traffic routed through unknown systems in China
am I the only one that finds this suspicious?
Bad routing information sourced from China has disrupted the internet for the second time in a fortnight. Global BGP (Border Gateway Routing) lookup tables sucked in data from a small ISP called IDC China Telecommunication, apparently accidentally broadcast by state-owned carrier China Telecommunications, IDG reports. ISPs …
Let's suppose that gov.cn wanted samples of all Internet traffic to be routed through Chinese networks for purpose of hacking.
For instance, if they have an anti-encryption exploit - or have an idea for one. Or maybe it's just for massive spoofing.
Maybe it was about hacking a few web sites and services under cover of disrupting thousands of sites.
Also: how about this for cyber warfare? Worldwide denial of service?
AS4134 blew my BGP peering session with them yesterday evening but only for a period of about 20 mins. I think this was as a result of mis-configuration. Normally I would only see 5000 prefixes announced by them.
The likes of Level3 et al should know better. Any downstream customer of a Tier 1 should only ever announce infrastructure routes and customer routes. It follows therefore that the upstream provider should set a limit on the number of prefixes they will accept before the peering session is torn down and disabled until the downstream customer corrects their mistake.
Internet is held together with BGP duct tape. There are BCPs to prevent or mitigate mis-configuration issues. But it does happen. It's easily done.
It did happen with Pakistan Telecom a few years back. They started to announce a prefix assigned to AIDSBook (a more specific prefix of one of AIDSBook's RIR allocation). This sucked traffic destined for AIDSBook toward Pakistan Telecom and into a black-hole, taking that associated part of AIDSBook infrastructure offline in a Denial-of-Service.
The standard practice at reputable ISPs is that you document what you or your customers will announce in an RIR such as RIPE - the upstream ISP is supposed to check this is valid and has been rightfully assigned to you/your downstream customers' AS before they will update their prefix/AS-path filters and propagate into the core.
But you can imagine that in Pakistan this sort of thing might get easily over-looked.
Behind the Great FW of China that is China Telecom, AS4134 - there is a very, very powerful network.
"""So anyone could do this deliberately?"""
Not /anyone/ could do this, you have to have some sort of access to BGP as an AS, which isn't super easy to come by, but also not impossible.
And this isn't new at all - people have been doing interesting things with BGP for years, but there's no good way to fix the many problems with the protocol, so everyone just sort of ignores them. Someone managed to hijack the defcon16 internet connection, and did it sneakily enough that they didn't add hops to traceroute or affect TTL or anything. A fair number of people can pretty much do that for any network they want. Yes it's scary, no, it's not going away soon.
If it was deliberate, China would have used an out-of-country network, like a black sheep ISP in the US. It is too obvious to actually route the traffic to China. And if you think it is so obvious, with the intent to make it appear more accidental, China's connections to the outside world are terrible. Tons of congestion, and terrible latency. There isn't enough capacity for their own needs, let alone back-hauling intercepted traffic.
As far as BGP goes, as someone who has worked on a national US ISP network that peered with 100+ networks, there are a variety of practices used. BGP isn't bad, but is sometimes used badly. In this case, a few ISPs got burned by a bad update. And those were big ISPs, so someone noticed. In the future, they are going to be keeping their BGP input filters updated. Sometimes it takes a small outage like this, to get the ops staff to start taking engineering seriously again.
This is a wake-up call. All it takes to get an ASN is paying ARIN a fee. As far as whatever else you have to pay to do it, China surely can afford it.
China spews so much garbage on the internet that it only makes sense that something like this happens. This doesn't sound like a mistake to me, it sounds like something China has been crafting accidentally or intentionally made its debut to see how the interwebz would handle it.
We see how the interwebz handled it. All we hear is "cyberattack cyberattack" and here is a form of a cyberattack and we're told it's a mistake.
Yeah, I'm sorry that our cloned FBI network we host connected to our public. I'm sure the FBI would say, okay, mistake.
More garbage from China, these uplinks of ours know better. They're too busy bitching about having competition.
Let's not get too hysterical about this. All we need is for the US to go all 'War on Cyber Terror' about this and to use it as an excuse to start locking down the internet for your own safety, of course. In fact we should be putting in stuff that allows the internet to stay working even when states, good or evil, try to do this kind of thing. Yeah, BGP has been around for a while....
Maybe they need to develop a certificate system for source address / AS advertisement, so that even if two places are advertising the same source, routers can tell which route is authentic even if a better metric is offered along a bogus route.
BTW have my CCDP exam Monday wish me luck....
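The certificate system proposed above exists today as RPKI route origin validation (RFC 6811): a Route Origin Authorisation (ROA) binds a prefix, a maximum prefix length and the AS allowed to originate it, and a router marks each announcement valid, invalid or not-found against the covering ROAs. The block below is an added example written for this thread, not code from any poster; it implements those rules over constructed ROAs and announcements, using documentation prefixes and private AS numbers, and shows how the "more-specific announced by someone else" hijack described earlier in the thread gets rejected before it can pull traffic into a black hole.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorisation (constructed, not from a real RPKI repository)."""
    prefix: str       # authorised prefix, e.g. "198.51.100.0/24"
    max_length: int   # longest prefix length the holder may announce
    origin_as: int    # AS number authorised to originate it


def covering_roas(roas, announced):
    """Return the ROAs whose prefix covers (equals or contains) the announced prefix."""
    net = ipaddress.ip_network(announced, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def validate(roas, announced, origin_as):
    """RFC 6811 origin validation for one announcement.

    notfound: no ROA covers the prefix (operators usually still accept these)
    valid:    a covering ROA names this origin AS and permits this prefix length
    invalid:  covered, but every covering ROA fails the AS or max-length check
    """
    net = ipaddress.ip_network(announced, strict=False)
    covering = covering_roas(roas, announced)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accepted(roas, announcements):
    """Filter a list of (prefix, origin_as) pairs, dropping only the invalid ones."""
    return [a for a in announcements if validate(roas, a[0], a[1]) != "invalid"]


# Constructed data: AS64500 holds 198.51.100.0/24 and may announce it only as a /24.
ROAS = [Roa("198.51.100.0/24", 24, 64500)]
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),   # legitimate holder         -> valid
    ("198.51.100.0/25", 64501),   # more-specific by other AS -> invalid (the hijack pattern)
    ("203.0.113.0/24", 64501),    # no ROA at all             -> notfound, still accepted
]
```

Note that the holder's own /25 would also be rejected here, because the ROA's max length is 24; loosening max_length is what lets a holder de-aggregate legitimately.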