Bad routing information sourced from China has disrupted the internet for the second time in a fortnight. Global BGP (Border Gateway Routing) lookup tables sucked in data from a small ISP called IDC China Telecommunication, apparently accidentally broadcast by state-owned carrier China Telecommunications, IDG reports. ISPs …
traffic routed through unknown systems in China
am I the only one that finds this suspicious?
Reminds me of an old saying...
"Never assume malignant intent when it could just be pure incompetence."
Or something like that.
Still, with their track record...
"Never attribute to malice that which can be adequately explained by stupidity."
Three times is enemy action; twice is, um, ...
Let's suppose that gov.cn wanted samples of all Internet traffic to be routed through Chinese networks for purpose of hacking.
For instance, if they have an anti-encryption exploit - or have an idea for one. Or maybe it's just for massive spoofing.
Maybe it was about hacking a few web sites and services under cover of disrupting thousands of sites.
Also: how about this for cyber warfare? Worldwide denial of service?
> Most likely it’s because of configuration issue, i.e. fat fingers.
Yeah, that's right. Blame Budai.
While on the subject of BGP screw ups
Will the Reg be publishing any stories about Colt's problems yesterday (8th of April)?
Or were we the only Reg readers affected?
AS4134 China Telecom
AS4134 blew my BGP peering session with them yesterday evening but only for a period of about 20 mins. I think this was as a result of mis-configuration. Normally I would only see 5000 prefixes announced by them.
The likes of Level3 et al should know better. Any downstream customer of a Tier 1 should only ever announce infrastructure routes and customer routes. It follows therefore that the upstream provider should set a limit on the number of prefixes they will accept before the peering session is torn down and disabled until the downstream customer corrects their mistake.
A series of tubes?
I've just thought of a better analogy for the Internet, airline baggage handling.
Millions of things routed all over the place daily. One cockup and your* luggage gets sent to China.
*Well, mine anyway.
So anyone could do this deliberately? shouldn't that be fixed before Kim Ill or someone decides to have some fun?
AS4134 China Telecom - FIXIT
Internet is held together with BGP duct tape. There are BCP's to prevent or mitigate mis-configuration issues. But it does happen. It's easily done.
It did happen with Pakistan Telecom a few years back. They started to announce a prefix assigned to AIDSBook (a more specific prefix of one of AIDSBook's RIR allocation). This sucked traffic destined for AIDSBook toward Pakistan Telecom and into a black-hole, taking that associated part of AIDSBook infrastructure offline in a Denial-of-Service.
The standard practice at reputable ISPs is that you document what you or your customers will announce in a RIR such as RIPE - the upstream ISP is supposed to check this is valid and has been rightfully assigned to you/ your downstream customers AS before they will update their prefix/ AS-path filters and propagate into the core.
But you can imagine that in Pakistan this sort of thing might get easily over-looked.
Behind the Great FW of Chna that is China Telecom, AS4134 - there is a very, very powerful network.
"""So anyone could do this deliberately?"""
Not /anyone/ could do this, you have to have some sort of access to BGP as an AS, which isn't super easy to come by, but also not impossible.
And this isn't new at all - people have been doing interesting things with BGP for years, but there's no good way to fix the many problems with the protocol, so everyone just sort of ignores them. Someone managed to hijack the defcon16 internet connection, and did it sneakily enough that they didn't add hops to traceroute or affect TTL or anything. A fair amount of people can pretty much do that for any network they want. Yes it's scary, no, it's not going away soon.
There are methods to filter route updates, but these are almost never implemented between carriers. However, the threat of loosing peering and not getting it back keeps everyone in line.
What happens when you assume
Particularly when you assume that, when on two recent occasions 'foreign' net traffic 'accidentally' got routed throuogh China, that it's "just fat fingers.
Talk to Silicon valley companies about what happens when China takes in interest in your 'net traffic.
If it was deliberate, China would have used a out of country network, like an black sheep ISP in the US. It is too obvious to actually route the traffic to China. And if you think it is so obvious, with the intent to make it appear more accidental, China's connection to the outside world are terrible. Tons of congestion, and terrible latency. There isn't enough capacity for their own needs, let alone back-hauling intercepted traffic.
As far as BGP goes, as someone who has worked on a national US ISP network that peered with 100+ networks, there are a variety of practices used. BGP isn't bad, but is sometimes used badly. In this case, a few ISPs got burned by a bad update. And those were big ISPs, so someone noticed. In the future, they are going to be keeping their BGP input filters updated. Sometimes it takes a small outage like this, to get the ops staff to start taking engineering seriously again.
Perhaps neither a conspiracy nor a cock-up...
...but a test?
Somewhere in China, an official State geek is saying "no, but thanks for the tip!"
This is a wake up call. All it takes to get an ASN is paying Arin a fee. As far as whatever else you have to pay to do it, China surely can afford it.
China spews so much garbage on the internet that it only makes sense that something like this happens. This doesn't sound like a mistake to me, it sounds like something China has been crafting accidently or intentionally made it's debut to see how the interwebz would handle it.
We see how the interwebz handled it. All we hear is "cyberattack cyberattack" and here is a form of a cyberattack and we're told it's a mistake.
Yeah im sorry that our cloned FBI network we host connected to our public. Im sure the FBI would say, okay mistake.
More garbage from China, these uplinks of ours know better. They're too busy bitching about having competition.
Let's not get too hysterical about this. All we need is for the US to go all 'War on Cyber Terror' about this and to use it as an excuse start locking down the internet for your own safety, of course. If fact we should be putting in stuff that allows the internet to stay working even when states, good or evil try to do this kind off thing. Yeah, BGP has been around for a while....
Maybe they need to develop a certificate system for source address / AS advertisement, so that even if two places are advertising the same source, routers can tell which route is authentic even if a better metric is offered along a bogus routes.
BTW have my CCDP exam Monday wish me luck....
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- AMD demos 'Berlin' Opteron, world's first heterogeneous system architecture server chip