Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident
Rahul Hiran¹, Niklas Carlsson¹, Phillipa Gill²
¹ Linköping University, Sweden; ² University of Toronto, Canada
19th March 2013
3/28/2013 2
China Telecom incident
• The incident occurred on 8th April 2010
• The 2010 congress report in the USA mentions the incident
• Questions remain about what was done with the data, and whether it was an attack or an accident
• We characterize this incident using only publicly available data (e.g., Routeviews and iPlane)
BGP (Border Gateway Protocol) refresher
[Figure: ISP 1, Level 3, Verizon Wireless, AS 22394 and China Telecom]
• AS 22394 originates 66.174.0.0/16
• The announcement propagates with the AS path growing at each hop: "22394", then "VZW, 22394", then "Level3, VZW, 22394"
• This prefix and 50K others were announced by China Telecom
• ChinaTel announces 66.174.0.0/16 with path "ChinaTel": which route is chosen? ChinaTel path is shorter
• ChinaTel announces 66.174.161.0/24 with path "ChinaTel": which route is chosen? ChinaTel prefix is more specific
• Traffic for some prefixes was possibly intercepted
BGP routing policies: Business relationships
• Hierarchical Internet structure
• Different relationships
– Customer-Provider
– Peer-Peer
• Preference order
– Customer route (high)
– Peer route
– Provider route (low)
[Figure: hierarchy of Transit ISPs, National ISPs and Local ISPs, with customer, peer and provider routes marked]
Analysis outline
• Prefix hijack analysis
– Country-based analysis
• Subprefix hijack analysis
• Interception analysis
– Reasons for interception
Country-based analysis
• Was any country targeted?
• Geographic distribution of prefixes
• The distribution of hijacked prefixes does not deviate from the global distribution of prefixes
Subprefix hijack analysis
• 21% (9,082) of prefixes were longer than existing prefixes at all six Routeviews monitors
• 95% of these prefixes belong to China Telecom
• <1% (86) of prefixes were subprefix hijacked, excluding the top-3 ASes in table
• No evidence for intentional subprefix hijacking
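The split between prefix hijacks, subprefix hijacks and more-specifics of an AS's own space, as an added example that is not from the slides or the authors' tooling. It assumes AS 4134 is the announcing AS (the number the slides use for China Telecom); the baseline table and the announcement list are constructed.

```python
import ipaddress
from collections import Counter

# Constructed pre-event table of (prefix, origin AS). 66.174.0.0/16 from
# AS 22394 is the slides' example; the other rows are documentation ranges.
BASELINE = [
    ("66.174.0.0/16", 22394),
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 4134),
]

def classify(prefix, origin, baseline=BASELINE):
    """Label one announcement against the pre-event routing table."""
    net = ipaddress.ip_network(prefix)
    table = [(ipaddress.ip_network(p), asn) for p, asn in baseline]
    exact = {asn for base, asn in table if base == net}
    if exact:
        return "own prefix" if origin in exact else "prefix hijack"
    covering = [(base, asn) for base, asn in table
                if base.version == net.version and net.subnet_of(base)]
    if not covering:
        return "previously unrouted"
    # The most specific covering prefix identifies the prior holder.
    _, holder = max(covering, key=lambda c: c[0].prefixlen)
    return "own more-specific" if holder == origin else "subprefix hijack"

# Constructed announcements attributed to AS 4134 during the event.
ANNOUNCED = [
    "66.174.0.0/16",      # same length as the existing prefix
    "66.174.161.0/24",    # longer than 66.174.0.0/16, as in the slides
    "203.0.113.128/25",   # longer, but inside AS 4134's own space
    "203.0.113.0/24",
    "192.0.2.0/24",
]

def summarize(announced=ANNOUNCED, origin=4134):
    """Count announcements per label, as a per-event summary."""
    return Counter(classify(p, origin) for p in announced)

if __name__ == "__main__":
    for p in ANNOUNCED:
        print(f"{p:18} {classify(p, 4134)}")
```

Separating "own more-specific" from "subprefix hijack" matters for the figures above: a longer prefix is only a hijack when the covering prefix belonged to a different AS.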
How did interception occur?
Two required routing decisions for traffic interception:
1. A neighbor routes to China Telecom for hijacked prefix
2. Another neighbor does not do so
[Figure: China Telecom, AT&T, Level 3, Verizon, Verizon Wireless and the China Telecom data centre; 66.174.161.0/24 is shown with the paths "China Telecom, China Telecom DC, China Telecom DC" and "Level3, Verizon, Verizon W"]
Interception analysis
• Identification of interception instances
• Used traceroute data from iPlane project
[Figure: values 1575 and 357 shown on successive slides]
Interception analysis: Reasons for neighbors not choosing 4134
• Routing policies and business relationships resulted in interception
• Accidental interception possible
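How the preference order (customer, then peer, then provider) can produce the two routing decisions needed for interception, as an added example that is not from the slides. AS names follow the slides' figure; the business relationships and path lengths are constructed assumptions, and shortest AS path is used as the tie-breaker.

```python
# Preference order from the slides: customer (high), peer, provider (low).
RANK = {"customer": 0, "peer": 1, "provider": 2}

def best_route(candidates):
    """Pick by business relationship first, then by shortest AS path."""
    return min(candidates,
               key=lambda r: (RANK[r["learned_from"]], len(r["as_path"])))

def interception_check(neighbor_tables, hijacker):
    """Apply the two routing decisions to each neighbor of the hijacker."""
    toward, away = [], []
    for name, candidates in sorted(neighbor_tables.items()):
        chosen = best_route(candidates)
        (toward if hijacker in chosen["as_path"] else away).append(name)
    return {
        "routes_to_hijacker": toward,   # decision 1
        "keeps_other_route": away,      # decision 2
        "interception_possible": bool(toward) and bool(away),
    }

# Constructed candidate routes for 66.174.161.0/24 (assumed relationships).
VIA_CT = ["ChinaTel", "ChinaTel-DC"]
VIA_VZ = ["Verizon", "VerizonW"]
TABLES = {
    "AT&T": [
        {"learned_from": "peer", "as_path": VIA_CT},
        {"learned_from": "peer", "as_path": ["Level3"] + VIA_VZ},
    ],
    "Level3": [
        {"learned_from": "peer", "as_path": VIA_CT},
        {"learned_from": "customer", "as_path": VIA_VZ},
    ],
}

def level3_without_customer_route():
    """Variant: Level3 only has peer routes, so path length decides."""
    tables = dict(TABLES)
    tables["Level3"] = [
        {"learned_from": "peer", "as_path": VIA_CT},
        {"learned_from": "peer", "as_path": ["OtherPeer"] + VIA_VZ},
    ]
    return interception_check(tables, "ChinaTel")

if __name__ == "__main__":
    print(interception_check(TABLES, "ChinaTel"))
    print(level3_without_customer_route())
```

In the variant every neighbor prefers the China Telecom route, so no path back to the destination remains and the model reports that interception is not possible.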
Conclusion and discussion
• Characterized the China Telecom incident
– Accidental interception possible
– Sheds light on properties of announced prefixes
– Supports the conclusion that the incident was a leak of random prefixes
– However, it does not rule out malicious intent
• Our study highlights
– Challenges of diagnosing routing incidents
– Importance of rich, publicly available data