News Analysis: The apparently innocuous rerouting of some Internet traffic through a Chinese ISP is a warning that next time it could be a real malicious event.
When a large amount of global Internet traffic was briefly rerouted through a small Chinese ISP back in April, there was likely little impact on the U.S. government addresses that were affected.
However, the fact that a Chinese ISP could do this should be a significant warning that simple trust isn't adequate for the security of the Internet. That such a redirection was possible, even briefly, using the fundamentally insecure Border Gateway Protocol tells us that anyone else can do the same thing.
This event took place because the Chinese ISP announced alternative routes that told other Internet routers that sending traffic through the ISP was the most efficient path. Some routers accepted the announced routes and sent the traffic through this one network. This affected about 15 percent of the world's Internet sites, including some belonging to the U.S. military and other parts of the U.S. government.
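As an added illustration (not code from the original article or from any router vendor), the following simplified model shows why plain BGP accepts a "better" route on trust, and how RPKI origin validation, the check that lets a router reject an announcement from an AS not authorised to originate a prefix, changes the outcome. All ASNs, prefixes and ROAs are constructed, and the best-path logic is reduced to AS_PATH length.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed, simplified model of the check that plain BGP lacks: RPKI origin
# validation (RFC 6811 states) followed by a reduced best-path decision.
# Not the article's code or any router vendor's implementation; every ASN,
# prefix and ROA below is made up for illustration.

@dataclass(frozen=True)
class Route:
    prefix: str       # announced prefix, e.g. "192.0.2.0/24"
    as_path: tuple    # ASNs the announcement traversed; origin AS is last

@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the holder authorised
    origin_as: int    # the only AS allowed to originate it
    max_length: int   # longest (most specific) prefix length permitted

def validate_origin(route, roas):
    """Return 'valid', 'invalid' or 'not-found' for a route against ROAs."""
    net = ip_network(route.prefix)
    origin = route.as_path[-1]
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "not-found"      # no ROA: plain BGP behaviour, route is trusted
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"            # wrong origin AS or too-specific prefix

def best_path(candidates, roas):
    """Drop 'invalid' routes, then pick the shortest AS_PATH (ignores local-pref,
    MED and the other tie-breakers of the real BGP decision process)."""
    usable = [r for r in candidates if validate_origin(r, roas) != "invalid"]
    return min(usable, key=lambda r: len(r.as_path)) if usable else None

# Constructed scenario: the legitimate route reaches us through two ASes,
# while a rogue AS announces the same prefix directly (a shorter, "better" path).
LEGIT = Route("192.0.2.0/24", (64500, 64510))
HIJACK = Route("192.0.2.0/24", (64520,))
ROAS = [ROA("192.0.2.0/24", 64510, 24)]

if __name__ == "__main__":
    # Without ROAs the shorter rogue path wins; with the ROA it is rejected.
    print("no ROAs :", best_path([LEGIT, HIJACK], []).as_path)   # (64520,)
    print("with ROA:", best_path([LEGIT, HIJACK], ROAS).as_path)  # (64500, 64510)
```

With an empty ROA set the model reproduces what the article describes: the announcement with the shorter path is simply believed. Once a ROA names the legitimate origin, the same announcement is classed invalid and never reaches path selection.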
The traffic that was redirected in the U.S. appears to have been e-mail and Web traffic. In addition to affecting some government traffic, the redirection also affected some large companies including IBM, Dell and Microsoft. The disruption lasted about 18 minutes back at the beginning of April. The U.S. Congress, having only lately realized that this happened, is demanding an explanation.
So here's an explanation.
Traffic to about 15 percent of Web sites was affected. This is not the same thing as 15 percent of all Internet traffic. In fact, the most affected Web sites were those in Asia, most notably in China. Very little traffic from sites outside China and its immediate neighbors actually went to China before being sent along to its ultimate destination. It's not clear how much traffic from the U.S. was affected, but it was clearly not much of it.
What's also not clear is what happened to that Internet traffic while it was transiting that ISP's network in China. It may have simply been routed across the network and back to its destination. It's possible that the Chinese government siphoned off some of the traffic for further examination. It's even possible that they read some of the e-mail intended for members of Congress.
Assuming the theoretical Chinese monitors survived the experience of reading congressional e-mail, most of the rest was, at least in theory, unclassified in nature. The government doesn't send classified data across the open Internet for precisely this reason.