Oracle 'net-watcher agrees, China Telecom is a repeat offender for misdirecting traffic
Network admins really need to mind their MANRS
Oracle has backed claims that China Telecom Border Gateway Protocol (BGP) announcements regularly take internet traffic on an unwanted tour of the Middle Kingdom.
At the end of October, a paper by Chris Demchak of the US Naval War College and Yuval Shavit from Tel Aviv University documented what the pair said were "unusual and systematic hijacking patterns associated with China Telecom" (PDF).
Now that report has received a degree of corroboration from Oracle Internet Intelligence (OII).
While declining to comment on possible motivations, OII's Director of Internet Analysis Doug Madory blogged today that he "expended a great deal of effort" to end traffic misdirection by China Telecom in 2017.
As evidence, Madory described a leak lasting "less than a minute" from 2015, when an announcement from China Telecom's AS4134 resulted in transit customer South Korea Broadband (AS9318) sending traffic to China via Verizon APAC (AS703).
That event illustrated how far an error can reach and how long it could persist: 18 months later, traffic starting out in a Telia router in London, and destined for Australia's Department of Defence, was sent to Verizon APAC via China Telecom. Madory provided a traceroute as proof:
In other words, having let their systems accept the route announcements, network admins failed to correct the error for up to two-and-a-half years.
Madory told The Register: "BGP routes from Verizon APAC were partially routed through China Telecom beginning in December 2015 and going until April 2018 (~2.5 years). Those routes should never have gone through China Telecom for anywhere except in China."
Verizon APAC errors had a knock-on effect, he explained: "Verizon APAC ... were announcing [routes] to the internet on behalf of their customers. A couple of AS hops away, China Telecom was mishandling them - announcing them in a manner that would cause internet traffic destined for those IP address ranges to flow back through China Telecom's network."
Verizon APAC was involved in another erroneous announcement, and in his blog post, Madory wrote: "When these routes were in circulation, networks peering with China Telecom (including those in the US) accepted AS701 routes via AS4134, sending US-to-US traffic via mainland China. One of our affected clients was a major US internet infrastructure company."
While path monitoring can help prevent leaks, it's not a complete solution because leaks can occur "multiple hops from the origin".
"Verizon APAC (AS703) likely established a settlement-free peering relationship with SK Broadband (AS9318), unaware that AS9318 would then send Verizon’s routes exclusively on to China Telecom and who would in turn send them on to the global internet," Madory said.
Networks also need to watch the announcements they receive from their peers, which Madory noted is rare, and he directed his readers to the Internet Society's MANRS project. ®
Madory's post is a welcome corroboration of the Demchack/Shavit paper, even without addressing the question of intent.
China has been accused of BGP hijacks in the past – for example, in 2010, when tainted tables twice redirected as many as 37,000 networks to China Telecom.
However, BGP hijacks are almost routine. At the time of writing, BGPStream reported 18 BGP advertisements as "possible hijacks" for the few first days of November alone.
Some of these are already going on a bit – there's currently a mixup between Harmony Hosting and France's internet exchange GIXE that's lasted more than 100 hours.
Whether malicious or accidental, China Telecom's repeated BGP errors mean providers should handle its route announcements with care – and, as Madory wrote, the more networks that join the MANRS initiative, the better.
Sponsored: Becoming a Pragmatic Security Leader