For two and a half years internet traffic originating in Los Angeles was misdirected through the Chinese mainland before arriving at its destination in Washington DC, wrote Doug Madory, Director of Internet Analysis for Oracle’s Dyn Global Business Unit, in a blog post last week. Madory’s illustration of what happened is reproduced above.
The routing of internet traffic is subject to the Border Gateway Protocol (BGP), as implemented through the autonomous systems (AS) managed by network operators. Madory’s analysis concluded that the bizarre routing of US domestic traffic through mainland China occurred because AS4134, an autonomous system on the China Telecom backbone, incorrectly handled routing announcements for AS703, an autonomous system belonging to Verizon. This caused other international carriers – including Tata, Telia and Vodafone – to send traffic meant for Verizon’s AS703 through China Telecom’s AS4134 in mainland China.
The impact of the misdirection was mitigated by some networks, as explained by Madory:
“Over the course of several months last year, I alerted Verizon and other Tier 1 carriers of the situation and, ultimately, Telia and GTT (the biggest carriers of these routes) put filters in place to ensure they would no longer accept Verizon routes from China Telecom. That action reduced the footprint of these routes by 90% but couldn’t prevent them from reaching those who were peering directly with China Telecom.”
No claims have been made about whether the misdirection was accidental or deliberate. However, routing the traffic through China has obvious implications for security. Madory is a supporter of a proposed IETF standard that would use public key cryptography to create signatures that link a BGP route announcement with the correct originating AS. The objective of this standard would be to prevent BGP hijacking and route ‘leaks’, which occur when routing announcements are propagated in violation of the policies of one of the autonomous systems in the relevant path. The lead author of the draft for RPKI-based AS path verification is Alexander Azimov of Qrator Labs.
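As an added illustration (not code from Madory's post or from any carrier), the sketch below applies a neighbor-based filter of the kind Telia and GTT are described as deploying, then scans the routes that are still accepted for AS703-originated paths that transit AS4134. The routes, prefixes and every AS number other than 4134 and 703 are constructed from documentation ranges, and the function names are hypothetical.

```python
LEAKER = 4134  # China Telecom backbone AS named in the article
VICTIM = 703   # Verizon AS named in the article

# Constructed sample routes: (neighbor AS, prefix, AS_PATH as received).
# Prefixes and the 645xx AS numbers come from documentation ranges.
SAMPLE_ROUTES = [
    (4134, "192.0.2.0/24", "4134 703"),
    (4134, "198.51.100.0/24", "4134 4134 4134 703 703"),  # prepended path
    (64496, "192.0.2.0/24", "64496 703"),                 # clean path
    (64500, "203.0.113.0/24", "64500 4134 703"),          # leak relayed by a third AS
    (4134, "2001:db8::/32", "4134 64501"),                # unrelated route from AS4134
]

def collapse(path_text):
    """Parse an AS_PATH string into a list of ints with prepending removed."""
    hops = []
    for token in path_text.split():
        asn = int(token)
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def ingress_accept(neighbor_as, hops):
    """Neighbor filter: refuse any path containing VICTIM when offered by LEAKER."""
    return not (neighbor_as == LEAKER and VICTIM in hops)

def transits_leaker(hops):
    """Path check: route originates at VICTIM and LEAKER sits upstream of it."""
    return bool(hops) and hops[-1] == VICTIM and LEAKER in hops[:-1]

def audit(routes):
    """Apply the neighbor filter, then flag accepted routes that still transit LEAKER."""
    result = {"accepted": [], "rejected": [], "flagged": []}
    for neighbor, prefix, path_text in routes:
        hops = collapse(path_text)
        if not ingress_accept(neighbor, hops):
            result["rejected"].append((neighbor, prefix))
            continue
        result["accepted"].append((neighbor, prefix))
        if transits_leaker(hops):
            # The neighbor filter cannot see this: the route arrived from
            # another AS that itself accepted it from LEAKER.
            result["flagged"].append((neighbor, prefix))
    return result

if __name__ == "__main__":
    for bucket, entries in audit(SAMPLE_ROUTES).items():
        print(bucket, entries)
```

The flagged entry is the residual case: a filter keyed only on the neighbor does not catch a leaked route relayed by another network, so the AS_PATH itself has to be inspected.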