
US Dept of Energy AS32982 Network Possibly BGP Hijacked by China Telecom - mmaunder
https://bgpstream.com/event/171779
======
notabot
So? What is the significance of one single event? Looking at that site it is
not that uncommon. Did this event catch your attention simply because it had
the right keywords (US Dept of Energy and China)?

MIT hijacked someone's route?
[https://bgpstream.com/event/171889](https://bgpstream.com/event/171889)

A US ISP?
[https://bgpstream.com/event/171683](https://bgpstream.com/event/171683)

Another US ISP?
[https://bgpstream.com/event/170328](https://bgpstream.com/event/170328)

China Telecom could have been a victim too?
[https://bgpstream.com/event/155707](https://bgpstream.com/event/155707)

The list goes on...

(edited: formatting)

~~~
toomuchtodo
"Who is responding to such an event during the government shutdown?" was my
first thought. Assuming nefarious intent, now would be an ideal time to stage
an attack.

~~~
gh02t
DoE is currently not affected by the partial shutdown. It's business as usual
at the national laboratories and with other employees/contractors. The way
it's funded means that there would have to be a prolonged shutdown before DoE
would have to start shutting down, but I think even then security and safety
essential personnel are exempt.

[https://www.directives.doe.gov/directives-documents/100-series/0137-1-border-b-recertified](https://www.directives.doe.gov/directives-documents/100-series/0137-1-border-b-recertified)

~~~
toomuchtodo
But is ESnet [1]? They are the org responsible for providing inter-org
networking services between US DOE labs and other associated institutions.

[1] [http://es.net/](http://es.net/)

~~~
gh02t
The plan includes pay for external contractors and security-essential
functions, so yes I would assume so (though I don't know firsthand about them
specifically). To the best of my knowledge, DoE will continue to run entirely
as normal until carryover funding from previous allocations runs out. Couple
months at least. After that it basically goes into hibernation, but I expect
that communications and network security would be considered as essential and
hence would remain funded even then.

~~~
toomuchtodo
Thank you!

------
lgierth
It's not necessarily AS4812 / China Telecom announcing this themselves.
Anyone could be announcing AS4812,192.208.19.0/24. For some degree of
attribution, you need to go and figure out where the actual announcement is
coming from.

The "beauty" of BGP :)

edit: It's also interesting to note that the bogus announcement is for /24,
which is more specific than the original /23, so it takes precedence.

~~~
CKN23-ARIN
For reference, the path observed by BGPMon was:

      11039 The George Washington University
      46887 Lightower Fiber Networks I, LLC
      6939 Hurricane Electric LLC
      4134 China Telecom Backbone
      4134 China Telecom Backbone
      4134 China Telecom Backbone
      4812 China Telecom (Group)

Hurricane Electric has been known to not apply route filters to large peers,
leading to hijacks like this. I suspect that was the case here, too. Although
you are right, this path could have been spoofed by GWU or Lightower (or
BGPMon!)

------
thechao
Article describing BGP hijacking. It is the first article from a DDG search,
and I know nothing of the topic so YMMV.

[https://www.internetsociety.org/blog/2018/05/what-is-bgp-hijacking-anyway/](https://www.internetsociety.org/blog/2018/05/what-is-bgp-hijacking-anyway/)

~~~
duality
Wikipedia article:
[https://en.wikipedia.org/wiki/BGP_hijacking](https://en.wikipedia.org/wiki/BGP_hijacking)

~~~
sgc
The article mentions there are mitigations to this type of attack available.
Does anyone know of how an individual user could (practically) reduce their
exposure to this type of attack?

~~~
gruez
By using encryption. That way if such an attack occurs, the only negative effect
is downtime, rather than data exposure.

~~~
altmind
Encryption does not help BGP hijacks at all. You need to filter the accepted
upstream routes. But filtering ultimately defeats the purpose of BGP - route
learning is no longer fully dynamic and needs some manual approvals.
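
As an added illustration of the two points raised above (the more-specific /24 winning over the /23, and filtering accepted routes by an allow-list of expected origins), here is example code that is not from the thread or from any of the tools mentioned in it. The covering /23 (192.208.18.0/23) is derived from the announced /24; its legitimate origin AS (65000) and the ROA-style table are placeholders, not data from the event.

```python
import ipaddress

# Constructed ROA-style allow-list: prefix -> authorized origin AS and max length.
# The origin AS 65000 is a placeholder (private ASN); the event page does not name it.
AUTHORIZED = {
    ipaddress.ip_network("192.208.18.0/23"): {"origin": 65000, "maxlen": 23},
}

def validate(prefix, origin):
    """Route-origin validation: 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in AUTHORIZED if net.subnet_of(p)]
    if not covering:
        return "unknown"  # no entry covers this prefix; policy decides what to do
    for p in covering:
        roa = AUTHORIZED[p]
        # Both the origin AS and the prefix length must match the allow-list entry;
        # a more-specific /24 from an unexpected origin fails here.
        if roa["origin"] == origin and net.prefixlen <= roa["maxlen"]:
            return "valid"
    return "invalid"

def best_route(rib, dst):
    """Longest-prefix match: the most specific covering prefix wins, origin ignored."""
    addr = ipaddress.ip_address(dst)
    candidates = [(p, o) for p, o in rib if addr in ipaddress.ip_network(p)]
    return max(candidates, key=lambda c: ipaddress.ip_network(c[0]).prefixlen, default=None)

def filtered_rib(announcements):
    """Keep only announcements that do not fail origin validation."""
    return [(p, o) for p, o in announcements if validate(p, o) != "invalid"]

# Constructed announcements: the assumed legitimate /23 and the /24 seen in the thread.
ANNOUNCEMENTS = [("192.208.18.0/23", 65000), ("192.208.19.0/24", 4812)]

if __name__ == "__main__":
    print("unfiltered:", best_route(ANNOUNCEMENTS, "192.208.19.10"))      # the /24 wins
    print("filtered:  ", best_route(filtered_rib(ANNOUNCEMENTS), "192.208.19.10"))
```

Without the filter the /24 from AS4812 is selected for any host in 192.208.19.0/24; with the filter it is dropped and traffic follows the /23.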

------
pizza
Just noticed this one, too:
[https://bgpstream.com/event/170070](https://bgpstream.com/event/170070)

Does it mean an Iranian telecom hijacked some of AT&T's traffic?

~~~
dogecoinbase
Notionally yes, though as with a lot of these hijackings it's really a
question of how far it propagated/who is correctly filtering routes. This
happens with Iran Tele from time to time, typically when they are trying to
block something specific internally and let the route leak out (e.g. their
Telegram block back in July).

