Chinese Web Hijack Poses Huge Security Risk

When a large amount of global Internet traffic was briefly rerouted through a small Chinese ISP back in April, there was likely little impact on the US government addresses that were affected.

However, the fact that a Chinese ISP could do this should be a significant warning that simple trust isn’t adequate for the security of the Internet. That such a redirection was possible, even briefly, using the fundamentally insecure Border Gateway Protocol tells us that anyone else can do the same thing.

This event took place because the Chinese ISP announced routes that told Internet routers elsewhere that sending traffic through the ISP was the most efficient path. Some routers accepted the announced routes and sent their traffic through this one network. This affected about 15 percent of the world’s Internet sites, including some belonging to the US military and other parts of the US government.

The traffic that was redirected in the US appears to have been email and web traffic. In addition to affecting some government traffic, the redirection also affected some large companies including IBM, Dell and Microsoft. The disruption lasted about 18 minutes back at the beginning of April. The US Congress, having only lately realised that this happened, is demanding an explanation.

Mostly Chinese traffic

So here’s an explanation. Traffic to about 15 percent of web sites was affected. This is not the same thing as 15 percent of all Internet traffic. In fact, the most affected websites were those in Asia, most notably in China. Very little traffic from sites outside China and its immediate neighbors actually went to China before being sent along to its ultimate destination. It’s not clear how much traffic from the US was affected, but it was clearly not much of it.

What’s also not clear is what happened to that Internet traffic while it was transiting that ISP’s network in China. It may have simply been routed across the network and back to its destination. It’s possible that the Chinese government siphoned off some of the traffic for further examination. It’s even possible that they read some of the emails intended for members of Congress.

Assuming the theoretical Chinese monitors survived the experience of reading congressional email, most of the rest was, at least in theory, unclassified in nature. The government doesn’t send classified data across the open Internet for precisely this reason.

But that doesn’t mean the information can’t be used for bad things. First, if you go through a great deal of any communications, including unclassified email, it’s still possible to determine at least the outline of what the traffic means.

So while the details of a classified operation wouldn’t be found, there might be enough references to it that something meaningful could be discerned. To accomplish this, you have to go through a LOT of data. The US used to do this kind of monitoring on the old Soviet Union’s communications by tapping its undersea cables and recording everything. In the process, the spooks involved were eventually able to decrypt the traffic, but in the meantime they could figure out the broad outlines.

The data itself is not the point

The problem here is that there was only 18 minutes of data, most of which was for places like joy.cn, not for army.mil. So even if some information was captured, it was unlikely that it was enough to be useful.

However, the Chinese did learn something that may be extremely useful. They learned that they could, in fact, redirect a significant portion of the world’s traffic through their servers. However, they also found out that network managers noticed.

So the question is, was this really a sort of proof-of-concept? Was the Chinese government really probing the Internet to see what it could do and how quickly it would be found out? If so, they learned that they can, indeed, reroute some of the Internet. They also found out that they would be noticed.

But think about what could be accomplished even with 18 minutes of redirecting the right kind of traffic. You could create targeted Internet outages, for example. You could probably read commercial traffic, which has been a significant target for the Chinese government for a while. You could also disable communications for some agencies for long enough to be a diversion for some other activity.

Furthermore, the Chinese aren’t the only people who now realise that this is possible. Use your imagination and you’ll think of any number of groups for whom disrupting even a portion of international communications would be considered a victory.

This event has also done one other thing that we should thank the Chinese for. It has forcefully illustrated just how susceptible the Internet is to tampering. The problem is, unlike other critical protocols, there is no move to make BGP secure. Basically, if someone decides they want to do something like redirect Internet traffic, they’ll get what they want. There’s no protection. Maybe it’s time that the IETF or some other group started paying attention to this problem.
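The two mechanisms the article describes, an announced route winning simply because it looks shorter or more specific (the paragraph on how the rerouting happened) and the absence of any check on who is allowed to originate a prefix (the paragraph above), can be shown side by side in a small simulation. The following Python is an added example, not code from the article or from any of the networks it names: it models a simplified BGP decision (longest prefix, then shortest AS path) and a table of authorised origins in the shape of RPKI route origin authorisations (ROAs), with the validation states defined in RFC 6811. All prefixes, AS numbers and ROA entries are constructed sample data.

```python
"""Toy model of BGP path selection with and without origin validation.

Added example (not the article's code): the routing table is a list of
announcements, lookup() picks the best route roughly the way a BGP speaker
would (longest matching prefix, then shortest AS path), and
validate_origin() checks the announcement's origin AS against a table of
authorised origins. Every prefix, AS number and ROA below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str                 # announced prefix, e.g. "192.0.2.0/24"
    as_path: tuple              # leftmost = neighbour AS, rightmost = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


# Constructed table of authorised origins, in the shape of RPKI ROAs:
# covered prefix -> (authorised origin AS, maximum allowed prefix length).
ROAS = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 22),
}


def validate_origin(route: Route, roas=ROAS) -> str:
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'not-found'."""
    net = route.network
    covering = [(as_num, max_len) for p, (as_num, max_len) in roas.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "not-found"              # no ROA covers this prefix at all
    for as_num, max_len in covering:
        if route.origin == as_num and net.prefixlen <= max_len:
            return "valid"
    return "invalid"                    # covered, but wrong origin or too specific


def lookup(dest: str, rib, validate=False):
    """Return the route a router would forward dest along: longest matching
    prefix first, then shortest AS path. With validate=True, announcements
    that fail origin validation are dropped before the comparison."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in rib if addr in r.network]
    if validate:
        candidates = [r for r in candidates if validate_origin(r) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -len(r.as_path)))


def flag_invalid(rib):
    """Detection view: (prefix, origin) of every announcement failing validation."""
    return [(r.prefix, r.origin) for r in rib if validate_origin(r) == "invalid"]


# Constructed routing table: two legitimate announcements plus two bogus ones.
RIB = [
    Route("192.0.2.0/24", (64510, 64500)),      # legitimate, two AS hops away
    Route("192.0.2.0/24", (64666,)),            # bogus: same prefix, shorter path
    Route("198.51.100.0/22", (64511, 64501)),   # legitimate aggregate
    Route("198.51.100.0/24", (64666,)),         # bogus: more-specific carve-out
]


if __name__ == "__main__":
    for dest in ("192.0.2.10", "198.51.100.10"):
        print(dest, "no validation ->", lookup(dest, RIB).origin,
              "| with validation ->", lookup(dest, RIB, validate=True).origin)
    print("invalid announcements:", flag_invalid(RIB))
```

Without validation both bogus announcements win, one because its AS path is shorter and one because its prefix is more specific, which is exactly the behaviour the article complains about. With validation both are dropped. The caveat a practitioner should keep in mind is the third state: a prefix with no covering ROA comes back "not-found" and is still accepted, so origin validation only helps for address space whose holders have published ROAs, and it says nothing about whether the rest of the AS path is genuine.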

Wayne Rash

Wayne Rash is senior correspondent for eWEEK and a writer with 30 years of experience. His career includes IT work for the US Air Force.

Comments

  • Arbor Networks chief scientist Craig Labovitz says:

    "Any corruption of DNS or global routing data (whatever the motive) is a cause of significant concern and reiterates the need for routing and DNS security. But in an industry crowded with security marketing and hype, it is important we limit the hyperbole and keep the discussion focused around the legitimate long-term infrastructure security threats and focused on technical realities.

    "ATLAS data from 80 carriers around the world graphed below shows no statistically significant increase due to the hijack on April 14, 2010. I highlight April 14th in yellow.

    "While traffic may have increased slightly to the Chinese Internet provider (AS23724), I’d estimate traffic never topped 1Gbps. And on an Internet quickly approaching 80Tbps, 1Gbps of traffic is far from 15% (much closer to 0.015%)."
