Traffic misdirection is happening, say experts at Oracle

It's starting to look pretty possible that China Telecom, the state-owned internet service provider, has been misdirecting large quantities of internet traffic, after Oracle experts backed the claims made late last month.

As you may recall, researchers Chris Demchak of the US Naval War College and Yuval Shavitt of Tel Aviv University described in a paper how they analysed data from a specially-built route-tracing system that detects unusual patterns of BGP (Border Gateway Protocol) announcements.

They say they were able to identify patterns that suggested accidental or deliberate hijacking during the last couple of years. China Telecom, it seems, was publishing bogus routes – misdirecting large quantities of internet traffic via China before delivering it with a slight delay.

The events they found include the hijacking of routes from Canada to South Korean government sites between February and August 2016; the October 2016 hijacking of several US routes to the headquarters of an Anglo-American bank in Milan; and the hijacking of traffic between Scandinavia and Japan during April and May 2017, targeting a major US news organisation.

BGP configuration errors are far from rare, and it’s not known for sure whether the misdirection was caused by a simple mistake or by a deliberate hijacking.

The researchers suggest, however, that China was in this case copying the traffic to aid them in the surveillance of Western countries and companies.

“While one may argue such attacks can always be explained by ‘normal’ BGP behaviour, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics – namely the lengthened routes and the abnormal durations,” they wrote.

The researchers pointed out that China has ten ‘Points of Presence’ (PoPs) in North America and Europe, making traffic delays less noticeable and interference harder to detect.

The reason for the misdirection may be debatable. But the fact that this is ongoing has now been confirmed by Doug Madory, director of internet analysis at Oracle’s Internet Intelligence team.

“I don’t intend to address the paper’s claims around the motivations of these actions. However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years,” he writes.

“I know because I expended a great deal of effort to stop it in 2017.”

He cites a 2015 routing leak that persisted for less than a minute but apparently kicked off a series of misrouting events lasting until earlier this year, many of which involved US-to-US traffic being hijacked and rerouted through China Telecom.

According to Madory, the misdirection was the result of AS4134, the autonomous system belonging to China Telecom, incorrectly handling the routing announcements of AS703, Verizon’s Asia-Pacific AS.
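A defender-side check for the three signals the article describes (an unexpected transit AS in the path, a path longer than the prefix's usual one, and how long the anomalous route persists), as an added example that is not code from the article, the researchers' system or Oracle. The AS numbers are the ones named above; the prefix, the neighbour AS64500, the timestamps and the five-minute threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CHINA_TELECOM = 4134   # AS4134, named in the article
VERIZON_APAC = 703     # AS703, named in the article
UNEXPECTED_TRANSIT = {CHINA_TELECOM}   # assumed: ASes this traffic should never transit

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple       # leftmost = neighbour that announced it, rightmost = origin
    first_seen: datetime
    last_seen: datetime

def baseline_len(history, prefix):
    """Shortest AS path length seen for the prefix in a trusted history window."""
    return min(len(r.as_path) for r in history if r.prefix == prefix)

def misdirection_reasons(route, history, min_duration=timedelta(minutes=5)):
    """Signals that the route matches the misdirection pattern; empty means it looks normal."""
    reasons = []
    if set(route.as_path[:-1]) & UNEXPECTED_TRANSIT:   # origin excluded, transit hops only
        reasons.append("unexpected transit AS")
    if len(route.as_path) > baseline_len(history, route.prefix):
        reasons.append("lengthened path")
    # Duration only matters for a route that is already anomalous: a brief leak
    # looks like a configuration slip, a sustained one is what the paper flags.
    if reasons and route.last_seen - route.first_seen >= min_duration:
        reasons.append("abnormal duration")
    return reasons

# Constructed sample data: the prefix is normally reached directly via AS703.
T0 = datetime(2017, 1, 1)
HISTORY = [Route("198.51.100.0/24", (64500, VERIZON_APAC), T0, T0 + timedelta(days=30))]
NORMAL = Route("198.51.100.0/24", (64500, VERIZON_APAC),
               T0 + timedelta(days=31), T0 + timedelta(days=60))
# AS4134 re-announcing AS703's prefix: under a minute (as in the 2015 leak) ...
LEAK_BRIEF = Route("198.51.100.0/24", (64500, CHINA_TELECOM, VERIZON_APAC),
                   T0 + timedelta(days=31), T0 + timedelta(days=31, seconds=40))
# ... and the same leak persisting for months.
LEAK_LONG = Route("198.51.100.0/24", (64500, CHINA_TELECOM, VERIZON_APAC),
                  T0 + timedelta(days=31), T0 + timedelta(days=120))

if __name__ == "__main__":
    for r in (NORMAL, LEAK_BRIEF, LEAK_LONG):
        print(r.as_path, misdirection_reasons(r, HISTORY) or "ok")
```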

Madory urges internet service providers to support up-and-coming BGP security standards such as the Internet Engineering Task Force (IETF) standard for RPKI-based AS path verification, spearheaded by Alexander Azimov at QRator Labs.

“China Telecom has been known for poorly maintaining BGP ingress filters, and there were similar events during this year, originating from this network. It’s hard to say if it is done on purpose, but what I can prove is that such problems occur not only within China Telecom,” Azimov tells The Daily Swig.

“Similar traffic redirection issues are also happening at US networks and all over the world, even at the level of Tier-1 providers. Anyway, a result of BGP misconfiguration, accidental or malicious, is traffic redirection.”

The IETF group, he says, has now completed the first draft of a standard aimed at preventing mistakes in BGP configuration.

“The most recent work is devoted to the detection of malicious traffic redirection that may bypass error protection means.

“Unlike its predecessors it doesn't update BGP itself, though, with the new RPKI object providing a way to check crucial BGP path attributes,” he explains.

“With community support, it has a chance to change the landscape of risks at inter-domain routing.”

The Daily Swig has approached China Telecom for comment and will update this article accordingly.