China Probably Didn't Hijack the Internet on Purpose, Researcher Says

An incident earlier this year in which a large chunk of global Internet traffic was rerouted through servers in China was almost certainly not aimed specifically at U.S. government or military networks, according to an analysis by Renesys, an Internet network monitoring firm.

The April 8 incident affected networks in 170 countries, including thousands in China itself, Renesys CTO James Cowie said in a blog post Thursday.

And it resulted in traffic from networks belonging to several governments, not just the U.S, being rerouted through servers belonging to China Telecom, a state-owned telecommunications company. Networks in China, Korea, India, Australian and Japan were disproportionately affected because they were closer to the source of the problem.

"The scattershot nature of the hijack suggests a random mistake, not a deliberate attack on anyone in particular," Cowie said. "Of course, it's impossible to know for sure."

In a report to Congress on Wednesday, the U.S.-China Economic and Security Review Commission expressed concern over the traffic rerouting. The incident lasted 18 minutes and affected several U.S. government and military networks, including those belonging to the Army, Navy, Air Force and Marine Corps and the Department of Defense.

The Commission report made it clear that there was no evidence to suggest that Chinese authorities had deliberately rerouted traffic. But it pointed to the incident as an example of China's ability to control and manipulate Internet traffic if it wanted to.

In a blog post Thursday, James Cowie, the chief technology officer at Renesys, said that the incident began when a small portion of China Telecom's network erroneously "asserted ownership of more than 50,000 different blocks of IP addresses."

In effect, the China Telecom's servers were erroneously advertising themselves as the best routes for a large chunk of Internet traffic to take between destinations. The error was quickly propagated to other networks and pretty soon resulted in traffic from around the Internet being routed through China Telecom.

Such accidental rerouting happens quite often, but typically involves small ISPs.

"Usually, if a small operator 'hijacks' a large part of the Internet, they simply get buried under the weight of all the random traffic that suddenly come their way," he wrote. "The traffic goes down a hole and dies, and that quickly alerts people to the problem, and it gets fixed."

But China Telecom is the 11th largest Internet provider in the world and had the capacity to handle the additional traffic flows through its networks, he said. "People have suggested to us that this rerouting creates the ideal conditions for a traffic-archiving man-in-the-middle attack, but cooler heads have observed that there's absolutely no evidence that such a thing actually took place," Cowie said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Subscribe to the Daily Downloads Newsletter

Comments