Chinese ISP hijacks the Internet
This morning many BGPmon.net users received an alert regarding a possible prefix hijack by a Chinese network. AS23724 is one of the data centers operated by China Telecom, China's largest ISP. Normally AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation) only originates about 40 prefixes; today, however, for about 15 minutes it originated about 37,000 unique prefixes that are not assigned to it. This is what we typically call a prefix hijack.
This incident follows another concerning incident from China 2 weeks ago.
Although it seems they have leaked a whole table, only about 10% of these prefixes propagated outside of the Chinese network. These include prefixes for popular websites such as dell.com, cnn.com, www.amazon.de, www.rapidshare.com and www.geocities.jp.
A large number of networks impacted this morning were actually Chinese networks. These include some popular Chinese websites such as www.joy.cn, www.pconline.com.cn, www.huanqiu.com, www.tianya.cn and www.chinaz.com.
A list of all prefixes that were announced/hijacked can be found here
The event has been detected globally by peers in the Netherlands, UK, Russia, Italy, Sweden, USA, Japan and Brazil. However, not all individual prefix 'hijacks' were detected globally: many were seen only by a few peers in one or two countries, but some by more.
Some details
All announcements had part of the AS path in common. The common part of the AS path is (note the prepend):
4134 23724 23724
Which are:
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
ASNs peering with AS4134 seem to have picked this up and propagated it to their customers.
Some of these ASNs include:
AS9002 RETN-AS ReTN.net Autonomous System
AS12956 TELEFONICA Telefonica Backbone Autonomous System
AS209 ASN-QWEST - Qwest Communications Company, LLC
AS3320 DTAG Deutsche Telekom AG
AS3356 LEVEL3 Level 3 Communications
AS7018 ATT-INTERNET4 - AT&T WorldNet Services
All RIS peers that detected this were behind (as transit customer or peer) one of those ASNs.
AS2914 NTT-COMMUNICATIONS-2914 - NTT America, Inc. customers
Looking at more routing information, it seems that AS2914 saw more than just the 10% mentioned above, so the impact for NTT America customers might have been bigger.
Impact
28% of the RIS collectors used by BGPmon.net have detected these events. This means that quite a number of networks were impacted by this. The first announcement was detected at 2010-04-08 17:54:31 (UTC), the last 'hijack' announcement was at 2010-04-08 18:10:14.
Most 'alerts' have now been cleared; they typically lasted a few minutes.
Probably more than the 51 peers mentioned above would have detected the prefix but would not have chosen it as the best path, most likely due to AS path length or other policies. I believe it's fair to assume that the impact in China and probably Asia was far bigger than in the rest of the world.
Possible Cause
I have not spoken with engineers from AS23724, so I can only speculate. Given the large number of prefixes and the short interval, I don't believe this is an intentional hijack.
Most likely it's because of a configuration issue, i.e. fat fingers. But again, this is just speculation.
Prefix distribution
Most prefixes impacted by this were prefixes from the US and China. Below you'll find the top countries impacted:
Country => number of prefixes hijacked by AS23724
US => 10547
CN => 10298
KR => 2857
AU => 1650
MX => 885
IN => 719
JP => 604
BR => 592
FR => 508
RU => 471
CA => 425
TH => 372
ID => 369
IT => 338
CO => 328
GB => 322
CL => 302
SE => 281
HK => 276
EC => 272
DE => 227
Example alert message
====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix: 203.190.56.0/21:
Prefix Description: www.infoseek.co.jp
Update time: 2010-04-08 16:09 (UTC)
Detected by #peers: 4
Detected prefix: 203.190.56.0/21
Announced by: AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation)
Upstream AS: AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street)
ASpath: 8331 9002 9002 4134 23724 23724
Alert details: http://bgpmon.net/alerts.php?details&alert_id=6617721
Mark as false alert: http://bgpmon.net/fp.php?aid=6617721
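The origin-AS check behind an alert like the one above, as an added example (not BGPmon's own code): it collapses the prepend in paths like 4134 23724 23724, flags announcements whose origin AS differs from the expected origin for a monitored prefix, and fills in the 'Detected by #peers', 'Announced by' and 'Upstream AS' fields. The expected-origin table, the AS64500/AS64501 stand-in owners and the route-collector records are constructed for the example.

```python
from collections import defaultdict

# Constructed table of expected origin ASN per monitored prefix; AS64500/AS64501 are
# documentation ASNs standing in for the real owners (not from the original post).
EXPECTED_ORIGIN = {"203.190.56.0/21": 64500, "192.0.2.0/24": 64501}

# Constructed route-collector records, "<peer_asn> <prefix> <as_path>". The first
# three mirror the incident's common path tail "4134 23724 23724" (note the prepend).
SAMPLE_UPDATES = """\
8331 203.190.56.0/21 8331 9002 9002 4134 23724 23724
3356 203.190.56.0/21 3356 4134 23724 23724
7018 203.190.56.0/21 7018 4134 23724
2914 192.0.2.0/24 2914 64501
8331 203.190.56.0/21 8331 9002 64500
"""

def collapse_prepends(path):
    """Drop consecutive repeats (AS path prepending): [4134, 23724, 23724] -> [4134, 23724]."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def detect_hijacks(text, expected=EXPECTED_ORIGIN):
    """Group announcements whose origin AS is not the expected one, keyed by
    (prefix, origin AS), recording which peers saw it and the origin's upstream AS."""
    alerts = defaultdict(lambda: {"peers": set(), "upstreams": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        peer, prefix, path = int(fields[0]), fields[1], [int(a) for a in fields[2:]]
        if prefix not in expected:  # only monitored prefixes raise alerts
            continue
        clean = collapse_prepends(path)
        origin = clean[-1]
        if origin == expected[prefix]:
            continue  # legitimate announcement, e.g. the last sample record
        alerts[(prefix, origin)]["peers"].add(peer)
        if len(clean) >= 2:
            alerts[(prefix, origin)]["upstreams"].add(clean[-2])
    return dict(alerts)

def format_alert(prefix, origin, info):
    """Render the fields a BGPmon-style 'Possible Prefix Hijack' alert carries."""
    upstream = ",".join(f"AS{a}" for a in sorted(info["upstreams"]))
    return (f"Possible Prefix Hijack\nYour prefix: {prefix}\n"
            f"Detected by #peers: {len(info['peers'])}\n"
            f"Announced by: AS{origin}\nUpstream AS: {upstream}")
```

Peers that kept a better (shorter or policy-preferred) path never report the hijacked route, which is why real alerts list only the subset of peers that switched to it.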
25 comments
[…] For the second time in two weeks, bad networking information spreading from China has disrupted the Internet. […]
[…] the folks at BGPMon, who monitor such things, discovered that IDC-China Telecom had leaked spurious route announcements for such popular sites as dell.com, […]
[…] recent incident (ok 2 recent incidents) shows how scary dependence on DNS can be. Hosted VoIP solutions are […]
[…] Bad routing information sourced from China has disrupted the internet for the second time in a fortnight. […]
[…] said Andree Toonk, founder and lead developer of BGPmon.net, a BGP monitoring service that has been tracking the situation.[..]
[…] there is information at bgmon.net http://bgpmon.net/?p=282 they are also following the […]
[…] said Andree Toonk, founder and lead developer of BGPmon.net, a BGP monitoring service that has been tracking the situation. “Many people probably didn’t prefer the path because they had a better […]
[…] the folks at BGPMon, who monitor such things, discovered that IDC-China Telecom had leaked spurious route announcements for such popular sites as dell.com, […]
[…] Defense Magazine has a story about an incident in April of 2010 where China hijacked a significant portion of the Internet including many networks in the United States. One would think that such a significant incident […]
This is an excellent and very thorough analysis of what happened. Thank you for providing this valuable information!
[…] The BGP incident overview on bgpmon.net. […]
[…] large volumes of traffic were involved. And curiously, the cited blog at the heart of the report never mentions traffic at all — only routes. You have to go to an interview with a third-party security researcher in a […]
[…] incorrectly rerouted Web traffic from about 37,000 networks through its servers. According to BGPmon, a group that collects routing data from around the world, China Telecom normally routes about 40 […]
[…] they hijacked a significant portion of the Internet routes. Proof of this has been published by BGPmon as well as […]
[…] According to Labovitz, this appears to have been calculated by comparing the 40,000 affected BGP routes to the 340,000 in the routing table as a whole, a calculation originally cited by the industry BGPmon website. […]
[…] Discussion of the April China BGP Hijack Incident My blog post last week on the April 8th China BGP hijack incident generated significant discussion and raised additional questions in both the media and research / […]
[…] doesn’t correlate to 15 percent of all Net traffic. (Craig Labovitz of Arbor Networks and BGPMon.net both have good summary analyses of what […]
[…] suggestion that any unencrypted sensitive data was intercepted by China during that time. (Source: BGPmon, plus the more knowledgeable comments on Slashdot and Reddit.) The Royal Navy’s website was […]
[…] gets, all the traffic now goes to Kazakhstan… A fundamental bug that has already been exploited before […]
[…] described the situation as “an administrative nightmare.” In April 2010, a huge amount of Internet traffic was diverted by hackers traced to China. Diverted email messages could easily have been copied and methodically searched. According to the […]
[…] blog post last week on the April 8th China BGP hijack incident generated significant discussion and raised additional questions in both the media and research / […]
[…] To review, shortly around 4am GMT on April 8th a Chinese Internet provider announced 40,000 routes belonging to other ISPs / enterprises around the world (though many were for China based companies). During a subsequent roughly 15 minute window, a small percentage of Internet providers around the world redirected traffic for a small percentage of these routes to Chinese address space. RIPE provides a link to a list of some of these prefixes (as well as indicating the impact on European carriers was minimal) and Andree Toonk and his colleagues at BGPmon have a nice synopsis at the BGPMon blog. […]
[…] There are also vulnerabilities in the protocol at the core of the internet – the Border Gateway Protocol (BGP) – that have led to some failures. In 2010 a Chinese ISP caused a brief outage of a substantial part of the internet through what is thought to be a BGP configuration error. […]
[…] suggestion that any unencrypted sensitive data was intercepted by China during that time. (Source: BGPmon, plus the more knowledgeable comments on Slashdot and Reddit.) The Royal Navy’s website was […]
[…] Human error can also cause major problems. Publishing incorrect rules which are then blindly accepted by other nodes can be done accidentally or deliberately, resulting in blocking IP access worldwide (e.g. Pakistan blocking YouTube in 2008 and a Chinese ISP hijacking certain IPs in 2010). […]