Slashdot Mirror
Chinese ISP Hijacks the Internet (Again)
CWmike writes "For the second time in two weeks, bad networking information spreading from China has disrupted the Internet. On Thursday morning, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications, and Telefonica. 'There are a large number of ISPs who accepted these routes all over the world,' said Martin A. Brown, technical lead at Internet monitoring firm Renesys. Brown said the incident started just before 10 am Eastern and lasted about 20 minutes. During that time the Chinese ISP transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC instead of their rightful owners. These networks included about 8,000 US networks, including those operated by Dell, CNN, Starbucks, and Apple. More than 8,500 Chinese networks, 1,100 in Australia, and 230 owned by France Telecom were also affected."
It was an accident, of course.
now you can order iPad direct from china through apple.com
All that data routed to the wrong place accidentally... hmmm sounds like a perfect excuse to me - for intelligence gathering. If it passes through their routers, they have the data.
Until China learns how to act as responsible Internet citizens, I'll continue to blackhole as many of Chinese subnets as I can find both at work and home. Spam, malware, and every kind of crap comes from China, and I don't do business with any Chinese, so it's a no-brainer.
I don't respond to AC's.
"Once is an Accident, twice is a Coincidence, and three times is a Pattern."
Any sufficient level of Incompetence is indistinguishable from Malice.
Solution however is exactly the same.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
The ISP in question only controls 30 networks, yet other routers blindly accepted thousands. Why isn't there basic verification of such re-configurations? I'm actually very shocked, the potential for abuse is huge; and TWICE as well.
Why can one "small" ISP do this? I mean from a technical point of view how can they spread routing information for endpoints their network doesn't own? While they have clearly dropped the ball, I struggle to understand how they could accomplish this even if they tried, that is if everyone else's equipment is configured correctly *cough*
Obviously the only way to protect the Border Gateway Protocol is to build a fence around it. (Spits. Scratches ass.)
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
I mistyped the link. The proper URL is http://www.blockacountry.com/
This kind of thing happens all of the time. Subscribe to the operators list at http://www.nanog.org/ and you will see reports of mis-announced prefixes every month or two. This is just China bashing and media sensationalism. (Which I do mind very much, thank you)
Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
Limited-scope attacks like the Pakistani YouTube diversion are much more likely to be a deliberate attack; broad-spectrum attacks are obviously either mistakes (or really clever DDOS.) Advertising that you're the best route to half the world isn't exactly un-stealthy enough for intelligence gathering - and China doesn't have the bandwidth to handle that much traffic, either inside their entire country's network or especially across the Pacific; the only carriers with a chance of absorbing some fraction of AT&T's plus Level3's traffic are Verizon or possibly Google, and they're both competent enough not to do that.
This kind of thing happens occasionally with BGP, which was designed to be run in a relatively trusted environment by relatively-to-extremely-competent people, which means that it only explodes occasionally and most major carriers do a good job of filtering routing announcements that look seriously wrong, and detecting when other people advertise bogus information about their networks. The typical cause used to be bad conversions between external BGP routes and internal OSPF or RIP routes, especially back when some random customer would have left autosummarization on so they'd take their two Class C subnets, combine them into the Class A that they're both in, and announce to everybody in the world that they were the best route to reach the Tier 1 carrier who's their upstream (or who's the upstream of their local ISP, who wasn't bothering to filter their BGP announcements.)
The first time this happened in a big way was a bit of a surprise, as some little ISP announced that their T1 line was the best way to reach all of MAE-EAST (i.e. half the world), so suddenly there were gigabits of traffic headed that direction, at least until their self-DDOS killed off most of the BGP sessions and somebody fixed it. Since then, if you try to advertise being the best route to some large carrier who has a /8, you'll find they're also advertising a pair of /9s (which win), and that they'll be calling your upstream carrier within a couple of minutes to get your BGP session shut down. On the other hand, if this happens, it also means your upstream carrier wasn't filtering your BGP announcements for sanity, so they may also not be good at having somebody who can answer the phone and quickly resolve that level of problem.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
This should really be cause for alarm. Does China also use the Narus systems that the NSA is using to spy on all Americans?
Someone had to say it.
Our Grand Communist Party of the Great Nation of China plan to get the rest of the world to leave us alone about our glorious firewall, and desire, nay, duty to protect our citizens:
Step 1: Push out Google
Step 2: Muck up their internet
Step 3: They kick us off "their" internet
Step 4: Setup our own, national, internet
Step 5: Be praised by the lesser nations for staying off their internet, rather than chastised for walling ourselves off and keeping their realfacts out
Step 6: Spread propaganda, er... goodfacts about our Grand Communist Party of the Great Nation of China
Step 7: Unlimited, eternal power to do whatever we please
This is sort of the nature of BGP, at least when you are in the habit of trusting BGP peers. Methinks the large carriers should probably be in the habit of filtering BGP updates from chinese carriers, at least until they can pass "peering 101"
By "old-school principles", you did mean "pre-ARIN IPv4 Swamp Addresses", didn't you? :-)
Yeah, the people who designed IPv6 hoped that by having a big enough address space with no pre-existing reservations, they could make routing simpler and cleaner and delay the problem of routers running out of special route table memory and routing protocol horsepower, but that was pretty much a pipe dream:
so the IPv6 world's going to be a non-hierarchical mess just like the IPv4 world.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
'cause we created it. Thanks.
So while this was going on could the chinese save off the network traffic? They have the infrastructure Cisco routers, etc. ...
Could they decrypt SSL packets ? It may take awhile but they're not doing this real-time.
Go through any interesting attachments ? Spreadsheets, documents,
I think I'll read up more on asymmetric warfare and the Red Army officer's paper on the subject.
ISPs use BGP to talk to each other, but internally they may use iBGP or EIGRP or OSPF or (once upon a time) RIP, and they usually have a complex routing structure internally and a small number of border routers that announce a simplified set of routes to their upstream carriers or peers. Badly-automated conversions between OSPF/etc and BGP are the easiest place to make a big mistake like that, though some operators are clever enough to break their routing purely by hand.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
nuff said. Ok, I will ellaborate, but that shouldnt be neccecary. Do you really need to read more?
This may be a cyberwar between a multinational corporation and China. Google will of course win this war. The war is secret, and not fought with bullets. Oh, you want to know even more? That is hardly neccecary, but I will go on.
Also, we will need to equip an army of female acrobatic tech-warriors wearing tight-fitted latex with large open cleavages. That can probably keep the kung-fu chinese hackers at bay. Now you know all you need to know, no need to read further.
If all fails, the US must deploy the sharks with laser-beams on their heads witch they used to sever the middle-eastern Internet connection some years ago. They can keep the US coast safe from spyware. But this is all. I swear! There is no more sinister things going on.
Now, I must get back to my experiments. Nothing to see here .... move along....
Good walls work both ways. To "help" China from being tainted by the evil ways of us westerners let's just cut them off completely.
Tisha Hayes
While at it, I offer you to query my own Zebra server, I guarantee to only return the best available routes ;-))
http://www.gnu.org/software/zebra/
Contact me off-line if you are interested.
Seriously, I have some friends who do like you, they start by blocking China, then Korea, then end up blocking half of the world to enhance their security.
In my humble opinion, this is not a valid security approach, I actually use some requests or connection attempts from these countries to test and strengthen my security. Hackers can get to your machine from US relays/proxies or US compromised machine anyway and blocking only drops the packets as they arrive to your machine, no DOS protection or bandwidth savings.
In short, I believe blocking China gives you a false sense of security, use China to learn how to make your system secure in the first place instead but the is just my 2 cents hence my very personal opinion ;-))
Everything I write is lies, read between the lines.
Yeah, I'd be interested in knowing if I'm paranoid against China and this type of thing for no reason, but (and maybe it's just my paranoia talking) I think there's pretty good reason to believe this is intentional. The only time I've ever heard of large scale screwups like this are with China and once with Pakistan.
/. front page every once in a while)
Are you saying this is truly a selection bias, or are the Chinese screwups more global in scope? Seems like propagating a small ISP to a large ISP to the entire Internet would be something I've heard before in other countries. Are there incidences in the past where 10% of ALL Internet traffic was routed through a different country?
(I'm not trolling, this is a genuine question. Because if it does happen more often, maybe we should splash it on the
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
Don't get me wrong, this was a really big mistake. It doesn't happen often at this scale, but it does happen.
In this case the prefixes what were mis-broadcast were sequential for the most part and covered several networks and countries, not a specific target. The bulk of the misrouted addresses were actually in China. They also didn't leak the routes (as in the Pakistan incident) but re-originated the prefixes, pre-pending their AS number to the announcement. This means "origin AS" based filters would have stopped the incident form even happening. I think that some poor technician fat fingered his BGP announcement, trying to do some traffic shaping. An actual attack would have been much more sophisticated.
You will have to make your own decision about your paranoia against China.
Where would we be if Wheel had hid her round rock in a cave instead of showing everyone how it rolls?
Racist garbage spoken like a true uninformed dickhead. Meanwhile crap like this continues to get modded up on slashdot. I'm tied of seeing almost daily china threads started on /. accompanied by racist or boarderline racist rants in the threads.