China Telecom Incident Rahul Hiran 1 , Niklas Carlsson 1 , Phillipa - - PowerPoint PPT Presentation


Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident. Rahul Hiran¹, Niklas Carlsson¹, Phillipa Gill². ¹ Linköping University, Sweden; ² University of Toronto, Canada. 19th March 2013.


SLIDE 1

Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident

Rahul Hiran¹, Niklas Carlsson¹, Phillipa Gill²

¹ Linköping University, Sweden; ² University of Toronto, Canada

19th March 2013

SLIDE 2

China Telecom incident

SLIDE 3

China Telecom incident

  • The incident occurred on 8th April 2010
  • The 2010 congress report in the USA mentions the incident
  • Questions about what was done with the data, and whether it was an attack or an accident
  • We characterize this incident using only publicly available data (e.g., Routeviews and iPlane)

SLIDE 4

BGP (Border Gateway Protocol) refresher

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcement shown for 66.174.0.0/16: path "22394".]

SLIDE 5

BGP (Border Gateway Protocol) refresher

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcements shown for 66.174.0.0/16: path "22394", then path "VZW, 22394".]

SLIDE 6

BGP (Border Gateway Protocol) refresher

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcements shown for 66.174.0.0/16: path "22394", then path "VZW, 22394", then path "Level3, VZW, 22394".]

SLIDE 7

BGP (Border Gateway Protocol) refresher

This prefix and 50K others were announced by China Telecom

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcements shown for 66.174.0.0/16: path "22394" and path "ChinaTel".]

SLIDE 8

BGP (Border Gateway Protocol) refresher

This prefix and 50K others were announced by China Telecom

ChinaTel path is shorter?

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcements shown for 66.174.0.0/16: path "22394" and path "ChinaTel".]

SLIDE 9

BGP (Border Gateway Protocol) refresher

This prefix and 50K others were announced by China Telecom

ChinaTel prefix is more specific?

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcements shown: path "22394" for 66.174.0.0/16 and path "ChinaTel" for 66.174.161.0/24.]

SLIDE 10

BGP (Border Gateway Protocol) refresher

This prefix and 50K others were announced by China Telecom

Traffic for some prefixes was possibly intercepted

[Figure: network diagram with China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16). Announcements shown: path "22394" for 66.174.0.0/16 and path "ChinaTel" for 66.174.161.0/24.]

SLIDE 11

BGP routing policies: Business relationships

  • Hierarchical Internet structure

[Figure: ISP hierarchy with two transit ISPs, three national ISPs and five local ISPs, with "$$" labels.]

SLIDE 12

BGP routing policies: Business relationships

  • Hierarchical Internet structure
  • Different relationships
    – Customer-Provider
    – Peer-Peer

[Figure: ISP hierarchy with two transit ISPs, three national ISPs and five local ISPs, with "$$" labels.]

SLIDE 13

BGP routing policies: Business relationships

  • Hierarchical Internet structure
  • Different relationships
    – Customer-Provider
    – Peer-Peer

[Figure: ISP hierarchy with two transit ISPs, three national ISPs and five local ISPs, with "$$" labels. Legend: Customer route.]

SLIDE 14

BGP routing policies: Business relationships

  • Hierarchical Internet structure
  • Different relationships
    – Customer-Provider
    – Peer-Peer

[Figure: ISP hierarchy with two transit ISPs, three national ISPs and five local ISPs, with "$$" labels. Legend: Customer route, Peer route.]

SLIDE 15

BGP routing policies: Business relationships

  • Hierarchical Internet structure
  • Different relationships
    – Customer-Provider
    – Peer-Peer

[Figure: ISP hierarchy with two transit ISPs, three national ISPs and five local ISPs, with "$$" labels. Legend: Customer route, Provider route, Peer route.]

SLIDE 16

BGP routing policies: Business relationships

  • Hierarchical Internet structure
  • Different relationships
    – Customer-Provider
    – Peer-Peer
  • Preference order
    – Customer route (high)
    – Peer route
    – Provider route (low)

[Figure: ISP hierarchy with two transit ISPs, three national ISPs and five local ISPs, with "$$" labels. Legend: Customer route, Provider route, Peer route.]

SLIDE 17

Analysis outline

  • Prefix hijack analysis
    – Country-based analysis
  • Subprefix hijack analysis
  • Interception analysis
    – Reasons for interception

SLIDE 18

Country-based analysis

  • Was any country targeted?
  • Geographic distribution of prefixes

SLIDE 19

Country-based analysis

The distribution of hijacked prefixes does not deviate from the global distribution of prefixes

SLIDE 20

Subprefix hijack analysis

  • 21% (9,082) prefixes longer than existing prefixes at all six Routeviews monitors
  • 95% of these prefixes belong to China Telecom
  • <1% (86) prefixes subprefix hijacked excluding the top-3 ASes in table

SLIDE 21

Subprefix hijack analysis

No evidence for intentional subprefix hijacking

SLIDE 22

How did interception occur?

Two required routing decisions for traffic interception:

[Figure: nodes China Telecom, AT&T, Level 3, Verizon, Verizon wireless and China Telecom data centre. Path labels shown for 66.174.161.0/24: "China Telecom, China Telecom DC, China Telecom DC" and "Level3, Verizon, Verizon W".]

SLIDE 23

How did interception occur?

Two required routing decisions for traffic interception:

  • 1. A neighbor routes to China Telecom for hijacked prefix

[Figure: nodes China Telecom, AT&T, Level 3, Verizon, Verizon wireless and China Telecom data centre. Path labels shown for 66.174.161.0/24: "China Telecom, China Telecom DC, China Telecom DC" and "Level3, Verizon, Verizon W".]

SLIDE 24

How did interception occur?

Two required routing decisions for traffic interception:

  • 1. A neighbor routes to China Telecom for hijacked prefix
  • 2. Another neighbor does not do so

[Figure: nodes China Telecom, AT&T, Level 3, Verizon, Verizon wireless and China Telecom data centre. Path labels shown for 66.174.161.0/24: "China Telecom, China Telecom DC, China Telecom DC" and "Level3, Verizon, Verizon W".]

SLIDE 25

How did interception occur?

Two required routing decisions for traffic interception:

  • 1. A neighbor routes to China Telecom for hijacked prefix
  • 2. Another neighbor does not do so

[Figure: nodes China Telecom, AT&T, Level 3, Verizon, Verizon wireless and China Telecom data centre. Path labels shown for 66.174.161.0/24: "China Telecom, China Telecom DC, China Telecom DC" and "Level3, Verizon, Verizon W".]

SLIDE 26

Interception analysis

  • Identification of interception instances
  • Used traceroute data from iPlane project

[Figure: value shown on slide: 1575]

SLIDE 27

Interception analysis

  • Identification of interception instances
  • Used traceroute data from iPlane project

[Figure: value shown on slide: 357]

SLIDE 28

Interception analysis

Reasons for neighbors not choosing 4134

SLIDE 29

Interception analysis:

Reasons for neighbors not choosing 4134

  • Routing policies and business relationships resulted in interception
  • Accidental interception possible
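The preference order from slide 16, the more-specific prefix question from slide 9 and the two routing decisions from slides 22 to 25 can be combined in one small route-selection model. This is an added example, not code from the presentation; the neighbor relationships, the RIB contents and the name "ChinaTel-DC" are assumptions made for illustration, and only AS 4134, AS 22394 and the prefixes come from the slides.

```python
import ipaddress

# Preference order from slide 16: customer (high) > peer > provider (low).
PREF = {"customer": 3, "peer": 2, "provider": 1}
HIJACKER = "4134"  # AS number the slides use for China Telecom

def best_route(routes):
    """Highest relationship preference first, then shortest AS path.
    Each route is a (relationship, as_path) pair."""
    return max(routes, key=lambda r: (PREF[r[0]], -len(r[1])))

def lookup(rib, dst):
    """Longest-prefix match over the RIB, then policy-based selection."""
    addr = ipaddress.ip_address(dst)
    covering = [n for n in map(ipaddress.ip_network, rib) if addr in n]
    if not covering:
        return None
    net = str(max(covering, key=lambda n: n.prefixlen))
    return net, best_route(rib[net])

def routes_via_hijacker(rib, dst):
    hit = lookup(rib, dst)
    return hit is not None and HIJACKER in hit[1][1]

def interception_possible(neighbor_ribs, dst):
    """Both routing decisions must hold: one neighbor selects the hijacker's
    route, and another neighbor keeps a route that avoids the hijacker."""
    picks = [routes_via_hijacker(rib, dst) for rib in neighbor_ribs.values()]
    return any(picks) and not all(picks)

# Constructed RIBs: relationships and AS names are assumptions, not measured data.
HIJACK = (HIJACKER, "ChinaTel-DC")
NEIGHBORS = {
    # Same relationship class on both routes, so the shorter hijacked path wins.
    "AT&T": {"66.174.161.0/24": [("peer", ("Level3", "Verizon", "22394")),
                                 ("peer", HIJACK)]},
    # A customer route outranks a peer route, so the legitimate path is kept.
    "Level3": {"66.174.161.0/24": [("customer", ("Verizon", "22394")),
                                   ("peer", HIJACK)]},
    # The more-specific /24 wins the lookup even against a customer /16.
    "ISP1": {"66.174.0.0/16": [("customer", ("22394",))],
             "66.174.161.0/24": [("provider", HIJACK)]},
}

if __name__ == "__main__":
    for name, rib in NEIGHBORS.items():
        print(name, lookup(rib, "66.174.161.10"))
    print("interception possible:", interception_possible(NEIGHBORS, "66.174.161.10"))
```

If every neighbor selects the route through AS 4134, the model reports no interception, because the hijacking AS then has no path left on which to forward the traffic to its real destination.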

SLIDE 30

Conclusion and discussion

  • Characterized the China Telecom incident
    – Accidental interception possible
    – Sheds light on properties of announced prefixes
    – Supports the conclusion that the incident was a leak of random prefixes
    – However, it does not rule out malicious intent
  • Our study highlights
    – Challenges of diagnosing routing incidents
    – Importance of public and rich available data

SLIDE 31

Questions?

Rahul Hiran rahul.hiran@liu.se

Linköping University