

For 18 minutes, China hijacked 15 percent of the world’s Internet traffic - pc
http://webcache.googleusercontent.com/search?q=cache:4lR05JZoeUMJ:www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx%3FID%3D249+http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx%3FID%3D249&hl=en&gl=us&strip=0

======
johnthedebs
Disclaimer: I am not a security expert, but I did study networking and network
security for a few years.

This article seems a bit over the top. It's pure speculation, and it seems
much more likely that an engineer configured a router incorrectly, panicked
for 15 minutes, then fixed it.

"What set this incident apart from other such mishaps was the fact that China
Telecom could manage to absorb this large amount of data and send it back out
again without anyone noticing a disruption in service."

We've got a technically inclined community here: When your Internet access is
slow for a while, what do you attribute it to? I doubt anyone's first instinct
is "must be a man-in-the-middle attack." Again, it seems much more likely that
they simply had the capacity to handle most of that traffic (biggest country
in the world, modernization, etc.) and no one noticed because the Internet is
often flaky.

~~~
btmorex
When my internet is slow, my first inclination is traceroute (mainly so I can
complain to comcast if it's their fault, which it usually is), which presumably
would show what was happening.

~~~
andre3k1
I wouldn't consider your behavior normal. :)

The parent makes a valid claim.

~~~
electromagnetic
I've only done traceroute a couple of times, normally when my internet is
crawling at a bizarre time of day. I expect some slow down at primetime when
everyone is home from work and school, I don't expect it when I'm up at 5-6am.

------
swombat
_Internet encryption depends on two keys. One key is private and not shared,
and the other is public, and is embedded in most computer operating systems.
Unknown to most computer users, Microsoft, Apple and other software makers
embed the public certificates in their operating systems. They also trust that
this system won’t be abused._

Umm, yeah, right. Basic fail at understanding public/private key cryptography.

If crypto systems relied on trusting that everyone does the right thing, they
would be useless.

After such a fundamental failure, it's hard to take the rest of the article
seriously.

~~~
Robin_Message
Actually, I think the article is right. They have not failed to understand
public/private key cryptography; you have failed to understand where you
actually get your bank's public key from. Obviously, the bank has to send it
to you. But then the problem is, how can you trust it really is your bank's
key? The way we use is to trust a long list of people (CAs) to sign
certificates saying "this key belongs to this domain."

So, if your browser has a CA belonging to CNNIC, a Chinese corporation which
could certainly act for the Chinese government, they could pull off this
spoofing. The question then is, is CNNIC in people's browsers? According to
<http://www.mozilla.org/projects/security/certs/included/>, it is in Firefox.

As to how to pull off the spoofing, if you have a root CA, you can sign
arbitrary certs, i.e. for domains you don't own.

So, the article is right and SSL does require trusting all your trusted CAs
are trustworthy.

(edited for clarity and tone)

~~~
tptacek
SSL may require "trusting all your trusted CA's", but that statement is a
tautology. If you don't want to trust a Chinese CA, remove them from your root
certificate store. SSL will continue to work, and you probably won't even
notice the impact.

~~~
Robin_Message
Yes, the last sentence was meant to be a tautology — the trusted CAs are
trusted, if a trusted element is hosed, you are hosed, that's what trusted
means. I have no doubt you are more knowledgeable and experienced in this than
me, and of course you're right that you can remove the Chinese CA, but I don't
think that is a sufficient solution to the proposed attack.

Firstly, I doubt that US (say) government personnel will remove Chinese CAs,
never mind contractors or even ordinary business people or citizens, so to my
mind this is a risk to trusting SSL, even if expert users can mitigate it as
you have described.

Secondly, I believe CAs can also sign other CAs (and indeed Entrust did this
for this very Chinese CA) so it's not that simple. You might need to distrust
most CAs, which makes using SSL slightly tricky.

Thirdly, even if you remove the CA now, how do you know you weren't already
MITM-attacked back in February? It's too late.

As for mitigation, alerting the user on CA or certificate changes might help,
but getting the UX right will be hard. I could see a solution in the future
where your bank sends you a memory stick with portable firefox installed on it
and precisely one trusted certificate — the bank's. Of course, that means
trusting the mail system, but since we already trust the mail system (e.g.
using mailed statements for ID verification) we can't be worse off. An attack
would require hijacking the USB stick _and_ your connection to the bank at the
beginning of the same session for it not to be noticeable — not so easy.
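Robin_Message's point that a root CA can sign for any domain, and tptacek's reply that removing the root from the store is the fix, as an added example that is not from the thread. The script drives the openssl command line from Python (it assumes `openssl` 1.1.1 or newer on PATH; the root names and the hostname bank.example are made up): it creates a root of its own, signs a certificate for a domain it has no relationship with, and verifies that certificate once against a store holding the rogue root and once against a store holding only an unrelated root. The chain and hostname checks pass in the first case and fail in the second; the certificate is identical in both runs, only the store differs.

```python
"""Rogue root CA demonstration driven through the openssl CLI.

Added example, not from the thread. Assumes `openssl` (1.1.1 or newer) is on
PATH; the CA names and the hostname bank.example are made up. Keys and
certificates are created in a temporary directory and thrown away.
"""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args, check=True):
    return subprocess.run(["openssl", *args], capture_output=True,
                          text=True, check=check)


def make_root(workdir, name):
    """Self-signed root. Stock openssl configs mark `req -x509` output as
    basicConstraints CA:TRUE, which is all a signer needs."""
    key, cert = workdir / f"{name}.key", workdir / f"{name}.pem"
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
            "-subj", f"/CN={name}", "-keyout", str(key), "-out", str(cert))
    return key, cert


def issue_leaf(workdir, ca_key, ca_cert, hostname):
    """Sign a certificate for a hostname the CA has no relationship with."""
    key, csr, cert = (workdir / "leaf.key", workdir / "leaf.csr",
                      workdir / "leaf.pem")
    ext = workdir / "leaf.ext"
    ext.write_text(f"subjectAltName=DNS:{hostname}\nbasicConstraints=CA:FALSE\n")
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", f"/CN={hostname}", "-keyout", str(key), "-out", str(csr))
    openssl("x509", "-req", "-in", str(csr), "-CA", str(ca_cert),
            "-CAkey", str(ca_key), "-CAcreateserial", "-days", "30",
            "-extfile", str(ext), "-out", str(cert))
    return cert


def verifies(trust_store, leaf, hostname):
    """Chain plus hostname check, the way a client does it; the -CAfile
    stands in for the browser's root store."""
    result = openssl("verify", "-CAfile", str(trust_store),
                     "-verify_hostname", hostname, str(leaf), check=False)
    return result.returncode == 0


def demo(hostname="bank.example"):
    """Verify the rogue-signed leaf against two stores: one that contains the
    rogue root, one that contains only an unrelated root (rogue root removed)."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        rogue_key, rogue_cert = make_root(workdir, "rogue-root")
        _, other_cert = make_root(workdir, "unrelated-root")
        leaf = issue_leaf(workdir, rogue_key, rogue_cert, hostname)
        return {
            "rogue_root_trusted": verifies(rogue_cert, leaf, hostname),
            "rogue_root_removed": verifies(other_cert, leaf, hostname),
        }


if __name__ == "__main__":
    for store, ok in demo().items():
        print(f"{store}: {'verifies' if ok else 'rejected'}")
```

On a real client the store is the browser or OS root list rather than a -CAfile. Note that `openssl verify` also consults the system store in both runs; it does not contain the made-up root, so the second run behaves the way a browser would after the CA is removed from the list Robin_Message links to.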

------
danio
It seems to me that data going over a publicly accessible network that is
designed to let that data go by whatever route is necessary has been routed
over a part of that network.

How is that a problem? You cannot expect your internet data to be private: the
nature of the beast is that it will be public. Anything sensitive must be
encrypted in such a way that by the time the encryption is broken by your
enemy (considering the likely resources they have) the data is no longer
useful.

Did I miss something?

------
jwr
I'm a little bit surprised that peers did not have filters on inbound BGP
advertisements. As an operator you typically don't trust most of your peers
and only accept advertisements for ASs and network blocks previously agreed
upon. Filters are modified manually.

The largest operators have peering links with no filters ("everyone is
equal"), but that implies a lot of trust. And "trust" should not be a word
placed next to a communist country name.
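jwr's inbound-filter point, as an added example that is not from the thread: a toy inbound BGP policy in Python that first enforces a per-peer prefix-list (the blocks "previously agreed upon") and then checks the origin AS against an RFC 6811-style ROA table. The peer ASN, prefixes and ROA entries are made up (RFC 5737 address blocks, RFC 5398 ASN range) and the UPDATE messages are constructed. The policy follows the usual operational choice (RFC 7115) of accepting NotFound and dropping Invalid, so a block that was agreed with the peer but announced with the wrong origin, which is what a hijack looks like at the border, is the case that gets dropped.

```python
"""Toy inbound BGP filter: per-peer prefix-list, then origin validation.

Added example, not from the thread. Peer ASN, prefixes and ROA entries are
made up (RFC 5737 address blocks, RFC 5398 ASN range); the UPDATE list is
constructed here, not taken from any real routing table.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: prefix, authorized origin AS, max length."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_len: int


# Assumed ROA / IRR-style table of who may originate what.
ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 64496, 24),
    Roa(ipaddress.ip_network("198.51.100.0/24"), 64497, 26),
]

# Assumed per-peer prefix-lists, maintained by hand as jwr describes:
# only these blocks are accepted from AS64500, whatever the origin.
PEER_PREFIX_LIST = {
    64500: [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.0/24"),
        ipaddress.ip_network("203.0.113.0/24"),
    ],
}


def validate_origin(prefix, origin_as):
    """RFC 6811 states: 'valid', 'invalid' or 'not_found'."""
    covering = [r for r in ROAS if prefix.subnet_of(r.prefix)]
    if not covering:
        return "not_found"
    if any(r.origin_as == origin_as and prefix.prefixlen <= r.max_len
           for r in covering):
        return "valid"
    # Covered by a ROA but wrong origin, or more specific than allowed:
    # the shape a hijack or a leaked more-specific takes.
    return "invalid"


def filter_updates(peer_as, updates):
    """Apply inbound policy to (prefix, as_path) updates received from peer_as.

    Returns (accepted, rejected): accepted is [(prefix, validation_state)],
    rejected is [(prefix, reason)]. NotFound is accepted, as RFC 7115
    recommends, so prefixes without ROAs keep working; Invalid is dropped.
    """
    accepted, rejected = [], []
    allowed = PEER_PREFIX_LIST.get(peer_as, [])
    for prefix_str, as_path in updates:
        prefix = ipaddress.ip_network(prefix_str)
        if not as_path or as_path[0] != peer_as:
            rejected.append((prefix_str, "first hop is not the peer"))
            continue
        if not any(prefix.subnet_of(block) for block in allowed):
            rejected.append((prefix_str, "prefix not in peer's prefix-list"))
            continue
        state = validate_origin(prefix, as_path[-1])
        if state == "invalid":
            rejected.append((prefix_str, "origin validation: invalid"))
            continue
        accepted.append((prefix_str, state))
    return accepted, rejected


# Constructed UPDATEs from peer AS64500; the fourth is the hijack case.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64500, 64496]),      # legitimate origin
    ("198.51.100.0/25", [64500, 64497]),   # more specific, within max_len
    ("198.51.100.0/27", [64500, 64497]),   # right origin, longer than max_len
    ("192.0.2.0/24", [64500, 64510]),      # agreed block, wrong origin AS
    ("203.0.113.0/24", [64500, 64498]),    # agreed block, no ROA at all
    ("192.0.2.0/24", [64499, 64496]),      # path does not start at the peer
    ("10.0.0.0/8", [64500, 64500]),        # never agreed with this peer
]

if __name__ == "__main__":
    ok, dropped = filter_updates(64500, SAMPLE_UPDATES)
    for entry in ok:
        print("ACCEPT", *entry)
    for entry in dropped:
        print("REJECT", *entry)
```

On a router the same two stages are a prefix-list applied to the session and route-origin validation fed from an RPKI cache; the unfiltered "everyone is equal" peerings jwr mentions are exactly the sessions where neither stage runs.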

~~~
CWuestefeld
_And "trust" should not be a word placed next to a communist country name._

The word "trust" shouldn't be placed next to _any_ government.

------
smutticus
RIPE stores every BGP update message sent through the AMSIX in an Oracle DB. I
know this because I know the guy that does it. I don't know specifically about
ARIN but we can safely assume they do the same.

Unless someone actually goes and looks at what was being sent by Chinese BGP
routers at the time of this supposed outage they should STFU. I'm not saying
this is definitely BS. But the article is seriously short on details.

------
pc
Can anyone with more knowledge comment on plausibility of this?

Google Cache:
[http://webcache.googleusercontent.com/search?q=cache:4lR05JZ...](http://webcache.googleusercontent.com/search?q=cache:4lR05JZoeUMJ:www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx%3FID%3D249+http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx%3FID%3D249&hl=en&gl=us&strip=1)

~~~
tptacek
Presumably, a broken BGP advertisement. These days, they create breathless
"news" stories like this one. Back in the '90s, when small-town ISPs managed
to accidentally advertise short paths to huge chunks of the Internet, they
broke the whole Internet. It's hard to get too wound up about it.

If you're worried that China is going to MITM your SSL sessions, remove their
certificate from your cert store.

If I were a Chinese supercyberspy, I probably wouldn't do something as blatant
as _routing the entire Internet to China_ just to get traffic I wanted. I
think I'd do something much more akin to spearphishing an overseas Google
employee to get onto their internal network.

~~~
erik
"Also, the list of hijacked data just happened to include preselected
destinations around the world that encompassed military, intelligence and many
civilian networks in the United States and other allies such as Japan and
Australia"

If this claim is valid, it would seem likely that the bad BGP advertisement
was not accidental.

~~~
pyre
If it wasn't accidental, then I doubt it was a serious operation. Most likely
a fishing expedition. Testing the waters to see what the reaction is and what
data (or kinds of data) they are able to harvest.

~~~
shykes
China just validated that they can intercept traffic for malicious intent, with
no international retaliation to speak of. How is that not serious?

~~~
johnthedebs
"This happens accidentally a few times per year, Alperovitch said."

They aren't the only ones.

------
guelo
BGP could stand to get a security update but as with most fundamental internet
protocols it will probably never happen. Most people seem to believe this
incident was accidental. More info:

<http://bgpmon.net/blog/?p=282>

[http://www.nytimes.com/external/idg/2010/04/08/08idg-a-chine...](http://www.nytimes.com/external/idg/2010/04/08/08idg-a-chinese-isp-momentarily-hijacks-the-internet-33717.html)

------
TallGuyShort
Interesting note about public keys that are automatically trusted by
proprietary operating systems, and the potential for abuse by foreign powers.
Reminded me of the discussion a while back about how it's relatively easy to
become a root certificate authority in Firefox. Everyday cryptography needs
some serious revamping.

~~~
tptacek
The UI for everyday cryptography needs some serious revamping.

It's _not_ relatively easy to become a Firefox root CA, but too many people
are, and part of the reason why is that your cert store configuration is
buried deep in the "don't touch, no user serviceable parts" bowels of your
configuration.

~~~
ohashi
And how does one fix/change it?

------
kevindication
If you want more technical internet routing information, always look to NANOG.
These two threads are discussing what happened, as it happened, by the people
who are likely to fix/deal with it:

[http://mailman.nanog.org/pipermail/nanog/2010-April/020789.h...](http://mailman.nanog.org/pipermail/nanog/2010-April/020789.html)

[http://mailman.nanog.org/pipermail/nanog/2010-April/020865.h...](http://mailman.nanog.org/pipermail/nanog/2010-April/020865.html)

------
da5e
I got a message alert in Gmail two days ago saying that my email had been
accessed from China. I wonder if that was related.

~~~
johnfn
It says that the hijacking occurred in April. Someone in China accessing your
email just two days ago is probably just coincidence. However, it would still
be a good idea to look into it (and change your password)

~~~
da5e
Thanks. I did change the password. A search indicates that something similar
has been reported by others about every month this year.
[http://www.google.com/search?sourceid=chrome&ie=UTF-8...](http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=gmail+accessed+from+china)

