On April 8, the networking hardware that routes traffic on the Internet got new marching orders: Requests for data from 15 percent of Internet addresses—including Dell.com, Yahoo.com, Microsoft.com, and U.S. government sites—were directed to go through China.
Incidents like this are known as Internet hijackings. Although they generally aren’t the result of malevolence, they can upend the usual efficiency of Internet routing so badly that sites get knocked offline. The April hijacking happened when a small Chinese Internet service provider updated its routing information, advertising that its network was the best way to get to various blocks of Internet addresses assigned to government agencies and companies worldwide. China’s state-owned ISP, China Telecom, duly propagated the updates using the lingua franca of Internet routers, the Border Gateway Protocol (BGP).
Experts have debated whether the hijacking was an accident, as China Telecom claims. Most accept the explanation, given that a flaw in the structure of the Internet leads to such accidents from time to time, and makes them hard to stop. The essence of the flaw is that the method for router updates runs on the honor system.
“There is no central authority that says which updates are good and which are bad,” says Earl Zmijewski, vice president and general manager of Internet operations firm Renesys. “Right now, if you make a mistake, 30 seconds later, every router on the Internet is updated with it.”
The history of similar incidents stretches back more than a decade, including one episode in which Pakistan Telecom said its network was the best path to certain Web addresses owned by YouTube. The result: The ISP’s network was temporarily knocked off the Internet by all the traffic, and many people around the world could not reach YouTube.
The latest incident stands out partly because China Telecom was able to route its hijacked traffic to the correct destinations, fueling allegations that it may have captured the communications for analysis. The April incident was discovered at the time, but it got renewed attention this month in a report to Congress from the U.S.-China Economic and Security Review Commission.
Solving the problem of router updates and Internet hijackings is not easy. BGP was designed for one purpose: to make the Internet reliable, says Steve Santorelli, a director for an Internet security firm, Team Cymru Research NFP. “BGP was never designed with security in mind,” Santorelli says. “It was designed to efficiently communicate hundreds of thousands of routes between different network providers.”
ISPs can take basic steps to prevent their routers from adopting bad paths. Major Internet firms should block bad routes announced by their customers. For example, if a company announces that its network is a valid route to portions of the Internet that do not belong to it, the company’s Internet provider should catch the error and stop the update. China Telecom failed to do this. In addition, Internet infrastructure companies should filter out obviously invalid announcements, Santorelli says.
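One way a provider could implement the customer filtering described above, as an added example that is not from the original article. The AS numbers, prefixes, bogon list and maximum prefix lengths are constructed sample values and assumed policy, not data from the incident.

```python
import ipaddress

# Constructed sample data: prefixes each customer AS is registered to originate.
# Private-use AS numbers and documentation address ranges, chosen for illustration.
CUSTOMER_PREFIXES = {
    64512: ["198.51.100.0/24", "2001:db8:100::/40"],
    64513: ["203.0.113.0/24"],
}

# Address space that should never be routed globally ("obviously invalid").
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3", "fc00::/7", "fe80::/10",
)]

# Longest prefix accepted per IP version (assumed policy values).
MAX_LEN = {4: 24, 6: 48}


def check_announcement(customer_as, prefix):
    """Return (accepted, reason) for a route announced by a customer AS."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, "too specific"
    if any(net.version == b.version and net.overlaps(b) for b in BOGONS):
        return False, "bogon space"
    for allowed in CUSTOMER_PREFIXES.get(customer_as, []):
        allowed_net = ipaddress.ip_network(allowed)
        # Accept the registered block itself or any subnet of it.
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True, "within registered prefix"
    return False, "not registered to this customer"


if __name__ == "__main__":
    for asn, pfx in [(64512, "198.51.100.0/24"), (64512, "203.0.113.0/24"),
                     (64513, "10.0.0.0/8"), (64513, "203.0.113.128/25")]:
        print(asn, pfx, check_announcement(asn, pfx))
```

The second sample announcement is the case the article describes: a customer advertising address space registered to someone else, which the provider rejects before it propagates.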
A more involved proposal calls for the creation of a system of encryption and authentication that would verify the legitimacy of routing announcements. Known as Secure BGP, the technology would digitally sign BGP updates to prevent forged announcements and include information about the range of IP addresses for which a router is responsible.
These additions would eliminate the threat of network hijackings, but not without a price. Adding encryption to infrastructure technologies requires heftier processors and more memory, which would force ISPs to purchase new routers. Without a mandate from a coalition of governments or industry—which is what happened to reform the security of the Internet’s DNS system—it’s unlikely Secure BGP will be adopted. And unless it’s adopted everywhere, Secure BGP will not offer any benefits, says Renesys’s Zmijewski.
“With Secure BGP, you have a chicken and egg problem,” he says. “No company wants to be the first to adopt it, because of the costs involved.”
A more reasonable solution that offers benefits even before widespread adoption is Pretty Good BGP, a proposal from researchers at the University of New Mexico and Princeton University. That plan essentially suggests that ISPs hold any router updates for 24 hours. Since most bad updates can be fixed well before that time, it could dramatically reduce the impact of any Internet hijacking. “The waiting period would eliminate a lot of mistakes, (and) Pretty Good BGP could be implemented today,” Zmijewski says.
But there would be a downside to this method as well. It could prevent routers from responding to announcements that are designed to route around sudden failures and changes to the Internet.