China hijacking internet traffic using BGP, claim researchers

China has been accused of hijacking the internet’s Border Gateway Protocol (BGP) to carry out covert man-in-the-middle surveillance on Western countries and companies.

BGP governs how traffic is routed between subdivisions of the internet known as autonomous systems (AS). It ensures that traffic reaches the correct servers – meaning messing around with it is bad news.

Usually, proving what’s been going on with hard technical evidence is extremely difficult when nations are accused of nefarious internet activities.

That should be true for BGP hijacking too, where deliberate attacks can be hard to distinguish from innocent router misconfiguration.

However, the authors of ‘China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking‘, Chris C. Demchak (US Naval War College) and Yuval Shavitt (Tel Aviv University), say they analysed data from a special route-tracing system hosted at the University of Tel Aviv that is capable of detecting unusual patterns of BGP ‘announcements’.

Since 2016, this helped them pick up a series of unusual routing events that they believe were too consistent in their duration and scale to be dismissed as accidents.

But what is BGP hijacking anyway?

The infamous illustration would be Pakistan Telecommunication Authority’s (PTA) 2008 hijack of YouTube traffic to block a contentious video.

PTA’s poorly executed approach was to try to sinkhole all traffic to a subset of IP addresses belonging to Google that gave access to the video in the country.

This was done via BGP, which advertised Pakistan Telecom as the route to this address, which other BGP routers noticed was more specific in its address than Google’s normal route.

BGP routers are programmed to favour this specificity and so this new routing perpetuated across most of the internet.

The result: YouTube went down, globally, for two hours as all its traffic went to Pakistan Telecom to be thrown into a sinkhole.

An accident perhaps but there have been other, even stranger incidents including one involving China Telecom itself in 2010 in which erroneous BGP saw as much as 15% of the world’s internet traffic routed through Points of Presence (POPs) controlled by the company.

Second helpings

The researchers claim China Telecom has essentially been doing the same again – abusing BGP to route international Net traffic via its POPs, of which it has eight located in the US and two in Canada.

These included months of ‘hijacking’ routes from Canada to Korea in 2016, which saw traffic take longer detours into China before completing its journey.

Or the traffic from the US to a bank in Milan, Italy which was diverted via China Telecom POPs in a way that only stood out because it never arrived.

The researchers offer several more examples, concluding:

While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics – namely the lengthened routes and the abnormal durations.

One defence against BGP hijacking is TLS encryption. It doesn’t stop the rerouting but if someone diverts web, email or DNS traffic encrypted with TLS through their POP it should be unreadable.

In theory, an attacker can still forge a TLS certificate, which serves as an encouragement to use extra layers of TLS security such as HTTP Public Key Pinning (HPKP).

But perhaps the unspoken worry about BGP hijacking is that if China is doing it then maybe other countries with similar resources and motivations are too. Another argument, if one were needed, for encryption everywhere.

More fundamental fixes to the BGP problem are on the way such as BGP Route Origin Validation (ROV), but it could still be years before that’s in place.

If only the people who designed the internet hadn’t set it up to be so trusting.