For 18 minutes, China hijacked 15 percent of the world’s Internet traffic (googleusercontent.com)
224 points by pc on Nov 16, 2010 | 57 comments

Disclaimer: I am not a security expert, but I did study networking and network security for a few years.

This article seems a bit over the top. It's pure speculation, and it seems much more likely that an engineer configured a router incorrectly, panicked for 15 minutes, then fixed it.

"What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service."

We've got a technically inclined community here: When your Internet access is slow for a while, what do you attribute it to? I doubt anyone's first instinct is "must be a man-in-the-middle attack." Again, it seems much more likely that they simply had the capacity to handle most of that traffic (biggest country in the world, modernization, etc.) and no one noticed because the Internet is often flaky.

When my internet is slow, my first inclination is traceroute (mainly so I can complain to Comcast if it's their fault, which it usually is), which presumably would show what was happening.

I wouldn't consider your behavior normal. :)

The parent makes a valid claim.

I've only done traceroute a couple of times, normally when my internet is crawling at a bizarre time of day. I expect some slow down at primetime when everyone is home from work and school, I don't expect it when I'm up at 5-6am.

More than once a traceroute has shown traffic stopped at my home router, and a walk outside and around the house showed the comcast man fiddling with the junction box. No knock on the door or "hey, I'm going to be yanking the cable out of your house. hope you saved that file you were editing in vim"

I mostly sometimes remember to use gnu screen now.

I'd also emphasize the unlikelihood that China can handle that amount of traffic.

As anyone who's surfed on the internet in China can attest, the bandwidth into and out of China is basically nil. You can test this out yourself by trying to watch anything on youku.com - it takes years to load. If they magically had the capacity to actually handle the load of the world, I wish they would turn it on already.

The fact that the internet service for regular users is terrible does not mean that China does not have the capacity to make it otherwise. My impression of China's relationship with the internet is that they would prefer if their citizens stayed off it. Maybe the crap service for the average person is intentional?

If you're running a large Chinese business with billions of dollars of dealings I bet they sort you out a decent pipe.

Re both of you:

Yeah, it could be by design, and yes a number of corporations have direct fiber lines out to Japan. I used to work at Microsoft in Beijing, which had a line out to Japan and it was easily the fastest internet I've ever used in my life (goes without saying, also uncensored).

From my understanding, one of the main reasons that internet is so slow in China is because everything has to pass through the Great Firewall.

When my Internet access is slow, I'm inclined to attribute it to Comcast. Then I log into my router, verify things are down on that link (I multihome with a slower DSL connection), and reboot my cable modem. Sadly, that fixes things nine times out of ten.

Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.

Umm, yeah, right. Basic fail at understanding public/private key cryptography.

If crypto systems relied on trusting that everyone does the right thing, they would be useless.

After such a fundamental failure, it's hard to take the rest of the article seriously.

Actually, I think the article is right. They have not failed to understand public/private key cryptography; you have failed to understand where you actually get your bank's public key from. Obviously, the bank has to send it to you. But then the problem is, how can you trust it really is your bank's key? The way we do it is to trust a long list of people (CAs) to sign certificates saying "this key belongs to this domain."

So, if your browser has a CA belonging to CNNIC, a Chinese corporation which could certainly act for the Chinese government, they could pull off this spoofing. The question then is, is CNNIC in people's browsers? According to http://www.mozilla.org/projects/security/certs/included/, it is in Firefox.

As to how to pull off the spoofing, if you have a root CA, you can sign arbitrary certs, i.e. for domains you don't own.

So, the article is right and SSL does require trusting all your trusted CAs are trustworthy.

(edited for clarity and tone)

Great points. Another thing to keep in mind is that traffic encrypted using 1024 bit RSA keys, which the vast majority of SSL sites use, is no longer considered secure enough to withstand brute force decryption. In fact, the NIST has recommended that all sites upgrade to 2048 bit private keys by Jan. 1, 2011. They wouldn't make this recommendation unless people with GPGPU could crack it.

You are not going to do an exhaustive search on a 1024-bit keyspace, ever.

You break RSA by factoring n into p x q.
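A toy illustration of the point above, added here and not part of the thread: the key space of a 1024-bit RSA modulus is never searched exhaustively; an attacker who can factor n into p and q rebuilds the private exponent directly. The primes, exponent and message are constructed toy values (a real modulus is hundreds of digits and Pollard's rho, which runs in roughly n^(1/4) steps, is hopeless against it); the function and constant names are my own.

```python
"""Toy RSA with deliberately tiny primes, to show that the attack on RSA
is factoring n, not an exhaustive search of the key space.
Constructed example; nothing here is usable cryptography."""
import math

# Constructed toy parameters: two ~20-bit primes and the usual public exponent.
P_TOY, Q_TOY, E = 1_000_003, 1_000_033, 65537


def keygen(p, q, e=E):
    """Return (n, e, d) for primes p and q; d is the private exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def pollard_rho(n, seed=2):
    """Pollard's rho: returns a non-trivial factor of composite n.
    Cost grows with the size of the smallest factor, not with 2**bits."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n
            y = (y * y + c) % n            # hare: two steps
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # the sequence cycled on n itself; retry with another polynomial


def recover_private_key(n, e):
    """Given only the public key (n, e), factor n and rebuild d."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    n, e, d = keygen(P_TOY, Q_TOY)
    m = 42                                 # constructed plaintext
    c = pow(m, e, n)
    d_recovered = recover_private_key(n, e)
    print("modulus bits:", n.bit_length())
    print("recovered d equals real d:", d_recovered == d)
    print("ciphertext decrypts with recovered key:", pow(c, d_recovered, n) == m)
```

The factoring step is the whole attack: once p and q are known, phi(n) and hence d follow in one modular inversion, which is why key size recommendations are driven by factoring progress rather than by raw brute-force rates.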

SSL may require "trusting all your trusted CAs", but that statement is a tautology. If you don't want to trust a Chinese CA, remove them from your root certificate store. SSL will continue to work, and you probably won't even notice the impact.

Yes, the last sentence was meant to be a tautology — the trusted CAs are trusted, if a trusted element is hosed, you are hosed, that's what trusted means. I have no doubt you are more knowledgeable and experienced in this than me, and of course you're right that you can remove the Chinese CA, but I don't think that is a sufficient solution to the proposed attack.

Firstly, I doubt that US (say) government personnel will remove Chinese CAs, never mind contractors or even ordinary business people or citizens, so to my mind this is a risk to trusting SSL, even if expert users can mitigate it as you have described.

Secondly, I believe CAs can also sign other CAs (and indeed Entrust did this for this very Chinese CA) so it's not that simple. You might need to distrust most CAs, which makes using SSL slightly tricky.

Thirdly, even if you remove the CA now, how do you know you weren't already MITM-attacked back in February? It's too late.

As for mitigation, alerting the user on CA or certificate changes might help, but getting the UX right will be hard. I could see a solution in the future where your bank sends you a memory stick with portable firefox installed on it and precisely one trusted certificate — the bank's. Of course, that means trusting the mail system, but since we already trust the mail system (e.g. using mailed statements for ID verification) we can't be worse off. An attack would require hijacking the USB stick and your connection to the bank at the beginning of the same session for it not to be noticeable — not so easy.

Does this lead to certificate revocation as the next form of economic trade wars?

The discussion about CNNIC's inclusion in Firefox is here: http://news.ycombinator.com/item?id=1095121

This is a failure of the journalist to understand the distinction between "public/private key cryptography" and "public/private key cryptography as used in the SSL/TLS certificate authority scheme". I'm pretty sure that the guy (s)he was interviewing knew the difference.

Of course, configuring your system to trust any valid certificate is just stupid.

You are right, this explanation of public key encryption is wrong. Maybe this stems from misunderstanding by the author, or is just the result of oversimplification.

However, that threat of Chinese authorities sniffing on SSL traffic is real. Just remember the root certificate issued by the China Internet Network Information Center that ended up in Firefox, see http://news.ycombinator.com/item?id=1244444

> If crypto systems relied on trusting that everyone does the right thing, they would be useless.

Actually, in-browser SSL crypto without certificate verification (as in "is this the same certificate that it was before?", not as in "is this certificate signed by a trusted CA?") relies exactly on that assumption.
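The "is this the same certificate it was before?" check in the comment above, and the one-trusted-certificate idea from the earlier mitigation comment, are both forms of certificate pinning. This added example (mine, not from the thread or any browser) implements a trust-on-first-use pin store: the first certificate seen for a host is remembered by SHA-256 fingerprint, and any later certificate that differs is flagged regardless of which CA signed it. The `PinStore` class and the byte strings standing in for DER certificates are constructed for the example.

```python
"""Trust-on-first-use (TOFU) certificate pinning, independent of the CA
system: the client stores the SHA-256 fingerprint of the first certificate
a host presents and alarms on any later change.  Constructed example."""
import hashlib
import json
import tempfile
from pathlib import Path


class PinStore:
    """Maps hostname -> SHA-256 fingerprint of the DER-encoded certificate."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2))

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, der_cert: bytes) -> str:
        """'pinned' on first sight, 'match' when the stored pin holds,
        'MISMATCH' when the certificate changed.  A mismatch is either a
        man-in-the-middle holding a cert from some other trusted CA, or a
        legitimate rotation; only the user can tell, so never auto-update."""
        fp = self.fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "pinned"
        return "match" if known == fp else "MISMATCH"

    def accept_rotation(self, host: str, der_cert: bytes) -> None:
        """Replace a pin after the new certificate was confirmed out of band
        (e.g. against a fingerprint printed on a mailed statement)."""
        self.pins[host] = self.fingerprint(der_cert)
        self._save()


def run_demo():
    """Stand-alone walk-through with constructed stand-in certificates."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        store = PinStore(Path(tmp) / "pins.json")
        bank_cert = b"constructed DER bytes: the bank's certificate"
        other_cert = b"constructed DER bytes: a cert for the same name from another CA"
        rotated_cert = b"constructed DER bytes: the bank's renewed certificate"
        results.append(store.check("bank.example", bank_cert))      # pinned
        results.append(store.check("bank.example", bank_cert))      # match
        results.append(store.check("bank.example", other_cert))     # MISMATCH
        store.accept_rotation("bank.example", rotated_cert)
        results.append(store.check("bank.example", rotated_cert))   # match
    return results


if __name__ == "__main__":
    for step, outcome in zip(
        ["first visit", "revisit", "different cert", "after confirmed rotation"],
        run_demo(),
    ):
        print(f"{step:26s} -> {outcome}")
```

The weakness of pure TOFU is the first connection: if that one was already intercepted, the wrong certificate gets pinned, which is exactly the "how do you know you weren't already MITM-attacked back in February" objection from earlier in the thread. Delivering the initial pin out of band (the mailed USB stick idea) closes that gap at the cost of trusting the delivery channel.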

In this case, wouldn't a leaked CA private/signing key constitute "abuse"?

It seems to me that data going over a publicly accessible network that is designed to let that data go by whatever route is necessary has been routed over a part of that network.

How is that a problem? You cannot expect your internet data to be private: the nature of the beast is that it will be public. Anything sensitive must be encrypted in such a way that by the time the encryption is broken by your enemy (considering the likely resources they have) the data is no longer useful.

Did I miss something?

I'm a little bit surprised that peers did not have filters on inbound BGP advertisements. As an operator you typically don't trust most of your peers and only accept advertisements for ASes and network blocks previously agreed upon. Filters are modified manually.

The largest operators have peering links with no filters ("everyone is equal"), but that implies a lot of trust. And "trust" should not be a word placed next to a communist country name.

> And "trust" should not be a word placed next to a communist country name.

The word "trust" shouldn't be placed next to any government.

You may have meant to say:

> As a responsible operator

Which is categorically different than the majority of operators. Additionally, what does communism have to do with it?

RIPE stores every BGP update message sent through the AMSIX in an Oracle DB. I know this because I know the guy that does it. I don't know specifically about ARIN but we can safely assume they do the same.

Unless someone actually goes and looks at what was being sent by Chinese BGP routers at the time of this supposed outage they should STFU. I'm not saying this is definitely BS. But the article is seriously short on details.

Can anyone with more knowledge comment on plausibility of this?

Google Cache: http://webcache.googleusercontent.com/search?q=cache:4lR05JZ...

Presumably, a broken BGP advertisement. These days, they create breathless "news" stories like this one. Back in the '90s, when small-town ISPs managed to accidentally advertise short paths to huge chunks of the Internet, they broke the whole Internet. It's hard to get too wound up about it.

If you're worried that China is going to MITM your SSL sessions, remove their certificate from your cert store.

If I was a Chinese supercyberspy, I probably wouldn't do something as blatant as routing the entire Internet to China just to get traffic I wanted. I think I'd do something much more akin to spearphishing an overseas Google employee to get onto their internal network.

"Also, the list of hijacked data just happened to include preselected destinations around the world that encompassed military, intelligence and many civilian networks in the United States and other allies such as Japan and Australia"

If this claim is valid, it would seem likely that the bad BGP advertisement was not accidental.

If it wasn't accidental, then I doubt it was a serious operation. Most likely a fishing expedition. Testing the waters to see what the reaction is and what data (or kinds of data) they are able to harvest.

China just validated that they can intercept traffic for malicious intent, with no international retaliation to speak of. How is that not serious?

"This happens accidentally a few times per year, Alperovitch said."

They aren't the only ones.

Because so can practically any random company.

By 'serious operation,' I mean something where they were after a specific goal, vs just probing for weaknesses.

Internet routing is supposed to be a distributed system alright, but most of the internet services (except China's) are not hosted in China. Wouldn't it be easy to add a policy to BGP that effectively blacklists (or gives a low priority to) routers in Chinese ASes?

I guess what would be difficult is to reach a consensus on adding the above route... oh well.

Also relevant: http://asert.arbornetworks.com/2008/02/internet-routing-inse...

ever heard about Net Neutrality?

This has nothing to do with net neutrality - we're talking about routing policy, not traffic policy.

What the article describes can absolutely be done. Well, sort of. China can't advertise its routes as the "fastest", because internet routing cares little about performance[1], but they can otherwise work to make them an attractive option. It's certainly plausible that they could have pulled in 15% of global traffic.

It's not plausible that they could have pulled in any traffic they so choose, but (depending on where their border is placed) they could have grabbed most of it. Also, it's not necessarily obvious to a casual observer what they could have grabbed.

[1] Internet routing in practice is based mostly on politics, a little bit on cost, and basically just uses performance as a tie-breaker.
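An added example, mine and not from the thread, covering two points made above: the earlier comment that operators should only accept inbound advertisements for prefixes and ASes agreed with each peer, and this comment's observation that route selection is about policy and path length, never measured performance. It models a per-peer ingress prefix filter and a minimal BGP decision process (local preference, then AS-path length) and shows that a more-specific prefix leaked by an unauthorized peer attracts the traffic through longest-prefix match before any path attribute is even compared, unless the ingress filter drops it. All AS numbers, prefixes and policy entries are constructed for the example and refer to no real network.

```python
"""Per-peer BGP ingress filtering versus a leaked more-specific prefix.
Constructed announcements; AS numbers and prefixes are made up."""
import ipaddress

# Constructed peering policy: peer AS -> blocks it may originate, and the
# longest prefix we accept inside them (as agreed in the peering contract).
PEER_POLICY = {
    64500: {"allowed": ["203.0.113.0/24"], "max_len": 24},
    64501: {"allowed": ["198.51.100.0/22"], "max_len": 24},
}

# A transit peer accepted with no filter at all ("everyone is equal").
UNFILTERED_PEERS = {64502}


def ingress_accept(peer_as, prefix, as_path):
    """True if an announcement from peer_as passes our inbound filter."""
    if peer_as in UNFILTERED_PEERS:
        return True
    policy = PEER_POLICY.get(peer_as)
    if policy is None:
        return False                      # unknown peer: accept nothing
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > policy["max_len"]:
        return False                      # too specific for what was agreed
    origin_ok = as_path[-1] == peer_as    # peer must originate its own space
    return origin_ok and any(
        net.subnet_of(ipaddress.ip_network(block)) for block in policy["allowed"]
    )


def best_path(routes):
    """BGP decision for one prefix: higher local-pref (policy) wins, then the
    shorter AS path.  Latency or throughput never enter the comparison."""
    return min(routes, key=lambda r: (-r["local_pref"], len(r["as_path"])))


def build_rib(announcements, apply_filter):
    """Group accepted announcements by prefix."""
    rib = {}
    for a in announcements:
        if apply_filter and not ingress_accept(a["peer_as"], a["prefix"], a["as_path"]):
            continue
        rib.setdefault(a["prefix"], []).append(a)
    return rib


def lookup(rib, dest_ip):
    """Longest-prefix match first, then best_path inside that prefix."""
    dest = ipaddress.ip_address(dest_ip)
    covering = [p for p in rib if dest in ipaddress.ip_network(p)]
    if not covering:
        return None
    longest = max(covering, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best_path(rib[longest])


# Constructed announcements: the legitimate /22 heard directly from its
# origin and via transit, plus a /24 carved out of it by AS64500, which
# is not authorized for that space.
ANNOUNCEMENTS = [
    {"peer_as": 64501, "prefix": "198.51.100.0/22", "as_path": [64501], "local_pref": 100},
    {"peer_as": 64502, "prefix": "198.51.100.0/22", "as_path": [64502, 64501], "local_pref": 100},
    {"peer_as": 64500, "prefix": "198.51.100.0/24", "as_path": [64500], "local_pref": 100},
]


def origin_for(dest_ip, apply_filter):
    """Origin AS that traffic to dest_ip is delivered to."""
    route = lookup(build_rib(ANNOUNCEMENTS, apply_filter), dest_ip)
    return route["as_path"][-1] if route else None


if __name__ == "__main__":
    print("without ingress filter:", origin_for("198.51.100.10", False))  # 64500
    print("with ingress filter:   ", origin_for("198.51.100.10", True))   # 64501
```

With the filter off, the /24 wins purely because it is more specific; the legitimate origin's shorter AS path is never consulted. With the filter on, the /24 is dropped at the edge because AS64500 is not in the agreed list for that block, and the decision process then correctly prefers the direct /22 over the longer transit path. This is the "accept only what was agreed upon" discipline the earlier comment describes, and the reason unfiltered peerings with large transit providers carry the trust they do.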

BGP could stand to get a security update but as with most fundamental internet protocols it will probably never happen. Most people seem to believe this incident was accidental. More info,



Interesting note about public keys that are automatically trusted by proprietary operating systems, and the potential for abuse by foreign powers. Reminded me of the discussion a while back about how it's relatively easy to become a root certificate authority in Firefox. Everyday cryptography needs some serious revamping.

The UI for everyday cryptography needs some serious revamping.

It's not relatively easy to become a Firefox root CA, but too many people are, and part of the reason why is that your cert store configuration is buried deep in the "don't touch, no user serviceable parts" bowels of your configuration.

And how does one fix/change it?

This is a good point, and it is something that the authors of http://web.monkeysphere.info/ are trying to solve.

More info: http://web.monkeysphere.info/why/#index1h2

Because this project (sensibly) doesn't override X509 authentication, it does nothing to address the problem observed by the parent commenter, or for that matter the fever dream of the article we're commenting on.

Thankfully, it is very unlikely that anything like this would ever see widespread adoption, thus allowing us to sidestep the question of how it might work if they turned X509 off.

If you want more technical internet routing information, always look to NANOG. These two threads are discussing what happened, as it happened, by the people who are likely to fix/deal with it:



I got a message alert in Gmail two days ago saying that my email had been accessed from China. I wonder if that was related.

It says that the hijacking occurred in April. Someone in China accessing your email just two days ago is probably just coincidence. However, it would still be a good idea to look into it (and change your password)

Thanks. I did change the password. A search indicates that something similar has been reported by others about every month this year. http://www.google.com/search?sourceid=chrome&ie=UTF-8...

This article is about something that happened 7 months ago.

Looked at your message and logged into my email account.

Got a message that it was accessed by United States (webcontrolcenter.com) 21 hours ago.

WTF is happening

Advice on what to do now is welcome here.

Why the hell am I being downvoted? I think this is a serious issue here. And I am not alone. There are many other people who had something like this.

Please leave a comment, as the downvotes are cryptic to me.

I didn't downvote you, but I don't come to HN to give tech support either. Change your password to a stronger one, don't use it on other sites, don't type it on suspect computers, etc; you should know this.

Sorry for the harsh words.

Are you in Cocos Islands? Maybe the downvoters assumed you're in the US?

I am in India. And I was not looking for tech support, but your take on what to make of this. I never ask for tech support from a community which is not meant for this.

Cool. Keep us posted.

