About That Internet Traffic to China
June 10, 2019
Cisco Talos researchers pointed out that a foundational Internet server had come under attack. I discussed this on June 4, 2019, in my lecture at the TechnoSecurity & Digital Forensics Conference. The idea of usurping control of lower-level Internet services and devices is a wake-up call. I noted the rerouting of Internet traffic to China in a number of reports, such as this one: “For Two Hours, a Large Chunk of European Mobile Traffic Was Rerouted through China. It Was China Telecom, Again. The Same ISP Accused Last Year of ‘Hijacking the Vital Internet Backbone of Western Countries.’”
According to the story:
The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP.
My hunch is that the word “leak” in the write-up is shorthand that skips over more analytic explanations.
First, BGP, the Border Gateway Protocol, is one of those plumbing components that have become juicy targets of opportunity. It is the mechanism by which networks tell one another which IP address blocks they can reach and by what path, and it takes those announcements largely on trust. Internet Service Providers get it up and running and then worry about it only when something goes wrong.
China Telecom, the third largest ISP in China, received the leaked routes and, according to ZDNet,
re-announced Safe Host’s routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host’s network and other nearby European telcos and ISPs.
When issues like this magical “leak” occur, the fixes are usually applied quickly, often within minutes, either by automated scripts or by semi-automated humans who are monitoring alerts or logs.
This problem took a couple of hours to remedy, and my thought is that one can learn a great deal in a two-hour span; for example:
- The length of time between the “leak” and someone noticing it
- Facts about traffic volume, data types, hand-off points in the flow, etc.
- After-event consequences; that is, the fixes put in place to prevent such “leaks” in the future.
In short, one might gain some operational intelligence. That’s hypothetical, of course. Of course.
Like the attacks on the Netnod servers, the goal is to gain access. With that access, savvy operators will remain invisible. There’s no reason to let anyone know that a vital component of the increasingly burdened Information Highway is in the hands of bandits riding Mongolian ponies.
Was this a “leak”? Good question.
Stephen E Arnold, June 10, 2019