Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident Rahul Hiran 1 , Niklas Carlsson 1 , Phillipa Gill 2 1 Linköping University, Sweden 2 University of Toronto, Canada 19 th March2013
China Telecom incident 3/28/2013 2
China Telecom incident • The incident occurred on 8 th April 2010 • The congress report, 2010 in USA mentions the incident • Questions about what was done with the data, attack or accident • We characterize this incident using only publicly available data (e.g., Routeviews and iPlane)
BGP (Border Gateway Protocol) refresher ISP 1 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 AS 22394 66.174.0.0/16
BGP (Border Gateway Protocol) refresher ISP 1 VZW, 22394 66.174.0.0/16 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 AS 22394 66.174.0.0/16
BGP (Border Gateway Protocol) refresher Level3, VZW, 22394 66.174.0.0/16 ISP 1 VZW, 22394 66.174.0.0/16 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 AS 22394 66.174.0.0/16
BGP (Border Gateway Protocol) refresher ChinaTel 66.174.0.0/ 16 ISP 1 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 This prefix and 50K others were announced by AS 22394 China Telecom 66.174.0.0/16
BGP (Border Gateway Protocol) refresher ChinaTel path is shorter ? ChinaTel 66.174.0.0/ 16 ISP 1 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 This prefix and 50K others were announced by AS 22394 China Telecom 66.174.0.0/16
BGP (Border Gateway Protocol) refresher ChinaTel prefix is more specific ? ChinaTel 66.174.161.0/ 24 ISP 1 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 This prefix and 50K others were announced by AS 22394 China Telecom 66.174.0.0/16
BGP (Border Gateway Protocol) refresher ChinaTel 66.174.161.0/ 24 ISP 1 Level 3 Verizon China Wireless 22394 Telecom 66.174.0.0/16 This prefix and 50K others were announced by AS 22394 China Telecom Traffic for some prefixes was possibly intercepted 66.174.0.0/16
BGP routing policies: Business relationships • Heirarchical Internet $$ Transit ISP Transit ISP structure $$ National ISP National ISP National ISP Local ISP Local ISP Local ISP Local ISP Local ISP 3/28/2013 11
BGP routing policies: Business relationships • Heirarchical Internet $$ Transit ISP Transit ISP structure • Different $$ relationships National ISP National ISP National ISP – Customer-Provider – Peer-Peer Local ISP Local ISP Local ISP Loal ISP Local ISP 3/28/2013 12
BGP routing policies: Business relationships • Heirarchical Internet $$ Transit ISP Transit ISP structure • Different $$ relationships National ISP National ISP National ISP – Customer-Provider – Peer-Peer Local ISP Local ISP Local ISP Local ISP Customer route Local ISP 3/28/2013 13
BGP routing policies: Business relationships • Heirarchical Internet $$ Transit ISP Transit ISP structure • Different $$ relationships National ISP National ISP National ISP – Customer-Provider – Peer-Peer Local ISP Local ISP Local ISP Local ISP Peer route Customer route Local ISP 3/28/2013 14
BGP routing policies: Business relationships • Heirarchical Internet Provider route $$ Transit ISP Transit ISP structure • Different $$ relationships National ISP National ISP National ISP – Customer-Provider – Peer-Peer Local ISP Local ISP Local ISP Local ISP Peer route Customer route Local ISP 3/28/2013 15
BGP routing policies: Business relationships • Heirarchical Internet Provider route $$ Transit ISP Transit ISP structure • Different $$ relationships National ISP National ISP National ISP – Customer-Provider – Peer-Peer Local ISP Local ISP • Preference order Local ISP Local ISP – Customer route (high) Peer route Customer route – Peer route Local ISP – Provider route (low) 3/28/2013 16
Analysis outline • Prefix hijack analysis Country-based analysis • Subprefix hijack analysis • Interception analysis Reasons for interception 3/28/2013 17
Country-based analysis • Was any country targeted? • Geographic distribution of prefixes 3/28/2013 18
Country-based analysis Distribution of hijacked prefixes do not deviate from global distribution of prefixes 3/28/2013 19
Subprefix hijack analysis • 21% (9,082) prefixes longer than existing prefixes at all six Routeviews monitors • 95% of this prefixes belong to China Telecom • <1% (86) prefixes subprefix hijacked excluding the top-3 ASes in table 3/28/2013 20
Subprefix hijack analysis No evidence for intentional subprefix hijacking 3/28/2013 21
How did interception occur? Two required routing decisions for traffic interception: China Telecom, China Telecom DC, Level3, Verizon, Verizon W China Telecom DC 66.174.161.0/24 66.174.161.0/24 AT&T China Level 3 Telecom China Telecom Verizon Verizon data centre wireless 3/28/2013 22
How did interception occur? Two required routing decisions for traffic interception: 1. A neighbor routes to China Telecom for hijacked prefix China Telecom, China Telecom DC, Level3, Verizon, Verizon W China Telecom DC 66.174.161.0/24 66.174.161.0/24 AT&T China Level 3 Telecom China Telecom Verizon Verizon data centre wireless 3/28/2013 23
How did interception occur? Two required routing decisions for traffic interception: 1. A neighbor routes to China Telecom for hijacked prefix 2. Another neighbor does not do so China Telecom, China Telecom DC, Level3, Verizon, Verizon W China Telecom DC 66.174.161.0/24 66.174.161.0/24 AT&T China Level 3 Telecom China Telecom Verizon Verizon data centre wireless 3/28/2013 24
How did interception occur? Two required routing decisions for traffic interception: 1. A neighbor routes to China Telecom for hijacked prefix 2. Another neighbor does not do so China Telecom, China Telecom DC, Level3, Verizon, Verizon W China Telecom DC 66.174.161.0/24 66.174.161.0/24 AT&T China Level 3 Telecom China Telecom Verizon Verizon data centre wireless 3/28/2013 25
Interception analysis • Identification of interception instances • Used traceroute data from iPlane project 1575 3/28/2013 26
Interception analysis • Identification of interception instances • Used traceroute data from iPlane project 357 3/28/2013 27
Interception analysis Reasons for neighbors not choosing 4134 3/28/2013 28
Interception analysis: Reasons for neighbors not choosing 4134 • Routing policies and business relationships resulted in interception • Accidental interception possible 3/28/2013 29
Conclusion and discussion • Characterized the China Telecom incident – Accidental interception possible – Sheds light on properties of announced prefixes – Supports the conclusion that incident was a leak of random prefixes – However, it does not rule out malicious intent • Our study highlights – Challenges of diagnosing routing incidents – Importance of public and rich available data 3/28/2013 30
Linköping University expanding reality Questions? Rahul Hiran rahul.hiran@liu.se
Recommend
More recommend