Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident

Rahul Hiran¹, Niklas Carlsson¹, Phillipa Gill²

¹ Linköping University, Sweden; ² University of Toronto, Canada

19th March 2013

Characterizing Large-scale Routing Anomalies: A Case Study ...pam2013.comp.polyu.edu.hk/ma/slides/slides_23.pdf · 1. A neighbor routes to China Telecom for hijacked prefix 2. Another




China Telecom incident

3/28/2013 2


• The incident occurred on 8th April 2010

• The 2010 Congress report in the USA mentions the incident

• Open questions: what was done with the data, and was it an attack or an accident?

• We characterize this incident using only publicly available data (e.g., Routeviews and iPlane)

BGP (Border Gateway Protocol) refresher

[Figure: China Telecom, ISP 1, Level 3, Verizon Wireless and AS 22394 (66.174.0.0/16)]

• Announcement labels for 66.174.0.0/16 as the slide builds: "22394", then "VZW, 22394", then "Level3, VZW, 22394"

• This prefix and 50K others were announced by China Telecom

• ChinaTel announces 66.174.0.0/16: ChinaTel path is shorter?

• ChinaTel announces 66.174.161.0/24: ChinaTel prefix is more specific?

• Traffic for some prefixes was possibly intercepted

BGP routing policies: Business relationships

• Hierarchical Internet structure

• Different relationships

– Customer-Provider

– Peer-Peer

• Preference order

– Customer route (high)

– Peer route

– Provider route (low)

[Figure: ISP hierarchy with Transit ISP, National ISP and Local ISP tiers, "$$" labels, and a customer route, a peer route and a provider route marked]
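The two refresher questions (shorter path, more specific prefix) and the preference order above can be run as a small route-selection model. This is an added example, not code from the slides or the authors; the relationship labels given to each route and the destination addresses are assumptions, and only relationship preference and AS-path length are modelled.

```python
import ipaddress

# Slide's preference order: customer route (high), peer route, provider route (low).
REL_PREF = {"customer": 3, "peer": 2, "provider": 1}

def select_best(routes):
    """Per prefix, keep the route with the best relationship, then the shortest AS path."""
    best = {}
    for r in routes:
        rank = (REL_PREF[r["learned_from"]], -len(r["as_path"]))
        if r["prefix"] not in best or rank > best[r["prefix"]][0]:
            best[r["prefix"]] = (rank, r)
    return {prefix: r for prefix, (_, r) in best.items()}

def forward(selected, dst):
    """Longest-prefix match over the selected routes for destination address dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for p, r in selected.items() if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen, default=None)

# Constructed routes as seen by "ISP 1"; AS-path labels are the ones on the slides.
LEGIT = {"prefix": "66.174.0.0/16", "as_path": ["Level3", "VZW", "22394"]}
SAME_PREFIX = {"prefix": "66.174.0.0/16", "as_path": ["ChinaTel"]}
MORE_SPECIFIC = {"prefix": "66.174.161.0/24", "as_path": ["ChinaTel"]}

def next_hop(legit_rel, bogus, bogus_rel, dst="66.174.161.10"):
    """First AS on the path ISP 1 uses for dst, given how each route was learned (assumed)."""
    routes = [dict(LEGIT, learned_from=legit_rel), dict(bogus, learned_from=bogus_rel)]
    route = forward(select_best(routes), dst)
    return route["as_path"][0]

if __name__ == "__main__":
    print(next_hop("provider", SAME_PREFIX, "provider"))    # equal preference: shorter path decides
    print(next_hop("customer", SAME_PREFIX, "peer"))        # customer route outranks a shorter path
    print(next_hop("customer", MORE_SPECIFIC, "provider"))  # the /24 is matched first when forwarding
```

The second case is the one that matters for interception: a neighbor holding a customer route to the legitimate origin keeps it even though the bogus path is shorter.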


Analysis outline

• Prefix hijack analysis

– Country-based analysis

• Subprefix hijack analysis

• Interception analysis

– Reasons for interception


Country-based analysis

• Was any country targeted?

• Geographic distribution of prefixes

• The distribution of hijacked prefixes does not deviate from the global distribution of prefixes


Subprefix hijack analysis

• 21% (9,082) of the prefixes are longer than existing prefixes at all six Routeviews monitors

• 95% of these prefixes belong to China Telecom

• <1% (86) of the prefixes are subprefix hijacked when excluding the top-3 ASes in the table


No evidence for intentional subprefix hijacking
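The subprefix check described above can be expressed as a comparison of each announced prefix against the routes each monitor already held. This is an added example, not the authors' code; the monitor names, the "ChinaTelDC" and "AS-X" origin labels and the documentation-range prefixes are constructed, and a label is kept only when every monitor agrees, mirroring the "at all six monitors" condition.

```python
import ipaddress
from collections import Counter

def classify(prefix, origin, rib):
    """Label one announcement against one monitor's (network, origin) table (IPv4 only)."""
    net = ipaddress.ip_network(prefix)
    exact = {o for p, o in rib if p == net}
    if exact:
        return "known" if origin in exact else "exact-prefix hijack"
    covering = {o for p, o in rib if net.subnet_of(p)}
    if not covering:
        return "new address space"
    # Longer than an existing prefix: the announcer's own space, or someone else's.
    return "own more-specific" if origin in covering else "subprefix hijack"

def summarize(announcements, monitors):
    """Count labels, keeping a label only when every monitor agrees on it."""
    counts = Counter()
    for prefix, origin in announcements:
        labels = {classify(prefix, origin, rib) for rib in monitors.values()}
        counts[labels.pop() if len(labels) == 1 else "inconsistent"] += 1
    return counts

def make_table(*rows):
    return [(ipaddress.ip_network(p), o) for p, o in rows]

# Constructed pre-incident tables for two hypothetical monitors.
BASE = [("66.174.0.0/16", "22394"), ("198.51.100.0/24", "ChinaTelDC")]
MONITORS = {
    "monitor-a": make_table(*BASE, ("192.0.2.0/24", "AS-X")),
    "monitor-b": make_table(*BASE),
}
# Constructed announcements seen during the incident window.
ANNOUNCED = [
    ("66.174.161.0/24", "ChinaTelDC"),    # longer than another AS's prefix
    ("66.174.0.0/16", "ChinaTelDC"),      # same prefix, different origin
    ("198.51.100.128/25", "ChinaTelDC"),  # longer than the announcer's own prefix
    ("192.0.2.0/24", "ChinaTelDC"),       # monitors disagree on the baseline
]

if __name__ == "__main__":
    for label, n in summarize(ANNOUNCED, MONITORS).items():
        print(f"{label}: {n}")
```

Separating "own more-specific" from "subprefix hijack" is what distinguishes the 95% of longer prefixes that belong to China Telecom from the small remainder.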


How did interception occur?

Two required routing decisions for traffic interception:

1. A neighbor routes to China Telecom for hijacked prefix

2. Another neighbor does not do so

[Figure: China Telecom, China Telecom data centre, AT&T, Level 3, Verizon and Verizon Wireless. Route labels for 66.174.161.0/24: "China Telecom, China Telecom DC, China Telecom DC" and "Level3, Verizon, Verizon W"]

Interception analysis

• Identification of interception instances

• Used traceroute data from iPlane project

[Figure: the values 1575 and 357 appear on successive builds of this slide]

Interception analysis: Reasons for neighbors not choosing 4134

• Routing policies and business relationships resulted in interception

• Accidental interception possible
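One way to look for interception instances in AS-level traceroute paths, as an added example that is not the authors' code. It assumes an instance is a trace that enters AS 4134, leaves it again and still ends at the prefix's legitimate origin (the slides do not spell out the exact criterion); the traces are constructed from the AS labels in the figure.

```python
from collections import Counter
from itertools import groupby

HIJACKER = "4134"  # AS number named on the slides

def collapse(hops):
    """Drop consecutive repeats so each AS appears once per visit."""
    return [h for h, _ in groupby(hops)]

def interception_detail(hops, legit_origin, hijacker=HIJACKER):
    """Return (ingress_neighbor, egress_neighbor) for an intercepted trace, else None.

    ingress: the neighbor that routed to the hijacker (decision 1 on the slide)
    egress:  the neighbor that still routes to the origin (decision 2 on the slide)
    """
    path = collapse(hops)
    if hijacker not in path or path[-1] != legit_origin:
        return None
    first = path.index(hijacker)
    last = len(path) - 1 - path[::-1].index(hijacker)
    if last == len(path) - 1:      # the trace ends inside the hijacker
        return None
    ingress = path[first - 1] if first else None  # None: source is inside the hijacker
    return ingress, path[last + 1]

def classify(hops, legit_origin):
    if HIJACKER not in hops:
        return "unaffected"
    if interception_detail(hops, legit_origin) is not None:
        return "intercepted"
    return "via 4134, origin not reached"

def summarize(traces, legit_origin):
    """Count trace labels and tally (ingress, egress) neighbor pairs of interceptions."""
    labels = Counter(classify(t, legit_origin) for t in traces)
    details = (interception_detail(t, legit_origin) for t in traces)
    return labels, Counter(d for d in details if d is not None)

# Constructed AS-level traces towards 66.174.161.0/24 (legitimate origin AS 22394).
TRACES = [
    ["AT&T", "4134", "4134", "Level3", "Verizon", "22394"],
    ["AT&T", "4134", "4134"],
    ["Level3", "Verizon", "22394"],
]

if __name__ == "__main__":
    labels, pairs = summarize(TRACES, "22394")
    print(dict(labels))
    print(dict(pairs))
```

The egress tally shows which neighbors kept a route to the legitimate origin, which is where the business-relationship explanation above applies.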


Conclusion and discussion

• Characterized the China Telecom incident

– Accidental interception possible

– Sheds light on properties of announced prefixes

– Supports the conclusion that incident was a leak of random prefixes

– However, it does not rule out malicious intent

• Our study highlights

– Challenges of diagnosing routing incidents

– Importance of public and rich available data


Questions?

Rahul Hiran

Linköping University