On Thursday, June 6th (9:43 am UTC), Europe’s leading mobile providers received a shock when a large chunk of the traffic destined to reach them was misdirected or rerouted to another path by the network of a Chinese state-operated telecom firm, China Telecom. The misdirection of the traffic continued for two hours and even more in some cases.
According to the details shared by an Internet-monitoring service, the internet’s global routing system, which is called the Border Gateway Protocol (BGP), was clearly hijacked by the Chinese telecom firm. The BGP route leak affected various mainstream mobile carriers across Europe.
What happened was that early on Thursday morning, the Swiss web hosting provider Safe Host leaked over 70,000 BGP routes to China Telecom, after which the Chinese firm announced these routes as its own. As a result, traffic for many mobile carriers, including those in France, the Netherlands, and Switzerland, passed through China Telecom’s network on its way to the intended destination.
Currently, it is unclear whether the leak was accidental or intentional. It is worth noting that some of the IP blocks affected in this incident were quite small but more specific than many of those included in legitimate announcements. This indicates that route optimizers were used to steer network traffic, which might have caused Thursday’s route leak.
China Telecom is also known for propagating improper BGP announcements. For instance, in November 2018, an African ISP updated its BGP tables to improperly declare AS37282 as a legitimate path for reaching 212 IP prefixes of Google.
Furthermore, China Telecom not only accepted this route but also announced it globally. As a result, Google’s key services, including the search engine, became unavailable to users, while the functioning of Spotify and Google Cloud was affected at the same time.
For your information, internet traffic passes through multiple networks around the world to reach its destination. These networks are part of an already established route, and autonomous systems such as ISPs are responsible for exchanging routing information using BGP.
Leaking of BGP routes means the “propagation of routing announcement(s) beyond their intended scope,” according to the Internet Engineering Task Force (IETF). As a result, traffic can pass through a path where spying or eavesdropping can be carried out by an outside party.
BGP route leaks continue to be a cause of concern primarily because BGP is the key protocol that keeps the network functioning and informs routers of the best route to a given destination. Moreover, other routers all over the internet use this route information for their own forwarding decisions, and if one of the routes breaks for some reason, a network can easily publish another route to maintain uninterrupted traffic flow.
However, since routers don’t authenticate the routes they receive from a particular network, it is possible for a network owner to propagate another network’s route and thereby reroute traffic to an undesired destination. This could be either accidental or a pre-planned hijacking, and the recent incident involving European ISPs seems to be intentional.
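The missing authentication described above is what RPKI route origin validation (RFC 6811) is meant to supply: a router compares each received announcement against signed Route Origin Authorizations (ROAs) and rejects routes whose origin AS or prefix length is not authorized, which catches exactly the kind of more-specific announcements mentioned earlier. The following is an added example of that check, not code from the article or from any operator involved; the ASNs (64496 to 64500) and prefixes come from the documentation ranges and are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: origin_asn may announce prefix
    and any sub-prefix no longer than max_length."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_route(prefix, origin_asn, roas):
    """Classify one announcement per RFC 6811: valid, invalid, not-found."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this prefix
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but no ROA matches: origin or length is not authorized.
    return "invalid" if covered else "not-found"


def audit_announcements(announcements, roas):
    """Return {(prefix, origin_asn): state} for every announced route."""
    return {(p, asn): validate_route(p, asn, roas) for p, asn in announcements}


# Constructed ROAs: who is allowed to originate which prefixes.
ROAS = [Roa("203.0.113.0/24", 24, 64496), Roa("198.51.100.0/23", 24, 64497)]

# Constructed announcements as a router would receive them.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # legitimate origin and length
    ("203.0.113.0/25", 64496),   # more-specific than the ROA allows
    ("203.0.113.0/24", 64500),   # right prefix, unauthorized origin
    ("198.51.100.0/24", 64497),  # sub-prefix within max_length
    ("192.0.2.0/24", 64500),     # no ROA at all
]

if __name__ == "__main__":
    for route, state in audit_announcements(ANNOUNCEMENTS, ROAS).items():
        print(f"{route[0]:18} AS{route[1]}  {state}")
```

A router configured to drop "invalid" routes would have refused the more-specific and wrong-origin announcements, while "not-found" routes (no ROA published) are still accepted, which is why ROA coverage by prefix holders matters as much as validation by carriers.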
Doug Madory, director of Oracle’s Internet Analysis division, explains that this incident underscores the fragile architecture of the internet and how dangerous such leaks can be.
“Today’s incident shows that the Internet has not yet eradicated the problem of BGP route leaks. It also reveals that China Telecom, a major International carrier, has still implemented neither the basic routing safeguards necessary both to prevent the propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur,” said Madory.