Analysis of actual data from the April 8 BGP hijack by China Telecom indicates reports of 15 percent of Internet traffic being diverted are incorrect and overhyped, experts say.
The furor over a Chinese Internet service provider
hijacking Internet traffic in April is in danger of being overhyped and
obscuring real security issues, according to security experts.
The hijacking incident occurred for 18 minutes on April
8, when China
largest Internet service provider, published a set of instructions under the
Border Gateway Protocol (BGP) that
incorrectly directed Web traffic from about 37,000 networks to route through
its servers. According to BGPmon
group that collects routing data from around the world, China Telecom normally
routes about 40 networks.
Economic and Security Review Commission report
addressed the incident,
noting that the "erroneous" network traffic instructions routed Internet
traffic through Chinese servers. "Other servers around the world quickly
adopted these paths, routing all traffic to about 15 percent of the Internet's
destinations through servers located in China,"
the report said.
That "15 percent" appeared to be problematic
for many security experts. Craig Labovitz, chief scientist at Arbor
, told eWEEK that despite sundry reports and analysis, the hijack
did not route 15 percent of Internet traffic.
"This information didn't propagate. It didn't impact
the world," Labovitz said.
Labovitz compared China Telecom's publishing BGP
instructions to publishing a "corrupted" telephone directory. While
the potential was there for traffic to get misrouted, the directory, or the
actual instructions, did not actually spread very far, he said.
Even though China Telecom claimed to route networks not
assigned to them, "only about 10 percent" propagated outside of China,
according to the BGPmon blog. The majority were Chinese networks, although Websites
belonging to CNN, Dell and Amazon were on the list.
also listed specific U.S.
government-owned sites, including those belonging to all four military
branches, the office of the Secretary of Defense and NASA, as well as Yahoo and
"Most of the Internet ignored the hijack for various
technical reasons," wrote Labovitz on his blog.
Labovitz cited an April post from Robert
Kisteleki of R??Â«seaux IP Europ??Â«ens
(RIPE, French for "European IP
Networks") claiming the incorrect instructions had not reached European
networks. "No one in Europe actually got diverted,"
and the ones mostly affected were the Chinese networks, said Labovitz.
Arbor Networks also collects information from about 120
carriers around the world, collecting real-time data about their traffic in its
ATLAS system. The ATLAS data can be viewed on a country level, and Labovitz
said there was no "statistically significant increase" in traffic
being routed to China
on April 8. "Diverting 15 percent of the Internet even for just 15 minutes
would be a major event," said Labovitz, and would have shown up as a
significant spike in ATLAS' country data.
If European traffic was unaffected and the data doesn't
show a traffic spike to China,
what could have happened?
Labovitz said that "15 percent" could refer to
actual routes, or the instructions, China Telecom published, and not actual
Internet traffic volume. So it was possible-and more likely-that China Telecom
took it upon itself to claim 15 percent of all the routes that it wasn't
assigned to, and that was significantly different from actual Web traffic, said
The language in the report doesn't explicitly state
whether it refers to traffic or routes.
Labovitz expressed concern over the lack of security in
DNS, saying the world was on "borrowed time" before a serious
incident occurred. But he said that misrepresenting the incident was dangerous.
It obscured "important security issues" surrounding the fact that
Internet traffic was routed on a system relying "primarily on trust"
and had no security standards.
"But in an industry crowded with security marketing
and hype, it is important we limit the hyperbole and keep the discussion focused
around the legitimate long-term infrastructure security threats and technical
realities," Labovitz wrote.
While the report did not outright accuse the Chinese
wireless service provider of doing harm, the commission said "the
capability could enable severe malicious activities."
So how much traffic really did get diverted? Labovitz
hedged his reply, saying the significance depended on actual companies and
sites affected, before saying his data shows the actual number was "orders
and orders of magnitude smaller, at 0.015 percent."
China Telecom has called the accusations "groundless"
and that it "has never done such an act." Labovitz and several other
industry watchers have speculated that it was an accident because of the
incident's short interval.