China's Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking
Curious to hear others' thoughts on this. https://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1050&context=mca

This paper presents the view that several BGP hijacks performed by China Telecom had malicious intent. The incidents are:
* Canada to Korea - 2016
* US to Italy - Oct 2016
* Scandinavia to Japan - April-May 2017
* Italy to Thailand - April-July 2017

The authors claim this is enabled by China Telecom's presence in North America.
Harley H wrote on 10/26/2018 8:52 AM:

Not sure I agree with the author's argument of having Access Reciprocity between nations/governments (both as a technical solution or on political principle). Moving towards an ecosystem where prefix advertisements and AS paths are validated to prevent both accidental and intentional hijacks is probably a better solution to improve availability, integrity, and confidentiality. Encrypting traffic so that, even if it does go through a hostile network, it remains confidential and the integrity is validated is also probably a better solution than the proposed access reciprocity. With the number of players involved, neither of these will be short term changes. But, over time, we seem to be moving in that direction already.
these hacks could have been done from any pwned core router. this is just a desire to get footprint in prc.

randy
* Harley H
Hi,

I looked a bit into the Scandinavia to Japan claim last week for a Norwegian journalist, who obviously found this rather sensational claim very intriguing. The article (Norwegian, but Google Translate does a decent job) is found at https://www.digi.no/artikler/internettrafikk-fra-norge-og-sverige-ble-kapret... in case you're interested.
From what I can tell from looking at routeviews data from the period, what happened was that SK Broadband (AS9318) was leaking a bunch of routes to China Telecom (AS4134). The leak included the transit routes from SKB's upstream Verizon (AS703) and customers of theirs in turn, including well-known organisations such as Bloomberg (AS10361) and Time Warner (AS36032), which I suppose might be the ones the paper is referring to.

The routes in question then propagated from CT to Telia Carrier (AS1299), probably in North America somewhere. Scandinavia is TC's home turf, so it makes sense that the detour via CT was easily observed from here.

If you want to see for yourself, look for «1299 4134 9318 703» in http://archive.routeviews.org/route-views.linx/bgpdata/2017.04/RIBS/rib.2017...

Anyway, in my opinion the data for this particular incident (I haven't looked into the other three) does not indicate foul play on CT's behalf, but rather a pretty standard leak by SKB followed by sloppy filtering by CT and TC both.

Tore
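One way to check RouteViews-style AS paths for exactly this kind of valley, as an added example that is not part of Tore's post or any project's code: it takes the `1299 4134 9318 703` path quoted above and reports which AS re-exported a route learned from a provider to another provider. The AS relationships are constructed assumptions based on the thread's description (SKB a transit customer of both Verizon and CT, CT and Telia Carrier peers), not data from the page.

```python
"""Valley-free route-leak check (added example, not from the thread).
An AS path reads right-to-left: the rightmost AS originates and each AS hands the
route to its left neighbour. A hop is a leak when the announcing AS learned the route
from a provider or peer and re-exports it to another provider or peer.
Relationships are CONSTRUCTED assumptions from the thread: SK Broadband (AS9318) buys
transit from Verizon (AS703) and is assumed to also buy it from China Telecom (AS4134);
CT and Telia Carrier (AS1299) are assumed to peer. Use real relationship data in practice."""
P2C = {(703, 9318), (4134, 9318), (703, 10361), (703, 36032)}  # (provider, customer)
P2P = {frozenset((1299, 4134))}                                  # settlement-free peers

def rel(neighbor, me):
    """How `me` classifies `neighbor`: 'provider', 'customer', 'peer' or None (unknown)."""
    if (neighbor, me) in P2C:
        return "provider"
    if (me, neighbor) in P2C:
        return "customer"
    return "peer" if frozenset((neighbor, me)) in P2P else None

def find_leaks(as_path):
    """Return (leaker, learned_from, exported_to) for each valley in the path.
    Hops whose relationship is unknown are not guessed and are never flagged."""
    leaks = []
    for i in range(len(as_path) - 2, 0, -1):   # walk from origin towards the observer
        leaker, src, dst = as_path[i], as_path[i + 1], as_path[i - 1]
        if rel(src, leaker) in ("provider", "peer") and rel(dst, leaker) in ("provider", "peer"):
            leaks.append((leaker, src, dst))
    return leaks

def scan_rib(lines):
    """Parse constructed 'prefix|as_path' lines; return {prefix: leaks} for leaky prefixes."""
    found = {}
    for line in lines:
        prefix, path = line.strip().split("|")
        leaks = find_leaks([int(asn) for asn in path.split()])
        if leaks:
            found[prefix] = leaks
    return found

# Constructed sample (not real RIB data): the path Tore points to, a Bloomberg route
# carried in the same leak, and a clean Verizon-direct route for contrast.
SAMPLE_RIB = [
    "203.0.113.0/24|1299 4134 9318 703",
    "198.51.100.0/24|1299 4134 9318 703 10361",
    "192.0.2.0/24|1299 703 36032",
]

if __name__ == "__main__":
    for prefix, leaks in scan_rib(SAMPLE_RIB).items():
        for leaker, src, dst in leaks:
            print(f"{prefix}: AS{leaker} took the route from AS{src} and re-exported it to AS{dst}")
```

The check flags AS9318 on both leaked prefixes and stays silent on the Verizon-direct route; CT's and TC's part in the story is a filtering failure, which a path-shape check alone cannot see.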
On 05/11/2018 10:54, Tore Anderson wrote:
https://www.zdnet.com/article/oracle-confirms-china-telecom-internet-traffic...

"But today, Doug Madory, Director of Oracle's Internet Analysis division (formerly Dyn), confirmed that China Telecom has, indeed, engaged in internet traffic "misdirection."

"I don't intend to address the paper's claims around the motivations of these actions," said Madory <https://internetintel.oracle.com/blog-single.html?id=China+Telecom%27s+Internet+Traffic+Misdirection>. "However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years."

"I know because I expended a great deal of effort to stop it in 2017," Madory said.

He then goes on to detail several of China Telecom's BGP route "misdirections," most of which have involved hijacking US-to-US traffic and sending it via mainland China before returning it to the US."

-Hank
On 05/11/2018 10:54, Tore Anderson wrote:
Internet Vulnerability Takes Down Google
https://blog.thousandeyes.com/internet-vulnerability-takes-down-google/

-Hank
Internet Vulnerability Takes Down Google https://blog.thousandeyes.com/internet-vulnerability-takes-down-google/
I think this was actually just: "neighbor leaked routes beyond where they should have" which means, of course, that 'transit provider is not filtering their customer'.