China Unicom Hijacks the Internet...Again

FrgMstr

Users attempting to access Google, Snapchat, Spotify, Nest, Google Cloud, and a myriad of other Alphabet hosted or related websites were met with unresponsive or slow connections. These intermittent availability issues were due to web traffic being rerouted through Russia, Nigeria, and China after a successful Border Gateway Protocol (BGP) Hijacking attack.

In very basic terms, BGP Hijacking occurs when an Autonomous System (the physical infrastructure used by an ISP) advertises to the traffic conductors of the internet highway that its own infrastructure is a better pathway for packets to travel than everyone else's. In most cases this is an accidental configuration error that lasts seconds. In today's case it went on for over an hour.

You may be wondering what a nation state or government-controlled telecom could do with over an hour of redirected web traffic. Well, wonder no more. Traffic sniffing, data manipulation, data exfiltration, and disabling web-based platforms and APIs are all possible. Keep in mind that we aren't setting any precedent here. In late October we referred to a report entitled "China is Hijacking the US Internet Backbone" which can be found here.

Google had this to say:

The issue with Google Cloud IP addresses being erroneously advertised by internet service providers other than Google has been resolved for all affected users as of 14:35 US/Pacific. Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence.

Ironically, this is all possible because the internet was built with the understanding that the entities that conduct traffic on its superhighways are trustworthy. If only it knew... Thanks to Joe Wood for the reporting!
 
Again with the BGP... Why are we using this protocol? Nobody should be able to state their metric instead of having it defined for them. "I am the shortest, fastest path between your computer and EVERYWHERE" is not something any router should ever be able to say.
 
> Ironically, this is all possible because the internet was built with the understanding that the entities that conduct traffic on its super highways are trustworthy. If only it knew... Thanks to Joe Wood for the reporting!

this is why we can't have nice things :(
 
I believe this but funny how only one nation is allowed to be a hacker in some minds
 
As long as TLS is used, this shouldn't be a problem, right?

Not really. HTTP Pinning and Extended Validation are making headway on closing that window. Until it happens though.... If a Certificate Authority gets hijacked, a threat actor could issue themselves a valid TLS cert by simply proving they own a given domain. BGP is a long, long way off from being secure.
 
> I believe this but funny how only one nation is allowed to be a hacker in some minds
Because the burgers just have hardware and firmware backdoors in all our shit so it's less obvious.
 
 
Perhaps putting that particular router point on a black list would be a good start. Convincing the XXAA folks that it was blatant piracy and lawsuits are in order would also be good.
 
> Not really. HTTP Pinning and Extended Validation is making headway on closing that window. Until it happens though.... If a Certificate Authority gets hijacked a threat actor could issue themselves a valid TLS cert by simply proving they own a given domain. BGP is a long, long way off from being secure.

It's not just that either; there could be new vulnerabilities or exploits we haven't heard of yet that they are using. Or if you want another route: how many servers do you think are still vulnerable to Heartbleed? I guarantee you it's not zero. For example, the Payment Card Industry (PCI) Security Standards Council, which sets the rules for how merchants can accept credit cards, did not require the vulnerability to be patched until July of this year[1]. Yes, JULY 2018. Fucking crazy.

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
 
I've already had one strike this month for a comment, not Gonna Touch this with a 10 foot pole. :)
 
:facepalm:

There are ways to prevent this: advertise more specific routes.
And there are secure ways to confirm routes so you aren't just blindly accepting them (some ISPs institute strict prefix filters based on IRR records).


It happened in 2008 with Pakistan and YouTube.
 
Restraining himself, as a previous attempt to be funny in a similar thread resulted in a swift kick to the groin area :D
 
This could quite possibly be a fishing expedition to compromise people.

If Russia/China receive a source IP and destination IP to something that is questionable, then that person could be blackmailed even if the encryption was hiding what they did.
 
so, when is the US kicking out the Chinese from their American POPs (prev article) or is legislation on foreign ownership in the works?
 
> so, when is the US kicking out the Chinese from their American POPs (prev article) or is legislation on foreign ownership in the works?

Technically speaking, after the 2007/2008 market crisis, China panicked and took a hard stance. The simple matter of fact is China doesn't have the safety nets we do if someone falls on hard times. And the 2007/2008 crisis had a HUGE impact on China. A lot of people suffered as the government wasn't equipped to handle all the job losses.

To counteract this, China put in legislation that all companies have to get approval from the government before they start laying off large amounts of people. They basically claimed 51% ownership stake in the company during a financial crisis. It didn't matter if that company was owned by a foreign entity.
 
> Technically speaking after the 2007/2008 market crisis, China panicked and took a hard stance. The simple matter of fact is China doesn't have the safety nets we do if someone falls on hard times. And the 2007/2008 had a HUGE impact on China. A lot of people suffered as the government wasn't equipped to handle all the job losses.
>
> To counteract this, China put in legislation that all companies have to get approval from the government before they start laying off large amounts of people. They basically claimed 51% ownership stake in the company during a financial crisis. It didn't matter if that company was owned by a foreign entity.

I think you misunderstood. I meant the ownership of POPs by the Chinese on US soil, which allowed this sort of "technical mistake" to happen, as per the link in the article and copied below:
https://www.hardocp.com/news/2018/10/26/china_hijacking_us_internet_backbone/
 
I don't think that they would be doing this if TLS was an impediment to them.

You can still garner a large amount of data on someone even if it's encrypted. How long they visit an IP, how many hits to an IP, etc, etc...

Look at how many people panic when they receive an email that says, "We know what websites you have been visiting and will expose you," and then pay the blackmail. Dummies. If you expose classified information, even if it appears mundane, you risk not only your life, but possibly hundreds of family lives. There's something bigger than your own welfare if you spill secrets. I don't care if they ask you for the janitor's cleaning schedule. You take your secrets with you to the grave when you are charged with protecting information.

So it's another valid reason for VPNs to exist.
 
The solution to this is to have routing backbones check standardized route times and look for sudden decreases in traffic & ping times (I'm talking > 1%->2% improvement over historical averages) and then reject that server until admin can approve said changes.
 
Sweet. I thought OpenDNS was fucking with me while trying to watch Roadkill on the Tube last night.
 
> Its not just that either there could be new vulnerabilities or exploits we havent heard of yet that they are using. Or if you want another route: How many servers do you think are still vulnerable to heartbleed? I guarantee you its not zero. For example the Payment Card Industry (PCI) Security Standards Council which sets the rules for how merchants can accept credit cards did not require the vulnerability to be patched until July of this year[1]. Yes JULY 2018. Fucking crazy.
>
> [1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

This many are affected by Heartbleed as of 5 minutes ago. Yup. I hear you. I deal with this stuff errrrrry day.

[screenshot: count of hosts still vulnerable to Heartbleed; image not included]
 