Slashdot Mirror

← Back to Stories (view on slashdot.org)

China Telecom Hijacks US, Canadian Internet Traffic On a Regular Basis, Report Says (itnews.com.au)

Posted by BeauHD on from the business-as-usual dept.

Bismillah writes: China Telecom is up to no good with Border Gateway Protocol (BGP) shenanigans researchers have discovered. The state-owned telco is hijacking and rerouting internet traffic to China via it's U.S. and Canadian points of presence (PoPs). As for how the researchers came to their conclusion, they reportedly "built a route tracing system that monitors BGP announcements and which picks up on patterns suggesting accidental or deliberate hijacks and discovered multiple attacks by China Telecom over the past few years," reports iTNews.

In one example occurring in 2016, "China Telecom diverted traffic between Canada and Korean government networks to its PoP in Toronto," the report says. "From there, traffic was forwarded to the China Telecom PoP on the U.S. West Coast and sent to China, and finally delivered to Korea. Normally, the traffic would take a shorter route, going between Canada, the U.S. and directly to Korea." The telecommunications company is able to reroute the traffic by announcing fake routes via the BGP, which "governs data flow between Autonomous Systems, the large networks operated by telcos, internet providers and corporations."

31 of 64 comments (clear)

  1. So what do we do about it? by Anonymous Coward · · Score: 3, Interesting

    Is anyone going to impose any actual consequences, or are they just too damn big?

    1. Re:So what do we do about it? by houstonbofh · · Score: 1

      We could just block bgp updates from them. You got a new network? Too bad no one can find it!

    2. Re:So what do we do about it? by Narcocide · · Score: 5, Insightful

      Oh, I have an idea. How about we stop allowing border gateway maintenance to be policed exclusively by the honor system?

    3. Re: So what do we do about it? by Anonymous Coward · · Score: 1

      My hunch is that they are doing this at peering exchanges where you normally have wide open filters with a prefix limit.

      If they keep pulling these kind of route highjacking, you could probably set up bgbmon and setup a script to auto block any prefixes they are hijacking.

    4. Re:So what do we do about it? by TomGreenhaw · · Score: 1

      The supply chain for much of the products we all buy in the US depends on Internet connectivity to China. I'm starting to realize that few people truly understand how much the US and China depend on each other. We have created a complex financial ecosystem that depends on the Internet.

      All the purchase orders for the billions of things we buy and depend upon could not be processed. Store shelves would be empty and hyperinflation would take root due to the scarcity of supply of pretty much everything.

      --
      Greed is the root of all evil.
    5. Re:So what do we do about it? by Athanasius · · Score: 1

      There are moves afoot to address this, but not currently going so well: https://blog.apnic.net/2018/10...

      The first is that only 63 networks appear to reject routes where the ROA indicates an invalid origination of the route. Out of some 63,000 networks in today’s routing system that’s a very small number. Hopefully, this situation will improve over time.

      The second observation is that the ROAs would only have been effective if these route leaks were inadvertent operational mistakes. If these route leaks were deliberate routing hijacks, then the attackers would’ve been able to create the hijacked route with the ROA-defined origin AS. While the prudent use of the maxlength parameter in the ROA could’ve mitigated more specific attacks, the potential for routing disruption based on deliberate hijacks, while preserving the origin AS, still remains.

    6. Re:So what do we do about it? by postbigbang · · Score: 1

      Enough hand-wringing. Your contention is simply fear-mongering. The BS of ecosystem betrays your sense of fragility, and not the reality of the situation.

      There would be a disruption. Alibaba and more would rapidly crater. Supply chains would be broken. Apple might have a bad quarter. Poor Apple.

      On the ground in the USA, some farmers would be selling bacon and soybeans really inexpensively. Other markets would be found. The ASEAN currencies would go like rollercoasters as new supply chains are made. The price of oil would drop. Boo Hoo.

      But we might need more anti-anxiety medications for folks like you. Oh, right, India would be right up to bat. Auto parts would come from Bangalore and Lahore, perhaps Penang. Yeah, garlic would be tough.... for a while.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:So what do we do about it? by TomGreenhaw · · Score: 1

      I like your signature line, I propose we be civil to each other

      I don't like that the US is so heavily dependent on foreign trade but that is the mess we are in right now. I agree we must act.

      My company manages software for a number of major retailers that I'm sure you and most everyone else shops at all the time. We manage all their product data and purchase order systems. Most of our customers are healthcare, hardware, crafts, sporting goods retailers and transportation parts. I'm not fear mongering, I am saying that this is something I deal with on a daily basis. This is not a hobby for me or something I'm guessing at at a high or philosophical level - its my career.

      I know the country of origin for the products these companies sell and how many purchase orders are being written. It's staggering.

      We need to cautiously ramp down slowly. Terriffs are one way to accomplish that goal, but it is surely going to have unintended consequences. These terriffs are going to be a consumption tax until domestic sources kick in. With a tight labor market that's going to take time if it happens at all. That in conjunction with all the current policy changes are all inflationary.

      But shutting off the Internet to China? It would be like blowing off your head to stop the migraine headache.

      I propose we Teach Peace to China. It's Cheaper Than War.

      --
      Greed is the root of all evil.
    8. Re:So what do we do about it? by postbigbang · · Score: 2

      Are the tariffs stupid? Didn't comment on that.

      This morning I looked at some of the website my organizations manage. The attacks came 84% from China origin. Pakistan, Albania, Azerbaijan, and even France trailed well behind.

      I try to specifically not buy Chinese goods, especially Chinese foods. Certainly others do. I try to put my money where it will do the most good, and that's as local as possible. This said, the dependency that US Corporate industry has put on China now enslaves them to a regime that suppresses free speech, human rights (yeah, we do to, but we're working on it), and attempts to conquer the S China Sea. They're suckering parts of Africa, S America, and the Middle East, the disaffected areas, into financial chattel.

      So they hijack BGP for a little while to sniff who's doing what. It's not a mistake. It is a mistake to have a president that uses a sniffable phone, but let's not quibble. All of that data gets sorted and sifted. They do not, and no one has the right to do that, no, not even the NSA. The honor system used to respect BGP updates is hilarious, and one of the many flaws of the Internet. But the US has given up most of its policing rights. Let the games begin. Oh, wait, they've been underway for a decade.

      --
      ---- Teach Peace. It's Cheaper Than War.
    9. Re:So what do we do about it? by Puls4r · · Score: 1

      You are incorrect. Almost every manufacturing facility requires finished product and raw materials, and probably 80-90% of that is created in China. Purchase systems, inventory systems, these are all automatic. We build XX a day, the system automatically sends orders to our 437 suppliers to replenish those. That's the reality of lean. 3 day stock on hand if you are lucky.

      The automotive manufacturing system would continue to run for a short time while the already in-transit materials were coming in. After that, nothing. Orders would not be automatically cut, shippers not automatically contacted, and there isn't a large company in the US that has even a tiny fraction of the people or manual systems in place to maintain what computers and the internet do for us automatically every day.

      Everything from cell phones to automotive window motors to the jugs that manufacturers put milk and other food stuffs in (those are largely made in china, just like your bread bags and everything else we package stuff in).

      You are vastly understating the issues that something like this could potentially create if it broke the internet.

    10. Re:So what do we do about it? by postbigbang · · Score: 1

      I won't argue vast supply chain. You over-estimate the size and demand and impact. So we must disagree. There is no doubt that a disruption would occur. The magnitude and outcomes would crash a decided number of businesses. Would it cause a burden? Yep. Could it be surmounted? Certainly not easily, but in certainty, what has been woven into a cloth of low-cost labor fealty can be unwoven. Given the madness of their current regime, it may have to be. Extricating supply chain from China would be onerous, but not the gottdamerung you posit.

      --
      ---- Teach Peace. It's Cheaper Than War.
  2. so use RPKI by johnjones · · Score: 5, Informative

    the canadian government is surprised to find china did exactly the same thing to them as they did to china...

    come on just implement signing and validation...
    https://blog.benjojo.co.uk/post/are-bgps-security-features-working-yet-rpki

    also get on your DNSSEC and DANE implementations

    1. Re:so use RPKI by houstonbofh · · Score: 2, Insightful

      Or just block bgp from China entirely. Yes, it would suck for them. So sad. :)

    2. Re: so use RPKI by petermgreen · · Score: 4, Informative

      Using BGP is the normal way routes are exchanged between carriers on the Internet. It is absoloutely normal for carriers in different countries to have BGP sessions with each other.

      The problem is a combination of laziness and resource limitations mean that carriers and other networks end up trusting each other. Sure filters can be put in place in theory but on a link where thousands of prefixes are normally exchanged maintaining those filters is both a a PITA and a resource drain on the routers.

      Adding to that many networks are cheapskates. Rather than take the shortest path to a destination they will take the cheapest. i.e. they will prefer sending the traffic to a peer or downstream over sending it to an upstream.

      The result of this is it's easy for traffic to get diverted, either accidentally or maliciously, and as long as the traffic reaches it's destination without undue delays it is very likely that no one will notice.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    3. Re: so use RPKI by Bert64 · · Score: 3, Informative

      Not only that, but traffic going from canada to korea via china isn't unreasonable, it could be the cheapest route or the direct routes could be unavailable for whatever reason. If the traffic was destined from canada to the us and went via china that would be far more suspicious.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re: so use RPKI by Muros · · Score: 1

      If the traffic was destined from canada to the us and went via china that would be far more suspicious.

      Not necessarily. I know Virgin Media used to route traffic from one of our customers about 5 miles away across the Atlantic and back.

    5. Re:so use RPKI by jon3k · · Score: 1

      Who? Everyone other country on earth? Otherwise traffic would just pass through some other transit network. Not every country is directly connected to a network physically inside China.

    6. Re: so use RPKI by WindBourne · · Score: 1

      Actually. no.
      Going to CHina would be one of the more expensive routes.
      Look at this map. VERY FEW Chinese locations are shared between America, and South Korea. If looking for a 3rd indirect hop, Japan would be far more likely. In fact, it was obviously designed for just that. Multiple links from America go to Japan. In every location that has an American link, also has links to S. Korea.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  3. Repeat after me by Nkwe · · Score: 5, Interesting

    "The Internet is not a secure network."

    As an Internet user you have no control over where your packets go or how they are routed. China could re-route them. The NSA could re-route them. Your ISP could re-route them. The only "guarantee" you get is the Internet will try really hard to get your packets there by any means necessary. Because there is no way to know where your packets are going to go, you should assume that *anyone* could be reading your packets. ("Packets" meaning the web pages your browse, the credit card details you enter on a website, the emails you send, etc.)

    This of course doesn't matter because you encrypt everything you send across the Internet right?

    1. Re:Repeat after me by Kaenneth · · Score: 1

      Tor in a VPN in another VPN.

    2. Re:Repeat after me by Anonymous Coward · · Score: 1

      Encryption is not a fix-all measure.
      It can be hacked or circumvented (corrupted certificate system for example).
      You do not always have the choice to select your desired level of encryption (accessing internet based services)
      And metadata is data too.

  4. Stopped even trying.. by Anonymous Coward · · Score: 2, Interesting

    I've given up trying to tell ISP's when their networks are hijacked (it happens, a lot). It's not just China either, Comcast likes to engage in it's own hijacking for example. Many networks simply don't give a shit or want free consulting.

    I'm sure there are some of you here that understand BGP but for the rest, in short it's not necessarily a case of Provider C announces Provider A's networks such that Provider B routes through C. There are quite a few metrics that go into how routers decide one routeu over another, some are policy while others are protocol level (link goes down, routes get withdrawn). Having a shorter path or lower latency for example are two ways a third party can fool networks into giving them preference.

    Dropping your BGP session is a script kiddie level attack, influencing your routing such that YOU believe I have a better one without making global changes is much more sinister.

  5. Neat, but doesn't matter. by Anonymous Coward · · Score: 2, Informative

    Just encrypt your traffic.

  6. Man in the Middle has Always Been a Risk by nateman1352 · · Score: 1

    The fact that the Internet's design allows this behavior has been known for decades. The only thing that is new is China was caught doing it, though probably most world governments have done it by now. That is why many in the industry are pushing for 100% HTTPS adoption. It's free and easy now thanks to https://letsencrypt.org/

  7. I wonder if data was modified? by WindBourne · · Score: 1

    Was this China just spying, or did they modify the data ? If the first, then not as big a deal. But modified data could be seen as act of war. it

    --
    I prefer the "u" in honour as it seems to be missing these days.
  8. Re: Sounds like it's time... by jeromef · · Score: 1

    I have seen one guy driving a Quattroporte in Shenzhen. But maybe he was not Chinese...

  9. I am from China, but ... by Anonymous Coward · · Score: 1

    well, you see the beginning of the story. I am a client of China-telecom, but I find my CN-2-CN traffic is routed via China-Taiwan node (yep. you can say it is china), which makes no sense at all. Judging from this report, it is some Canada-China-(another AS)-(perhaps China again)-specified destination. In my understanding it is now a Tor-like relaying structure.

    To make it worse, in order to protect China's internet censor system (content review on .., e.g,, similar to china's version of whatisup message, news posts etc), they don't allow most tracing protocol such as the one trace-route uses, and they route different protocol in different ways (TCP/UDP/others are treated in different ways for content review). I cannot investigate my connection at all. but in this way, it seems as if some one is making use of China's insane internet system to hide themselves with BGP spoofing.

    They modify data? most are encrypted ...

    Don't expect their IT or ITS to be competent.

  10. IPV6? by WindBourne · · Score: 2

    Seriously, it is time for the west to really make the move to IPV6. Protocols like SEND would help make a difference. We would have far less issues all the way around.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  11. sanctions by Kvasio · · Score: 2

    I still wonder why instead of current economic sanctions on Russia, USA did not enforce "cut all BGP traffic to Russia; if 3rd country operator transfers BGP traffic for Russia, it gets cut away". Just like in 2001 they forced nearly all nations to join "battle on terrorism".
    It would be much more efficient, resulting in:
    - cutting Russian hackers
    - cuttting Russian troll factories influencing US politics
    - cutting Russian espionage
    Just profit. Losses minimal compared to profits.

    With China such sanction would be more difficult, on the other hand it would make making business with China much more diffiult, so easier to replace Chinese products with local ones.

  12. Simple solution by kbg · · Score: 1

    The solution to this is of course not allowing the China Telecom to add anything to the BGP. Very simple.

  13. Okay, that does it! by DontBeAMoran · · Score: 1

    I'm going to write a very angry letter to Ottawa!

    Signed,
    a Canadian.

    --
    #DeleteFacebook