Claims China Hijacked '15 Percent' of Web Traffic Are 'Overhyped,' Experts Say

Analysis of actual data from the April 8 BGP hijack by China Telecom indicates reports of 15 percent of Internet traffic being diverted are incorrect and overhyped, experts say.

The furor over a Chinese Internet service provider hijacking Internet traffic in April is in danger of being overhyped and obscuring real security issues, according to security experts.

The hijacking incident occurred for 18 minutes on April 8, when China Telecom, China's largest Internet service provider, published a set of instructions under the Border Gateway Protocol (BGP) that incorrectly directed Web traffic from about 37,000 networks to route through its servers. According to BGPmon, a group that collects routing data from around the world, China Telecom normally routes about 40 networks.

The U.S.-China Economic and Security Review Commission report addressed the incident, noting that the "erroneous" network traffic instructions routed Internet traffic through Chinese servers. "Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet's destinations through servers located in China," the report said.

That "15 percent" appeared to be problematic for many security experts. Craig Labovitz, chief scientist at Arbor Networks, told eWEEK that despite sundry reports and analysis, the hijack did not route 15 percent of Internet traffic.

"This information didn't propagate. It didn't impact the world," Labovitz said.

Labovitz compared China Telecom's publishing BGP instructions to publishing a "corrupted" telephone directory. While the potential was there for traffic to get misrouted, the directory, or the actual instructions, did not actually spread very far, he said.

Even though China Telecom claimed to route networks not assigned to them, "only about 10 percent" propagated outside of China, according to the BGPmon blog. The majority were Chinese networks, although Websites belonging to CNN, Dell and Amazon were on the list.

The Congressional report also listed specific U.S. government-owned sites, including those belonging to all four military branches, the office of the Secretary of Defense and NASA, as well as Yahoo and Microsoft.

"Most of the Internet ignored the hijack for various technical reasons," wrote Labovitz on his blog.

Labovitz cited an April post from Robert Kisteleki of R??«seaux IP Europ??«ens (RIPE, French for "European IP Networks") claiming the incorrect instructions had not reached European networks. "No one in Europe actually got diverted," and the ones mostly affected were the Chinese networks, said Labovitz.

Arbor Networks also collects information from about 120 carriers around the world, collecting real-time data about their traffic in its ATLAS system. The ATLAS data can be viewed on a country level, and Labovitz said there was no "statistically significant increase" in traffic being routed to China on April 8. "Diverting 15 percent of the Internet even for just 15 minutes would be a major event," said Labovitz, and would have shown up as a significant spike in ATLAS' country data.

If European traffic was unaffected and the data doesn't show a traffic spike to China, what could have happened?

Labovitz said that "15 percent" could refer to actual routes, or the instructions, China Telecom published, and not actual Internet traffic volume. So it was possible-and more likely-that China Telecom took it upon itself to claim 15 percent of all the routes that it wasn't assigned to, and that was significantly different from actual Web traffic, said Labovitz.

The language in the report doesn't explicitly state whether it refers to traffic or routes.

Labovitz expressed concern over the lack of security in DNS, saying the world was on "borrowed time" before a serious incident occurred. But he said that misrepresenting the incident was dangerous. It obscured "important security issues" surrounding the fact that Internet traffic was routed on a system relying "primarily on trust" and had no security standards.

"But in an industry crowded with security marketing and hype, it is important we limit the hyperbole and keep the discussion focused around the legitimate long-term infrastructure security threats and technical realities," Labovitz wrote.

While the report did not outright accuse the Chinese wireless service provider of doing harm, the commission said "the capability could enable severe malicious activities."

So how much traffic really did get diverted? Labovitz hedged his reply, saying the significance depended on actual companies and sites affected, before saying his data shows the actual number was "orders and orders of magnitude smaller, at 0.015 percent."

China Telecom has called the accusations "groundless" and that it "has never done such an act." Labovitz and several other industry watchers have speculated that it was an accident because of the incident's short interval.