China redirected internet traffic from UK and US public sector bodies through its own servers in April, according to security company McAfee.
At 3:00pm UTC on 8 April, all traffic coming from military and civilian government networks in the UK, the US, Australia and South Korea started redirecting through China Telecom, said Dmitri Alperovitch, McAfee's vice president of threat research. Traffic coming from commercial organisations was also routed through Chinese servers.
"Traffic destined for 15 percent of the world's destinations was hijacked via internet routing protocols," Alperovitch told ZDNet UK on Tuesday. "China Telecom also had Dell, Microsoft and Yahoo as part of the re-routing." In addition, traffic coming from various parts of Russian and Indian networks was also hijacked.
The redirection occurred when China Telecom advertised itself as the best route for data packets travelling to and from the affected destinations. The core internet routing protocol, the Border Gateway Protocol (BGP), is used to exchange reachability information between autonomous systems, the networks that make up the internet. Routers running BGP maintain a table of reachable IP prefixes and select what they consider the best route for each. Service providers announce BGP routes, which are then propagated to other service providers. All affected traffic was re-routed by China Telecom for 18 minutes, but the after-effects lasted longer because routers had cached the bogus routes.
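The kind of event described above, a provider announcing routes it has no business originating, is what network operators watch for in their own BGP feeds. The following Python script is an added example, not code from the article or from McAfee: it replays a constructed batch of BGP updates against a baseline of authorised origin ASNs (in practice this baseline would come from RPKI ROAs or IRR objects), flags announcements whose origin AS is not authorised for the prefix or its covering prefix, and measures how long each bogus route stayed in the table before it was withdrawn. All prefixes and ASNs are from the documentation/private ranges and the timestamps are constructed to mirror the 18-minute window in the text.

```python
"""Offline BGP origin-hijack detector over a constructed update feed (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Update:
    ts: datetime
    kind: str            # "A" = announcement, "W" = withdrawal
    prefix: str
    as_path: tuple = ()  # leftmost = neighbour that sent it, rightmost = origin AS


# Constructed baseline: which ASN may originate each prefix.
# A real deployment would build this from validated RPKI ROAs or IRR route objects.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64501},
    "192.0.2.0/24": {64502},
}


def covering_prefix(prefix: str) -> Optional[str]:
    """Return the most specific monitored prefix that covers `prefix`, or None."""
    net = ip_network(prefix)
    best = None
    for known in EXPECTED_ORIGINS:
        cand = ip_network(known)
        if net.subnet_of(cand) and (best is None or cand.prefixlen > best.prefixlen):
            best = cand
    return str(best) if best else None


def classify(update: Update) -> Optional[dict]:
    """Return None for a legitimate or unmonitored update, else a description of the anomaly."""
    if update.kind != "A":
        return None
    cover = covering_prefix(update.prefix)
    if cover is None:
        return None                      # not one of the prefixes we monitor
    origin = update.as_path[-1]          # origin AS is the rightmost element (prepending keeps it there)
    if origin in EXPECTED_ORIGINS[cover]:
        return None
    kind = "origin-hijack" if update.prefix == cover else "more-specific-hijack"
    return {"type": kind, "prefix": update.prefix, "covering": cover,
            "origin": origin, "expected": sorted(EXPECTED_ORIGINS[cover])}


def hijack_windows(updates) -> list:
    """Pair each anomalous announcement with the withdrawal (or legitimate re-announcement)
    that ends it, so the operator sees how long the bogus route was live."""
    open_events = {}
    windows = []
    for u in sorted(updates, key=lambda x: x.ts):
        anomaly = classify(u)
        if anomaly:
            open_events.setdefault(u.prefix, (u.ts, anomaly))  # keep the first sighting
            continue
        if u.prefix in open_events:      # withdrawal, or the authorised origin reclaiming the prefix
            start, anomaly = open_events.pop(u.prefix)
            windows.append({**anomaly, "start": start, "end": u.ts, "duration": u.ts - start})
    for prefix, (start, anomaly) in open_events.items():
        windows.append({**anomaly, "start": start, "end": None, "duration": None})  # still live
    return windows


# Constructed sample feed: one legitimate route, one origin hijack that is withdrawn after
# 18 minutes, and one more-specific hijack that is never withdrawn.
T0 = datetime(2010, 4, 8, 15, 0)
SAMPLE_UPDATES = [
    Update(T0 - timedelta(minutes=1), "A", "192.0.2.0/24", (64700, 64502)),
    Update(T0, "A", "203.0.113.0/24", (64700, 64666)),
    Update(T0, "A", "198.51.100.0/25", (64700, 64666)),
    Update(T0 + timedelta(minutes=18), "W", "203.0.113.0/24"),
    Update(T0 + timedelta(minutes=20), "A", "192.0.2.0/24", (64700, 64502)),
]


def detect_sample() -> list:
    return hijack_windows(SAMPLE_UPDATES)


if __name__ == "__main__":
    for w in detect_sample():
        state = f"lasted {w['duration']}" if w["end"] else "STILL ACTIVE"
        print(f"{w['type']:22} {w['prefix']:18} origin AS{w['origin']} "
              f"(expected {w['expected']}) from {w['start']:%H:%M} UTC, {state}")
```

The more-specific case matters as much as the plain origin mismatch: a /25 announced by the wrong AS wins over the legitimate /24 under longest-prefix matching, so an operator monitoring only exact-prefix origins would miss it. Closing a window on a legitimate re-announcement as well as on a withdrawal mirrors how the table actually recovers, and the still-open case is what should page someone.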
"The impact was longer than 18 minutes," said Alperovitch. "Later, China Telecom withdrew [the routing], but there was a delay. Some destinations were still being routed through China as much as an hour later."
Alperovitch said it is not possible to determine whether the traffic was re-routed accidentally or whether it was deliberately changed and intercepted.
"China said, when approached, that it was accidental, but there's usually downtime associated with a mistake, and a noticeable system overload," said Alperovitch. "This was a huge amount of traffic, and a huge amount of bandwidth."
However, there was no added latency in delivering the traffic, which is unusual for a re-routing error, Alperovitch said.
Encryption based on public key cryptography, as it is commonly deployed, would not have been effective in shielding the re-routed internet traffic. Sensitive military and intelligence communications may use other forms of encryption, but services such as internet banking and virtual private network (VPN) traffic would have been visible.
"The issue is that browsers and operating systems trust multiple root certificate authorities, which gives an attacker the opportunity to use a man-in-the-middle attack against encryption," Alperovitch said. "If you have root certificate authority, you can sit in the middle of traffic and monitor it."
On Wednesday, the US-China Economic and Security Review Commission issued a report to Congress, which said US data traffic had been hijacked by China in April. In addition, US users had been censored by China in March, according to the commission's report (PDF).
"In early 2010, two incidents demonstrated that China has the ability to substantially manipulate data flows on the internet," said the report. "First, for several days in March, China's internet controls censored US internet users. Second, in April, a Chinese internet service provider briefly hijacked a large volume of internet traffic."
In March, one of the internet's root servers was hijacked by China, said Alperovitch. The DNS, which handles internet addressing, runs on 13 root name servers, each of which is replicated at many locations around the world. In late March, China hijacked the i.root server, one of these globally distributed servers, and redirected all of the traffic for that server through Beijing. Certain names, like Facebook, would not resolve properly on that server, said Alperovitch, which limited the services affected.