11 votes

Strange snafu misroutes domestic US Internet traffic through China Telecom

19 comments

  1. patience_limited
    Of particular interest is the embedded reference to the recently released U.S. Naval War College and Tel Aviv University joint paper, China’s Maxim–Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking [PDF], which claims that:

    Chinese government has brazenly used China Telecom for years to divert huge amounts of traffic to China-controlled networks before it’s ultimately delivered to its final destination. The report named four specific routes—Canada to South Korea, US to Italy, Scandinavia to Japan, and Italy to Thailand—that were reportedly manipulated between 2015 and 2017 as a result of BGP activities of China Telecom.

    “While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these, in particular, suggest malicious intent, precisely because of their unusual transit characteristics—namely the lengthened routes and the abnormal durations,” the authors wrote. The Canada to South Korea leak, the report said, lasted for about six months and started in February 2016. The remaining three reported hijackings took place in 2017, with two of them reportedly lasting for months and the third taking place over about nine hours.

    The paper suggests reciprocal point-of-presence arrangements as part of the solution, but my suspicion is that we'll see attempts to eject China Telecom from the U.S. in the near future.

    6 votes
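
An added example, not part of the thread or the cited paper: a sketch of how a monitor could flag the two traits the quoted authors single out, lengthened routes and abnormal durations, by comparing observed AS paths against a known baseline. The data, AS numbers, thresholds and the names `find_detours` and `Episode` are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: AS numbers are from the documentation range
# (RFC 5398) and the prefix is TEST-NET-3 (RFC 5737); none are real routes.
BASELINE = {"203.0.113.0/24": [64500, 64501, 64502]}  # usual path, origin last
OBSERVATIONS = [  # (unix seconds, prefix, AS path seen at one vantage point)
    (0,     "203.0.113.0/24", [64500, 64501, 64502]),
    (3600,  "203.0.113.0/24", [64500, 64510, 64511, 64501, 64502]),
    (21600, "203.0.113.0/24", [64500, 64510, 64511, 64501, 64502]),
    (36000, "203.0.113.0/24", [64500, 64501, 64502]),
    (40000, "203.0.113.0/24", [64500, 64503, 64502]),  # brief, not lengthened
    (40300, "203.0.113.0/24", [64500, 64501, 64502]),
]

@dataclass
class Episode:
    prefix: str
    start: int
    end: int
    extra_hops: int
    unexpected: frozenset  # transit ASes absent from the baseline path

    @property
    def duration(self):
        return self.end - self.start

def find_detours(observations, baseline, min_extra_hops=1, min_duration=3600):
    """Episodes where a prefix's path grew by min_extra_hops or more through
    ASes not in its baseline and stayed that way for min_duration seconds."""
    open_eps, done = {}, []
    for ts, prefix, path in sorted(observations, key=lambda o: o[0]):
        base = baseline.get(prefix)
        if base is None:
            continue  # no baseline, nothing to compare against
        unexpected = frozenset(path) - frozenset(base)
        detour = bool(unexpected) and len(path) - len(base) >= min_extra_hops
        ep = open_eps.get(prefix)
        if ep is not None:
            ep.end = ts  # the episode lasted at least until this observation
            if not detour or unexpected != ep.unexpected:
                done.append(open_eps.pop(prefix))
                ep = None
        if detour and ep is None:
            open_eps[prefix] = Episode(prefix, ts, ts, len(path) - len(base), unexpected)
    done.extend(open_eps.values())  # detours still active at the last sample
    return [e for e in done if e.duration >= min_duration]

if __name__ == "__main__":
    for e in find_detours(OBSERVATIONS, BASELINE):
        print(e.prefix, sorted(e.unexpected), f"+{e.extra_hops} hops", f"{e.duration / 3600:.1f} h")
```

Path prepending by an AS already on the baseline path lengthens the route without adding an unexpected AS, so it is not reported as a detour.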
  2. tmburke
    There's a good Twitter account to follow that posts BGP hijacks like this: https://twitter.com/bgpstream?lang=en

    6 votes
  3. [17]
    wise
    (edited )
    BGP, in general, is a really shitty protocol, led more by politics and diplomacy than actual efficiency goals. And what happens when you have a shitty protocol? It's easier to break.

    Edit: this post was written without much thought other than a personal unsubstantiated opinion. The discussion in what follows showed me that I was wrong (plus some internet drama on my part).

    3 votes
    1. [16]
      zendainc
      I'm curious. What would you consider a non-shitty routing protocol?

      3 votes
      1. [15]
        wise
        (edited )
        So you may already know this, but for those who don't, BGP is the routing protocol between "autonomous systems" (routing units, for the sake of discussion we can consider them ISP big routers). Every BGP router keeps a routing table for every address and sends it to the next BGP router when the table is updated. Eventually, a message will reach a router that has to access its internal network and will use (at least 6 years ago when I was taking the course on advanced network protocols) OSPF, IS-IS or other internal routing protocols.

        Now in BGP there is no discovery of routes, it's only updated when other routers send you an update. Ideally, these updates will be shorter or have reduced bandwidth load, but more often than not they also are politically motivated (ISP A doesn't want to support the load of ISP B, country C doesn't want to use bandwidth for country D, for example Russia and US,... or the opposite, like we're seeing here with China). Because the protocol is designed this way, these "problems" are not bugs, but features, and as such any attempt to fix them becomes a patch over a patch over a patch... Making modern BGP, in my opinion, a mess. (And I won't talk here about routing table growth or flapping networks.)

        So, what is a non-shitty routing protocol? That is a great question. OSPF and IS-IS are both great but limited to IGPs. BGP is an EGP (External Gateway Protocol). I haven't looked at these things for about 6 years, but if I have to make an educated guess, the problems of BGP are unavoidable as long as we have multiple ISPs and Autonomous Systems (ASs hhhehehe) with misaligned goals. Therefore a solution is not easy, would involve game theory apart from technology and protocol design. It would require government regulation and diplomacy, and finding a way to transform a competitive game into a cooperative one or making a set of rules that guarantees that everybody will feel in a Nash equilibrium. But the latter is hard (like, even splitting a pie between 3 people so that all of them feel no one else had a better piece is hard...).

        Hope this somewhat answers the question :-)

        7 votes
        1. [12]
          zendainc
          I work for an ISP, and have done a reasonable amount of certification and study regarding networking (since my job is to manage our carrier network). I am aware how BGP works. I am also aware that BGP is pretty good at what it does, and most problems with it are caused by people who don't understand how BGP works.

          It seems to me that all of your problems with BGP are that it does the things that BGP is supposed to do.

          It also seems like you have some strong opinions about why you don't like it, but haven't put much thought into what you would use instead.

          2 votes
          1. [11]
            wise
            Er... yes? I mean, it's not my job to think of better protocols, does that mean I can't say why I don't like it? I also don't like how neural networks work but since it is my job to do data analysis I propose alternatives and improvements. What is your point? I am sure that you are an excellent worker and everybody who is working on that stuff does their best, in case you interpreted my opinion on BGP as a personal attack :-/ .

            Also, looks like some problems with BGP are caused by people who understand very well how it works, and they manipulate it to their advantage. So how does that invalidate my point?

            Edit: And I'm sorry for being blunt, but all your contribution to this post has been asking me what I would consider a better protocol, and when I gave a more detailed explanation of my first point (because I agree, it wasn't very developed) you responded with an argument by authority, of which I really don't have to believe anything, and that doesn't invalidate anything I said, and which sounds more like "I know stuff, you don't, shut up". That doesn't look to me as very deep and engaging debate.

            2 votes
            1. [10]
              zendainc
              Well, when you are making claims that a technology is bad, when you are coming from a place of inexperience and relatively low knowledge of its practical application, it's worth pointing out.

              Your reasons for disliking BGP could best be described as "BGP is bad because it does exactly what BGP is supposed to do".

              1. [9]
                wise
                OK, last response if you don't stop with the condescending tone:

                Yes, those are my reasons. Maybe we could shift the discussion to "what BGP is supposed to do is not the most efficient or best way to have a networking system". See my response to @bme, fishing laws also do "what they are supposed to do" but that doesn't mean they are perfect, we have improved them. Same with energy markets, deforestation, or other infrastructures. I don't see why ISPs and networking should be above this and why they don't warrant further research.

                1. [8]
                  bme
                  I think the thing that you are missing in all of this is that none of the constructs that you mention make sense to embed into the protocol. BGP is great because it is a scalable method for redistributing routes that doesn't embed any knowledge of why those routes are being redistributed. For an interesting way to see how to (ab)use that, see Calico. It combines a control plane with higher knowledge about how the network should be and redistributes them to cluster nodes with BGP. All of your suggestions are things that are easily layered in as an extra control plane. Some market somewhere could effect a transaction that causes a route update. It would be the height of poor planning and a massive layering violation to want to stuff such a notion into BGP. The only thing that needs to be solved with BGP is better filtering and trust assertions, which people are working on.

                  Lastly @zendainc isn't being condescending. His comments are on point.

                  2 votes
                  1. [7]
                    wise
                    (edited )
                    OK I see what you mean, and I agree. I have been mixing the protocol and the actual communication planning. I apologize to the forefathers of BGP. The truth is that when I was learning about it, it frustrated me because it initially looked cool and then I saw all these problems and left the subject with the idea "BGP sucks". Thanks for taking the time to clarify.

                    Still, it would have been easier to just have this discussion from the beginning instead of zen koans about how I know nothing without explaining anything, but hey to each their own I guess.

                    1. [5]
                      zendainc
                      Perhaps now you will think more about a topic before claiming to be an expert.

                      I wasn't being condescending, I was pointing out fact.

                      1. [4]
                        wise
                        Dude I never claimed to be an expert, what is your problem? I gave my opinion (I will admit I could have written it differently), I was wrong, I admitted it. Thanks to @bme I learned something and changed my mind, the only thing I got from my interaction with you is the determination to avoid any future one.

                        I definitely won't stop giving my opinion, even if I am not an expert. I will try to be super clear about my level of expertise when I give it though.

                        1. [3]
                          zendainc
                          Perhaps you should try to offer facts, instead of an opinion. That is probably a better contribution to discussion.

                          In this situation you simply offered unsubstantiated thoughts on the topic, and when asked to back up your position you instead decided to give a barely coherent monologue about your vaguely related political opinions and ideas.

                          In this case, the whole issue would have been avoided if you had simply not tried to speak from a position of authority, on a topic which you don't actually know much about.

                          1. [2]
                            wise
                            I'm sorry, I see your point but I still think you are being unnecessarily aggressive in a personal way. I don't think there's more to get from this. I will edit my first post so that people don't think I know what I'm talking about and will avoid giving my opinion in the future.

                            1. zendainc
                              I'm not being aggressive, I'm simply pointing out the importance of presenting facts rather than opinions. If you are interpreting any maliciousness from this, then you are mistaken.

                              I'm glad that you have taken a positive lesson from this, and will present better arguments and comments in the future.

                    2. bme
                      np, man. We're all learning.

        2. [2]
          bme
          You do realise that all network administration is fundamentally a human problem, right? If I don't want to peer with you then I don't have to. There will never be a protocol that solves that. If it did it would mean that somehow I would no longer control my own networking hardware, and I would never use, deploy or recommend such a thing to anyone with an ounce of common sense.

          1 vote
          1. wise
            Hmm yes and no. I mean, yeah for sure this is fundamentally a human problem, but there are many human problems for which we've found second-best solutions (e.g., fisheries, energy markets, deforestation, infrastructure...). Network administration isn't exactly a common good problem because bandwidth isn't exactly a common good (it is excludable), but it is not SUPER excludable and maybe it would be interesting to think of ways of either converting it to a common good (my preferred option) or making it completely private.

            2 votes