News of the “hijacking” of 15% of Internet traffic through China for 18 minutes has spread across the web in the last few days. The news came from the US-China Economic and Security Review Commission’s report to Congress, released on Wednesday. McAfee’s Dmitri Alperovitch also cited the 15% figure, in an interview before the report was released and in a statement after it.
The problem, according to some security experts, is that the report was “hyperbole” and “full of false data.”
The Commission’s report included this statement.
“For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China.”
In a post on the Arbor Networks blog, Craig Labovitz walks through some of the objections in the security community to the much-repeated 15% figure.
“(A) discussion thread on the North American Network Operator Group (NANOG) mailing list called media reports an exaggeration or ‘complete FUD’. Also on the NANOG mailing list, Bob Poortinga writes ‘This article … is full of false data. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted.’”
He further notes that the report does not list the exact number of hijacked routes, only the percentage, and that Arbor’s ATLAS data does not bear out a hijack of that size. (He provides a graph of the traffic at the time.)
“Any corruption of DNS or global routing data (whatever the motive) is a cause of significant concern and reiterates the need for routing and DNS security. But in an industry crowded with security marketing and hype, it is important we limit the hyperbole and keep the discussion focused around the legitimate long-term infrastructure security threats and technical realities.”
And indeed, for most readers, that corruption is the major concern. Traffic to and from government and military senders and recipients was among what was diverted. Nor was it the first time such a thing had occurred.
Mr. Labovitz and others, however, believe the most likely explanation for the diversion, given their much lower estimate of the affected traffic, is that it was accidental.
Today, Mr. Alperovitch clarified some of these points.
“Based on our analysis, there were 53,353 network routing prefixes that had been falsely announced on April 8th, out of a total of roughly 330,000 network routes that existed in routing tables at that time. That amounts to 15% of the networks on the Internet, not necessarily 15% of the traffic. It is very difficult to estimate how much of the traffic was actually redirected and the true estimate can only come from the owner of the network that has routed all of this traffic” (My italics.)
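The distinction Alperovitch draws, a share of announced prefixes versus a share of traffic, is easy to see with a small route-monitoring check. The following is an added example, not code from the original post or from any of the parties quoted: it compares a constructed baseline of expected origin ASNs against constructed announcements (documentation and private address blocks, private-use ASNs), flags prefixes whose origin changed, and reports the affected share two ways, by prefix count and by address space. Neither figure is a traffic measurement, which is exactly the point.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed baseline: prefix -> origin AS we expect to see (not real routing data).
BASELINE: Dict[str, int] = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
    "10.0.0.0/8": 64499,
}

# Constructed announcements as a route collector would record them: (prefix, AS path).
# By BGP convention the origin AS is the last element of the AS path.
OBSERVED: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24", [64500, 64496]),
    ("198.51.100.0/24", [64500, 64511]),  # origin differs from baseline
    ("203.0.113.0/24", [64511]),          # origin differs from baseline
    ("10.0.0.0/8", [64500, 64499]),
]


def misoriginated(baseline: Dict[str, int], observed: List[Tuple[str, List[int]]]) -> List[str]:
    """Prefixes whose announced origin AS does not match the expected origin."""
    return [p for p, path in observed if path and path[-1] != baseline.get(p)]


def share_by_count(baseline: Dict[str, int], bad: List[str]) -> float:
    """Fraction of baseline prefixes affected; this is the '15% of networks' style figure."""
    return len(bad) / len(baseline)


def share_by_address_space(baseline: Dict[str, int], bad: List[str]) -> float:
    """Fraction of covered IPv4 addresses affected; still not traffic, but a different view."""
    total = sum(ip_network(p).num_addresses for p in baseline)
    hit = sum(ip_network(p).num_addresses for p in bad)
    return hit / total


if __name__ == "__main__":
    bad = misoriginated(BASELINE, OBSERVED)
    print("mis-originated prefixes:", bad)
    print(f"share by prefix count:  {share_by_count(BASELINE, bad):.2%}")
    print(f"share by address space: {share_by_address_space(BASELINE, bad):.4%}")
```

On this constructed data half of the prefixes are mis-originated but only about 0.003% of the covered address space is, which shows why a prefix count alone says little about how much traffic moved.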
Are you a security professional? What’s your take on what happened? If you’re a lay person, what, if anything, worries you in these events?
Wuxi photo from Wikipedia Commons | server farm photo by Mystery Bee