On April 8, the networking hardware that routes traffic on the Internet got new marching orders: Requests for data from 15 percent of Internet addresses—including Dell.com, Yahoo.com, Microsoft.com, and U.S. government sites—were directed to go through China.
Incidents like this are known as Internet hijackings. Although they generally aren’t the result of malevolence, they can upend the usual efficiency of Internet routing so badly that sites get knocked offline. The April hijacking happened when a small Chinese Internet service provider updated its routing information, advertising that its network was the best way to get to various blocks of Internet addresses assigned to government agencies and companies worldwide. China’s state-owned ISP, China Telecom, duly propagated the updates using the lingua franca of Internet routers, the border gateway protocol (BGP).
Experts have debated whether the hijacking was an accident, as China Telecom claims. Most accept the explanation, given that a flaw in the structure of the Internet leads to such accidents from time to time, and makes them hard to stop. The essence of the flaw is that the method for router updates runs on the honor system.
“There is no central authority that says which updates are good and which are bad,” says Earl Zmijewski, vice president and general manager of Internet operations firm Renesys. “Right now, if you make a mistake, 30 seconds later, every router on the Internet is updated with it.”
The history of similar incidents stretches back more than a decade, including one episode in which Pakistan Telecom said its network was the best path to certain Web addresses owned by YouTube. The result: The ISP’s network was temporarily knocked off the Internet by all the traffic, and many people around the world could not reach YouTube.
The latest incident stands out partly because China Telecom was able to route its hijacked traffic to the correct destinations, fueling allegations that it may have captured the communications for analysis. The April incident was discovered at the time, but it got renewed attention this month in a report to Congress from the U.S.-China Economic and Security Review Commission.
Solving the problem of router updates and Internet hijackings is not easy. BGP was designed for one purpose: to make the Internet reliable, says Steve Santorelli, a director for an Internet security firm, Team Cymru Research NFP. “BGP was never designed with security in mind,” Santorelli says. “It was designed to efficiently communicate hundreds of thousands of routes between different network providers.”
Smaller design teams can now prototype and deploy faster.