FUD: 15% of world's internet traffic hijacked

This is starting to be picked up by mainstream media, but was first
reported here (I believe):

<http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249>

"Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic"

"For 18 minutes in April, China's state-controlled telecommunications company
hijacked 15 percent of the world's Internet traffic, including data from U.S.
military, civilian organizations and those of other U.S. allies."

This article, which quotes Dmitri Alperovitch of McAfee, is full of false
data as far as I can tell. I assert that much less than 15%, probably on
the order of 1% to 2% (much less in the US) was actually diverted. The
correct statement is that 15% of the world's network prefixes were "hijacked",
but the impact was minimal in the US.

My concern is that this "report" will be presented to the US Congress without
being refuted by experts in the know.

My request is that someone with some gravitas please issue a press release
setting the facts straight on this matter. I have been in contact with Dan
Goodin at The Register but I'm just a lowly grunt with a small network.

Also worth pointing out that if this was a normal prefix hijack without
them actually delivering the packets to the intended recipient (unlikely
to be the case), then there would be very little TCP data seen: a few
packets on existing connections before they time out, and SYNs on new
connection attempts. Unless they were able to push the traffic back to
another ISP which didn't see their originated routes, things would more
likely break than be "routed via" the hijacking AS.

Ryan

Anyone want to give me a quote for an AmericaFree.TV report? Off-list, please.

Regards
Marshall

This article, which quotes Dmitri Alperovitch of McAfee, is full of
false data as far as I can tell. I assert that much less than 15%,
probably on the order of 1% to 2% (much less in the US) was actually
diverted. The correct statement is that 15% of the world's network
prefixes were "hijacked", but the impact was minimal in the US.

In my experience, it is not uncommon for folks in the security industry
who talk to the press to be quoted claiming something that turns out to
be careless exaggeration at best. The February 2007 DNS DDoS attacks
were a good example of that happening, and one I'm familiar with. The
media likes a good story.

My concern is that this "report" will be presented to the US Congress
without being refuted by experts in the know.

Call me an optimist, but I find it unlikely that a trade magazine will
carry more weight than simply drawing further attention to the matter,
which would presumably result in more rigorous analysis if warranted.

John

At the very least you might want to review:

http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml

Renesys provides one data point but there are others that clearly show traffic routed *through* China (meaning they did indeed originate/hijack, and then pass data on to the original destination).

Just because there are people in the know (or with gravitas) that don't post on nanog doesn't mean it didn't happen.

-b

At the very least you might want to review:
http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml
Renesys provides one data point but there are others that clearly show
traffic routed *through* China (meaning they did indeed
originate/hijack, and then pass data on to the original destination).

as usual i see no traffic measurements in the renesys note. i see
inference of traffic based on some control plane measurements. and, as
has been shown, such inferences are highly suspect.

randy

Dear Randy;

At the very least you might want to review:
http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml
Renesys provides one data point but there are others that clearly show
traffic routed *through* China (meaning they did indeed
originate/hijack, and then pass data on to the original destination).

as usual i see no traffic measurements in the renesys note. i see
inference of traffic based on some control plane measurements. and, as
has been shown, such inferences are highly suspect.

Doesn't this traceroute (from the above) seem fairly convincing of transit? (Not of the _amount_ of transit, just of its _existence_?)

...here's one of the typical traceroutes we saw during the incident, between the London Internet Exchange and a host in the USA, passing through China Telecom. This trace was collected at 16:03 UTC, about 13 minutes into the event. Total time in transit is 525ms (this trace typically takes no more than 110ms under normal conditions).

1. <our host> 0.785ms # London
2. 195.66.248.229 1.752ms # London
3. 195.66.225.54 1.371ms # London
4. 202.97.52.101 399.707ms # China Telecom
5. 202.97.60.6 408.006ms # China Telecom
6. 202.97.53.121 432.204ms # China Telecom
7. 4.71.114.101 323.690ms # Level3
8. 4.68.18.254 357.566ms # Level3
9. 4.69.134.221 481.273ms # Level3
10. 4.69.132.14 506.159ms # Level3
11. 4.69.132.78 463.024ms # Level3
12. 4.71.170.78 449.416ms # Level3
13. 66.174.98.66 456.970ms # Verizon
14. 66.174.105.24 459.652ms # Verizon
[.. four more Verizon hops ..]
19. 69.83.32.3 508.757ms # Verizon
20. <last hop> 516.006ms # Verizon

And doesn't the graph in Craig Labovitz's blog seem consistent with a modest (not overwhelming, or even unusual) amount of excess traffic during the event?

http://asert.arbornetworks.com/2010/11/china-hijacks-15-of-internet-traffic/

So, putting this, and everything else, together, wouldn't it be reasonable to conclude that

- some traffic was diverted but
- nowhere near 15% of the Internet, by orders of magnitude?

Regards
Marshall
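The traceroute Marshall quotes can be checked mechanically for the two things this part of the thread argues about: whether a third party's network sits between the endpoints at all (existence of transit), and how far the end-to-end latency departs from the 110ms the Renesys quote gives as normal. What follows is an added example, not code from the thread or from Renesys. It parses the trace exactly as quoted above (the elided Verizon hops stay elided and are skipped, not guessed); the "# network" annotation format, the 3x jump threshold and the function names are assumptions made for this example.

```python
"""Hop-by-hop check of a traceroute for evidence of a routing detour.

Added example, not code from the NANOG thread or from Renesys. The trace
is the one quoted in the thread; the elided Verizon hops stay elided.
The annotation format, the jump threshold and the function names are
assumptions made for this example.
"""
import re

# Traceroute as quoted on the page (London -> USA, passing through China Telecom).
TRACE = """\
1. <our host> 0.785ms # London
2. 195.66.248.229 1.752ms # London
3. 195.66.225.54 1.371ms # London
4. 202.97.52.101 399.707ms # China Telecom
5. 202.97.60.6 408.006ms # China Telecom
6. 202.97.53.121 432.204ms # China Telecom
7. 4.71.114.101 323.690ms # Level3
8. 4.68.18.254 357.566ms # Level3
9. 4.69.134.221 481.273ms # Level3
10. 4.69.132.14 506.159ms # Level3
11. 4.69.132.78 463.024ms # Level3
12. 4.71.170.78 449.416ms # Level3
13. 66.174.98.66 456.970ms # Verizon
14. 66.174.105.24 459.652ms # Verizon
[.. four more Verizon hops ..]
19. 69.83.32.3 508.757ms # Verizon
20. <last hop> 516.006ms # Verizon
"""

BASELINE_MS = 110.0  # normal end-to-end RTT for this path, as stated in the quote

# hop number, address (or a <placeholder>), RTT in ms, "# network" annotation
HOP_RE = re.compile(r"^\s*(\d+)\.\s+(<[^>]+>|\S+)\s+([\d.]+)ms\s+#\s*(.+?)\s*$")


def parse_trace(text):
    """Return a list of (hop, address, rtt_ms, network). Lines that do not
    match, such as the '[.. four more ..]' elision, are skipped, not guessed."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3)), m.group(4)))
    return hops


def transit_networks(hops):
    """Networks traversed between the first hop's and the last hop's network,
    in path order. A non-empty list is the 'existence of transit' Marshall asks about."""
    src, dst = hops[0][3], hops[-1][3]
    seen = []
    for _, _, _, net in hops:
        if net not in (src, dst) and net not in seen:
            seen.append(net)
    return seen


def find_detours(hops, jump_factor=3.0):
    """Flag hops where the path enters a different network and the RTT jumps by
    more than jump_factor at the same time. A latency cliff exactly at a network
    boundary is what a path that left the region looks like in a trace."""
    detours = []
    for prev, cur in zip(hops, hops[1:]):
        ratio = cur[2] / max(prev[2], 0.001)  # guard against a 0 ms hop
        if cur[3] != prev[3] and ratio > jump_factor:
            detours.append({"hop": cur[0], "network": cur[3],
                            "rtt_ms": cur[2], "ratio": round(ratio, 1)})
    return detours


def path_inflation(hops, baseline_ms=BASELINE_MS):
    """End-to-end RTT relative to the normal baseline (1.0 means unchanged)."""
    return hops[-1][2] / baseline_ms


if __name__ == "__main__":
    hops = parse_trace(TRACE)
    print("transit networks:", transit_networks(hops))
    for d in find_detours(hops):
        print(f"latency cliff at hop {d['hop']} entering {d['network']}: "
              f"{d['rtt_ms']} ms ({d['ratio']}x the previous hop)")
    print(f"end-to-end RTT is {path_inflation(hops):.1f}x the normal {BASELINE_MS:.0f} ms")
```

On the quoted trace this reports China Telecom and Level3 as transit networks, a single latency cliff at hop 4 (hundreds of times the previous hop's RTT, on entering China Telecom), and an end-to-end RTT about 4.7x the stated baseline. Note what it does and does not establish, which is Randy's point: a trace shows that this one path was carried through the network in question, not how much traffic followed it.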

it's fairly clear though that you won't get traffic information
without looking at the interconnects between the offending parties,
eh? I think the Arbor notes about this try to address this from a
traffic perspective, though they have anonymized stats at best.

<conspiracy-hat>also, you won't get the traffic stats from the
offending parties</conspiracy-hat>

-chris

it's fairly clear though that you won't get traffic information
without looking at the interconnects between the offending parties

yep

<conspiracy-hat>also, you won't get the traffic stats from the
offending parties</conspiracy-hat>

and how much traffic data does google publish?

or iij or ntt? oops! cho, fukuda, esaki, & kato [0] did show real
traffic data from japan's largest isps.

no accusations meant. just trying to keep the discussion near sea
level.

randy

sometimes I love to pull your chain... :) I agree though that folks
won't publish this data (in general) directly, for whatever reason.
Also, right '15% of traffic' really should have been '15% of routes*'

-chris

(*) routes as seen in one set of perspectives... not valid in
tennessee, wyoming, parts of Alabama, Albania, Germany, The
ex-UK-protectorates or...

Agreed, I should have been more clear. I wasn't implying that much traffic either, but rather "15% of global prefixes."

I was more focused on, "Seems clear enough that traffic *transited* China ASNs, as opposed to being blackholed as we've seen in many hijacks."

Further, in hopes of generating discussion... I've seen a lot of comments along the lines of "this was likely an accident, misconfiguration, or fat-finger..."

I'm having a really hard time figuring how, if traffic was not only diverted to China but *transited* China, this could be any kind of mistake. I'm not able to get my fingers or thumbs to randomly (seemingly) select approximately 15% of all prefixes, originate those, modify filters so I can do so, and also somehow divert it to another router that doesn't have the hijacked prefixes I'm announcing but rather forwards the source traffic on to its intended destination.

I can't seem to work all of that out into any kind of "accident."

Anyone?

-b
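Chris's and -b's correction, that "15% of traffic" should have read "15% of routes", is the same point the original post makes about prefixes versus traffic: a count of hijacked prefixes says nothing by itself about the address space or the traffic behind them. The block below is an added example, not code from the thread. It builds a constructed 20-route table, applies a constructed hijack (origin AS 64666 replacing the expected origin on three /24s), detects it the way a route monitor would, by origin-AS mismatch against the expected table, and then reports the same event three ways: as a share of prefix count, of address space and of a constructed traffic weight. All prefixes, ASNs and traffic weights are constructed; the traffic figures stand in for measurements the thread agrees nobody publishes.

```python
"""Prefix-count share vs. address-space and traffic share of a hijack.

Added example, not code from the NANOG thread. The routing table, the
traffic weights and the hijacking origin AS are all constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: str       # CIDR as announced
    origin_as: int    # origin AS (rightmost AS in the AS_PATH)
    traffic: float    # constructed relative traffic volume toward this prefix


def build_legit_table():
    """Constructed 'correct' table: three large prefixes carry most of the
    traffic, seventeen /24s carry little. 20 routes in total."""
    table = [
        Route("10.0.0.0/8", 64500, 50.0),
        Route("172.16.0.0/12", 64501, 25.0),
        Route("192.168.0.0/16", 64502, 8.0),
    ]
    for i in range(17):
        table.append(Route(f"198.51.{100 + i}.0/24", 64600 + i, 1.0))
    return table


HIJACKER_AS = 64666  # constructed


def apply_hijack(table, prefixes, hijacker_as=HIJACKER_AS):
    """The table as a collector would see it while hijacker_as originates
    `prefixes` and its announcement wins best-path selection."""
    return [replace(r, origin_as=hijacker_as) if r.prefix in prefixes else r
            for r in table]


def detect_origin_changes(legit, observed):
    """Origin-mismatch check: prefixes whose observed origin AS differs from
    the expected one. Returns the set of affected prefixes."""
    expected = {r.prefix: r.origin_as for r in legit}
    return {r.prefix for r in observed if expected.get(r.prefix) != r.origin_as}


def impact_shares(legit, hijacked_prefixes):
    """Three different '% of the Internet' for the same event."""
    total_addrs = sum(ipaddress.ip_network(r.prefix).num_addresses for r in legit)
    total_traffic = sum(r.traffic for r in legit)
    hit = [r for r in legit if r.prefix in hijacked_prefixes]
    hit_addrs = sum(ipaddress.ip_network(r.prefix).num_addresses for r in hit)
    return {
        "prefix_share": len(hit) / len(legit),
        "address_share": hit_addrs / total_addrs,
        "traffic_share": sum(r.traffic for r in hit) / total_traffic,
    }


def demo():
    """Hijack 3 of 20 prefixes (15% by count) and report the other two shares."""
    legit = build_legit_table()
    hijacked = {"198.51.100.0/24", "198.51.101.0/24", "198.51.102.0/24"}
    observed = apply_hijack(legit, hijacked)
    detected = detect_origin_changes(legit, observed)
    return impact_shares(legit, detected)


if __name__ == "__main__":
    for name, share in demo().items():
        print(f"{name:14s} {share:9.4%}")
```

With these constructed numbers the same incident is 15% of prefixes, 3% of traffic and well under a hundredth of a percent of address space; which of the three a headline quotes is the whole difference between "15% of routes" and "15% of the Internet". The origin-mismatch check is the part a network operator can actually run against collector data, and it is also all such data can tell you: it identifies which prefixes were affected, not how many packets followed the bogus route.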

"What filters?" "We don't need any stinkin' filters"
Sometimes disasters such as an accidental hijacking might be the
result of multiple different mistakes or errors that occurred at
different times, separated by months or years; they can include design
mistakes that were present all along, and the earlier mistakes might
never have been detected until they catalyzed later mistakes.

A device missing filters, a missing config entry to actually apply
any filters, or a big hole in a filter set are some possibilities,
where an operator would not need to make the same typo twice at a
later date.

The redirection of packets to the eventual proper destination is not
necessarily indicating anything intentional; perhaps packets reached
a Chinese router that did not have the error, or that had the right
filter set active.

So far, I have seen nothing reported in sufficient detail to infer with high
confidence either that it was an accident or that the hijacking was not an
accident; it seems you can proceed using either assumption without
arriving at a probable inconsistency or logical contradiction. "We
don't know for sure if the hijacking was accidental or not" seems a
valid answer.

Hanlon's razor?
