Pierluigi Paganini June 08, 2019

On June 6, for more than two hours China Telecom re-routed through its infrastructure a large chunk of European mobile traffic.

In November security researchers Chris C. Demchak and Yuval Shavitt published a paper that detailed how China Telecom has been misdirecting Internet traffic through China over the past years. The experts speculate that they were intentional BGP Hijacking attacks.

The term BGP hijacking is used to indicate the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

Now a new case sees the involvement of China Telecom, on June 6, for more than two hours a large chunk of European mobile traffic was rerouted through the infrastructure of ISP.

China Telecom was a brand of the state-owned  China Telecommunications Corporation, but after marketization of the enterprise spin off the brand and operating companies as a separate group.

China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.

The last incident was caused by the propagation of routing announcements beyond the intended scope, so-called BGP route leak.

The BGP route leak involved the Swiss data center of the company Safe Host that accidentally leaked over 70,000 routes from its routing table to the Chinese ISP.

China Telecom did not discard the BGP leak, instead, it announced the Safe Host’s routes as its own routes, this means that all the traffic for many European mobile networks was re-routed through its network.

“Beginning at 09:43 UTC today (6 June 2019), Swiss data center colocation company Safe Host (AS21217) leaked over 70,000 routes to China Telecom (AS4134) in Frankfurt, Germany.” reads the analysis published by Oracle. “China Telecom then announced these routes on to the global internet redirecting large amounts of internet traffic destined for some of the largest European mobile networks through China Telecom’s network.”

Most impacted European networks included Swisscom (AS3303) of Switzerland, KPN (AS1130) of Holland, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France.

The traffic was re-directed for over two hours and numerous leaked routes were more-specifics of routed prefixes, a circumstance that suggests the use of route optimizer technology.

Users of the affected mobile network experienced connection lagging and in some cases, they were not able to connect to some servers.

“Today’s incident shows that the internet has not yet eradicated the problem of BGP route leaks,” concludes Oracle.

“It also reveals that China Telecom, a major international carrier, has still implemented neither the basic routing safeguards necessary both to prevent propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur. Two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications.”

How to prevent such kind of attacks?

Security experts are pushing to adopt solutions to protect BGP, Cloudflare for example, sustains that Resource Public Key Infrastructure (RPKI) could secure BGP routing.

Pierluigi Paganini

(SecurityAffairs – BGP hijacking, China Telecom)

[adrotate banner=”5″]

[adrotate banner=”13″]