Chinese Internet data hijacking not unprecedented
The massive unauthorized rerouting of Internet traffic through China reported by a congressional watchdog group may, or may not, be malicious, said a security expert, but it’s not unprecedented.
A report released Nov. 17 by the US/China Economic Review Commission said on April 8, Chinese Internet service providers 'hijacked,' or rerouted, a massive amount--about 15 percent--of Internet traffic into the country for almost 20 minutes. "This incident affected numerous government sites, including those for the Senate and the Office of the Secretary of Defense," said commission vice chairman Carolyn Bartholomew. It affected .gov, .mil (including U.S. Army, Navy, Air Force, Marines, the National Aeronautics and Space Administration), as well as commercial sites like Dell, Yahoo! and IBM, according to the study.
China Telecom diverted the flow with “erroneous traffic routes,” the report said, instructing U.S. and other foreign Internet traffic to travel through Chinese servers. China Telecom denied it hijacked the traffic in a statement issued Nov. 18.
Even though the unauthorized rerouting of traffic is technically considered “hijacking,” said Dmitri Alperovitch, senior vice president of threat management at McAfee, whether it was intentional or not can’t readily be determined and it may never be known.
At its heart, traffic routing on the Internet is based on trust among those carrying the traffic, he said in an interview with Government Security News. Disruptions--even huge disruptions--can happen accidentally, he said. A ham-handed attempt by the Pakistani government to block YouTube traffic in that country in 2008 wound up blocking YouTube worldwide for a short period of time, he said. In 2004, a Turkish Internet provider inadvertently reconfigured its routers so they received all Internet traffic worldwide, crippling the entire network for a time. “It can happen accidentally. These kinds of things happen every year,” said Alperovitch.
What makes this incident more concerning, however, is that the Chinese government owns the majority of China Telecom, and the Chinese government, according to the report, is notorious for Internet shenanigans.
The accidental re-routing of the Internet traffic is one of the network’s quirks. Traffic is carried by trusted partners who have route certification keys. Those partners can be telecommunications companies, or other entities. Like postal carriers, who trust each other to deliver incoming international mail to domestic addresses, those with route certification keys are trusted to deliver international traffic. The keys allow their holders to de-code encrypted traffic, so it can be transmitted to correct destinations. However, traffic can be de-coded, then re-encrypted by a key holder without much of a trace, said Alperovitch, in what is called a “man-in-the-middle” attack.
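The routing-trust problem described above, as an added example that is not from the article or the commission report: a defender-side check that compares observed route announcements for prefixes an operator runs against an allowlist of the origin and upstream networks expected to carry them, flagging a wrong origin, a more-specific prefix announced by a foreign origin, or a route that reaches the right origin through an unknown transit. BGP autonomous-system (AS) numbers and IP prefixes are the assumed framing (the article does not name the protocol), and every number below is a constructed sample value.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str       # announced prefix, e.g. "192.0.2.0/24"
    as_path: tuple    # observed AS path; as_path[-1] is the origin AS


# Constructed allowlist: which origin ASes may announce each prefix we operate,
# and which upstream ASes should appear directly next to that origin.
EXPECTED = {
    "192.0.2.0/24":    {"origins": {64500}, "upstreams": {64510, 64511}},
    "198.51.100.0/22": {"origins": {64501}, "upstreams": {64512}},
}


def check(ann, expected=EXPECTED):
    """Return a list of (kind, detail) findings for one announcement."""
    findings = []
    net = ipaddress.ip_network(ann.prefix, strict=True)
    origin = ann.as_path[-1]
    for covered, rule in expected.items():
        cnet = ipaddress.ip_network(covered)
        if not net.subnet_of(cnet):          # unrelated prefix (equal counts as subnet)
            continue
        if origin not in rule["origins"]:
            kind = "origin-mismatch" if net == cnet else "more-specific-hijack"
            findings.append((kind, f"{ann.prefix} originated by AS{origin}, "
                                   f"expected {sorted(rule['origins'])}"))
        elif len(ann.as_path) > 1 and ann.as_path[-2] not in rule["upstreams"]:
            findings.append(("unexpected-transit",
                             f"{ann.prefix} reaches AS{origin} via AS{ann.as_path[-2]}, "
                             f"not a known upstream"))
    return findings


def scan(announcements, expected=EXPECTED):
    return [f for ann in announcements for f in check(ann, expected)]


SAMPLE = [  # constructed announcements as a route collector might see them
    Announcement("192.0.2.0/24", (64520, 64510, 64500)),     # legitimate
    Announcement("192.0.2.0/24", (64520, 64530, 64599)),     # wrong origin
    Announcement("198.51.100.0/24", (64520, 64599)),         # more-specific from foreign origin
    Announcement("198.51.100.0/22", (64520, 64530, 64501)),  # right origin, unknown transit
    Announcement("203.0.113.0/24", (64520, 64540)),          # not ours, ignored
]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(f"{kind}: {detail}")
```

Running the sample yields three findings, one of each kind; the legitimate route and the prefix outside the allowlist produce none.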
The report said it had no way to determine what, if anything, Chinese telecom companies did to the traffic, but “incidents of this nature could have a number of serious implications,” including surveillance of specific sites or users, disruption of data, or routing traffic to an imposter site.
“Arbor Networks Chief Security Officer Danny McPherson has explained that the volume of affected data here could have been intended to conceal one targeted attack,” said the report. “Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions,” it said.