China Telecom debacle exposes Internet's biggest vulnerability

Shortcomings in Border Gateway Protocol enabled sensitive data to be rerouted to China, yet no changes will likely be made

Last April 8, for 18 minutes, a significant portion of Internet traffic, including that of U.S. government and military sites, was misrouted to China. Early estimates indicated 15 percent of all traffic was sent in the wrong direction, but that figure was misreported from the source document; rather, traffic from 15 percent of Internet sites was affected, which doesn't correlate to 15 percent of all Net traffic. (Craig Libovitz of Arbor Networks and BGPMon.net both have good summary analyses of what happened.)

Whether it was 15 or only 1 percent of all traffic that was misrouted, the incident lays bare a huge Internet security vulnerability in BGP (Border Gateway Protocol), a routing protocol used by ISPs to direct backbone traffic around the Internet. BGP routing tables are used in a nearly fully meshed network among all ISPs in the world. It's not hyperbole to say this is the way the Internet works.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

I used to think Dan Kaminsky's DNS flaw discoveries represented the No. 1 Internet security vulnerability of all time, but this BGP vulnerability essentially tops those. BGP is lower down in the OSI networking model, which means it has a greater chance to be used for evil.

Over the past two decades, we've seen a handful of major BGP routing snafus, most of which were attributed to human mistakes that were corrected when found. But as with previous threats involving China, no one knows if this rerouting was intentional or if the Chinese government was involved. Also, you have to think that if a government player was involved, the attack would be less obvious and more focused. Then again, the Stuxnet worm (which is highly likely to be city-state sponsored) quickly kills that argument as definitive.

We'd like to think that all the important and confidential information rerouted to China for those 18 minutes was protected in VPNs and secure tunnels. Unfortunately, confidential and important data is often sent out unprotected, and many VPNs and private tunnels aren't as secure as assumed. The most common VPN protocol (SSL/TLS) isn't. If the routing mistake wasn't accidental, there's a good chance the aggressors got access to a lot of information that people would rather they not.

1 2 Page
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies