
China Telecom Hijacks US, Canadian Internet Traffic On a Regular Basis, Report Says (itnews.com.au) 64

Bismillah writes: China Telecom is up to no good with Border Gateway Protocol (BGP) shenanigans, researchers have discovered. The state-owned telco is hijacking and rerouting internet traffic to China via its U.S. and Canadian points of presence (PoPs). As for how the researchers came to their conclusion, they reportedly "built a route tracing system that monitors BGP announcements and which picks up on patterns suggesting accidental or deliberate hijacks and discovered multiple attacks by China Telecom over the past few years," reports iTNews.

In one example occurring in 2016, "China Telecom diverted traffic between Canada and Korean government networks to its PoP in Toronto," the report says. "From there, traffic was forwarded to the China Telecom PoP on the U.S. West Coast and sent to China, and finally delivered to Korea. Normally, the traffic would take a shorter route, going between Canada, the U.S. and directly to Korea." The telecommunications company is able to reroute the traffic by announcing fake routes via the BGP, which "governs data flow between Autonomous Systems, the large networks operated by telcos, internet providers and corporations."

  • by Anonymous Coward on Thursday October 25, 2018 @10:36PM (#57538147)

    Is anyone going to impose any actual consequences, or are they just too damn big?

    • We could just block bgp updates from them. You got a new network? Too bad no one can find it!
      • by Anonymous Coward

        My hunch is that they are doing this at peering exchanges where you normally have wide open filters with a prefix limit.

        If they keep pulling this kind of route hijacking, you could probably set up bgpmon and set up a script to auto-block any prefixes they are hijacking.

    • by Narcocide ( 102829 ) on Thursday October 25, 2018 @11:03PM (#57538207) Homepage

      Oh, I have an idea. How about we stop allowing border gateway maintenance to be policed exclusively by the honor system?

      • There are moves afoot to address this, but not currently going so well: https://blog.apnic.net/2018/10... [apnic.net]

        The first is that only 63 networks appear to reject routes where the ROA indicates an invalid origination of the route. Out of some 63,000 networks in today’s routing system that’s a very small number. Hopefully, this situation will improve over time.

        The second observation is that the ROAs would only have been effective if these route leaks were inadvertent operational mistakes. If these
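
Route origin validation against ROAs, the check the comments above refer to, sketched as an added example (not part of the original thread or the linked posts). The ROAs, prefixes and AS numbers are constructed from documentation ranges, and `validate` and `rejected` are hypothetical names; a real deployment takes validated ROA payloads from an RPKI validator rather than a hard-coded list.

```python
import ipaddress

# Constructed sample ROAs: (prefix, maxLength, authorized origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the announced prefix lies inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the authorized origin and a length within maxLength.
        # AS 0 in a ROA never matches any route.
        if roa_asn != 0 and origin_asn == roa_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: reject.
    return "invalid" if covered else "not-found"

def rejected(announcements, roas=ROAS):
    """Return the announcements a 'drop invalids' policy would filter out."""
    return [a for a in announcements if validate(a[0], a[1], roas) == "invalid"]

# Constructed sample announcements: (prefix, origin ASN).
SAMPLE = [
    ("192.0.2.0/24", 64500),     # authorized origin
    ("192.0.2.0/24", 64666),     # wrong origin AS
    ("192.0.2.128/25", 64500),   # right origin, more specific than maxLength
    ("2001:db8:1::/48", 64501),  # within maxLength 48
    ("203.0.113.0/24", 64502),   # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE:
        print(f"{prefix:18} AS{asn}: {validate(prefix, asn)}")
```

Routes with no covering ROA come back as `not-found` and are normally still accepted, so this policy only protects prefixes whose holders have published ROAs.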

  • so use RPKI (Score:5, Informative)

    by johnjones ( 14274 ) on Thursday October 25, 2018 @10:39PM (#57538157) Homepage Journal

    the canadian government is surprised to find china did exactly the same thing to them as they did to china...

    come on just implement signing and validation...
    https://blog.benjojo.co.uk/post/are-bgps-security-features-working-yet-rpki

    also get on your DNSSEC and DANE implementations

    • Re: (Score:3, Insightful)

      by houstonbofh ( 602064 )
      Or just block bgp from China entirely. Yes, it would suck for them. So sad. :)
      • by jon3k ( 691256 )
        Who? Every other country on earth? Otherwise traffic would just pass through some other transit network. Not every country is directly connected to a network physically inside China.
  • Repeat after me (Score:5, Interesting)

    by Nkwe ( 604125 ) on Thursday October 25, 2018 @11:04PM (#57538209)
    "The Internet is not a secure network."

    As an Internet user you have no control over where your packets go or how they are routed. China could re-route them. The NSA could re-route them. Your ISP could re-route them. The only "guarantee" you get is the Internet will try really hard to get your packets there by any means necessary. Because there is no way to know where your packets are going to go, you should assume that *anyone* could be reading your packets. ("Packets" meaning the web pages you browse, the credit card details you enter on a website, the emails you send, etc.)

    This of course doesn't matter because you encrypt everything you send across the Internet right?
    • by Kaenneth ( 82978 )

      Tor in a VPN in another VPN.

    • by Anonymous Coward

      Encryption is not a fix-all measure.
      It can be hacked or circumvented (corrupted certificate system for example).
      You do not always have the choice to select your desired level of encryption (accessing internet based services)
      And metadata is data too.

  • by Anonymous Coward

    I've given up trying to tell ISPs when their networks are hijacked (it happens, a lot). It's not just China either, Comcast likes to engage in its own hijacking for example. Many networks simply don't give a shit or want free consulting.

    I'm sure there are some of you here that understand BGP but for the rest, in short it's not necessarily a case of Provider C announces Provider A's networks such that Provider B routes through C. There are quite a few metrics that go into how routers decide one route

  • by Anonymous Coward

    Just encrypt your traffic.

  • The fact that the Internet's design allows this behavior has been known for decades. The only thing that is new is China was caught doing it, though probably most world governments have done it by now. That is why many in the industry are pushing for 100% HTTPS adoption. It's free and easy now thanks to https://letsencrypt.org/ [letsencrypt.org]
  • USA is worse. (Score:1, Flamebait)

    by stooo ( 2202012 )

    >> China Telecom Hijacks US, Canadian Internet Traffic On a Regular Basis, Report Says

    Stop whining when others follow your bad example!
    "USA Government Hijacks Worldwide Internet Traffic On a Constant Basis"
    Everybody.
    All the time.
    Consistently.

    Get real solid open encryption, and stop whining.

  • Was this China just spying, or did they modify the data? If the first, then not as big a deal. But modified data could be seen as an act of war. it
  • by Anonymous Coward

    well, you see the beginning of the story. I am a client of China-telecom, but I find my CN-2-CN traffic is routed via China-Taiwan node (yep. you can say it is china), which makes no sense at all. Judging from this report, it is some Canada-China-(another AS)-(perhaps China again)-specified destination. In my understanding it is now a Tor-like relaying structure.

    To make it worse, in order to protect China's internet censor system (content review on .., e.g,, similar to china's version of whatisup message, n

  • by WindBourne ( 631190 ) on Friday October 26, 2018 @07:52AM (#57539187) Journal
    Seriously, it is time for the west to really make the move to IPv6. Protocols like SEND would help make a difference. We would have far fewer issues all the way around.
  • by Kvasio ( 127200 ) on Friday October 26, 2018 @07:57AM (#57539205)

    I still wonder why instead of current economic sanctions on Russia, USA did not enforce "cut all BGP traffic to Russia; if 3rd country operator transfers BGP traffic for Russia, it gets cut away". Just like in 2001 they forced nearly all nations to join "battle on terrorism".
    It would be much more efficient, resulting in:
    - cutting Russian hackers
    - cutting Russian troll factories influencing US politics
    - cutting Russian espionage
    Just profit. Losses minimal compared to profits.

    With China such sanction would be more difficult, on the other hand it would make making business with China much more difficult, so easier to replace Chinese products with local ones.

  • The solution to this is of course not allowing the China Telecom to add anything to the BGP. Very simple.

  • I'm going to write a very angry letter to Ottawa!

    Signed,
    a Canadian.
