Chinese ISP Hijacks the Internet (Again)
CWmike writes "For the second time in two weeks, bad networking information spreading from China has disrupted the Internet. On Thursday morning, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications, and Telefonica. 'There are a large number of ISPs who accepted these routes all over the world,' said Martin A. Brown, technical lead at Internet monitoring firm Renesys. Brown said the incident started just before 10 am Eastern and lasted about 20 minutes. During that time the Chinese ISP transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC instead of their rightful owners. These networks included about 8,000 US networks, including those operated by Dell, CNN, Starbucks, and Apple. More than 8,500 Chinese networks, 1,100 in Australia, and 230 owned by France Telecom were also affected."
Blacklisting China's IP ranges would do nothing to protect you against bad routing - something you as an end user don't have any control over.
Three times is enemy action.
There is a war going on for your mind.
It wasn't the same ISP twice, I don't think.
And you cannot do 'basic verification' of such things on our side of the pond, that's not how BGP works. It's unreasonable to enumerate every block that China Telecommunications announces, as they are a very, very large ISP. The problem was that they in turn should have verified what the small ISP was allowed to announce. But they didn't, those routes popped up on their routers and then propagated out.
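The check described above (the upstream verifying what its small customer is allowed to announce, rather than every block China Telecom itself originates), as an added example written for this page and not code from any ISP or router vendor. It models two inbound policies a transit provider applies on a customer session: a per-customer prefix list that only accepts prefixes the customer is registered to originate and no more-specifics beyond /24, and a maximum-prefix limit that would have tripped on a small ISP suddenly announcing tens of thousands of routes. The customer ASN (64496, a documentation ASN), its registered prefixes and the announcements are constructed sample data.

```python
import ipaddress

# Constructed: prefixes the customer AS 64496 is registered to originate.
CUSTOMER_ALLOWED = {
    64496: ["192.0.2.0/24", "198.51.100.0/24"],
}

# Constructed: what the customer actually announced on the session.
# 198.51.100.0/25 is a too-specific slice of its own block; 203.0.113.0/24
# belongs to someone else entirely (the "hijack" case).
SAMPLE_ANNOUNCEMENTS = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "198.51.100.0/25",
    "203.0.113.0/24",
]


def build_prefix_list(allowed):
    """Parse the registered prefixes once into network objects, keyed by ASN."""
    return {
        asn: [ipaddress.ip_network(p) for p in prefixes]
        for asn, prefixes in allowed.items()
    }


def permitted(prefix_list, asn, prefix, max_len=24):
    """True if `prefix` sits inside a block this ASN may originate and is not
    more specific than /max_len (a longer prefix would win over the owner's
    route everywhere it propagated)."""
    net = ipaddress.ip_network(prefix)
    for allowed in prefix_list.get(asn, []):
        if net.version != allowed.version:
            continue
        if net.subnet_of(allowed) and net.prefixlen <= max_len:
            return True
    return False


def filter_customer_announcements(prefix_list, asn, announcements, max_len=24):
    """Split a customer's announcements into what the upstream will re-advertise
    and what it drops at the edge."""
    accepted, rejected = [], []
    for prefix in announcements:
        bucket = accepted if permitted(prefix_list, asn, prefix, max_len) else rejected
        bucket.append(prefix)
    return accepted, rejected


def exceeds_maximum_prefix(announcements, limit):
    """Model of a maximum-prefix limit: a customer registered for a handful of
    blocks should never be allowed to push thousands of routes. A real router
    tears the session down when this trips."""
    return len(announcements) > limit


if __name__ == "__main__":
    prefix_list = build_prefix_list(CUSTOMER_ALLOWED)
    accepted, rejected = filter_customer_announcements(
        prefix_list, 64496, SAMPLE_ANNOUNCEMENTS
    )
    print("accepted:", accepted)
    print("rejected:", rejected)
    print("session teardown:", exceeds_maximum_prefix(SAMPLE_ANNOUNCEMENTS, limit=3))
```

With the filter in place only the two registered /24s leave the upstream; without it all four propagate, and any router that hears the /25 or the foreign /24 from this path prefers or accepts it exactly as the comment describes.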
The correct quote is:
The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
and add to that a Chinese CA certificate inside Firefox and even SSL could be sniffed
The internet runs the BGP routing protocol. It is by design a 'trust' system. You explicitly neighbor with autonomous systems you want to directly connect to and you freely exchange routes. It's possible to filter that routing information if you want (both in and out), but because you explicitly connected with them there's a certain level of "I trust anything you tell me, as you should of me."
It happens rather frequently. Several times a year.
A large event was a few years back when Iran decided to block youtube.com by announcing their network space as being reachable via Iranian routers, and blackholing the traffic. Unfortunately they neglected to properly configure their outbound prefix filters and that routing announcement made it onto the Internet at large, causing many international routers to believe youtube.com was reachable via Iran.
I mistyped the link. The proper URL is http://www.blockacountry.com/
Limited-scope attacks like the Pakistani YouTube diversion are much more likely to be a deliberate attack; broad-spectrum attacks are obviously either mistakes (or really clever DDOS.) Advertising that you're the best route to half the world isn't exactly stealthy enough for intelligence gathering - and China doesn't have the bandwidth to handle that much traffic, either inside their entire country's network or especially across the Pacific; the only carriers with a chance of absorbing some fraction of AT&T's plus Level3's traffic are Verizon or possibly Google, and they're both competent enough not to do that.
This kind of thing happens occasionally with BGP, which was designed to be run in a relatively trusted environment by relatively-to-extremely-competent people, which means that it only explodes occasionally and most major carriers do a good job of filtering routing announcements that look seriously wrong, and detecting when other people advertise bogus information about their networks. The typical cause used to be bad conversions between external BGP routes and internal OSPF or RIP routes, especially back when some random customer would have left autosummarization on so they'd take their two Class C subnets, combine them into the Class A that they're both in, and announce to everybody in the world that they were the best route to reach the Tier 1 carrier who's their upstream (or who's the upstream of their local ISP, who wasn't bothering to filter their BGP announcements.)
The first time this happened in a big way was a bit of a surprise, as some little ISP announced that their T1 line was the best way to reach all of MAE-EAST (i.e. half the world), so suddenly there were gigabits of traffic headed that direction, at least until their self-DDOS killed off most of the BGP sessions and somebody fixed it. Since then, if you try to advertise being the best route to some large carrier who has a /8, you'll find they're also advertising a pair of /9s (which win), and that they'll be calling your upstream carrier within a couple of minutes to get your BGP session shut down. On the other hand, if this happens, it also means your upstream carrier wasn't filtering your BGP announcements for sanity, so they may also not be good at having somebody who can answer the phone and quickly resolve that level of problem.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
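Why "a pair of /9s (which win)" beats a bogus /8, and why the YouTube-style more-specific announcement wins against its rightful owner, as an added example written for this page (not code from the comment's author or any router). It models only the two BGP decision steps that matter here: longest prefix match first, then, between equally specific routes, the shorter AS path. Everything else in BGP's decision process is left out. The ASNs, prefixes and RIBs are constructed sample data: 64500 is the legitimate carrier, 64496 the misbehaving small ISP, and 64501 an intermediate transit AS.

```python
import ipaddress
from collections import namedtuple

# as_path is ordered as BGP carries it: leftmost = neighbour that sent the
# route, rightmost = origin AS.
Route = namedtuple("Route", "prefix as_path")


def route(prefix, *as_path):
    return Route(ipaddress.ip_network(prefix), tuple(as_path))


def best_route(rib, dst):
    """Longest prefix wins; among equal-length prefixes the shorter AS path
    wins. (A deliberate simplification of the BGP decision process.)"""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr.version == r.prefix.version and addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def origin_as(rib, dst):
    best = best_route(rib, dst)
    return best.as_path[-1] if best else None


# Constructed scenario A: the carrier announces its /8 plus both /9s; the
# small ISP announces the same /8 with a shorter path. The /9s still win.
RIB_WITH_COVERING_9S = [
    route("10.0.0.0/8", 64501, 64500),
    route("10.0.0.0/9", 64501, 64500),
    route("10.128.0.0/9", 64501, 64500),
    route("10.0.0.0/8", 64496),
]

# Constructed scenario B: same hijack, but the carrier only announced the /8.
# Equal prefix length, so the shorter (bogus) path is chosen.
RIB_WITHOUT_9S = [
    route("10.0.0.0/8", 64501, 64500),
    route("10.0.0.0/8", 64496),
]

# Constructed scenario C: the YouTube pattern. The owner announces a /22, the
# blackholing ISP leaks a /24 inside it. The /24 wins for every address it
# covers, no matter how long its AS path is.
RIB_MORE_SPECIFIC_LEAK = [
    route("10.10.0.0/22", 64501, 64500),
    route("10.10.1.0/24", 64501, 64501, 64496),
]

if __name__ == "__main__":
    print("A, 10.200.1.1 ->", origin_as(RIB_WITH_COVERING_9S, "10.200.1.1"))
    print("B, 10.200.1.1 ->", origin_as(RIB_WITHOUT_9S, "10.200.1.1"))
    print("C, 10.10.1.5 ->", origin_as(RIB_MORE_SPECIFIC_LEAK, "10.10.1.5"))
    print("C, 10.10.3.5 ->", origin_as(RIB_MORE_SPECIFIC_LEAK, "10.10.3.5"))
```

Scenario C is the reason the upstream-side prefix filter matters more than anything the victim can do on its own: a leaked more-specific cannot be out-announced without splitting your own block into even smaller pieces, which is why the fix in the YouTube case was the upstream dropping the customer's announcement.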
No one wants to move to secure BGP (which uses PKI to validate route announcements) for a variety of reasons. Google "secure bgp" or "sbgp" to familiarize yourself with the situation.
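What "PKI to validate route announcements" checks in practice, as an added example written for this page. It is not S-BGP itself (which also signs the AS path) but the route-origin validation step that RPKI deployments perform, following the usual rule: an announcement is valid if some ROA covers the prefix with a matching origin ASN and a maxLength at least the announced length, invalid if ROAs cover the prefix but none match, and not-found if nothing covers it. The ROA table and the announcements are constructed sample data; the policy function keeps valid and not-found routes and drops invalid ones, which is the common deployment choice while ROA coverage is partial.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed ROA table: (prefix, maxLength, authorised origin ASN).
# The second entry lets AS 64500 announce 198.51.100.0/24 down to /26s.
ROA_ENTRIES = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 26, 64500),
]

# Constructed announcements as (prefix, origin ASN).
UPDATES = [
    ("192.0.2.0/24", 64500),      # the rightful owner
    ("192.0.2.0/24", 64496),      # same prefix, wrong origin: a hijack
    ("198.51.100.0/25", 64500),   # a permitted more-specific (<= maxLength)
    ("198.51.100.0/27", 64500),   # too specific even for the owner
    ("203.0.113.0/24", 64496),    # nothing in the ROA table covers it
]


def load_roas(entries):
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in entries]


def validate_origin(roas, prefix, origin_asn):
    """RPKI route-origin validation for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, maxlen, asn in roas:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        if asn == origin_asn and net.prefixlen <= maxlen:
            return VALID
    return INVALID if covered else NOT_FOUND


def filter_by_rov(roas, updates):
    """Drop invalid announcements; keep valid and not-found ones."""
    return [
        (prefix, asn)
        for prefix, asn in updates
        if validate_origin(roas, prefix, asn) != INVALID
    ]


if __name__ == "__main__":
    roas = load_roas(ROA_ENTRIES)
    for prefix, asn in UPDATES:
        print(f"{prefix} from AS{asn}: {validate_origin(roas, prefix, asn)}")
    print("accepted:", filter_by_rov(roas, UPDATES))
```

Note what this does and does not buy: the two hijack announcements that collide with a ROA are dropped regardless of which neighbour sent them, but the prefix nobody has registered still gets through, and a forged AS path that ends in the correct origin ASN passes origin validation entirely.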
I use http://www.countryipblocks.net/ -- they seem to do a pretty decent job of keeping their database up-to-date. It will also provide the output in varying formats (net/mask, CIDR, ip range, etc).
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
ISPs use BGP to talk to each other, but internally they may use iBGP or EIGRP or OSPF or (once upon a time) RIP, and they usually have a complex routing structure internally and a small number of border routers that announce a simplified set of routes to their upstream carriers or peers. Badly-automated conversions between OSPF/etc and BGP are the easiest place to make a big mistake like that, though some operators are clever enough to break their routing purely by hand.
I also like http://www.ipdeny.com/
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Baidu's real spiders obey robots.txt. However there are plenty of malicious spiders out there who pretend to be Baidu in their User-agent string - giving Baidu a bad name in this area.