Because it was a very specific event where a random ASN (valid number,
but not allocated to anyone) started announcing specific sets of
prefixes "magically" belonging to certain government and military
organizations as if it were a customer of China Telecom.

Some people may not have noticed due to BGP's normal path selection
process, but it still generated lots of questions and concerns and
thinking. :)

It was too specific to be an "accident" in my opinion. The only way
that I would believe it to be an accident is if China ALWAYS filtered
access to those networks via a honeypot or null-route network and then
accidentally removed a filter.

Given other reports of all the attacks going on to US military/gov't
networks out of China, I would find that to not be a plausible explanation.

And prepending would result in something NOT getting chosen. These were
re-originated routes.

*Scott Morris*, CCIE/x4/ (R&S/ISP-Dial/Security/Service Provider) #4713,
CCDE #2009::D, JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI #21903, JNCI-M, JNCI-ER
swm_at_emanon.com

Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil......

On 11/18/10 11:10 PM, Jack Router wrote:
> How do we actually know that China hijacked traffic and not an ISP caused
> the error? In my lab I can easily make a mistake by prepending as-path to a
> wrong route and/or sending it to a wrong neighbor. Can something like that
> happen on much larger scale?
>
> On 18 November 2010 20:29, Tom Kacprzynski <tom.kac_at_gmail.com> wrote:
>
>> I think the problem doing prefix-list for carriers is that you don't know
>> who they will be used by for transit. So a European network could advertise
>> their Provider Independent network through China Telecom and you would not
>> be able to count all of their clients using them for transit or other
>> carriers with these filters. I don't think the issue is as simple as
>> filtering when dealing with transit provider and not end users. I think we
>> should be talking about how Secure BGP should play a role in Internet
>> security.
>>
>> My two cents.
>>
>> Now back to DHCP Servers lab for ccie.
>>
>> On Thu, Nov 18, 2010 at 7:15 PM, Joseph L. Brunner
>> <joe_at_affirmedsystems.com> wrote:
>>
>>> The carriers should write very simple prefix lists that they will only do
>>>
>>> ip prefix-list china-nets seq 5 permit 61.0.0.0/8 le 24
>>> ip prefix-list china-nets seq 10 permit 202.0.0.0/8 le 24
>>>
>>>
>>> etc. for all the China netblocks when peering with them, so they can't
>>> announce ANYTHING they don't own.
>>>
>>> PERIOD.
>>>
>>> If I can't get to EVERYTHING else through ANOTHER carrier it would be better
>>> to have it down than go through China
>>>
>>> ________________________________________
>>> From: nobody_at_groupstudy.com [nobody_at_groupstudy.com] On Behalf Of Ahmed Elhoussiny [aelhoussiny_at_gmail.com]
>>> Sent: Thursday, November 18, 2010 7:52 PM
>>> To: --Hammer--
>>> Cc: Ronnie Angello; Cisco certification
>>> Subject: Re: OT: China telecom operator denies hijacking Internet traffic
>>>
>>> It's just an example for how BGP attributes/communities, filters can easily
>>> affect the whole internet.
>>>
>>>
>>> On Fri, Nov 19, 2010 at 12:37 AM, --Hammer-- <bhmccie_at_gmail.com> wrote:
>>>
>>>> Why complying with the groupstudy posting rules is important....
>>>>
>>>>
>>>>
>>>> --Hammer
>>>>
>>>> "I was a normal American nerd."
>>>> -Jack Herer
>>>>
>>>> -----Original Message-----
>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ronnie Angello
>>>> Sent: Thursday, November 18, 2010 4:29 PM
>>>> To: Ahmed Elhoussiny
>>>> Cc: Cisco certification
>>>> Subject: Re: OT: China telecom operator denies hijacking Internet traffic
>>>>
>>>> Why route filtering is important... :)
>>>>
>>>> On Thu, Nov 18, 2010 at 5:20 PM, Ahmed Elhoussiny
>>>> <aelhoussiny_at_gmail.com> wrote:
>>>>
>>>>> Dears, just sharing some news, BGP & International Gateways
>>>>>
>>>>> *For 18 minutes, about 15 percent of all web traffic was redirected through
>>>>> China, including traffic to and from the sites of the U.S. Army, Navy,
>>>>> Marine Corps, Air Force, the office of the Secretary of Defense, the Senate
>>>>> and NASA, according to a report delivered to Congress by the U.S.-China
>>>>> Economic and Security Review Commission.*
>>>>>
>>>>> *The report says that the irregular routing could have allowed the
>>>>> surveillance of users or sites, the disruption or diversion of
>>>>> communications and the compromising of supposedly secure encrypted
>>>>> sessions.*
>>>>>
>>>>> *The report alleges that the diversion was caused when China Telecom briefly
>>>>> offered a false electronic notification to internet traffic on the web,
>>>>> causing some traffic to mistakenly conclude that the quickest way to reach
>>>>> its destination was to travel through the company's servers in China.*
>>>>>
>>>>> http://edition.cnn.com/2010/US/11/17/websites.chinese.servers/index.html?hpt=T1
>>>>>
>>>>> *Solution: filters that deny BGP updates about your prefixes that are
>>>>> originated from your country, including some bgp reg_exp, accepting only
>>>>> these prefixes from trusted BGP (e or i) sources*
>>>>>
>>>>> *A new update about this from Network World magazine:*
>>>>>
>>>>> The incident could have been an accident
>>>>> <http://www.pcworld.com/article/193849/a_chinese_isp_momentarily_hijacks_the_internet.html>
>>>>> that stems from a weakness of the Border Gateway Protocol (BGP), which is
>>>>> used to help route traffic and connect the Internet together.
>>>>>
>>>>> BGP data is sent from small service providers like IDC China
>>>>> Telecommunication and then shared with larger providers. Small providers
>>>>> generally direct Internet traffic to about 30 routes. For some reason, on
>>>>> April 8 IDC China Telecommunication began directing to tens of thousands of
>>>>> networks. The bad information was then accepted by larger Internet providers
>>>>> like China Telecom, which then propagated the data.
>>>>>
>>>>> http://www.networkworld.com/news/2010/111810-china-telecom-operator-denies-hijacking.html?hpg1=bn
>>>>>
>>>>> --
>>>>>
>>>>> Thanks & B.regards
>>>>> Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
>>>>> Network Consultant & Cisco Academy Instructor
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>>
>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>> --
>>>> Ronald Angello
>>>> Senior Network Architect
>>>> CCIE 17846
>>>> CCDP, CCIP, CCNP
>>>>
>>>
>>> --
>>>
>>> Thanks & B.regards
>>> Ahmed Elhoussiny,2x CCIE# 21988 (R&S-SP)
>>> Network Consultant & Cisco Academy Instructor
Received on Fri Nov 19 2010 - 08:23:24 ART
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
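
An added example (not part of the original thread) that applies the quoted `le 24` prefix-list logic to constructed announcements and separates a prepended path from a re-originated one by comparing the rightmost AS with an expected origin. The 203.0.113.0/24 prefix, the ASNs 64499-64511, the expected-origin table and the length-only best-path rule are assumptions for illustration.

```python
import ipaddress

# Peer filter modelled on the prefix-list quoted in the thread ("le 24").
PEER_PREFIX_LIST = [("61.0.0.0/8", 24), ("202.0.0.0/8", 24)]
# Constructed sample data: documentation prefix and documentation ASNs.
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500}
KNOWN_GOOD_PATH = [64499, 64501, 64500]  # path assumed to be in our table already

def permitted(prefix, plist=PEER_PREFIX_LIST):
    """IOS-style 'permit NET le N': inside NET and no longer than /N."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(block)) and net.prefixlen <= le
               for block, le in plist)

def wins_on_path_length(candidate, current=KNOWN_GOOD_PATH):
    """Simplified best-path: shorter AS_PATH wins (local-pref, MED etc. ignored)."""
    return len(candidate) < len(current)

def assess(prefix, as_path):
    """Return (passes peer filter, origin verdict, preferred over known path)."""
    expected = EXPECTED_ORIGIN.get(prefix)
    origin = as_path[-1]  # the rightmost AS is the originator
    if expected is None:
        origin_verdict = "unknown"
    elif origin == expected:
        origin_verdict = "origin-ok"       # prepending leaves the origin intact
    else:
        origin_verdict = "re-originated"   # a different AS claims the prefix
    return (permitted(prefix), origin_verdict, wins_on_path_length(as_path))

# Constructed announcements as received from peer AS 64510.
SAMPLES = {
    "peer-own":      ("61.10.0.0/16",   [64510]),
    "too-specific":  ("61.10.1.0/25",   [64510]),
    "prepended":     ("203.0.113.0/24", [64510, 64510, 64510, 64501, 64500]),
    "re-originated": ("203.0.113.0/24", [64510, 64511]),
}

if __name__ == "__main__":
    for name, (prefix, path) in SAMPLES.items():
        print(f"{name:14} {prefix:18} {assess(prefix, path)}")
```

The prepended sample keeps the correct origin and loses on path length, while the re-originated one carries a new origin and a shorter path. The strict peer list rejects both, including the transit route with the correct origin.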