FacebookTwitterLinkedIn

European Internet Traffic Rerouted to Chinese ISP

Karolis Liucveikis Written by on

On Thursday, June 6, 2019, for approximately two hours a large amount of European Internet traffic was rerouted through the infrastructure of China Telecom, China's third-largest telco and internet service provider (ISP). According to experts, the traffic was rerouted following a BGP route leak at Swiss data center colocation company Safe Host. It has been estimated that over 70,000 routes from its internal routing table had been leaked and subsequently rerouted to the Chinese ISP. This is the second time the ISP has been caught hijacking traffic from Western countries.

A BGP route leak has been defined by the Internet Engineering Task Force (IETF) as “the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS is in violation of the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path.” That is a mouthful of technical terms that sounds like a foreign language to even InfoSec researchers. In summary, the Border Gateway Patrol (BGP) is used to reroute traffic at the ISP level. It has been known to be problematic with leaks occurring frequently. However, there are safeguards and safety procedures that providers usually set up to prevent BGP route leaks from influencing each other's networks. However, instead of ignoring the BGP leak, China Telecom re-announced Safe Host's routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host's network and other nearby European communication companies and ISPs.

The practical result of the rerouting of traffic meant that many European mobile networks were rerouted through China Telecom's network. According to Doug Madory, Director of Oracle's Internet Analysis division, the most impacted European networks included Swisscom (AS3303) of Switzerland, KPN (AS1130) of Holland, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France.

european Internet traffic rerouted to chinese isp

In a report published by Internet Analysis division, Madory further stated that these leaks generally only occur for a few minutes, not the two hours experienced during this BGP leak. For users of the affected network, they experienced slow connections and the inability to connect to certain servers. Madory stated in the report that,

“Today's incident shows that the internet has not yet eradicated the problem of BGP route leaks…It also reveals that China Telecom, a major international carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur. Two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications.”

Simple Mistake or More Sinister

This, of course, begs the question if the rerouting of traffic was a simple mistake or something more sinister. Given China Telecom’s past meant that the scenario could not be ignored as previously mentioned, the company had done the same thing in 2018. In a report published by experts from the US Naval War College and Tel Aviv University concluded that Chinese ISPs including China Telecom were hijacking traffic from western countries. This hijacking was confirmed by a report published by Oracle. The report published by the Naval War College went on to argue that the Chinese government was using local ISPs for intelligence gathering by systematically hijacking BGP routes to reroute western traffic through its country, where it can log it for later analysis. Researchers noted that,

“That imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the US and its allies. The prevalence of and demonstrated the ease with which one can simply redirect and copy data by controlling key transit nodes buried in a nation's infrastructure requires an urgent policy response.”

The report by the US Naval War College has come under some scrutiny since publication and has been criticized for its politically charged agenda. Despite these criticisms, Madory, who authored the second earlier report confirming the stands by the findings of the actual hijacking of the traffic but not necessarily the political conclusions the Naval War College made, stating categorically that,

“In this blog post, I don’t intend to address the paper’s claims around the motivations of these actions. However, there is truth to the assertion that China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017.”

Whether intentional or not Madory has suggested that telecoms companies begin to adopt more stringent BGD security controls. Madory and others propose that an IETF standard is created for RPKI-based AS path verification. Such a measure is hoped to drop BGP announcements with AS paths that violate the valley-free property, for example, based on a known set of AS-AS relationships. Such a mechanism would have at very least contained some of the bad routing described above. Until this is done more articles, accusations, and politically charged language will be hurled at China Telecom if another incident such as this repeats itself given their past indiscretions whether intentional or not. It is hoped that telecoms companies begin taking Madory’s suggestions to heart to prevent the problem of bad routing, not for fear of any political repercussions, but merely to provide customers with a stable, private and safe connection.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog