Large European routing leak sends traffic through China Telecom(blog.apnic.net)
blog.apnic.net
Large European routing leak sends traffic through China Telecom
https://blog.apnic.net/2019/06/07/large-european-routing-leak-sends-traffic-through-china-telecom/
36 comments
It seems like one of the hit ISPs (KPN) actually is part of MANRS. Shouldn't that have protected them and their customers?
I don't think so. When you're in the middle and neither the source nor the destination of a route implements MANRS, there is not much to protect/verify. MANRS does protect you from becoming a leak, among other things. (I am not a total expert on routing, so please take this with a grain of salt)
Would someone explain to a scrub what "route leaking" is? Would this be an issue because the leak receiver could inspect traffic that it wouldn't have gotten otherwise?
The way inter-ISP routing works is that every ISP advertises its IP ranges† (prefixes) to each ISP it's connected to, who in turn stamp them with their own addresses and relay them to all their connections; in this way, advertisements are eventually propagated to every ISP on the Internet.
A prefix can be connected to several ISPs, and thus be advertised multiple times from multiple places. Each ISP resolves all the advertisements and computes paths to each prefix, sending traffic towards the shortest path received.
The protocol that conducts this process, BGP4, is unauthenticated and managed by a combination of fiddly filtering configurations (often based on regular expressions) and trust. An ISP can advertise any prefix and stand a chance of getting some other ISPs to route that prefix towards them.
Here, what appears to have happened was that a Dutch ISP advertised a bunch of prefixes incorrectly (they may have been advertised in such a way as to make them unattractive options for routing, as a safeguard, but that proved ineffective). China Telecom picked them up and propagated them, and, in doing so, made itself an attractive path for the prefixes for many other ISPs.
Yes, this would allow China Telecom to inspect traffic mistakenly routed to them, though it's extraordinarily unlikely that anything like that occurred.
† ISPs themselves have their own short numeric addresses, called ASNs.
A prefix can be connected to several ISPs, and thus be advertised multiple times from multiple places. Each ISP resolves all the advertisements and computes paths to each prefix, sending traffic towards the shortest path received.
The protocol that conducts this process, BGP4, is unauthenticated and managed by a combination of fiddly filtering configurations (often based on regular expressions) and trust. An ISP can advertise any prefix and stand a chance of getting some other ISPs to route that prefix towards them.
Here, what appears to have happened was that a Dutch ISP advertised a bunch of prefixes incorrectly (they may have been advertised in such a way as to make them unattractive options for routing, as a safeguard, but that proved ineffective). China Telecom picked them up and propagated them, and, in doing so, made itself an attractive path for the prefixes for many other ISPs.
Yes, this would allow China Telecom to inspect traffic mistakenly routed to them, though it's extraordinarily unlikely that anything like that occurred.
† ISPs themselves have their own short numeric addresses, called ASNs.
Except GFW always check the traffic and likely 1) DNS poisoned, 2) TCP RST'ed some of the misrouted traffic?
That's exactly right. Think of it like modifying your GPS to get you to drive to a bad part of town (so that your car/valuables are stolen).
The fact that it's China Telecom speaks volumes to this being a suspected route hijack. It's possible it was just an error on the Swiss colo companies part but somehow I doubt that.
The fact that it's China Telecom speaks volumes to this being a suspected route hijack. It's possible it was just an error on the Swiss colo companies part but somehow I doubt that.
Is there still enough unencrypted traffic to make this attack have any value? Or are they like the NSA where they care more about who and when and not so much the content of the conversations.
Let's start prefixing IP packets with GF forbidden words just in case
Why do these routing leaks go through China and Russia so often?
The key bit is at the end:
>It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur.
So basically a lack of external pressure combined with a lack of caring about preventing this.
>It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur.
So basically a lack of external pressure combined with a lack of caring about preventing this.
China Telecom has minimum routing safeguards. I don't know how it works exactly, but I've heard anecdotes from Chinese network operators on multiple occasions, they say you can even steal free IP addresses from China Telecom through BGP, and normally they don't even care...
The Great Firewall partially relies on spoofing IP addresses (via BGP) for active probing. Might be related?
> So basically a lack of external pressure combined with a lack of caring about preventing this
Could someone who's paranoid guess that this is done on purpose, the goal being to capture all the packets before sending them back towards the correct ISPs?
Could someone who's paranoid guess that this is done on purpose, the goal being to capture all the packets before sending them back towards the correct ISPs?
I guess they go through other places much more often, but that's not news. When it's through a suspicious country, it makes the news.
Because ISPs do not want to implement secure routing protocols.
Never attribute to malice that which is adequately explained by stupidity.
Agreed. It’s remarkably easy to screw up BGP by misconfiguration by changing (or deleting) a route map or prefix list. There’s over 800K autonomous systems participating in BGP now, so I’m certain mistakes happen all the time but don’t get reported.
This rule is over applied. If someone doesn't hold the door for you then don't assume they did it out of malice. That would be an appropriate use of this rule. Applying it in cases where there are known and obvious instances of malice doesn't make sense.
“Once is an accident. Twice is a coincidence. Three times is an enemy action.”
You should go read the nanog-l archives and see how often this happens.
>Today’s incident shows that the Internet has not yet eradicated the problem of BGP route leaks. It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur.
What incentives do they have not to route data from foreign adversaries through their networks? :')
What incentives do they have not to route data from foreign adversaries through their networks? :')
Havoc(2)
https://www.manrs.org/