Hacker News new | past | comments | ask | show | jobs | submit login
Large European routing leak sends traffic through China Telecom (apnic.net)
129 points by okket 39 days ago | hide | past | web | favorite | 33 comments



Periodic reminder: "Operators, where are your MANRS?"

https://www.manrs.org/


It seems like one of the hit ISPs (KPN) actually is part of MANRS. Shouldn't that have protected them and their customers?


I don't think so. When you're in the middle and neither the source nor the destination of a route implements MANRS, there is not much to protect/verify. MANRS does protect you from becoming a leak, among other things. (I am not a total expert on routing, so please take this with a grain of salt)


Would someone explain to a scrub what "route leaking" is? Would this be an issue because the leak receiver could inspect traffic that it wouldn't have gotten otherwise?


The way inter-ISP routing works is that every ISP advertises its IP ranges† (prefixes) to each ISP it's connected to, who in turn stamp them with their own addresses and relay them to all their connections; in this way, advertisements are eventually propagated to every ISP on the Internet.

A prefix can be connected to several ISPs, and thus be advertised multiple times from multiple places. Each ISP resolves all the advertisements and computes paths to each prefix, sending traffic towards the shortest path received.

The protocol that conducts this process, BGP4, is unauthenticated and managed by a combination of fiddly filtering configurations (often based on regular expressions) and trust. An ISP can advertise any prefix and stand a chance of getting some other ISPs to route that prefix towards them.

Here, what appears to have happened was that a Dutch ISP advertised a bunch of prefixes incorrectly (they may have been advertised in such a way as to make them unattractive options for routing, as a safeguard, but that proved ineffective). China Telecom picked them up and propagated them, and, in doing so, made itself an attractive path for the prefixes for many other ISPs.

Yes, this would allow China Telecom to inspect traffic mistakenly routed to them, though it's extraordinarily unlikely that anything like that occurred.

ISPs themselves have their own short numeric addresses, called ASNs.


Except GFW always check the traffic and likely 1) DNS poisoned, 2) TCP RST'ed some of the misrouted traffic?


That's exactly right. Think of it like modifying your GPS to get you to drive to a bad part of town (so that your car/valuables are stolen).

The fact that it's China Telecom speaks volumes to this being a suspected route hijack. It's possible it was just an error on the Swiss colo companies part but somehow I doubt that.


Is there still enough unencrypted traffic to make this attack have any value? Or are they like the NSA where they care more about who and when and not so much the content of the conversations.


Let's start prefixing IP packets with GF forbidden words just in case


Why do these routing leaks go through China and Russia so often?


The key bit is at the end:

>It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur.

So basically a lack of external pressure combined with a lack of caring about preventing this.


China Telecom has minimum routing safeguards. I don't know how it works exactly, but I've heard anecdotes from Chinese network operators on multiple occasions, they say you can even steal free IP addresses from China Telecom through BGP, and normally they don't even care...


The Great Firewall partially relies on spoofing IP addresses (via BGP) for active probing. Might be related?


> So basically a lack of external pressure combined with a lack of caring about preventing this

Could someone who's paranoid guess that this is done on purpose, the goal being to capture all the packets before sending them back towards the correct ISPs?


I guess they go through other places much more often, but that's not news. When it's through a suspicious country, it makes the news.


Never attribute to malice that which is adequately explained by stupidity.


Agreed. It’s remarkably easy to screw up BGP by misconfiguration by changing (or deleting) a route map or prefix list. There’s over 800K autonomous systems participating in BGP now, so I’m certain mistakes happen all the time but don’t get reported.


This rule is over applied. If someone doesn't hold the door for you then don't assume they did it out of malice. That would be an appropriate use of this rule. Applying it in cases where there are known and obvious instances of malice doesn't make sense.


“Once is an accident. Twice is a coincidence. Three times is an enemy action.”


You should go read the nanog-l archives and see how often this happens.


Because ISPs do not want to implement secure routing protocols.


>Today’s incident shows that the Internet has not yet eradicated the problem of BGP route leaks. It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur.

What incentives do they have not to route data from foreign adversaries through their networks? :')


[flagged]


The whole thing was a mistaken configuration made by a European company. If anything, the Chinese company is a victim who got a ton of unwanted traffic routed through them.


Then why did they publish the prefixes?


This happens more than you'd think, but it's more newsworthy when China or Russia plays some part.


I agree it's more newsworthy when countries known for generally being enemies of human rights and privacy have traffic that isn't theirs routed through them, and just happen to publish prefixes.


They didn't just happen to publish anything, one of CT's _European_ customers leaked prefixes to them and CT didn't have filters in place to block it. Which is how peering has worked from day 1, you know the openness and doing things based on mutual trust that the Internet has been 'plagued' with since forever has also applies to peering relationships.

The notion that they did this on purpose to record traffic is just silly.


> China Telecom then announced these routes onto the global Internet redirecting large amounts of Internet traffic destined for some of the largest European mobile networks through China Telecom’s network.

How is China recording internet traffic silly given their expansive use of facial recognition, their crackdown on journalists, interdiction of VPN services, and use of apps to monitor ethnic minorities? Capturing a bit of foreign internet traffic isn't anything, and would be extensively useful to a police state.

If China wants to convince the rest of the world that every single BGP hijack and leak isn't intelligence gathering, then they can implement the same standards and safeguards everyone else does...


That part is not silly. But the way it happened in this case (and most cases like this) makes it silly to think they did it on purpose because they didn't actually do anything, no active choice or action on their part was required for it to happen. You could suggest that they are dragging their feet on implementing safeguards and just hoping that one of their customers leaks some routes to them so they can capture some random data, but I would call that silly as well. When they do it will be targeted and effective.


Are there any Chinese guest workers in Europe? How about agents and/or Europeans who could be bribed to misroute?

What about the above, applied to a country that is between Europe and China? Such a country could passively listen while China takes the blame.


> What about the above, applied to a country that is between Europe and China? Such a country could passively listen while China takes the blame.

This statement doesn't make sense.

The BGP peering infrastructure has nothing to do with countries being "in between" europe and china.

I think you are overly paranoid, misrouting happens (quite a lot actually) and BGP routing changes are very easy to track thanks to the nature of BGP.

There are far more "stealthy" ways of getting desired traffic.


I think it's rather that it's only reported when traffic ends up redirected to a Chinese (gasp!) entity.


The traffic did no transit through China right?




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: