
Large European routing leak sends traffic through China Telecom - okket
https://blog.apnic.net/2019/06/07/large-european-routing-leak-sends-traffic-through-china-telecom/
======
okket
Periodic reminder: "Operators, where are your MANRS?"

[https://www.manrs.org/](https://www.manrs.org/)

~~~
rocqua
It seems like one of the hit ISPs (KPN) actually _is_ part of MANRS. Shouldn't
that have protected them and their customers?

~~~
okket
I don't think so. When you're in the middle and neither the source nor the
destination of a route implements MANRS, there is not much to protect/verify.
MANRS does protect you from becoming a leak, among other things. (I am not a
total expert on routing, so please take this with a grain of salt)

------
x86_64Ubuntu
Would someone explain to a scrub what "route leaking" is? Would this be an
issue because the leak receiver could inspect traffic that it wouldn't have
gotten otherwise?

~~~
tptacek
The way inter-ISP routing works is that every ISP advertises its IP ranges†
(prefixes) to each ISP it's connected to, who in turn stamp them with their
own addresses and relay them to all their connections; in this way,
advertisements are eventually propagated to every ISP on the Internet.

A prefix can be connected to several ISPs, and thus be advertised multiple
times from multiple places. Each ISP resolves all the advertisements and
computes paths to each prefix, sending traffic towards the shortest path
received.

The protocol that conducts this process, BGP4, is unauthenticated and managed
by a combination of fiddly filtering configurations (often based on regular
expressions) and trust. An ISP can advertise any prefix and stand a chance of
getting some other ISPs to route that prefix towards them.

Here, what appears to have happened was that a Dutch ISP advertised a bunch of
prefixes incorrectly (they may have been advertised in such a way as to make
them unattractive options for routing, as a safeguard, but that proved
ineffective). China Telecom picked them up and propagated them, and, in doing
so, made itself an attractive path for the prefixes for many other ISPs.

Yes, this would allow China Telecom to inspect traffic mistakenly routed to
them, though it's extraordinarily unlikely that anything like that occurred.

† _ISPs themselves have their own short numeric addresses, called ASNs._
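
As an added illustration (not part of the thread, and not anyone's production code), here is a small path-vector simulation of the mechanics described in this comment and of the MANRS-style filtering mentioned higher up. Everything in it is assumed: the AS labels (ORIGIN, T1A, LEAKER, TRANSIT, OBSERVER), the topology, the documentation prefixes, and the common commercial best-path policy of preferring customer-learned routes over peer routes over provider routes before comparing AS-path length. The first scenario shows a misconfigured customer re-exporting a provider-learned route to its other provider, with AS-path prepending as the "make it unattractive" safeguard that does not help because local preference wins; the second shows the transit provider filtering customer sessions to the prefixes the customer is entitled to announce; the third shows the leaker itself honouring the valley-free export rule. `is_valley_free` is the check an operator could run over a received path to flag a leak.

```python
# Toy path-vector (BGP-like) model of a route leak. Constructed example: AS labels and
# prefixes are placeholders, not the real networks; best-path policy is an assumption.
from collections import defaultdict

CUSTOMER, PEER, PROVIDER, LOCAL = "customer", "peer", "provider", "local"
LOCAL_PREF = {LOCAL: 1000, CUSTOMER: 300, PEER: 200, PROVIDER: 100}
VICTIM_PREFIX = "203.0.113.0/24"   # constructed: the prefix that gets leaked
LEAKER_PREFIX = "198.51.100.0/24"  # constructed: the leaker's own, legitimate prefix

class AS:
    def __init__(self, name, originates=(), leaky=False, prepend=0, customer_filter=None):
        self.name = name
        self.links = {}                  # neighbor name -> its relationship to us
        self.rib_in = defaultdict(dict)  # prefix -> {neighbor: AS path, nearest hop first}
        self.leaky = leaky               # misconfigured: re-exports every route to everyone
        self.prepend = prepend           # extra copies of own name on announcements to providers
        self.customer_filter = customer_filter  # MANRS-style {customer: accepted prefixes}; None = off
        for p in originates:
            self.rib_in[p][None] = []    # locally originated route has an empty path

    def best(self, prefix):
        routes = self.rib_in.get(prefix, {})
        if not routes:
            return None
        rank = lambda kv: (LOCAL_PREF[LOCAL if kv[0] is None else self.links[kv[0]]], -len(kv[1]))
        return max(routes.items(), key=rank)

    def export(self, prefix, target):
        chosen = self.best(prefix)
        if chosen is None or chosen[0] == target:    # nothing to send, or route came from target
            return None
        learned_from, path = chosen
        rel_in = LOCAL if learned_from is None else self.links[learned_from]
        rel_out = self.links[target]
        # Valley-free rule: routes learned from a provider or peer go to customers only.
        if not self.leaky and rel_in in (PEER, PROVIDER) and rel_out != CUSTOMER:
            return None
        copies = 1 + (self.prepend if rel_out == PROVIDER else 0)
        return [self.name] * copies + path

    def accept(self, prefix, nbr, path):
        if self.name in path:            # loop detection
            return False
        if self.customer_filter is not None and self.links[nbr] == CUSTOMER:
            return prefix in self.customer_filter.get(nbr, set())
        return True

def link(a, b, rel_of_b_to_a):  # rel_of_b_to_a=PROVIDER means b is a's provider
    a.links[b.name] = rel_of_b_to_a
    b.links[a.name] = {PROVIDER: CUSTOMER, CUSTOMER: PROVIDER, PEER: PEER}[rel_of_b_to_a]

def converge(ases, prefixes, max_rounds=20):
    """Exchange announcements until no RIB changes; returns the AS table by name."""
    by_name = {a.name: a for a in ases}
    for _ in range(max_rounds):
        changed = False
        for a in ases:
            for prefix in prefixes:
                for nbr in a.links:
                    target, path = by_name[nbr], a.export(prefix, nbr)
                    if path is not None and not target.accept(prefix, a.name, path):
                        path = None
                    if path != target.rib_in[prefix].get(a.name):
                        changed = True
                        if path is None:
                            del target.rib_in[prefix][a.name]   # withdrawal
                        else:
                            target.rib_in[prefix][a.name] = path
        if not changed:
            return by_name
    raise RuntimeError("routing did not converge")

def is_valley_free(path, by_name):
    """Leak check on a full AS path (viewer first, origin last): a clean path climbs
    customer->provider, crosses at most one peering, and afterwards only descends."""
    hops = [h for i, h in enumerate(path) if i == 0 or h != path[i - 1]]  # drop prepends
    hops.reverse()                                                         # origin first
    descending = False
    for a, b in zip(hops, hops[1:]):
        rel = by_name[a].links[b]
        if rel in (PROVIDER, PEER) and descending:   # climbing again after descending
            return False
        descending = descending or rel in (PEER, CUSTOMER)
    return True

def observer_view(leaky, prepend, transit_filter):
    """Return OBSERVER's converged path to the victim prefix and whether it is leak-free."""
    origin = AS("ORIGIN", originates=[VICTIM_PREFIX])
    t1a = AS("T1A")                                   # origin's tier-1 provider
    leaker = AS("LEAKER", originates=[LEAKER_PREFIX], leaky=leaky, prepend=prepend)
    transit = AS("TRANSIT", customer_filter={"LEAKER": {LEAKER_PREFIX}} if transit_filter else None)
    observer = AS("OBSERVER")                         # a distant customer of TRANSIT
    link(origin, t1a, PROVIDER)
    link(leaker, t1a, PROVIDER)
    link(leaker, transit, PROVIDER)
    link(t1a, transit, PEER)
    link(observer, transit, PROVIDER)
    by_name = converge([origin, t1a, leaker, transit, observer], [VICTIM_PREFIX, LEAKER_PREFIX])
    _, path = observer.best(VICTIM_PREFIX)
    return path, is_valley_free([observer.name] + path, by_name)
```

Calling `observer_view(True, 3, False)` returns the leaked path TRANSIT LEAKER LEAKER LEAKER LEAKER T1A ORIGIN flagged as not valley-free, even though the leaker prepended itself three times: TRANSIT prefers the route because it arrived over a customer session, and path length is only a tie-breaker. `observer_view(True, 3, True)` returns TRANSIT T1A ORIGIN because TRANSIT only accepts the leaker's own prefix from it, while the leaker's legitimate prefix still propagates; `observer_view(False, 0, False)` gives the same clean path because the leaker never exports a provider-learned route to another provider, which is the "don't become a leak" half of MANRS.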

~~~
yegle
Except the GFW always checks the traffic and likely 1) DNS poisoned, 2) TCP RST'ed
some of the misrouted traffic?

------
raverbashing
Let's start prefixing IP packets with GF forbidden words just in case

------
nnnmnten
Why do these routing leaks go through China and Russia so often?

~~~
godzillabrennus
Never attribute to malice that which is adequately explained by stupidity.

~~~
kps
“Once is an accident. Twice is a coincidence. Three times is an enemy action.”

~~~
OBLIQUE_PILLAR
You should go read the nanog-l archives and see how often this happens.

------
nroah
>Today’s incident shows that the Internet has not yet eradicated the problem
of BGP route leaks. It also reveals that China Telecom, a major International
carrier, has still implemented neither the basic routing safeguards necessary
both to prevent the propagation of routing leaks nor the processes and
procedures necessary to detect and remediate them in a timely manner when they
inevitably occur.

What incentives do they have not to route data from foreign adversaries
through their networks? :')

------
ecares
The traffic did not transit through China, right?

