China Hijacks 15% of Internet Traffic?

On Wednesday, the US China Economic and Security Review Commission released a wide-ranging report on China trade, capital markets, human rights, WTO compliance, and other topics. If you have time to spare, here is a link to the 324-page report.

Tucked away in the hundreds of pages of China analysis is a section on the Chinese Internet, including the well-documented April 8, 2010 BGP hijack of several thousand routes (starting on page 244).

To review, at around 4am GMT on April 8th a Chinese Internet provider announced 40,000 routes belonging to other ISPs and enterprises around the world (though many were for China-based companies). During a subsequent window of roughly 15 minutes, a small percentage of Internet providers around the world redirected traffic for a small percentage of these routes to Chinese address space. RIPE provides a link to a list of some of these prefixes (and indicates that the impact on European carriers was minimal), and Andree Toonk and his colleagues at BGPmon have a nice synopsis on the BGPMon blog.

Following shortly on the heels of the China hijack of DNS addresses in March, the April BGP incident generated a significant amount of discussion in the Internet engineering community.

Any corruption of DNS or global routing data (whatever the motive) is a cause of significant concern and reiterates the need for routing and DNS security. But in an industry crowded with security marketing and hype, it is important that we limit the hyperbole and keep the discussion focused on the legitimate long-term infrastructure security threats and technical realities.

So, it was with a bit of surprise that I watched an alarmed Wolf Blitzer report on prime time CNN about the China hijack of “15% of the Internet” last night. Somewhat less diplomatically, a discussion thread on the North American Network Operator Group (NANOG) mailing list called the media reports an exaggeration or “complete FUD”. Also on the NANOG mailing list, Bob Poortinga writes “This article … is full of false data. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted.”

If you read the USCESRC report, the committee only claims China hijacked “massive volumes” of Internet traffic but never gets as specific as an exact percentage. The relevant excerpt from the report is below:

The USCESRC cites the BGPMon blog as the source of data on “massive traffic volumes”. But curiously, the BGPMon blog makes no reference to traffic — only the number of routes.

You have to go to a National Defense interview with Dmitri Alperovitch, vice president of threat research at McAfee, to first come up with the 15% number. Several hundred media outlets, including CNN, the Wall Street Journal, Time Magazine and many more picked up this interview and eagerly reported on China’s hijack of “massive Internet traffic volumes of 15% or more”.

Now certainly, diverting 15% of the Internet even for just 15 minutes would be a major event. But as earlier analysis by Internet researchers suggested, this hijack had limited impact on the Internet routing infrastructure — most of the Internet ignored the hijack for various technical reasons.

And indeed, ATLAS data from 80 carriers around the world graphed below shows little statistically significant increase due to the hijack on April 8, 2010. I highlight April 8th in yellow and each bar shows the maximum five minute traffic volume observed each day in April going to the Chinese provider at the center of the route hijack.


[Figure: china hijack. ATLAS daily maximum five-minute traffic volume to the Chinese provider at the center of the route hijack, April 2010, with April 8 highlighted in yellow]

While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), I’d estimate diverted traffic never topped a handful of Gbps. And in an Internet quickly approaching 80-100 Tbps, 1-3 Gbps of traffic is far from 15% (it is much closer to 0.015%).

In fairness, I should note that I don’t know how Mr. Alperovitch obtained his 15% number (the article does not say), and a hijack of 40k routes out of a default-free table of ~340K is not far from fifteen percent. But of course, routes are different from traffic. I should also add that China denied the hijack and that some Internet researchers suspect the incident was likely accidental.
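Routes, addresses and bytes are three different denominators, which is exactly the confusion behind the 15% figure: the same hijack can be 15% of one and a tiny fraction of another. The following is an added example, not code from the original post; the routing table, its traffic numbers and the 10% adoption rate are constructed, and Python's ipaddress module supplies the address counts.

```python
from ipaddress import ip_network

# Constructed sample routing table: prefix -> traffic it normally attracts, in Gbps.
# The numbers are made up to mirror the post's point: a few large, busy prefixes
# carry almost all of the bytes, while most routes are small /24s carrying very little.
TABLE = {"10.0.0.0/8": 700.0, "172.16.0.0/12": 250.0, "192.168.0.0/16": 41.5}
TABLE.update({f"100.64.{i}.0/24": 0.5 for i in range(17)})   # 17 quiet /24s

# Constructed hijack: three of the quiet /24s get announced by the wrong origin.
HIJACKED = {"100.64.0.0/24", "100.64.1.0/24", "100.64.2.0/24"}


def hijack_shares(table, hijacked, adoption=1.0):
    """Return (route share, address share, traffic share) for a hijacked prefix set.

    adoption is the assumed fraction of the Internet that accepted the bogus routes
    (the post notes that only a small percentage of providers did). The route and
    address shares do not depend on it; the traffic share does.
    """
    hit = [p for p in table if p in hijacked]
    route_share = len(hit) / len(table)
    addr_share = (sum(ip_network(p).num_addresses for p in hit)
                  / sum(ip_network(p).num_addresses for p in table))
    traffic_share = adoption * sum(table[p] for p in hit) / sum(table.values())
    return route_share, addr_share, traffic_share


if __name__ == "__main__":
    routes, addrs, traffic = hijack_shares(TABLE, HIJACKED, adoption=0.10)
    # Same event, three very different headlines depending on the denominator.
    print(f"routes {routes:.1%}  addresses {addrs:.4%}  traffic {traffic:.4%}")
```

With these constructed inputs the hijack covers 15% of the routes but well under a hundredth of a percent of the addresses and of the traffic.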

The global BGP Internet routing system is incredibly insecure. Fifteen years ago, I wrote a PhD thesis (link available here) using experiments that in part capitalized on the lack of routing security. My research injected hundreds of thousands of fake routes (harmless!) into the Internet and redirected test traffic over the course of two years. A decade or more later, none of the many BGP security proposals have seen significant adoption due to a lack of market incentives, and non-legitimate routes still regularly get announced and propagated, by accident or otherwise. Overall, the Internet routing system still relies primarily on trust (or “routing by rumor” if you are more cynical).

We need to fix Internet infrastructure security, but we also need to be precise in our analysis of the problems.

UPDATE: Additional discussion and statistics on the incident are now available in a follow-up blog at /2010/11/additional-discussion-of-the-april-china-bgp-hijack-incident.

– Craig

28 Responses to “China Hijacks 15% of Internet Traffic?”

November 19, 2010 at 9:58 am, Dave Piscitello said:

OMG an article with facts, statistical evidence, and constructive insight.

Well done, Craig!

November 19, 2010 at 12:27 pm, Claims About China’s April Internet Hijack Are Overblown | JetLib News said:

[…] In a review of real data and actual facts, Arbor Networks’ Craig Labovitz has a blog post looking at the traffic volumes involved in the incident (only a couple of Gigabits per second, or a ‘statistically insignificant’ percentage of […]

November 19, 2010 at 1:06 pm, Anon said:

Hey Craig!

I found the source of the 15%, it’s oddly enough in the same congressional report cited (page 252):

For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers.* Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China.

Source 116 is a briefing that Dmitri Alperovitch gave to the Commission Staff on Aug 25 2010. Your assessment of ‘15% of routes’ vs. ‘15% of volume traffic’ is correct, and it looks like Dmitri was misinterpreted.

November 20, 2010 at 6:20 pm, Craig Labovitz said:

Ron:

Thanks for the comment and finding the reference in the report (I searched for the number — any number — but somehow missed this).

BGP hijacking events are complicated for the media to explain / interpret. It is pretty clear at this point that many of the original statements in the report and interviews were accurate but later mischaracterized / misinterpreted by the press.

– Craig

November 19, 2010 at 1:55 pm, batz said:

Excellent post. So necessary. Get thee on CNN.

When I talked about this at Blackhat back in the day, I wasn’t aware of your thesis or Steve’s paper (can’t remember his name, had beard, did peacock maps using caida’s skitter and walrus.)

Perhaps even more cynically, it’s probably useful for someone to announce random junk every once in a while to improve filters. I’ve been out of the ISP game for years, but going through the list archives, it is notable that Nanog handled this admirably and particularly without regulatory intervention. Error or not, however, I can’t help but cringe to think that China can attack a 10-15 yr old vulnerability with any success.

Main question now is why make a thing of it in Congress unless someone in government is angling for a regulatory lever to pull. Is this attack the Internet regulation equivalent of the “yellow cake and aluminium tubes” from the Plame affair?

November 19, 2010 at 3:20 pm, China Hijacks 0.015% of Internet Traffic! – flyingpenguin said:

[…] is his report: China Hijacks 15% of Internet Traffic! While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), […]

November 19, 2010 at 3:35 pm, China Internet Diversion Clarified « MadMark's Blog said:

[…] re-routing of Internet traffic to China reported earlier this week by multiple news sources.  In a blog post, the actual source of the “15%” at McAfee is identified, and the math […]

November 19, 2010 at 3:54 pm, Gabriel said:

Hi,

link to wikipedia article on Blitzer is broken (remove double colon before en).

November 19, 2010 at 5:43 pm, Bob Poortinga said:

Thanks for setting the record straight, Craig. The report’s statement of “Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China.” contains three false assertions. 1) All traffic for these destinations was routed to China, 2) 15% of prefixes is 15% of IP addresses (destinations), 3) the phrase “through servers in China” implies that the traffic was intercepted in China and re-routed to its original destinations. None of this is true.

November 19, 2010 at 8:34 pm, Digital Society » Blog Archive » Clarifying the China Internet hijacking incident said:

[…] 2 – Arbor Networks estimates that the actual amount of traffic hijacked to China Telecom is on the order of 0.015% of the Internet (via Andy Greenberg).  Arbor Network’s Craig Labovitz makes a great point that the […]

November 19, 2010 at 8:36 pm, From the Listening Post… 11/20/2010 (a.m.) « Sean Lawson, Ph.D. said:

[…] China Hijacks 15% of Internet Traffic! | Security to the Core | Arbor Networks Security […]

November 19, 2010 at 11:20 pm, Brighten Godfrey said:

Thanks for the article, Craig. I’m wondering how to interpret the ATLAS chart, though. It shows little or no increase in the daily 5-minute maximum traffic volume to AS23724. However,

(1) If the event didn’t push the traffic volume over the maximum 5-minute period for the day, then it wouldn’t show up at all in this plot. Do I understand correctly? So if the event happened at a time of day that normally had low traffic, it may have significantly increased traffic volume to AS23724 during the event, despite what this plot shows.

(2) The change in traffic to AS23724 doesn’t really tell us how much traffic was affected. Unless it was a perfect interception attack, some or many or nearly all of the application-level connections to hijacked prefixes would have failed or been cancelled by the users, causing data to be not sent at all rather than being sent to AS23724.

While I assume you’re right about the volume of affected traffic being vastly smaller than 15%, I’d be curious to see a better estimate if you have one.

Thanks,
Brighten Godfrey

November 20, 2010 at 6:11 pm, Craig Labovitz said:

Brighten,

Thanks for the comments.

With regards to “if the event didn’t push the traffic volume over the maximum 5-minute period for the day, then it wouldn’t show up at all in this plot.” Correct.

We maintain data at five minute granularity for 4-5 months. After that, disk limitations / budget force us to round-robin data up to hour and day granularity. So eight months after the April hijack, we’re left with the average and max per day. And unfortunately, I did not think the hijack significant enough back in April to generate graphs or otherwise save off the data.

Your observation that our graph will obscure an increase in traffic if it occurred during a normal diurnal low period is also accurate. But the main goal of my blog was to indicate that we did not see traffic increase in line with 15% of all Internet traffic (and we would have seen this massive spike no matter when the event occurred).

Finally, I’ll address your second point about “the change in traffic to AS23724 doesn’t really tell us how much traffic was affected” in a blog post next week. Though, I will say now that traffic volume is not a particularly meaningful measure of the security risk posed by a hijack.

– Craig
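Brighten’s first point, which Craig confirms above, is easy to see with numbers. The following is an added illustration, not code from the original post or its comments; the diurnal traffic curve and the 2.5 Gbps, 15-minute bump at 04:00 are constructed. A short off-peak event is plain in five-minute samples but disappears entirely once the day is rolled up to a single maximum.

```python
import math

BINS_PER_DAY = 24 * 12   # five-minute samples, the granularity ATLAS keeps for a few months


def diurnal_day(low=10.0, high=30.0, trough_hour=4.0):
    """Constructed one-day traffic curve in Gbps: a smooth diurnal cycle whose
    minimum falls at trough_hour (04:00, roughly when the April 8 hijack began)."""
    samples = []
    for i in range(BINS_PER_DAY):
        hour = i / 12
        phase = 2 * math.pi * (hour - trough_hour) / 24
        samples.append(low + (high - low) * (1 - math.cos(phase)) / 2)
    return samples


def add_event(samples, start_hour, minutes, extra_gbps):
    """Return a copy with extra_gbps added to every bin inside the event window."""
    bumped = list(samples)
    first = int(start_hour * 12)
    for i in range(first, first + minutes // 5):
        bumped[i] += extra_gbps
    return bumped


def daily_max(samples):
    """All that survives the round-robin rollup described above: one max per day."""
    return max(samples)


def event_delta(samples, start_hour, minutes, guard_bins=3):
    """Mean traffic inside the event window minus the mean of the bins around it,
    i.e. what the five-minute data would have shown before it was rolled up."""
    first = int(start_hour * 12)
    last = first + minutes // 5
    window = samples[first:last]
    around = samples[first - guard_bins:first] + samples[last:last + guard_bins]
    return sum(window) / len(window) - sum(around) / len(around)


if __name__ == "__main__":
    quiet = diurnal_day()
    hijack_day = add_event(quiet, start_hour=4.0, minutes=15, extra_gbps=2.5)
    print("daily max: quiet %.1f Gbps, hijack day %.1f Gbps"
          % (daily_max(quiet), daily_max(hijack_day)))
    print("five-minute view: +%.2f Gbps during the window"
          % event_delta(hijack_day, 4.0, 15))
```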

November 20, 2010 at 2:14 am, Experts Say China Web Traffic Hijack Claims Are ‘Overhyped’ | eWEEK Europe UK said:

[…] figure appeared to be disputable to many security experts. Craig Labovitz, chief scientist at Arbor Networks, told eWEEK that, despite sundry reports and analyses, the hijack did not route 15 percent of […]

November 20, 2010 at 1:15 pm, Dmitri Alperovitch said:

I have posted an updated blog on this topic here: http://blogs.mcafee.com/mcafee-labs/april-route-hijack-sifting-through-the-confusion-2

The network that should be examined for any traffic volume anomalies is AS4134, not AS23724

November 22, 2010 at 12:35 pm, Craig Labovitz said:

Dmitri,

Thanks for the pointer to your blog. Per your suggestion, I added some additional discussion and statistics for AS23724 in a new blog post (/blog/asert/2010/11/additional-discussion-of-the-april-china-bgp-hijack-incident/).

– Craig

November 20, 2010 at 6:43 pm, BGPmon.net Blog said:

Chinese BGP hijack, putting things in perspective…

China denies hijacking a huge chunk of US net traffic Internet Traffic from U.S. Government Websites Was Redirected Via Chinese Networks……

November 22, 2010 at 10:53 am, Week 46 in Review – 2010 | Infosec Events said:

[…] China Hijacks 15% of Internet Traffic? – arbornetworks.com […]

November 23, 2010 at 6:58 am, Additional Discussion of the April China BGP Hijack Incident said:

[…] Discussion of the April China BGP Hijack Incident My blog post last week on the April 8th China BGP hijack incident generated significant discussion and raised additional […]

November 23, 2010 at 1:24 pm, China did not hijack 15% of the Net, counters researcher « Axxera Inc. said:

[…] a blog post earlier Friday, Labovitz called BGP “incredibly insecure,” and bemoaned the lack of […]

November 23, 2010 at 11:08 pm, Tune Up Your PC » Post Topic » Hey, China? The Internet called! It wants its traffic back. said:

[…] China trade, capital markets, human rights, and other top issues.  Craig Labovitz has a good summary on his blog: Tucked away in the hundreds of pages of China analysis is a section on the Chinese […]

November 24, 2010 at 11:59 am, B2B Tech Talk » China Telecom debacle exposes Internet’s biggest vulnerability said:

[…] of Internet sites was affected, which doesn’t correlate to 15 percent of all Net traffic. (Craig Labovitz of Arbor Networks and BGPMon.net both have good summary analyses of what […]

December 03, 2010 at 6:23 am, Internet Infrastructural Fragility: BGP and DNS | Collision Resistant said:

[…] /blog/asert/2010/11/china-hijacks-15-of-internet-traffic/ […]

Comments are closed.