China Telecom Constantly Misdirects Internet Traffic
8.11.2018 securityweek BigBrothers
Over the past years, China Telecom has been constantly misdirecting Internet traffic through China, researchers say.
The telecommunication company, one of the largest in China, has had a presence in North American networks for nearly two decades, and currently has 10 points-of-presence (PoPs) in the region (eight in the United States and two in Canada), spanning major exchange points.
Courtesy of this presence, the company was able to hijack traffic through China several times in the past, Chris C. Demchak and Yuval Shavitt revealed in a recent paper (PDF). China Telecom’s PoPs in North America made the rerouting not only possible, but also unnoticeable for a long time, the researchers say.
Back in 2010, China Telecom hijacked 15% of the world’s Internet prefixes, which resulted in popular websites being rerouted through China for around 18 minutes. The incident impacted US government (‘‘.gov’’) and military (‘‘.mil’’) sites as well, the commission assigned to investigate the incident revealed (PDF).
For the past several years, the Internet service provider (ISP) has been engaging in various forms of traffic hijacking, in some cases for days, weeks, and months, Demchak and Shavitt claim.
“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics –namely the lengthened routes and the abnormal durations,” the researchers note.
Doug Madory, Director of Internet Analysis at Oracle, confirms the paper’s findings that the ISP has been engaged in traffic hijacking for a long time, but says the purpose of the action remains unclear. Oracle has gained deep visibility into Web traffic after the acquisition of web traffic management firm Dyn in 2016.
“China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” Madory says.
One of the observed incidents happened on December 9, 2015, when networks around the world who accepted the misconfigured routes inadvertently sent traffic to Verizon APAC through China Telecom.
After being alerted on the issue “over the course of several months last year,” two of the largest carriers of the affected routes implemented filters to no longer accept Verizon routes from China Telecom, which “reduced the footprint of these routes by 90%,” Madory notes.
Last year, he says, traffic was sent via mainland China even if it was supposed to travel only between peers in the United States. The issue repeated several times and resulted in a major US Internet infrastructure company deploying “filters on their peering sessions with China Telecom to block Verizon routes from being accepted.”
Referred to as BGP hijacking attacks (and also known as prefix or route hijacking), such incidents have become increasingly frequent over the past years, with a recent attack targeting payment processing companies in the US. According to Cloudflare, Resource Public Key Infrastructure (RPKI) could be the answer to securing BGP (Border Gateway Protocol) routing.