In a new paper published in the journal Military Cyber Affairs, researchers from the US Naval War College and Tel Aviv University document the use of BGP spoofing by China Telecom to redirect massive swathes of internet traffic through the company’s routers as part of state military and commercial espionage efforts.
BGP is a notoriously insecure protocol used to route internet traffic; by design it is dynamic and responsive, moving traffic away from congested routes and onto those with more capacity: this flexibility can be exploited to force traffic to route through surveillance chokepoints, as well as for censorship (publishing BGP routes to censored services that dead-end in nonexistent addresses is a common technique in repressive regimes).
The researchers logged global BGP route announcements and discovered China Telecom publishing bogus routes that sucked up massive amounts of Canadian and US traffic and pushed it through Chinese listening posts. Much of today’s internet traffic is still unencrypted, meaning that the entities monitoring these listening posts would have been able to read massive amounts of emails, instant messages and web-sessions.
China Telecom’s BGP attacks were also used to black-hole traffic in some instances (for example, traffic from an “Anglo-American bank’s” branch in Milan was diverted wholesale to China, never arriving at its intended destination).
(Via Boing Boing)
Back in my network manager days we monitored our BGP routes. We had our own ASNs and managed our own connectivity, so we could easily keep tabs when an errant telco would make a mistake. That solution, which I think was a Perl script run in each of our regions, would have detected this kind of maliciousness as well.
However, in the current XaaS and cloud-based world we live in, it becomes incumbent upon the cloud and service providers as well as the few remaining Internet backbone providers to police this. How effective they will be is debatable. What punishment would work? No one in their right mind will stop peering with CT.
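The kind of route monitoring described above can be sketched as follows. This is an added example, not the script from the post: it checks announcements seen by a route collector against the prefixes and origin ASNs an operator expects. The prefixes, ASNs, `prefix|as_path` input format and alert names are all constructed for illustration.

```python
import ipaddress

# Constructed policy (documentation prefixes/ASNs from RFC 5737 and RFC 5398):
# each prefix we originate -> the ASNs allowed to originate it.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/24"): {64496},
    ipaddress.ip_network("203.0.113.0/24"): {64496, 64497},
}
# Assumption: the transit providers we actually buy connectivity from.
EXPECTED_UPSTREAMS = {64500, 64501}

def check_announcement(prefix, as_path):
    """Return alert names for one announcement (space-separated path, origin last)."""
    net = ipaddress.ip_network(prefix)
    path = [int(asn) for asn in as_path.split()]
    origin, alerts = path[-1], []
    for mine, origins in EXPECTED_ORIGINS.items():
        if net.version != mine.version or not net.subnet_of(mine):
            continue  # not our address space (covering less-specifics are ignored)
        if origin not in origins:
            alerts.append("ORIGIN_MISMATCH")      # someone else claims our space
            continue
        if net != mine:
            alerts.append("MORE_SPECIFIC")        # longer prefix than we announce
        # First AS to the left of our (possibly prepended) origin is the upstream.
        upstream = next((a for a in reversed(path) if a not in origins), None)
        if upstream is not None and upstream not in EXPECTED_UPSTREAMS:
            alerts.append("UNEXPECTED_UPSTREAM")  # origin looks right, path does not
    return alerts

def scan(lines):
    """Check 'prefix|as_path' lines; return (prefix, as_path, alerts) if flagged."""
    flagged = []
    for line in lines:
        prefix, as_path = line.strip().split("|")
        alerts = check_announcement(prefix, as_path)
        if alerts:
            flagged.append((prefix, as_path, alerts))
    return flagged

# Constructed announcements, as a route collector feed might report them.
SAMPLE = [
    "198.51.100.0/24|64510 64500 64496",        # normal
    "198.51.100.0/24|64510 64511",              # wrong origin
    "198.51.100.0/25|64510 64500 64496",        # unexpected more-specific
    "203.0.113.0/24|64510 64511 64497 64497",   # right origin, unknown upstream
    "192.0.2.0/24|64510 64511",                 # not our prefix
]

if __name__ == "__main__":
    for prefix, as_path, alerts in scan(SAMPLE):
        print(prefix, "via", as_path, "->", ", ".join(alerts))
```

Running the same check from collectors in several regions matters because a bogus route may only propagate to part of the internet.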