Last Wednesday, Nov 17, the US China Economic and Security Review Commission released a wide-ranging report on China trade, capital markets, human rights, and other top issues. Craig Labovitz has a good summary on his blog:
Tucked away in the hundreds of pages of China analysis is a section on the Chinese Internet, including the well-documented April 8, 2010 BGP hijack of several thousand routes (starting on page 244).
To review, shortly around 4am GMT on April 8th a Chinese Internet provider announced 40,000 routes belonging to other ISPs / enterprises around the world (though many were for China based companies). During a subsequent roughly 15 minute window, a small percentage of Internet providers around the world redirected traffic for a small percentage of these routes to Chinese address space. RIPE provides a link to a list of some of these prefixes (as well as indicating the impact on European carriers was minimal) and Andree Toonk and his colleagues at BGPmon have a nice synopsis at the BGPMon blog.
Following shortly on the heels of the China hijack of DNS addresses in March, the April BGP incident generated a significant amount of discussion in the Internet engineering community.
So, it was with a bit of a surprise that I watched an alarmed Wolf Blitzer report on prime time CNN about the China hijack of “15% of the Internet” last night…. You have to go to a National Defense interview with Dmitri Alperovitch, vice president of threat research at McAfee, to first come up with the 15% number. Several hundred media outlets, including CNN, the Wall Street Journal, Time Magazine and many more picked up this interview and eagerly reported on China’s hijack of “massive Internet traffic volumes of 15% or more”.
15% of Internet traffic? Holy smokes! That’s a ton of traffic! Cause for alarm? Labovitz says no:
Now certainly, diverting 15% of the Internet even for just 15 minutes would be a major event. But as earlier analysis by Internet researchers suggested, this hijack had limited impact on the Internet routing infrastructure — most of the Internet ignored the hijack for various technical reasons.
While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), I’d estimate diverted traffic never topped a handful of Gbps. And in an Internet quickly approaching 80-100 Tbps, 1-3 Gbps of traffic is far from 15% (it is much closer to 0.015%).
James Cowie over at the reneys blog has an even more in-depth discussion discussing what happened and most likely it was an accident. Routing around the Internet is done on the honor system and actually breaks (gets misrouted) on a semi-regular basis. Furthermore, China wasn’t really in a position to intercept actual traffic or even do analysis:
But how much traffic were they really in a position to intercept? As the hijacking propagated, ten minutes passed, and then twenty. Nobody seems to have noticed anything amiss during the event itself, which seems strange, since it was lunchtime on a busy Thursday in the USA. No increased delays? No closed connections? No tweets about the Internets being broken?
One clue lies in the nature of hijacking. If two US networks are talking to each other, even if both are hijacked, traffic will probably continue to flow normally between them. Why? Both are closer to each other than they are to the hijacker. They both choose the legitimate routes, because they’re closer than the fake routes. No traffic is diverted. (There’s an interesting corner case where one of two US participants is at a US Internet exchange point where the attacker is also present, and therefore artificially "close enough" to take the traffic, but let’s skip that for the moment.)
How much data could have been intercepted, then? Basically, the packets in flight at the time of the route hijack .. a few kilobytes of effectively random content in the middle of each TCP window, times (at a guess) millions of redirected conversations between largely unknown participants. It would be pretty hard to plan such an attack so that you ended up with anything useful to read!
Cowie doesn’t claim that this is much ado about nothing, though:
Conclusion: Watch Your Backs, People
There you have it. The route hijacking took place, pretty much as described by the Congressional report and the media. Once you dig into the details, the conclusion you reach is up to you. On one hand, Internet routing is an exceedingly blunt instrument with which to attack an organization or capture man-in-the-middle traffic. It’s about as subtle as a firecracker in a funeral home — the effects are visible for all to see, planetwide.
The government doesn’t seem to up in arms about this, however. They say that “all of their traffic was encrypted” and therefore have nothing to worry about. That’s not what National Defense Magazine says:
In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.
Said Alperovitch: “This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”
McAfee has briefed U.S. government officials on the incident, but they were not alarmed. They said their Internet communications are encrypted. However, encryption also works on a basis of trust, McAfee experts pointed out. And that trust can be exploited. Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.
Among the certificates is one from the China Internet Information Center, an arm of the China’s Ministry of Information and Industry.
“If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates,” said Yoris Evers, director of worldwide public relations at McAfee.
Encryption works wherein if the sender and receiver want to exchange secure information over an insecure channel, you can do so. They exchange a key with each other and encode the information with one and decode it with the other. If someone intercepts it, the data is not particularly useful because the amount of time it takes to decrypt the data renders the information it was protecting becomes stale.
Alperovitch is warning that if a communication channel was set up doing encryption and China Telecom intercepted the data, passed its own fake certificates to the end users and they each sent each other information encrypting with a key they thought belonged to the other party but actually belonged to China Telecom, then China Telecom could decrypt the data. Presumably, because this passed through China, they would pass this information along to the Chinese government. Thus, the brush off on encrypted traffic is premature and doesn’t really account for the nature of the threat.
On the other hand, everyone knows that the Internet is not particularly secure. If you really, really want to have secure communications, you do it over encrypted channels over your own private network. Yes, stuff can still be intercepted, and yes, you can still learn about someone’s intent by watching where mail is going to (i.e., if the Defense Secretary is regularly communicating with the Chairman of the Joint Chiefs, you know something is up). However, encryption is as good a technology as you are going to get. Did China intercept Internet traffic? Yes. Did they do it intentionally to learn something (that sure would be a heck of a lot of data mining for a small period of time), it’s possible but not probable.