China's Hacking of the Border Gateway Protocol

This is a long -- and somewhat technical -- paper by Chris C. Demchak and Yuval Shavitt about China's repeated hacking of the Internet Border Gateway Protocol (BGP): "China's Maxim -- Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking."

BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept. The NSA calls it "network shaping" or "traffic shaping." Here's a document from the Snowden archives outlining how the technique works with Yemen.

EDITED TO ADD (10/27): BoingBoing post.

Posted on October 24, 2018 at 6:00 AM • 31 Comments

Comments

me • October 24, 2018 6:51 AM

why don't we replace it?
it is an old and unauthenticated protocol.

patching is not possible i think, it would be a compatibility nightmare, as patching http to add security is impossible; in fact https works on a different port.

if we have done it for http i think it's possible also for bgp.

the nsa way to avoid legal problems by forcing traffic to leave and reenter the usa makes no sense. and shouldn't be legal, like the whole mass surveillance

me • October 24, 2018 6:53 AM

If i remember correctly china hijacked bgp to inject javascript in every unprotected page (http) to ddos github because they were hosting programs that allow Chinese people to bypass their censorship

me • October 24, 2018 7:09 AM

from the article:
"Today China has ten POPs in North America (eight in the US and two in Canada) while the US has none in China. That imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the US and its allies."

To me it seems biased; it looks like the US can do nothing while China can do what they want.
It might be true that the US has no PoP in China, but this doesn't stop the US from spying on the whole world.
if you take a look at the Snowden documents they show that the US has surveillance facilities in almost every part of the world and that they hijack traffic too (thanks @Bruce for posting that link).

to me it seems unfair to cite only China while other states are doing the same or worse.

echo • October 24, 2018 7:46 AM

@Bruce

I posted some links in the squid thread for new articles which discuss the quantum internet.

The part relevant to this topic is the difference between the European proposal and the Chinese proposal. The European proposal is secure from end to end. The Chinese system will be secure only from "trusted" signal booster to "trusted" signal booster. The signal booster is obviously a point where China can monitor traffic.

me • October 24, 2018 7:54 AM

There are some interesting documentaries about mass surveillance, bgp hijacking, facebook and cambridge analytica (made one year before everyone started talking about it).
they were broadcast on italian public television.
unfortunately they are in italian only i think.
but if there is another italian reader interested i can share them, or anyone who can understand italian.

someone add some comments, i feel like i'm the only one posting comments and it doesn't seem polite.

Phaete • October 24, 2018 8:51 AM

I wouldn't call it hacking, BGP is used without hacks.
Hijacking is what it's more commonly called.

It will only change if the money lost by the companies due to BGP hijacks gains critical mass over the money needed to spend to change it.

It reminds me most of those old gangster movies where they blocked off the road with a sign "Roadwork ahead, Use other route" and continued to rob a bank around the corner.

Krebs also has some nice articles about BGP, but his referrals to himself in third person might get to you after some time.

asdf • October 24, 2018 9:17 AM

@me Thanks for the reminder, the GitHub story (and how GitHub fought back at the time) was interesting and worth rereading.

4ndr34 • October 24, 2018 12:14 PM

@me

Are you telling me that RAI has broadcast a documentary about mass surveillance, bgp hijacking, facebook and cambridge analytica, made 1 year before everyone started talking about it?

I really missed it...

Injector • October 24, 2018 1:25 PM

If I were to inject surreptitious hardware elements into a hardware design, I would also want to disguise any network traffic that my spying created. I would arrange a BGP hack to obscure the final destination to make the traffic look benign. I'm sure I'm the first person ever to think of this...

Noman • October 24, 2018 1:44 PM

The truth is, alternatives to BGP have existed for nearly 20 years. I, for example, worked on a team building an SBGP prototype nearly 20 years ago. It's not a lack of technology. It's a lack of will.

ROA • October 24, 2018 2:35 PM

There are protocol extensions that you can use with BGP which make this harder (RPKI) but actual uptake has been very very slow.

Weather • October 24, 2018 3:32 PM

Haven't worked on large networks, but as a computer user couldn't you still control what path the packets take, overruling bgp? It doesn't need to go the route with the lowest metric.

ROA • October 24, 2018 4:34 PM

@Weather you can use source routing IP options to do that, but:
1. you need to know what path you actually want to take. This is a hard problem, and will require significant resources on endpoint devices
2. The routers between you and your destination need to look at that header, which will take the packets off their fast hardware-switched path, and onto a slow path which uses software to make decisions

These two issues mean that your proposed solution won't work on the modern internet.

Ian • October 24, 2018 11:20 PM

Source routing is useless because even if you got past the problems with fast/slow path and that many routers drop packets with source routing options entirely, you can only specify a dozen or so hops before you run out of space in the IPv4 header.

Weather • October 24, 2018 11:23 PM

I think it's up to five routers deep that a neighbour update has effect, not wanting to talk about hacking the router and controlling the legit updates,
If an update packet arrives out of sync from the default 30 mins and it doesn't set the metric to a cut cable, reject the packet.
There is faking the IP address so that one link is closer, which lowers the metric; once it gets to the router it finds it needs to travel further, but too late,
The other thing that modifies the metric is cable bandwidth; ruling out a router software update and no hardware tap on the line, a neighbour discovery packet should pass down the chain,
In the country where I live there's a uni that is four network hops to the undersea cable; control of the console port should allow updating,

Starting to cross a line :(

Weather • October 24, 2018 11:50 PM

That is strict source routing, and that is 10,176,192 of the ISP as well, but loose gets allowed (if you miss one hop with strict it gets dropped) and the routers have a bit more say where it goes; if I point west the routers aren't going to say east if it is close.

me • October 25, 2018 2:18 AM

@4ndr34
There was an episode of the documentary program Petrolio, on RAI1, that talked about mass surveillance, how they clone fiber optic data, and incidentally it talked also about bgp hijacking.
I don't remember the title of the episode or the date, but I have that info at home, plus I have recorded it if you want.

there was an episode of Report on RAI3 that talked about online advertising, tracking, cookies, cambridge analytica; you can find it here:
http://www.report.rai.it/dl/Report/puntata/ContentItem-0de6de4e-6351-4aad-ab94-96b1672402ac.html
it's dated 22/05/2017 which is about one year before the scandal became mainstream (I still don't get why everybody knew about it but it went mainstream only one year later).
In that episode they say that cambridge analytica said "trump won elections because of us".

there is also a segment on the program "le iene" called "e se ti spiassero dal tuo cellulare" where they show that with malware on a mobile phone it's possible to know literally everything about a person.
it was made after hacking team got hacked, in fact they are mentioned in the segment; snowden and the nsa are mentioned too.
https://www.iene.mediaset.it/video/viviani-e-se-ti-spiassero-dal-tuo-cellulare-_68914.shtml

me • October 25, 2018 2:23 AM

@Injector
The UK doesn't even need to hijack bgp, most of the internet traffic passes through them, in fact they have tempora which is a "clone the whole internet" thing.
they tap the optic fiber and they clone all the data passing through it.
at the snowden time they had hdd space only for three days of data.
the report bruce posted talks about "oh my god china took 10% of the internet for some hours" while I remember a slide from snowden that said that the us/uk were able to intercept 75% of the internet due to the fact that many internet services are in the us and both have a strategic geographic place on the backbone.
just duckduckgo or google image "global fiber optic map"
you will see that everything passes through the uk

me • October 25, 2018 2:31 AM

@4ndr34
cc: @Bruce

I have found it!
Petrolio - La spia invisibile - 29/12/2014
https://www.raiplay.it/video/2014/12/Speciale-Petrolio-del-29122014-affd5fd3-bced-4521-958d-11fcc2d22a09.html

Bruce schneier is in the episode too!

From the episode description (translated from the Italian):
"...What is the future of the network? What is the limit between freedom and illegality? Will the Internet of Things be the definitive step toward creating the BIG BROTHER who will know everything about us? Answering the questions are Sir Tim Berners-Lee, inventor of the internet, Bruce Schneier, international security expert..."

echo • October 25, 2018 2:45 AM

@me

you will see that everything pass through uk

Yes, this is why London is entertained as a global hub of corruption according to what has been said on some documentaries. The belief being that if London is a magnet for shady characters and leaders in exile this gives the UK leverage with espionage and influence.

This wouldn't be so bad if UK government had an economic policy and treated public policy human rights and services seriously but the UK hasn't for some decades now.

Otter • October 25, 2018 5:43 AM

UK does have an economic policy. They don't want it to become widely known.

If they treated public policy human rights and services seriously, London would not be a global hub of corruption, a magnet for shady characters, and so forth. The cousins would not chuck them under the chin and say good girl nearly so often.

Petre Peter • October 25, 2018 9:07 AM

Remember! Technology and law have to work together or neither can work. This is the most important lesson of Snowden's documents.

Genie • October 25, 2018 2:09 PM

BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept.

This http://bgp.us/ looks like a very nice website that explains it all. The Internet was from its inception a project of the U.S. military, and is still managed by a host of "three-letter agencies." Encrypt your stuff if you don't want it "intercepted."

The NSA calls it "network shaping" or "traffic shaping."

That is the political opposition to "network neutrality" supported by EFF et alia. Problem is that when you prioritize some traffic over other, people encrypt their traffic and send it over the prioritized channels, which defeats the purpose of "shaping" or bandwidth limiting.

A commercial "T1" or "E1" line or the like has no more nominal channel capacity than a residential consumer DSL line, but it isn't supposed to be "oversubscribed." The politics all come down to the "consumer" level, because even fairly sizable businesses are treated as "consumers" by the whole Cisco / AT&T / telco cartel.

TJB • October 30, 2018 3:27 PM

I thought only a border router could send out BGP updates, and therefore an entity with an ASN ( and a border router) was required to hijack BGP. What exactly is a PoP (Point of Presence) and how is China Telecom able to run BGP Hijacks with a PoP ?

TJB • October 30, 2018 4:19 PM

@EvilKiru: Thanks, but it does not answer my question. China Telecom is not an ISP in the US, nor an AS in this geography. Why is it allowed to maintain multiple PoPs here and how are those PoPs BGP enabled?

Timothy • November 15, 2018 11:53 AM

The Chief Engineer of the NCCoE Harry Perper recently tweeted:

"Rob #NCCoE and @NISTcyber recently published a document describing an approach and proof of concept to secure BGP routing updates. Check out the SIDR project @ http://nccoe.nist.gov"

I believe that document is the recently released draft practice guide "NIST SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation." Here is an overview of the guidance package from NCCoE. And here are some highlights from the complete guide:

1.1 Challenge

[…] Protocols have been defined that are designed to provide protection against many of the routing attacks mentioned above. The technique that is the subject of this Practice Guide, RPKI-based ROV {RPKI: Resource Public Key Infrastructure, ROV: Route Origin Validation}, enables operators to verify that the AS that has originated a BGP route advertisement is in fact authorized to do so. Use of RPKI-based ROV can provide protection against accidental and some malicious route hijacks. A second protocol, BGPsec, allows network operators to verify the validity of the entire routing path across the internet (referred to as path validation). The use of RPKI-based ROV in conjunction with BGPsec can provide protection against malicious route hijacks as well as other routing attacks. Unfortunately, the adoption of both ROV and BGPsec is still very limited. In the case of BGPsec, while the specification of the BGPsec-based path validation is complete [RFC 8205], [RFC 8207], [RFC 8210], and open-source implementations [NIST BGP-SRx] [Parsons BGPsec] are available, there is still a lack of commercial implementations available from router vendors.

BGPsec also has several other obstacles impeding its deployment, as compared with ROV, such as the fact that support for it will be resource-intensive because it increases the size and number of routing messages that are sent, and each message will require a cryptographic verification of at least one, and most likely multiple, digital signatures. Digital signature verification will be processing-intensive and may require hardware upgrades and/or software optimizations [NANOG69] [V_Sriram]. It also adds a level of complexity with respect to the acquisition and management of public keys for BGP routers, as well as the X.509 certificates used in sharing those keys. […]

1.2 Solution

This Practice Guide (NIST SP 1800-14) describes how to use available security protocols, products, and tools to provide RPKI-based ROV. This Practice Guide focuses on a proof-of-concept implementation of the IETF security protocols and the NIST implementation guidance needed to protect ISPs and ASes against widespread and localized route hijacking attacks. Although it would have been preferable to protect against additional types of routing attacks by also focusing on the more comprehensive solution of BGP path validation in conjunction with ROV, the lack of commercial vendor implementation support for BGPsec makes providing a BGP path validation solution impractical at this time. Hence, this Practice Guide is focusing only on providing ROV. […]

I wonder if there is a total cost, schedule, and success rate anticipated for these protocol implementations. The audience for the guidance is listed as those involved with the safety and security of business IT networks. Will it be the responsibility of each private/public entity to install and/or implement the updated security products and protocols?
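The Route Origin Validation the quoted guide describes boils down to a small decision procedure: for each BGP announcement, find the ROAs whose prefix covers the announced prefix, and check whether any of them names the announcing origin AS and permits that prefix length. The following is an added illustration, not code from NIST SP 1800-14, the SIDR project, or any router vendor. It implements the three validation states that RFC 6811 defines (valid, invalid, not-found) over a constructed set of ROAs using documentation prefixes and private-use ASNs; the accept/reject policy in apply_policy is an assumption about a common operator choice, not something the guide excerpt prescribes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific prefix whose length is at most `max_length`.
    An origin_as of 0 is the RPKI convention meaning nobody may announce it."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed sample ROAs: documentation prefixes (RFC 5737 / RFC 3849) and
# private-use ASNs (RFC 5398). Real ROAs come from the RPKI repositories.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),     # exactly the /24, only from AS64496
    ROA("198.51.100.0/22", 24, 64497),  # the /22 and anything down to /24
    ROA("203.0.113.0/24", 24, 0),       # AS0 ROA: this prefix must never appear
)


def validate_origin(announced_prefix: str, origin_as: int,
                    roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation state for one announcement."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the announcement when the announced prefix lies
        # inside the ROA prefix (same address family).
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Matching ROA: right origin AS and prefix not more specific than
        # the ROA allows. One match is enough for "valid".
        if net.prefixlen <= roa.max_length and roa.origin_as == origin_as:
            return "valid"
    # Covered by at least one ROA but matched by none: someone other than
    # the authorized holder (or an over-specific prefix) is being announced.
    return "invalid" if covered else "not-found"


def apply_policy(state: str) -> bool:
    """Assumed operator policy: drop invalid routes, keep valid and not-found
    (not-found must be accepted while ROA coverage is incomplete)."""
    return state != "invalid"


# Constructed announcements (prefix, origin AS) to run through the check.
SAMPLE_ANNOUNCEMENTS = (
    ("192.0.2.0/24", 64496),     # legitimate holder            -> valid
    ("192.0.2.0/24", 64511),     # another AS claims the prefix -> invalid
    ("192.0.2.0/25", 64496),     # more specific than maxLength -> invalid
    ("198.51.100.0/23", 64497),  # within the /22's maxLength   -> valid
    ("203.0.113.0/24", 64500),   # AS0 ROA forbids any origin   -> invalid
    ("2001:db8::/32", 64496),    # no ROA covers it             -> not-found
)


def evaluate(announcements, roas=SAMPLE_ROAS) -> List[Tuple[str, int, str, bool]]:
    """Return (prefix, origin_as, state, accepted) for each announcement."""
    rows = []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        rows.append((prefix, origin_as, state, apply_policy(state)))
    return rows


if __name__ == "__main__":
    for prefix, origin_as, state, accepted in evaluate(SAMPLE_ANNOUNCEMENTS):
        verdict = "accept" if accepted else "REJECT"
        print(f"{prefix:<18} AS{origin_as:<6} {state:<10} {verdict}")
```

The "invalid" cases are exactly the shape of an origin hijack: the prefix is registered to one AS, and a different AS starts originating it (or a more-specific that the holder never authorized). ROV catches that, which is why the guide calls it protection against "accidental and some malicious route hijacks"; it does not check anything about the AS path, so a hijacker who prepends the legitimate origin to a forged path is the case that needs BGPsec's path validation.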
