China's Internet hijack: Attack or accident?

Security experts disagree on whether China Telecom's hijack of major Internet domains was an attack, but the incident has heightened awareness of the potential cyber threat

On April 8, China Telecom updated its routing information, advertising to the Internet that the best path to a large number of major domains led through its routers. Many major Internet routers -- no one's quite sure how many -- agreeably updated their routing information, sending requests addressed to,, and other major domains through the Chinese ISP.

This is nothing new. Accidental hijacks of routes happen quite often as a result of the unauthenticated nature of the border gateway protocol, which Internet routers use to communicate information on the best path to various destinations. The China Telecom incident was duly reported in technical circles and in the technology media at the time.

But this week the incident got a new look. At least one security firm, McAfee, has raised the issue with lawmakers on Capitol Hill. As a result, the incident was included in the annual report by the U.S.-China Economic and Security Review Commission, a nonpartisan congressional panel, and from there the news has gone viral.

The reason for all the hubbub? Normally such updates are an accident and lead to a self-inflicted denial-of-service attack against the Internet service provider that advertises the erroneous routing information. However, China Telecom rerouted the requests so that it was hard to tell that anything untoward had happened. That makes it look like an attack, according to Dmitri Alperovitch, vice president of threat research at security giant McAfee.

"It is kind of hard for you to break things in such a way that it still works, that traffic still flows through," Alperovitch said. "It is not impossible -- so it is possible that this was completely accidental as they said -- but that situation is very peculiar."

In a blog post, Alperovitch outlined the danger that such route hijacking could have. While China Telecom corrected the issue in 18 minutes, the impact lasted about an hour, leaving one in seven Internet domains leading to China. The estimates of how much traffic China Telecom may have seen are far less concrete. Alperov argues that, because the redirected domains were major ones, far more than 15 percent of traffic transited through China.

However, at least one security expert disagrees. Matt Jonkman, CEO of security startup Emerging Threats, argues that many router owners are used to these types of mistakes and flag odd routing updates. As a result, few routers would have actually forwarded their information on to China.

"BGP is a pretty smart protocol; every router can make a decision on its own," Jonkman said. "It was not 15 percent of Internet traffic, but 15 percent of IP space. So most likely it was not more than one percent of traffic."

People who were geographically close to the networks, such as U.S. citizens going to the website of a U.S. company, were unlikely to have had their data sent through China.

Clouding the issue is McAfee's business interest. The security giant is the company that hyped -- perhaps deservedly -- the Aurora attack on Google and other companies. Both the Aurora attack and the Stuxnet attack on process control systems has heightened awareness of potential tactics that could be used in a cyber conflict between state actors. Now the China Telecom BGP incident can be added to the list as well.

Jonkman disagrees that the incident should be viewed as an attack, while also arguing that the United States must still be better prepared to handle similar incidents in the future.

"Right now we don't really have a team that watches for these things or respond to them ... with the authority of the U.S.," Jonkman said. "The geeks of the world can spot these events locally, but we need a global response to handle future events."

Jonkman points out that the United States could easily hijack other nations' traffic. In fact, much of the world's traffic passes through U.S. routers and reportedly is mined for information by the NSA.

China has denied that the hijack was anything more than an accident.

This article, "China's Internet hijack: Attack or accident?," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.