Monday’s blog post comes two weeks after researchers at the US Naval War College and Tel Aviv University published a report that quickly got the attention of BGP security professionals. Titled China’s Maxim–Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking, it claimed the Chinese government has brazenly used China Telecom for years to divert huge amounts of traffic to China-controlled networks before it’s ultimately delivered to its final destination. The report named four specific routes—Canada to South Korea, US to Italy, Scandinavia to Japan, and Italy to Thailand—that were reportedly manipulated between 2015 and 2017 as a result of China Telecom’s BGP activities.
“While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics—namely the lengthened routes and the abnormal durations,” the authors wrote. The Canada to South Korea leak, the report said, lasted for about six months and started in February 2016. The remaining three reported hijackings took place in 2017, with two of them reportedly lasting for months and the third taking place over about nine hours.
Definitely concerning
The report was unusual in that it didn’t provide AS numbers, specific dates, and other details that would have allowed other researchers to confirm the claims. Ars and other researchers asked the authors to make the data available, and they responded with a small amount of traceroute data. Madory said the Scandinavia-to-Japan event reported in the paper two weeks ago was actually a small part of the two-and-a-half-year misdirection he reported Monday.
“We are describing the same thing in different ways,” he told Ars, speaking of the two-and-a-half-year event he documented and the two-month hijacking reported two weeks ago. “They may have only known about it for those two months in 2017, but I can guarantee you that it was going [on] for much longer.”
Madory said he was unable to confirm the three other hijackings the authors report. His report on Monday, however, leaves little doubt that China Telecom has either knowingly or otherwise engaged in BGP leaks that have affected large chunks of Internet traffic for a sustained period.
The domestic US traffic, in particular, “becomes an even more extreme example,” he told Ars. “When it gets to US-to-US traffic traveling through mainland China, it becomes a question of is this a malicious incident or is it accidental? It’s definitely concerning. I think people will be surprised to see that US-to-US traffic was sent through China Telecom for days.”
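The two indicators the report’s authors cite, lengthened transit paths and abnormal durations, carried through as a defender-side check over route-collector observations, applied here to the US-to-US case Madory describes. This is an added example, not code from the article, the report, or any of the researchers named; every ASN, prefix, and the six-hour tolerance is a constructed placeholder.

```python
from datetime import datetime

# Constructed route-collector observations: (time_seen, prefix, as_path).
# AS64496 is a hypothetical US observer, AS64511 a hypothetical US origin,
# and AS64500/AS64501 stand in for an unexpected overseas transit network.
OBSERVATIONS = [
    ("2017-03-01T00:00:00", "203.0.113.0/24", [64496, 64499, 64511]),
    ("2017-03-02T00:00:00", "203.0.113.0/24", [64496, 64500, 64501, 64499, 64511]),
    ("2017-03-04T12:00:00", "203.0.113.0/24", [64496, 64500, 64501, 64499, 64511]),
    ("2017-03-08T00:00:00", "203.0.113.0/24", [64496, 64499, 64511]),
    ("2017-03-01T00:00:00", "198.51.100.0/24", [64496, 64499, 64511]),
    ("2017-03-01T02:00:00", "198.51.100.0/24", [64496, 64500, 64499, 64511]),
    ("2017-03-01T03:00:00", "198.51.100.0/24", [64496, 64499, 64511]),
]
EXPECTED_ASNS = {64496, 64499, 64511}  # ASes a US-to-US path should stay within
MAX_NORMAL_HOURS = 6                   # constructed tolerance for transient leaks

def find_suspicious_detours(observations, expected_asns, max_normal_hours):
    """Per prefix, find intervals where the path carries an AS outside
    expected_asns and report those lasting longer than max_normal_hours,
    together with how many hops longer the path became versus the last
    clean path.  Detours still open at the end of the data are reported
    with hours=None so an operator sees an ongoing event."""
    parsed = sorted(((datetime.fromisoformat(t), p, path)
                     for t, p, path in observations), key=lambda r: (r[0], r[1]))
    open_detours = {}   # prefix -> (start, foreign_asns, extra_hops)
    clean_len = {}      # prefix -> hop count of the last clean path
    findings = []
    for seen, prefix, path in parsed:
        foreign = set(path) - expected_asns
        if foreign and prefix not in open_detours:
            extra = len(path) - clean_len.get(prefix, len(path))
            open_detours[prefix] = (seen, foreign, extra)
        elif not foreign:
            clean_len[prefix] = len(path)
            if prefix in open_detours:
                start, asns, extra = open_detours.pop(prefix)
                hours = (seen - start).total_seconds() / 3600
                if hours > max_normal_hours:
                    findings.append({"prefix": prefix, "foreign_asns": sorted(asns),
                                     "start": start.isoformat(), "hours": hours,
                                     "extra_hops": extra})
    for prefix, (start, asns, extra) in open_detours.items():
        findings.append({"prefix": prefix, "foreign_asns": sorted(asns),
                         "start": start.isoformat(), "hours": None, "extra_hops": extra})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_detours(OBSERVATIONS, EXPECTED_ASNS, MAX_NORMAL_HOURS):
        print(finding)
```

The one-hour detour on 198.51.100.0/24 is treated as ordinary BGP churn, while the six-day detour on 203.0.113.0/24 is flagged with the two foreign ASes and the two added hops.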