Characterizing Large-scale Routing Anomalies: A Case Study of the China Telecom Incident

Rahul Hiran (1), Niklas Carlsson (1), Phillipa Gill (2)
(1) Linköping University, Sweden
(2) University of Toronto, Canada
19th March 2013
China Telecom incident
3/28/2013
• The incident occurred on 8th April 2010
• The 2010 congressional report in the USA mentions the incident
• Open questions about what was done with the data: attack or accident?
• We characterize this incident using only publicly available data (e.g., Routeviews and iPlane)
BGP (Border Gateway Protocol) refresher
[Diagram, built up over several slides: AS 22394 (Verizon Wireless) originates 66.174.0.0/16. ISP 1 receives and re-announces it with AS path "VZW, 22394"; Level 3 re-announces it with AS path "Level3, VZW, 22394". China Telecom is also connected to Level 3 and ISP 1.]
• China Telecom (ChinaTel) then announces 66.174.0.0/16 itself. This prefix and 50K others were announced by China Telecom.
• ChinaTel path is shorter: ISP 1 now has to choose between the ChinaTel announcement and the longer legitimate path.
• ChinaTel prefix is more specific: China Telecom announces 66.174.161.0/24, which is preferred over the covering /16 whatever the path length.
• Traffic for some prefixes was possibly intercepted.
BGP routing policies: Business relationships
• Hierarchical Internet structure
  [Diagram: Transit ISPs at the top, National ISPs below them, Local ISPs at the bottom; $ marks appear on the links between tiers.]
• Different relationships
  – Customer-Provider
  – Peer-Peer
• Routes are labelled by the relationship they were learned over (diagram labels): Customer route, Peer route, Provider route
• Preference order
  – Customer route (high)
  – Peer route
  – Provider route (low)
Analysis outline
• Prefix hijack analysis
  – Country-based analysis
• Subprefix hijack analysis
• Interception analysis
  – Reasons for interception
Country-based analysis
• Was any country targeted?
• Geographic distribution of prefixes
• Distribution of hijacked prefixes does not deviate from the global distribution of prefixes
Subprefix hijack analysis
• 21% (9,082) of the prefixes were longer than existing prefixes at all six Routeviews monitors
• 95% of these prefixes belong to China Telecom
• <1% (86) of the prefixes were subprefix hijacked, excluding the top-3 ASes in the table
• No evidence for intentional subprefix hijacking
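The sub-prefix test used above (an announced prefix that is strictly longer than a route already present at every Routeviews monitor, then attributed to the AS whose address space it sits inside) as an added Python example. This is not the authors' code: the monitor snapshots and the announcement list are constructed, with only the 66.174.0.0/16 and 66.174.161.0/24 prefixes taken from the slides, and the function names and the private-use AS numbers 64500-64502 are assumptions.

```python
"""Added example (not the authors' code): flag announced prefixes that are
sub-prefixes of routes already present at every monitor, and count how many
remain once the owners that account for most of them are excluded."""
import ipaddress
from collections import Counter

# Constructed RIB snapshots: monitor -> {prefix: origin AS}. Only 66.174.0.0/16
# (AS 22394) is taken from the slides; 64500-64502 are private-use ASNs.
MONITOR_RIBS = {
    "monitor-A": {"66.174.0.0/16": 22394, "10.8.0.0/16": 64500, "203.0.113.0/24": 64501},
    "monitor-B": {"66.174.0.0/16": 22394, "10.8.0.0/16": 64500},
    "monitor-C": {"66.174.0.0/16": 22394, "10.8.0.0/16": 64500, "198.51.100.0/24": 64502},
}

# Constructed announcements attributed to the suspect origin: (prefix, origin AS)
ANNOUNCED = [
    ("66.174.161.0/24", 4134),    # strictly inside 66.174.0.0/16 at every monitor
    ("10.8.4.0/24", 4134),        # strictly inside 10.8.0.0/16 at every monitor
    ("203.0.113.0/24", 4134),     # same length as an existing route: not a sub-prefix
    ("192.0.2.0/24", 4134),       # no covering route anywhere
    ("198.51.100.128/25", 4134),  # covered at monitor-C only
]


def _routes(rib):
    return [(ipaddress.ip_network(q), o) for q, o in rib.items()]


def covering_origins(rib, prefix):
    """Origins of routes at one monitor whose prefix strictly covers `prefix`."""
    return {o for p, o in _routes(rib)
            if p.prefixlen < prefix.prefixlen and prefix.subnet_of(p)}


def classify(prefix, monitors):
    """'subprefix' only when a strictly shorter covering route exists at every
    monitor (the criterion on the slide); also report the owner of that space."""
    prefix = ipaddress.ip_network(prefix)
    per_monitor = {m: covering_origins(rib, prefix) for m, rib in monitors.items()}
    covered = {m for m, origins in per_monitor.items() if origins}
    if covered == set(monitors):
        owner = Counter(o for s in per_monitor.values() for o in s).most_common(1)[0][0]
        return "subprefix", owner
    if any(prefix == p for rib in monitors.values() for p, _ in _routes(rib)):
        return "exact-prefix", None       # same-length overlap: a prefix hijack candidate
    return ("partially-covered", None) if covered else ("unseen", None)


def summarize(announced, monitors, exclude_owners=()):
    """Counts of the kind the slide reports: sub-prefixes per owner, and the
    number left after excluding the owners listed in `exclude_owners`."""
    kinds, owners = Counter(), Counter()
    for prefix, _origin in announced:
        kind, owner = classify(prefix, monitors)
        kinds[kind] += 1
        if kind == "subprefix":
            owners[owner] += 1
    remaining = sum(n for o, n in owners.items() if o not in set(exclude_owners))
    return {"total": len(announced), "kinds": dict(kinds),
            "subprefix_by_owner": dict(owners), "subprefix_excluding": remaining}


if __name__ == "__main__":
    for prefix, origin in ANNOUNCED:
        print(prefix, classify(prefix, MONITOR_RIBS))
    print(summarize(ANNOUNCED, MONITOR_RIBS, exclude_owners=(64500,)))
```

Requiring the covering route at all monitors, rather than at any one, is what keeps a prefix that is simply invisible from some vantage points from being counted as a hijack; the per-owner count is what lets the analysis separate sub-prefixes of the announcing AS's own space from those inside someone else's.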
How did interception occur?
Two required routing decisions for traffic interception:
1. A neighbor routes to China Telecom for the hijacked prefix
2. Another neighbor does not do so
[Diagram: China Telecom announces 66.174.161.0/24 with AS path "China Telecom, China Telecom DC, China Telecom DC", i.e. via a China Telecom data centre. AT&T holds the legitimate route to 66.174.161.0/24 with AS path "Level3, Verizon, Verizon W"; Level 3, Verizon and Verizon Wireless lie on that path.]
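An added Python example (not from the slides or the paper) that reproduces three of the points above in one toy decision process: the refresher (at equal preference the shorter AS path wins, and a more specific prefix wins regardless of path), the business-relationship preference order (customer over peer over provider), and the two-neighbor interception condition just described. AS names, relationships and the neighbor set are constructed; the prefixes and the paths "VZW, 22394", "Level3, Verizon, Verizon W" and "China Telecom, China Telecom DC, China Telecom DC" are the ones on the slides.

```python
"""Added example (not the authors' code): a toy BGP decision process covering
longest-prefix match, relationship-based local preference, AS-path length and
the slide's two-neighbor interception condition. Relationships are constructed."""
import ipaddress
from dataclasses import dataclass

# Local preference derived from the relationship with the neighbor that sent
# the route: customer routes are preferred, provider routes least preferred.
LOCAL_PREF = {"customer": 300, "peer": 200, "provider": 100}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple       # as_path[0] is the neighbor that sent it, as_path[-1] the origin
    relationship: str    # our relationship to as_path[0]

    def rank(self):
        # Higher local preference first, then the shorter AS path.
        return (LOCAL_PREF[self.relationship], -len(self.as_path))


def best_route(candidates):
    """Best-path selection among routes for the same prefix."""
    return max(candidates, key=Route.rank)


def build_rib(routes):
    """Keep the best route per prefix (Adj-RIB-In -> Loc-RIB)."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {p: best_route(c) for p, c in by_prefix.items()}


def lookup(rib, addr):
    """Forwarding: longest-prefix match, so a /24 beats a covering /16
    even when the /16 route has the better rank."""
    ip = ipaddress.ip_address(addr)
    covering = [p for p in rib if ip in p]
    return rib[max(covering, key=lambda p: p.prefixlen)] if covering else None


def interception_possible(neighbor_ribs, prefix, hijacker):
    """Slide condition: some neighbor forwards the prefix to the hijacker while
    another still does not. Returns (condition holds, neighbors choosing hijacker)."""
    chose = {n for n, rib in neighbor_ribs.items()
             if prefix in rib and rib[prefix].as_path[0] == hijacker}
    return bool(chose) and len(chose) < len(neighbor_ribs), chose


P16 = ipaddress.ip_network("66.174.0.0/16")     # originated by AS 22394 (Verizon Wireless)
P24 = ipaddress.ip_network("66.174.161.0/24")   # more specific announced by China Telecom


def isp1_choice_for_16():
    """Refresher: equal preference, so the one-hop China Telecom path wins."""
    rib = build_rib([Route(P16, ("VZW", "22394"), "peer"),
                     Route(P16, ("China Telecom",), "peer")])
    return rib[P16].as_path


def preference_order():
    """Relationship beats path length: the customer route wins despite being longest."""
    rib = build_rib([Route(P16, ("Prov", "X", "22394"), "provider"),
                     Route(P16, ("Peer", "22394"), "peer"),
                     Route(P16, ("Cust", "Y", "Z", "22394"), "customer")])
    return rib[P16].relationship


def more_specific_wins(addr):
    """The /24 from a provider still captures traffic inside it; the rest of the
    /16 keeps following the customer route."""
    rib = build_rib([Route(P16, ("VZW", "22394"), "customer"),
                     Route(P24, ("China Telecom",), "provider")])
    return lookup(rib, addr).as_path


# Constructed neighbor views of the /24: ISP 1 only hears the China Telecom
# announcement; AT&T learns the legitimate route from a customer as well.
NEIGHBOR_RIBS = {
    "ISP 1": build_rib([Route(P24, ("China Telecom",), "peer")]),
    "AT&T": build_rib([
        Route(P24, ("Level3", "Verizon", "Verizon W"), "customer"),
        Route(P24, ("China Telecom", "China Telecom DC", "China Telecom DC"), "peer"),
    ]),
}


def interception_for_24():
    return interception_possible(NEIGHBOR_RIBS, P24, "China Telecom")


if __name__ == "__main__":
    print(isp1_choice_for_16(), preference_order())
    print(more_specific_wins("66.174.161.7"), more_specific_wins("66.174.5.1"))
    print(interception_for_24())
```

The interception check is deliberately a statement about routing decisions, not about payload: it only says that the hijacker sits on at least one neighbor's path while a clean path still exists, which is exactly the pair of conditions the slide names and the situation a traceroute-based analysis has to look for.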
Interception analysis
• Identification of interception instances
• Used traceroute data from the iPlane project
[Figure residue: the slides show the counts 1575 and 357; their labels were not recovered.]
Interception analysis: Reasons for neighbors not choosing 4134
• Routing policies and business relationships resulted in interception
• Accidental interception possible
Conclusion and discussion
• Characterized the China Telecom incident
  – Accidental interception possible
  – Sheds light on properties of announced prefixes
  – Supports the conclusion that the incident was a leak of random prefixes
  – However, it does not rule out malicious intent
• Our study highlights
  – Challenges of diagnosing routing incidents
  – Importance of rich, publicly available data
Questions?
Rahul Hiran, Linköping University
rahul.hiran@liu.se