Wednesday, November 7, 2018

Oracle 'net-watcher agrees, China Telecom is a repeat offender for misdirecting traffic

Oracle has backed claims that China Telecom Border Gateway Protocol (BGP) announcements regularly take internet traffic on an unwanted tour of the Middle Kingdom.

At the end of October, a Naval War College paper by Chris Demchak and Yuval Shavit documented what the pair said were "unusual and systematic hijacking patterns associated with China Telecom" (PDF).


Now that report has received a degree of corroboration from Oracle Internet Intelligence (OII).

While declining to comment on possible motivations, OII's Director of Internet Analysis Doug Madory blogged today that he "expended a great deal of effort" to end traffic misdirection by China Telecom in 2017.

As evidence, Madory described a leak lasting "less than a minute" from 2015, when an announcement from China Telecom's AS4134 resulted in transit customer South Korea Broadband (AS9318) sending traffic to China via Verizon APAC (AS703).

That event illustrated how far an error can reach and how long it could persist: 18 months later, traffic starting out in a Telia router in London, and destined for Australia's Department of Defence, was sent to Verizon APAC via China Telecom. Madory provided a traceroute as proof:

[Image: Doug Madory's traceroute. Caption: The long way home ... London to Sydney via China. Credit: Oracle Internet Intelligence]

In other words, having let their systems accept the route announcements, network admins failed to correct the error for up to two-and-a-half years.

Madory told The Register: "BGP routes from Verizon APAC were partially routed through China Telecom beginning in December 2015 and going until April 2018 (~2.5 years). Those routes should never have gone through China Telecom for anywhere except in China."

Verizon APAC errors had a knock-on effect, he explained: "Verizon APAC ... were announcing [routes] to the internet on behalf of their customers. A couple of AS hops away, China Telecom was mishandling them - announcing them in a manner that would cause internet traffic destined for those IP address ranges to flow back through China Telecom's network."

Verizon APAC was involved in another erroneous announcement, and in his blog post, Madory wrote: "When these routes were in circulation, networks peering with China Telecom (including those in the US) accepted AS701 routes via AS4134, sending US-to-US traffic via mainland China. One of our affected clients was a major US internet infrastructure company."

While path monitoring can help prevent leaks, it's not a complete solution because leaks can occur "multiple hops from the origin".

"Verizon APAC (AS703) likely established a settlement-free peering relationship with SK Broadband (AS9318), unaware that AS9318 would then send Verizon’s routes exclusively on to China Telecom and who would in turn send them on to the global internet," Madory said.
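The path-monitoring limitation described above, as an added example that is not from the article or from Oracle: a check that looks only at the AS adjacent to the origin misses a leak introduced further along the path, while a full-path check catches it. The AS numbers are the ones named in the article; the prefixes (RFC 5737 documentation ranges), the sample paths and the allowed-transit policy are constructed assumptions.

```python
# Added example: AS numbers come from the article; the prefixes (RFC 5737
# documentation ranges), the sample paths and the policy are constructed.

# AS paths as received from peers, origin AS last.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [703]),                      # learned directly from the origin
    ("198.51.100.0/24", [9318, 703]),             # via the origin's peer, expected
    ("203.0.113.0/24", [4134, 9318, 703]),        # AS4134 appears two hops from origin
    ("203.0.113.0/24", [4134, 4134, 9318, 703]),  # same path with prepending
]

# Assumed policy: transit ASes expected on paths to each monitored origin.
ALLOWED_TRANSIT = {703: {9318}}

def collapse_prepends(path):
    """Remove consecutive duplicate ASNs so prepending does not skew hop counts."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def adjacent_hop_alert(path):
    """Naive check: only the AS directly next to the origin is inspected."""
    p = collapse_prepends(path)
    allowed = ALLOWED_TRANSIT.get(p[-1]) if p else None
    if allowed is None or len(p) < 2:
        return False
    return p[-2] not in allowed

def full_path_alerts(path):
    """Return (asn, hops_from_origin) for every unexpected AS anywhere in the path."""
    p = collapse_prepends(path)
    allowed = ALLOWED_TRANSIT.get(p[-1]) if p else None
    if allowed is None:
        return []
    transit = reversed(p[:-1])  # walk outward from the origin
    return [(asn, hops) for hops, asn in enumerate(transit, start=1) if asn not in allowed]

def scan(announcements):
    """List announcements the full-path check flags, and whether the naive check fired."""
    findings = []
    for prefix, path in announcements:
        hits = full_path_alerts(path)
        if hits:
            findings.append((prefix, hits, adjacent_hop_alert(path)))
    return findings

if __name__ == "__main__":
    for prefix, hits, naive in scan(ANNOUNCEMENTS):
        print(prefix, hits, "naive check fired" if naive else "naive check missed it")
```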

Networks also need to watch the announcements they receive from their peers, which Madory noted is rare, and he directed his readers to the Internet Society's MANRS project. ®
