{"id":17154,"date":"2018-10-26T13:35:46","date_gmt":"2018-10-26T13:35:46","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/29449\/No-Surprise-China-Has-Been-Hijacking-BGP-Routes.html"},"modified":"2018-10-26T13:35:46","modified_gmt":"2018-10-26T13:35:46","slug":"no-surprise-china-has-been-hijacking-bgp-routes","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/no-surprise-china-has-been-hijacking-bgp-routes\/","title":{"rendered":"No Surprise, China Has Been Hijacking BGP Routes"},"content":{"rendered":"

\"china-telecom-bgp-hijack.jpg\"\/<\/span>Image: Demchak et al. \/\/ Edited: ZDNet<\/span><\/p>\n

A Chinese state-owned telecommunications company has been “hijacking the vital internet backbone of western countries,” according to an academic paper published this week by researchers from the US Naval War College and Tel Aviv University.<\/p>\n

\n

More security news<\/span><\/h3>\n<\/div>\n

The culprit is China Telecom, the country’s third-largest telco and internet service provider (ISP), which has had a presence inside North American networks since the early 2000s when it created its first point-of-presence (PoP).<\/p>\n

PoPs are data centers that do nothing more than re-route traffic between all the smaller networks that make up the larger internet.<\/p>\n

These smaller networks are known as “autonomous systems” (AS) and they can be the networks of big tech companies like Google, your friendly neighborhood ISP, big tier-1 ISPs like Verizon, university networks, bank networks, web hosting companies, and all entities big enough to have received their own block of IP addresses.<\/p>\n

Traffic travels between these AS networks with the help of the Border Gateway Protocol (BGP). This protocol was created in the early 80s and does not feature any security controls, allowing anyone to announce a bad BGP route and receive traffic that was not intended for their network.<\/p>\n

In the vast majority of cases, these incidents –called BGP hijacks– happen because of configuration mistakes and are resolved in minutes or hours.<\/p>\n

But there are also some networks that hijack BGP routes to send legitimate traffic through malicious servers. They do this to carry out man-in-the-middle traffic interception, phishing attacks to steal passwords, or to record HTTPS-encrypted traffic to later decrypt it by leveraging cryptographic attacks such as DROWN<\/a> or Logjam<\/a>.<\/p>\n

\n<\/section>\n

In a research paper published this week, researchers reveal that China Telecom has been one of the internet’s most determined BGP hijackers around.<\/p>\n

Researchers point out that the Chinese government, through China Telecom, has started abusing BGP hijacks after it entered into a pact with the US in September 2015<\/a> to stop all government-back cyber operations aimed at intellectual property theft.<\/p>\n

“This necessitated new ways to get information while still technically adhering to the agreement,” said the researchers. “Since the agreement only covered military activities, Chinese corporate state champions could be tasked with taking up the slack. […] Enter China Telecom.”<\/p>\n

The research duo says they’ve built “a route tracing system monitoring the BGP announcements and distinguishing patterns suggesting accidental or deliberate hijacking.”<\/p>\n

Using this system, they tracked down long-lived BGP hijacks to the ten PoPs –eight in the US and two in Canada– that China Telecom has been silently and slowly setting up in North America since the early 2000s.<\/p>\n

“Using these numerous PoPs, [China Telecom] has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks, and months,” researchers said.<\/p>\n

“While one may argue such attacks can always be explained by normal’ BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics -namely the lengthened routes and the abnormal durations.”<\/p>\n

In their paper, the duo lists several long-lived BGP hijacks that have hijacked traffic for a particular network, and have made it take a long detour through China Telecom’s network in mainland China, before letting it reach its intended and final destination.<\/p>\n