FUD: 15% of world's internet traffic hijacked
This is starting to be picked up by mainstream media, but was first reported here (I believe): <http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249>

"Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic"

"For 18 minutes in April, China's state-controlled telecommunications company hijacked 15 percent of the world's Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies."

This article, which quotes Dmitri Alperovitch of McAfee, is full of false data as far as I can tell. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted. The correct statement is that 15% of the world's network prefixes were "hijacked", but the impact was minimal in the US.

My concern is that this "report" will be presented to the US Congress without being refuted by experts in the know.

My request is that someone with some gravitas please issue a press release setting the facts straight on this matter. I have been in contact with Dan Goodin at The Register but I'm just a lowly grunt with a small network.

--
Bob Poortinga K9SQL <http://www.linkedin.com/in/bobpoortinga>
Bloomington, Indiana US
"the Internet interprets spam as noise and suppresses it"
On Wed, 17 Nov 2010 11:45:14 -0500, Bob Poortinga <bobp+nanog@webster.tsc.com> wrote:
This is starting to be picked up by mainstream media, but was first reported here (I believe):
<http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249>
"Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic"
"For 18 minutes in April, China's state-controlled telecommunications company hijacked 15 percent of the world's Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies."
This article, which quotes Dmitri Alperovitch of McAfee, is full of false data as far as I can tell. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted. The correct statement is that 15% of the world's network prefixes were "hijacked", but the impact was minimal in the US.
My concern is that this "report" will be presented to the US Congress without being refuted by experts in the know.
My request is that someone with some gravitas please issue a press release setting the facts straight on this matter. I have been in contact with Dan Goodin at The Register but I'm just a lowly grunt with a small network.
Also worth pointing out that if this was a normal prefix hijack without them actually delivering the packets to the intended recipient (unlikely the case), then there would be very little TCP data seen. A few packets on existing connections before they time out, and SYNs on new connection attempts. Unless they were able to push the traffic back to another ISP which didn't see their originated routes, things would break more likely than be "routed via" the hijacking AS. Ryan
Anyone want to give me a quote for an AmericaFree.TV report? Off-list, please. Regards Marshall On Nov 17, 2010, at 11:51 AM, Ryan Rawdon wrote:
On Wed, 17 Nov 2010 11:45:14 -0500, Bob Poortinga <bobp+nanog@webster.tsc.com> wrote:
This is starting to be picked up by mainstream media, but was first reported here (I believe):
<http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249>
"Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic"
"For 18 minutes in April, China's state-controlled telecommunications company hijacked 15 percent of the world's Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies."
This article, which quotes Dmitri Alperovitch of McAfee, is full of false data as far as I can tell. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted. The correct statement is that 15% of the world's network prefixes were "hijacked", but the impact was minimal in the US.
My concern is that this "report" will be presented to the US Congress without being refuted by experts in the know.
My request is that someone with some gravitas please issue a press release setting the facts straight on this matter. I have been in contact with Dan Goodin at The Register but I'm just a lowly grunt with a small network.
Also worth pointing out that if this was a normal prefix hijack without them actually delivering the packets to the intended recipient (unlikely the case), then there would be very little TCP data seen. A few packets on existing connections before they time out, and SYNs on new connection attempts. Unless they were able to push the traffic back to another ISP which didn't see their originated routes, things would break more likely than be "routed via" the hijacking AS.
Ryan
On Wed, 17 Nov 2010 11:45:14 -0500 Bob Poortinga <bobp+nanog@webster.tsc.com> wrote:
This article, which quotes Dmitri Alperovitch of McAfee, is full of false data as far as I can tell. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted. The correct statement is that 15% of the world's network prefixes were "hijacked", but the impact was minimal in the US.
In my experience, it is not uncommon for folks in the security industry who talk to the press to be quoted claiming something that turns out to be careless exaggeration at best. The February 2007 DNS DDoS attacks were a good example where that happened, and one I'm familiar with. The media likes a good story.
My concern is that this "report" will be presented to the US Congress without being refuted by experts in the know.
Call me an optimist, but I find it unlikely that a trade magazine will carry more weight than simply drawing further attention to the matter, which would presumably result in more rigorous analysis if warranted. John
On Nov 17, 2010, at 9:45 AM, Bob Poortinga wrote:
My concern is that this "report" will be presented to the US Congress without being refuted by experts in the know.
My request is that someone with some gravitas please issue a press release setting the facts straight on this matter. I have been in contact with Dan Goodin at The Register but I'm just a lowly grunt with a small network.
At the very least you might want to review: http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml Renesys provides one data point but there are others that clearly show traffic routed *through* China (meaning they did indeed originate/hijack, and then pass data on to the original destination). Just because there are people in the know (or with gravitas) that don't post on nanog doesn't mean it didn't happen. -b
At the very least you might want to review: http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml Renesys provides one data point but there are others that clearly show traffic routed *through* China (meaning they did indeed originate/hijack, and then pass data on to the original destination).
as usual i see no traffic measurements in the renesys note. i see inference of traffic based on some control plane measurements. and, has been shown, such inferences are highly suspect. randy
Dear Randy; On Dec 1, 2010, at 3:28 PM, Randy Bush wrote:
At the very least you might want to review: http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml Renesys provides one data point but there are others that clearly show traffic routed *through* China (meaning they did indeed originate/hijack, and then pass data on to the original destination).
as usual i see no traffic measurements in the renesys note. i see inference of traffic based on some control plane measurements. and, has been shown, such inferences are highly suspect.
Doesn't this traceroute (from the above) seem fairly convincing of transit? (Not of the _amount_ of transit, just of its _existence_?)

...here's one of the typical traceroutes we saw during the incident, between the London Internet Exchange and a host in the USA, passing through China Telecom. This trace was collected at 16:03 UTC, about 13 minutes into the event. Total time in transit is 525ms (this trace typically takes no more than 110ms under normal conditions).

1. <our host> 0.785ms # London
2. 195.66.248.229 1.752ms # London
3. 195.66.225.54 1.371ms # London
4. 202.97.52.101 399.707ms # China Telecom
5. 202.97.60.6 408.006ms # China Telecom
6. 202.97.53.121 432.204ms # China Telecom
7. 4.71.114.101 323.690ms # Level3
8. 4.68.18.254 357.566ms # Level3
9. 4.69.134.221 481.273ms # Level3
10. 4.69.132.14 506.159ms # Level3
11. 4.69.132.78 463.024ms # Level3
12. 4.71.170.78 449.416ms # Level3
13. 66.174.98.66 456.970ms # Verizon
14. 66.174.105.24 459.652ms # Verizon
[.. four more Verizon hops ..]
19. 69.83.32.3 508.757ms # Verizon
20. <last hop> 516.006ms # Verizon

And doesn't the graph in Craig Labovitz's blog seem consistent with a modest (not overwhelming, or even unusual) amount of excess traffic during the event?

http://asert.arbornetworks.com/2010/11/china-hijacks-15-of-internet-traffic/

So, putting this, and everything else, together, wouldn't it be reasonable to conclude that
- some traffic was diverted but
- nowhere near 15% of the Internet, by orders of magnitude?

Regards
Marshall
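Marshall's trace is the kind of data-plane evidence the thread is arguing about, so here is a small added example of mine (not Renesys's code and not something any list member posted) that parses that hop list and reports what a practitioner would check by hand: which operator each hop belongs to, where the round-trip time jumps, and whether an operator that has no business on a London-to-US path appears between the expected ones. The hop lines are the ones quoted above; the prefix-to-operator map is an assumption built from the operator labels in that trace, not a lookup against any registry or routing table, and the 110ms normal RTT is the figure the Renesys note gives.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the hops quoted from the Renesys traceroute above.
# The "<our host>" / "<last hop>" placeholders are kept as published.
TRACE = """\
1. <our host> 0.785ms
2. 195.66.248.229 1.752ms
3. 195.66.225.54 1.371ms
4. 202.97.52.101 399.707ms
5. 202.97.60.6 408.006ms
6. 202.97.53.121 432.204ms
7. 4.71.114.101 323.690ms
8. 4.68.18.254 357.566ms
9. 4.69.134.221 481.273ms
10. 4.69.132.14 506.159ms
11. 4.69.132.78 463.024ms
12. 4.71.170.78 449.416ms
13. 66.174.98.66 456.970ms
14. 66.174.105.24 459.652ms
19. 69.83.32.3 508.757ms
20. <last hop> 516.006ms
"""

# ASSUMPTION: prefix -> operator map derived from the labels in the trace,
# not from whois, RPKI or a RIB.  A real tool would resolve hops properly.
OPERATOR_PREFIXES: Dict[str, str] = {
    "195.66.224.0/19": "LINX",
    "202.97.0.0/16": "China Telecom",
    "4.0.0.0/8": "Level3",
    "66.174.0.0/16": "Verizon",
    "69.83.32.0/19": "Verizon",
}

# Operators expected on a London -> US path to this destination.
EXPECTED_OPERATORS: Set[str] = {"LINX", "Level3", "Verizon"}
NORMAL_RTT_MS = 110.0  # "no more than 110ms under normal conditions"


@dataclass
class Hop:
    ttl: int
    addr: Optional[ipaddress.IPv4Address]  # None for the <placeholder> hops
    rtt_ms: float
    operator: str


HOP_RE = re.compile(r"^\s*(\d+)\.\s+(.+?)\s+([\d.]+)ms")


def lookup_operator(addr: ipaddress.IPv4Address) -> str:
    """Longest-prefix match of addr against OPERATOR_PREFIXES."""
    best_net, best_org = None, "unknown"
    for pfx, org in OPERATOR_PREFIXES.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_org = net, org
    return best_org


def parse_trace(text: str) -> List[Hop]:
    """Turn 'ttl. address rttms' lines into Hop records, tagging each with its operator."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, token, rtt = int(m.group(1)), m.group(2), float(m.group(3))
        try:
            addr = ipaddress.IPv4Address(token)
            operator = lookup_operator(addr)
        except ValueError:  # "<our host>", "<last hop>"
            addr, operator = None, "endpoint"
        hops.append(Hop(ttl, addr, rtt, operator))
    return hops


def analyze(hops: List[Hop], expected: Set[str], normal_ms: float) -> dict:
    """Report operators that should not be on the path, the largest hop-to-hop
    RTT jump, and the end-to-end slowdown relative to the normal RTT."""
    foreign: List[str] = []
    for h in hops:
        if h.operator not in expected and h.operator != "endpoint" and h.operator not in foreign:
            foreign.append(h.operator)
    jump_ttl, jump_factor = None, 1.0
    for prev, cur in zip(hops, hops[1:]):
        if prev.rtt_ms > 0 and cur.rtt_ms / prev.rtt_ms > jump_factor:
            jump_ttl, jump_factor = cur.ttl, cur.rtt_ms / prev.rtt_ms
    end_to_end = hops[-1].rtt_ms
    return {
        "foreign_operators": foreign,
        "rtt_jump_at_ttl": jump_ttl,
        "rtt_jump_factor": round(jump_factor, 1),
        "end_to_end_ms": end_to_end,
        "slowdown_vs_normal": round(end_to_end / normal_ms, 1),
        # Both signals together: an unexpected operator AND a large slowdown.
        "transit_detour": bool(foreign) and end_to_end > 2 * normal_ms,
    }


if __name__ == "__main__":
    print(analyze(parse_trace(TRACE), EXPECTED_OPERATORS, NORMAL_RTT_MS))
```

On this trace the first China Telecom hop (TTL 4) is where the RTT goes from about 1ms to about 400ms, and the end-to-end time is roughly 4.7 times the normal figure, which is what one would expect of packets looping through Asia on the way from London to the US. Note what this does and does not show: it is evidence that this one path transited the unexpected AS, not a measurement of how much traffic did.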
On Wed, Dec 1, 2010 at 3:28 PM, Randy Bush <randy@psg.com> wrote:
as usual i see no traffic measurements in the renesys note. i see inference of traffic based on some control plane measurements. and, has been shown, such inferences are highly suspect.
it's fairly clear though that you won't get traffic information without looking at the interconnects between the offending parties, eh? I think the Arbor notes about this try to address this from a traffic perspective, though they have anonymized stats at best. <conspiracy-hat>also, you won't get the traffic stats from the offending parties</conspiracy-hat> -chris
it's fairly clear though that you won't get traffic information without looking at the interconnects between the offending parties
yep
<conspiracy-hat>also, you won't get the traffic stats from the offending parties</conspiracy-hat>
and how much traffic data does google publish? or iij or ntt? oops! cho, fukuda, esaki, & kato [0] did show real traffic data from japan's largest isps. no accusations meant. just trying to keep the discussion near sea level. randy --- [0] - http://www.iijlab.net/~kjc/papers/rbb-sigcomm2006.pdf and follow-on from 2010 http://www.iij.ad.jp/en/development/iir/pdf/iir_vol08_report_EN.pdf
On Wed, Dec 1, 2010 at 3:52 PM, Randy Bush <randy@psg.com> wrote:
<conspiracy-hat>also, you won't get the traffic stats from the offending parties</conspiracy-hat>
and how much traffic data does google publish?
or iij or ntt? oops! cho, fukuda, esaki, & kato [0] did show real traffic data from japan's largest isps.
no accusations meant. just trying to keep the discussion near sea level.
sometimes I love to pull your chain... :) I agree though that folks won't publish this data (in general) directly, for whatever reason. Also, right '15% of traffic' really should have been '15% of routes*' -chris (*) routes as seen in one set of perspectives... not valid in tennessee, wyoming, parts of Alabama, Albania, Germany, The ex-UK-protectorates or...
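Chris's correction (prefixes, not traffic) is worth making concrete, because the two numbers can be very different. The following is an added example of mine, not code or data from anyone on the list: it diffs two prefix-to-origin snapshots, flags both outright origin changes and more-specific announcements from a suspect AS (the two shapes a BGP hijack takes in the control plane), and reports the result as a share of prefixes and as a share of announced address space. Every prefix (documentation and private ranges), every ASN (private range) and both snapshots are constructed; nothing is taken from the April 2010 tables.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed snapshots of (prefix, origin ASN).  Documentation/private
# ranges and private ASNs only; this is not real routing data.
SUSPECT_ASN = 64666
BASELINE = [
    ("10.0.0.0/8", 64500),
    ("172.16.0.0/12", 64501),
    ("192.0.2.0/24", 64502),
    ("198.51.100.0/24", 64503),
    ("203.0.113.0/24", 64504),
    ("198.18.0.0/15", SUSPECT_ASN),    # the suspect's own legitimate prefix
]
OBSERVED = [
    ("10.0.0.0/8", 64500),
    ("10.1.0.0/16", SUSPECT_ASN),      # more-specific carved out of 10/8
    ("172.16.0.0/12", 64501),
    ("192.0.2.0/24", SUSPECT_ASN),     # origin changed
    ("198.51.100.0/24", SUSPECT_ASN),  # origin changed
    ("203.0.113.0/24", 64504),
    ("198.18.0.0/15", SUSPECT_ASN),    # unchanged, not a hijack
]

Net = ipaddress.IPv4Network
Hit = Tuple[str, int, str]  # (prefix, legitimate origin, kind)


def index_routes(routes: Iterable[Tuple[str, int]]) -> Dict[Net, int]:
    return {ipaddress.ip_network(p): asn for p, asn in routes}


def find_hijacks(baseline, observed, suspect: int) -> List[Hit]:
    """Prefixes the suspect originates in `observed` that either replaced a
    different origin from `baseline` (origin-change) or are more-specifics of
    a baseline prefix the suspect did not originate.  A prefix the suspect
    already originated in the baseline is left alone."""
    base, obs = index_routes(baseline), index_routes(observed)
    hits: List[Hit] = []
    for net, asn in obs.items():
        if asn != suspect:
            continue
        if net in base:
            if base[net] != suspect:
                hits.append((str(net), base[net], "origin-change"))
            continue
        covering = [b for b in base if net != b and net.subnet_of(b)]
        if covering:
            parent = max(covering, key=lambda b: b.prefixlen)  # longest match
            if base[parent] != suspect:
                hits.append((str(net), base[parent], "more-specific"))
    return hits


def impact_shares(baseline, hits: List[Hit]) -> Dict[str, float]:
    """Prefix share versus address-space share of a hijack.  Address space is
    counted once (overlapping baseline prefixes are collapsed).  Neither number
    is a traffic figure; that needs flow data from the networks involved."""
    base = index_routes(baseline)
    total_addrs = sum(n.num_addresses for n in ipaddress.collapse_addresses(base))
    hijacked_addrs = sum(ipaddress.ip_network(p).num_addresses for p, _, _ in hits)
    return {
        "baseline_prefixes": len(base),
        "hijacked_prefixes": len(hits),
        "prefix_share": len(hits) / len(base),
        "total_addresses": total_addrs,
        "hijacked_addresses": hijacked_addrs,
        "address_share": hijacked_addrs / total_addrs,
    }


if __name__ == "__main__":
    found = find_hijacks(BASELINE, OBSERVED, SUSPECT_ASN)
    for prefix, legit, kind in found:
        print(f"{prefix:18} legit AS{legit}  {kind}")
    print(impact_shares(BASELINE, found))
```

With these made-up tables the suspect touches half of the baseline prefixes but well under one percent of the announced address space, which is the gap between "15% of routes" and "15% of traffic" in miniature. Going from address space to traffic is another step again, and one that no route table can take for you.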
On Dec 1, 2010, at 4:17 PM, Christopher Morrow wrote:
sometimes I love to pull your chain... :) I agree though that folks won't publish this data (in general) directly, for whatever reason. Also, right '15% of traffic' really should have been '15% of routes*'
Agreed, I should have been more clear. I wasn't implying that much traffic either, but rather "15% of global prefixes." I was more focused on, "Seems clear enough that traffic *transited* China ASNs, as opposed to being blackholed as we've seen in many hijacks." Further, in hopes of generating discussion... I've seen a lot of comments along the lines of "this was likely an accident, misconfiguration, or fat-finger..." I'm having a really hard time figuring how, if traffic was not only diverted to China but *transited* China, this could be any kind of mistake. I'm not able to get my fingers or thumbs to randomly (seemingly) select approximately 15% of all prefixes, originate those, modify filters so I can do so, and also somehow divert it to another router that doesn't have the hijacked prefixes I'm announcing but rather forwards the source traffic on to its intended destination. I can't seem to work all of that out into any kind of "accident." Anyone? -b
On Wed, Dec 1, 2010 at 5:42 PM, Brett Watson <brett@the-watsons.org> wrote:
I'm not able to get my fingers or thumbs to randomly (seemingly) select approximately 15% of all prefixes, originate those, modify filters so I can do so, and also somehow divert it to another router that doesn't have the hijacked prefixes I'm announcing but rather forwards the source traffic on to its intended destination.
"What filters?" "We don't need any stinkin' filters" Sometimes disasters such as an accidental hijacking might be the result of multiple different mistakes or errors that occurred at different times; separated by months or years, it can include design mistakes that were present all along, and the earlier mistakes might never have been detected, until they catalyzed later mistakes. A device missing filters, a missing config entry to actually apply any filters, or a big hole in a filter set are some possibilities, where an operator would not need to make the same typo twice at a later date. The redirection of packets to the eventual proper destination is not necessarily indicating anything intentional; perhaps packets reached a Chinese router that did not have the error, or that had the right filter set active. So far, I saw nothing reported of sufficient detail to infer with high confidence either that it was by accident or that hijacking was not an accident; it seems, you can proceed using either assumption, without arriving at probable inconsistency or logical contradiction. "We don't know for sure if the hijacking was accidental or not" seems a valid answer. -- -JH
Hanlon's razor? On Dec 1, 2010 6:43 PM, "Brett Watson" <brett@the-watsons.org> wrote:
On Dec 1, 2010, at 4:17 PM, Christopher Morrow wrote:
sometimes I love to pull your chain... :) I agree though that folks won't publish this data (in general) directly, for whatever reason. Also, right '15% of traffic' really should have been '15% of routes*'
Agreed, I should have been more clear. I wasn't implying that much traffic either, but rather "15% of global prefixes."
I was more focused on, "Seems clear enough that traffic *transited* China ASNs, as opposed to being blackholed as we've seen in many hijacks."
Further, in hopes of generating discussion... I've seen a lot of comments along the lines of "this was likely an accident, misconfiguration, or fat-finger..."
I'm having a really hard time figuring how, if traffic was not only diverted to China but *transited* China, this could be any kind of mistake. I'm not able to get my fingers or thumbs to randomly (seemingly) select approximately 15% of all prefixes, originate those, modify filters so I can do so, and also somehow divert it to another router that doesn't have the hijacked prefixes I'm announcing but rather forwards the source traffic on to its intended destination.
I can't seem to work all of that out into any kind of "accident."
Anyone?
-b
participants (9)
- Bob Poortinga
- Brett Watson
- Christopher Morrow
- James Hess
- Jeremy L. Gaddis
- John Kristoff
- Marshall Eubanks
- Randy Bush
- Ryan Rawdon