to them, “only about 10 percent” propagated outside of China. The majority were Chinese networks, although Web sites belonging to CNN, Dell, and Amazon were on the list. The Congressional report also listed specific US government-owned sites, including those belonging to all four military branches, the office of the Secretary of Defense and NASA, as well as Yahoo and Microsoft.

“Most of the Internet ignored the hijack for various technical reasons,” wrote Labovitz in his blog.

He cited an April post from Robert Kisteleki of Réseaux IP Européens (RIPE) claiming the incorrect instructions had not reached European networks. “No one in Europe actually got diverted”, and the ones mostly affected were the Chinese networks, said Labovitz.

Figure May Be Under One Percent

Arbor Networks also collects information from about 120 carriers around the world collecting real-time data about their traffic in its ATLAS system. The ATLAS data can be viewed on a country level and Labovitz said there was no “statistically significant increase” in traffic being routed to China on April 8. “Diverting 15 percent of the Internet even for just 15 minutes would be a major event,” said Labovitz and would have shown up as a significant spike in ATLAS’ country data.

If European traffic was unaffected and the data does not show a traffic spike to China, what could have happened?

Labovitz said that “15 percent” could refer to actual routes, or the instructions, China Telecom published and not actual Internet traffic volume. So while it was possible, and more likely, that China Telcom took upon itself to claim 15 percent of all the routes that were not assigned to it, that was significantly different from actual Web traffic, he said. The language in the report does not explicitly state whether it refers to traffic or routes.

Labovitz did express concern over the lack of security in the Domain Name System (DNS), saying the world was on “borrowed time” before a serious incident occurred. But he said that misrepresenting the incident was dangerous. It obscured “important security issues” surrounding the fact that Internet traffic was routed on a system relying “primarily on trust” and had no security standards.

“But in an industry crowded with security marketing and hype, it is important we limit the hyperbole and keep the discussion focused around the legitimate long-term infrastructure security threats and technical realities,” Labovitz wrote.

While the report did not accuse the Chinese wireless service provider of doing harm outright, the commission said “the capability could enable severe malicious activities”.

So how much traffic really did get diverted? Labovitz hedged his reply, saying the significance depended on actual companies and sites affected, before saying his data showed the actual number was “orders and orders of magnitude smaller, at 0.015 percent.”

China Telecom has called the accusations “groundless” and that it “has never done such an act”. Labovitz and several other industry watchers have speculated that it was an accident because of the incident’s short interval.