Massive Chinese Net Reroute Exposes Web's Achilles' Heel
Nov 17, 2010 12:29 PM PT
China Telecom has reportedly denied accusations by a U.S. government organization that it was behind the rerouting of traffic bound for about 15 percent of the Internet's destinations through servers in China for a short period earlier this year.
The Chinese state-owned carrier was pinpointed by the U.S.-China Economic and Security Review Commission as being involved in the incident.
"For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers," the Commission's report stated.
China Telecom denied the hijacking in a statement to Reuters.
The Commission presented its report to Congress on Wednesday.
The Chinese Way
The U.S.-China Economic and Security Review Commission said that all traffic to about 15 percent of the Internet's destinations was rerouted to servers in China during an 18-minute period in April.
Traffic to and from U.S. government websites -- including that for the Senate, the office of the Secretary of Defense, the National Aeronautics and Space Administration, and the Department of Commerce -- was hijacked.
Some commercial websites, including those for Dell, Yahoo, Microsoft and IBM, were also affected.
There's no indication yet of what was done to or with the allegedly hijacked data, but the Commission said incidents like this could disrupt data transactions, enable surveillance of specific users or sites, and divert data to a site it was not intended for. It might also let a telecommunications carrier compromise the integrity of encrypted communications.
Perhaps there's a link to the Chinese government's revival in May of a proposed set of rules that will compel makers of intrusion detection systems, secure network routers and other technology products to disclose sensitive cryptography information. Those rules were first set forth in 2008 and had a deadline for compliance by 2009, but were suspended for a year because of resistance from U.S. and European institutions, the Commission said. No foreign firms had complied with the rules as of June 2010, the report stated.
Other actions by the Chinese authorities over the years give credence to the view that the Chinese may be targeting American computer systems and networks as well as those of other foreign countries, the Commission stated.
The Commission did not respond to requests for comment by press time.
With Malice Aforethought?
The apparent hijacking was the result of tainted routing tables: routers around the world accepted, and passed on, route announcements that were wrong.
A routing table is a list of routes to particular network destinations, such as the address blocks that servers sit in. It is built by routing protocols (together with any static configuration) and holds every route a router has learned, often several for the same destination. From it the router derives its forwarding table, which keeps only the route its selection algorithm prefers for each destination and is what actually decides where each packet is sent next. A tainted routing table therefore misdirects traffic to a destination the originator of the packets never selected, because forwarding is decided hop by hop by the routers along the way, not by the sender.
However, many of the networks affected were actually Chinese networks. They included some popular Chinese websites such as www.joy.cn, www.pconline.com.cn and www.chinaz.com, according to the BGPmon blog.
This attack could have been due to a mistake, or it could be malicious. Either way, it required administrative access to sophisticated network routing equipment inside the China Telecom network, Dmitri Alperovitch, vice president of threat research at McAfee Labs, told TechNewsWorld.
"It's highly unlikely that this was a result of a hack into China Telecom," Alperovitch pointed out. "Certainly, anything is possible, but a hack giving that level of access privileges to the most key network infrastructure inside a major telecom provider such as China Telecom would be very significant in its own right. It could have been a human mistake by a network administrator inside the company."
However, no one will know for sure unless China Telecom releases more details about the incident, Alperovitch remarked.
The Weakness of the Web
The problem apparently lies with the Border Gateway Protocol (BGP), the protocol by which Internet service providers and other networks tell one another which address blocks they can reach; the routing tables described above are assembled from those announcements. Nearly every Internet service provider must use BGP to exchange routes with its neighbors, making it one of the most important protocols on the Internet.
However, BGP is flawed: it accepts announcements on trust, so hijacking traffic by announcing false routes is easy. A router that hears an announcement for a more specific address block will generally prefer it over the legitimate, broader one, whoever originated it. Researchers at the 2008 Defcon hacker conference in Las Vegas demonstrated this by announcing false routes for the conference's address space, drawing all conference traffic to a computer they controlled before forwarding it on to its real destination.
Internet engineers have apparently not yet addressed this flaw. Work on cryptographically validating which network is allowed to originate a given address block (the Resource Public Key Infrastructure, RPKI) was under way in the IETF at the time, but it had not been deployed.
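The following Python model, added here as an illustration and not taken from the article, the Commission's report or any router vendor, shows the two points made above: how a forwarding table is derived from a routing table by best-path selection, and why a false announcement of a more specific prefix wins that selection no matter who sent it. It also adds the check a network operator would want, a simplified route origin validation in the style of RPKI, which the article does not describe. All prefixes and AS numbers are constructed from the documentation ranges reserved by RFC 5737 and RFC 5398; the best-path rule is reduced to "shortest AS path" and is not the full BGP decision process.

```python
"""Toy model of BGP route selection and of the prefix hijack it permits.
Prefixes and ASNs are constructed from documentation ranges (RFC 5737 / RFC 5398)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (prefix, max_length, authorized origin AS): what an RPKI ROA expresses.
Roa = Tuple[ipaddress.IPv4Network, int, int]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]  # leftmost = neighbor we heard it from, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def validate_origin(route: Route, roas: List[Roa]) -> str:
    """Route origin validation (RFC 6483 states): is this origin authorized for this prefix?"""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa[0])]
    if not covering:
        return "not-found"          # no ROA covers the prefix at all
    for _, max_len, origin in covering:
        if origin == route.origin_as and route.prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"                # covered, but wrong origin or more specific than allowed


class Rib:
    """Routing Information Base: every announcement heard, grouped by prefix."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, List[Route]] = {}

    def announce(self, prefix: str, as_path: List[int]) -> Route:
        net = ipaddress.ip_network(prefix)
        route = Route(net, tuple(as_path))
        self.routes.setdefault(net, []).append(route)
        return route

    def fib(self, roas: Optional[List[Roa]] = None) -> Dict[ipaddress.IPv4Network, Route]:
        """Forwarding table: one best route per prefix. Best-path is reduced to
        'shortest AS path, then lowest origin ASN'; real BGP has more tie-breakers.
        When ROAs are supplied, routes whose origin validates as 'invalid' are dropped first."""
        table: Dict[ipaddress.IPv4Network, Route] = {}
        for prefix, cands in self.routes.items():
            if roas is not None:
                cands = [r for r in cands if validate_origin(r, roas) != "invalid"]
            if cands:
                table[prefix] = min(cands, key=lambda r: (len(r.as_path), r.origin_as))
        return table

    def lookup(self, ip: str, roas: Optional[List[Roa]] = None) -> Optional[Route]:
        """Longest-prefix match against the FIB: a /25 beats a /24 no matter who announced it."""
        addr = ipaddress.ip_address(ip)
        fib = self.fib(roas)
        matches = [p for p in fib if addr in p]
        if not matches:
            return None
        return fib[max(matches, key=lambda p: p.prefixlen)]


def build_scenario() -> Tuple[Rib, Route, Route, List[Roa]]:
    """Constructed scenario: AS64496 legitimately originates 203.0.113.0/24;
    AS64511 later announces a more specific /25 covering half of it."""
    rib = Rib()
    legit = rib.announce("203.0.113.0/24", [64500, 64496])
    rib.announce("203.0.113.0/24", [64501, 64502, 64496])   # same prefix, longer path: loses
    hijack = rib.announce("203.0.113.0/25", [64501, 64503, 64511])
    roas = [(ipaddress.ip_network("203.0.113.0/24"), 24, 64496)]   # constructed ROA for the victim
    return rib, legit, hijack, roas


if __name__ == "__main__":
    rib, legit, hijack, roas = build_scenario()
    for ip in ("203.0.113.10", "203.0.113.200"):
        print(ip, "-> origin AS", rib.lookup(ip).origin_as,
              "| with origin validation:", rib.lookup(ip, roas).origin_as)
    print("hijack route is", validate_origin(hijack, roas),
          "; legitimate route is", validate_origin(legit, roas))
```

Without validation, traffic for 203.0.113.10 is forwarded toward the hijacker's AS64511 even though its AS path is longer, because longest-prefix match runs before best-path selection; 203.0.113.200 lies outside the /25 and is untouched, which is why a hijack can affect a fraction of an address block. With the ROA applied, the /25 is rejected as "invalid" (its origin is wrong and it is more specific than the authorized maximum length) and the legitimate /24 is used again.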
This is one of the biggest such redirections so far, Alperovitch said. It could happen again, since a number of major telecommunications companies routing a lot of Internet traffic have the same capability, he warned.
"This is not something unique to China," Alperovitch added. "It's unclear whether the incident was deliberate."