About That Internet Traffic to China

June 10, 2019

The Cisco Talos researchers pointed out that a foundation server was under stress. I discussed this on June 4, 2019, in my lecture at the TechnoSecurity & Digital Forensics Conference. The idea of usurping control of lower level Internet services and devices is a wake up call. I noted the rerouting of Internet traffic to China in a number of reports such as this one: “For Two Hours, a Large Chunk of European Mobile Traffic Was Rerouted through China. It Was China Telecom, Again. The Same ISP Accused Last Year of “Hijacking the Vital Internet Backbone of Western Countries.”

According to the story:

The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP.

My hunch is that the word “leak” which is used in the write up is short hand for hip hopping over more analytic explanations.

First, the BGP or border gateway protocol is one of those plumbing components which have become juicy targets of opportunity. The Internet Servicer Providers get these up and running and then worry only when something goes wrong.

China Telecom, the third largest ISP in China, noted the issue and, according to ZDNet,

re-announced Safe Host’s routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host’s network and other nearby European telcos and ISPs.

When such issues like this magical “leak” occur, the fixes are applied quickly, often within minutes either by automated scripts or semi automated humans who are monitoring alerts or logs.

This problem took a couple of hours to remedy, and my thought is that one can learn a great deal in that two hour span; for example:

Length of time between “leak” and someone noticing
Facts about traffic volume, data types, handoff points in the flow, etc.
After event consequences; that is, fixes put in place to prevent such “leaks” in the future.

In short, one might gain some operational intelligence. That’s hypothetical, of course. Of course.

Like the attacks on Netnod servers, the goal is to gain access. With that access savvy operators will remain invisible. There’s no reason to let anyone know that a vital component of the increasingly burdened Information Highway is in the hands of bandits riding Mongolian ponies.

Was this a “leak”? Good question.

Stephen E Arnold, June 10, 2019

Written by Stephen E. Arnold · Filed Under News, Security

Comments

Comments are closed.

Search the site
Subscribe to Beyond Search
Feature archive
News archive

Stephen E. Arnold monitors search, content processing, text mining and related topics from his high-tech nerve center in rural Kentucky. He tries to winnow the goose feathers from the giblets. He works with colleagues worldwide to make this Web log useful to those who want to go "beyond search". Contact him at sa [at] arnoldit.com. His Web site with additional information about search is arnoldit.com.