Chinese BGP hijack, putting things into perspective

Posted by Andree Toonk - November 21, 2010 - Hijack - 2 Comments


Everyone who follows Internet security just a little bit will have seen an article this week talking about the Chinese BGP hijack in April of this year. I’ve seen articles on Fox, BBC, CBC, Slashdot and the nationaldefensemagazine.org. Apparently Wolf Blitzer talked about it on CNN and the BBC on one of its radio channels (starts at 1h:34min). All of these stories are in response to a report to the US congress from the ‘US China Economic and Security Review Commission’. The actual report can be found here , details about this specific incidents can be found on page 243. This report references BGPmon.net as the source of its data for this incident.

China denies hijacking
Interestingly several stories have reported that China denied any hijack of internet traffic. It’s unclear what ‘exactly’ they deny, but it’s a fact that they hijacked a significant portion of the Internet routes. Proof of this has been published by BGPmon as well as Renesys.

Prefixes does not equal Traffic
The report to Congress mentions that according to BGPmon.net: “The Chinese telecommunications firm ‘‘hijacked’’ massive volumes of Internet traffic”. Although close, this is technically incorrect. In April I reported that ~37,000 unique prefixes were announced by AS23724 (one of the Data Centers operated by China Telecom, China’s largest ISP). This is approximately 11% of the total number of prefixes in April 2010.
However, as Craig Labovitz of Arbor networks explains, the number of prefixes ‘hijacked’ is not necessarily equal to the amount of traffic hijacked. Craig analyzed Arbor’s ‘Atlas’ data and published an excellent blog article about this here.

Putting things into perspective
The report also states that the incident affected traffic to and from U.S. government (.gov) and military (.mil) sites, including those for the Senate, the army, the navy, the Marine Corps, the air force and several others. While this is factually correct, it has to be understood that because of the large amount of affected networks, it’s only logical that some of these sites were affected as well.
To put things in perspective, according to our analysis in April, 10547 US networks and 10298 Chinese networks were affected by this incident. If you keep in mind that there are 10 times more US registered prefixes (128471) than Chinese registered prefixes (12346) (Source: BGPmon weathermap) you should now also understand that the China was 10 times more affected than the US. If this attack were intentional, why would they hijack their own space?

Having said that, most of what was reported in the report is correct. This includes that it’s unknown if this was perpetrated intentionally. As well as that it’s currently unknown what, if anything, was done with this data.

This event again shows how vulnerable the BGP routing infrastructure is. Some of the media have done a good job of describing what could happen in case an attack like this is intentional. Data could be stored, altered or just be thrown away. The Internet community has been working on securing the routing system for a while, but progress is slow. In the mean time all we can do is keep a good eye on our networks by monitoring carefully.

2 comments

  • andree says:

    I received several requests from people to check if their network was affected.
    I generated a new more detailed list of networks affected, including AS numbers and descriptions of AS and prefix.

    Just search for your AS in this list:
    http://www.bgpmon.net/prefix-detail-apr8-2010.txt

    For those interested here are ‘some’ of the US government prefixes that were affected:

    138.18.0.0/16|US|668|ASN-DREN-NET - DoD Network Information Center|Defense Research and Engineering Network
    164.49.0.0/16|US|668|ASN-DREN-NET - DoD Network Information Center|US Army Space and Strategic Defense
    192.5.18.0/24|US|22238|DARPA - Defense Advanced Research Projects Agency(DARPA)|RS Information Services-AS22238(added by MAINT-AS6517)
    129.109.241.0/24|US|6922|TEXASAGENCYNET - Texas Department of Information Resources|
    152.132.192.0/19|US|29992|VA-TMP-CORE - Department of Veterans Affairs|
    152.119.0.0/16|US|2576|DOT-AS - U. S. Department of Transportation|USDOT
    206.212.160.0/19|US|33138|AS-NYPD - New York City Police Department|
    205.83.128.0/19|US|27066|DNIC-ASBLK-27032-27159 - DoD Network Information Center|
    12.196.34.0/23|US|3495|SENATE-AS - US Senate|
    12.32.27.0/24|US|3495|SENATE-AS - US Senate|
    156.33.0.0/17|US|3495|SENATE-AS - US Senate|
    156.33.0.0/17|US|3495|SENATE-AS - US Senate|
    156.33.128.0/17|US|3495|SENATE-AS - US Senate|
    156.33.255.0/24|US|3495|SENATE-AS - US Senate|
    63.82.114.0/24|US|3495|SENATE-AS - US Senate|
    63.82.116.0/24|US|3495|SENATE-AS - US Senate|
    63.82.118.0/24|US|3495|SENATE-AS - US Senate|
    
  • blqblqblq says:

    I am not sure where you’re getting your info, however great topic. I must spend some time learning more or understanding more. Thank you for excellent info I used to be in search of this information for my mission.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>