China hijacked UK internet traffic, says McAfee

Summary: The security company has said that internet traffic for 15 percent of the world, including for UK and US military and civilian governments, was redirected through Chinese servers in April

China redirected internet traffic from UK and US public sector bodies through its own servers in April, according to security company McAfee.

At 3:00pm UTC on 8 April, all traffic coming from military and civilian government networks in the UK, the US, Australia and South Korea started re-directing through China Telecom, said Dmitri Alperovitch, McAfee's vice president of threat research. Traffic coming from commercial organisations was also routed through Chinese servers.

"Traffic destined for 15 percent of the world's destinations was hijacked via internet routing protocols," Alperovitch told ZDNet UK on Tuesday. "China Telecom also had Dell, Microsoft and Yahoo as part of the re-routing." In addition, traffic coming from various parts of Russian and Indian networks was also hijacked.

The redirection occurred when China Telecom advertised itself as the best route for data packets travelling to and from the affected destinations. The core internet routing protocol, the Border Gateway Protocol (BGP), lets autonomous systems (the independently operated networks that make up the internet) exchange routing information. Each BGP router maintains a table of reachable IP networks and selects what it judges to be the best route to each. Service providers announce BGP routes, which other providers then accept and propagate onwards. All affected traffic was re-routed by China Telecom for 18 minutes, but the after-effects lasted longer because of caching.
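As an added illustration of the mechanism described above (this is not code from the article or from McAfee), the following Python sketch models simplified BGP best-path selection, shows how an announcement with a shorter AS path or a more-specific prefix displaces the legitimate route, and then applies origin validation of the kind RPKI route origin authorisations (ROAs) provide to flag the bogus origin. All prefixes and AS numbers are constructed documentation and private-use values, not the networks involved in the incident.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # announced destination prefix, e.g. "192.0.2.0/24"
    as_path: tuple   # AS path as received; the last element is the origin AS

def select_route(routes, dest_ip):
    """Simplified BGP best-path choice: the longest matching prefix wins, then the
    shortest AS path. Real routers apply local policy first, but these two rules
    are what a hijacking announcement exploits."""
    ip = ipaddress.ip_address(dest_ip)
    matching = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    return min(matching, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                         len(r.as_path)))

def origin_status(route, roas):
    """ROA-style origin validation: 'valid' if a covering ROA authorises the origin
    AS at this prefix length, 'invalid' if the prefix is covered but not authorised,
    'unknown' if no ROA covers it."""
    net = ipaddress.ip_network(route.prefix)
    covered = False
    for roa_prefix, asn, max_len in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if route.as_path[-1] == asn and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"

def check_table(routes, roas):
    """Return every route in the table whose origin is not authorised."""
    return [r for r in routes if origin_status(r, roas) == "invalid"]

# Constructed data: documentation prefixes and private-use ASNs (hypothetical).
ROAS = [("192.0.2.0/24", 64500, 24), ("198.51.100.0/22", 64501, 24)]
ROUTES = [
    Route("192.0.2.0/24", (64510, 64500)),           # legitimate, two hops away
    Route("192.0.2.0/24", (64666,)),                  # same prefix, shorter path: wins
    Route("198.51.100.0/22", (64510, 64501)),         # legitimate aggregate
    Route("198.51.100.0/25", (64510, 64520, 64666)),  # more-specific beats path length
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.10"):
        best = select_route(ROUTES, ip)
        print(ip, "->", best.as_path, origin_status(best, ROAS))
```

Both winning routes come back as "invalid", which is the signal a route monitor or an RPKI-validating router would use to reject or alert on the announcement rather than install it.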

"The impact was longer than 18 minutes," said Alperovitch. "Later, China Telecom withdrew [the routing], but there was a delay. Some destinations were still being routed through China as much as an hour later."

Alperovitch said it is not possible to determine whether the traffic was re-routed accidentally or whether it was deliberately changed and intercepted.

"China said, when approached, that it was accidental, but there's usually downtime associated with a mistake, and a noticeable system overload," said Alperovitch. "This was a huge amount of traffic, and a huge amount of bandwidth."

However, there was no latency in delivering the traffic, which is unusual for a re-routing error, Alperovitch said.

Encryption based on public-key cryptography, as it is commonly deployed, would not have been effective at shielding the re-routed internet traffic. Sensitive military and intelligence communications may use other forms of encryption, but services such as internet banking and virtual private network (VPN) traffic would have been visible.

"The issue is that browsers and operating systems trust multiple root certificate authorities, which gives an attacker the opportunity to use a man-in-the-middle attack against encryption," Alperovitch said. "If you have root certificate authority, you can sit in the middle of traffic and monitor it."

On Wednesday, the US-China Economic and Security Review Commission issued a report to Congress, which said US data traffic had been hijacked by China in April. In addition, US users had been censored by China in March, according to the commission's report (PDF).

"In early 2010, two incidents demonstrated that China has the ability to substantially manipulate data flows on the internet," said the report. "First, for several days in March, China's internet controls censored US internet users. Second, in April, a Chinese internet service provider briefly hijacked a large volume of internet traffic."

In March, one of the internet's root servers was hijacked by China, said Alperovitch. The DNS, which handles internet addressing, runs on 13 distributed root name servers. In late March, China hijacked the i.root server, which is distributed around the world, and redirected all of the traffic for that server through Beijing. Certain names, like Facebook, would not resolve properly on that server, said Alperovitch, limiting affected services.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
