IE 11 is not supported. For an optimal experience visit our site on another browser.

China Web hijacking shows Net at risk

The cyber cold war between China and the U.S. just got a little chillier.  Twice this year, China demonstrated its ability to "substantially manipulate" the Internet, a congressional commission said in a report issued on Tuesday.  In one incident, traffic headed to 15 percent of the world's websites was redirected through Chinese servers for about 20 minutes.

The high-level hijacking included bits and bytes headed for the U.S. Senate, the Army, the Navy, the Marine Corps, the Air Force, the secretary of defense, NASA, and other government offices, along with commercial entities like Dell, Yahoo, Microsoft, and IBM, the report said.

Chinese officials disputed the findings. But several technology firms said they charted the hijacking in April.

In a prior incident in March, the Chinese censorship firewall was temporarily extended to block some U.S. users from visiting websites like Twitter and YouTube, the report said.

"Computer security researchers observed both incidents but were not able to say conclusively whether the actions were intentional," concluded the report, by the U.S.-China Economic And Security Review Commission. "Nonetheless, each incident demonstrates a capability that could possibly be used for malicious purposes."

The Internet, we are frequently reminded, is a shockingly fragile creation.  These incidents, both of which took advantage of well-known vulnerabilities, are  a wake-up call for U.S. authorities, who need to insist on security upgrades to protect U.S. interests, said Dmitri Alperovitch, a security researcher with McAfee. His firm supplied the U.S. government with a list of 53,000 websites that were hijacked for 18 minutes on April 8.

"This is a troubling development. It could be innocuous, and China is claiming it's  an accident, but this has a pretty wide-ranging set of implications," he said.  "That traffic could be eavesdropped upon."

The report comes near the end of a tumultuous year for China and the Internet. Beijing had a very public spat with Google early in the year, and the nation was ultimately accused of spying on Google employees. It was also accused of a sophisticated plot to use the Internet to spy on the Dalai Lama and other detractors.

The March incident involved a flaw in the way the Internet converts friendly website addresses -- like msnbc.com -- into their reference IP addresses – such as 128.206.11.1. The conversions occur through a system of networked computers called Domain Name Servers. A key tool in China's internal "Great Firewall" censorship tool is the rerouting of Web page requests through Domain Name Servers away from potentially subversive Web sites.  Requests for some Web sites are simply dropped; others are redirected to China-friendly sites.

But domain name conversion tables, when handled incorrectly, can spread themselves upstream on the Internet. In March, some domain servers around the world were "poisoned" with China's censored list, causing some users in Chile and the United State to be blocked from social networking sites for about a day.  The problem was readily fixed, and some researchers believe the cause might have been an honest mistake.

Bad 'route announcements'

But the April incident is far more mysterious, and consequently makes some security experts more nervous. It involved what are called "route announcements," which are made by telecom providers to the wider Internet.  Servers can advertise that they offer the best route for Internet traffic headed to specific destinations, and like obedient bits and bytes, the traffic automatically follows -- even if the advertisements are incorrect. That means an e-mail sent from Congress to the White House could be tricked into traveling through China, if a server were configured that way.

That's what happened in April, according to the report. A massive amount of Web traffic worked its way around the world through Chinese-controlled computers. According to McAfee’s Alperovitch, only workers at China Telecom know why. But the most disturbing thing about the April incident, he said, is that almost no one noticed.  China Telecom absorbed the traffic and redistributed it to its destinations without so much as an Internet blip. 

While it's possible an honest mistake was to blame, it's easy to conjure up other possibilities.

"That they are able to take in that much traffic without breaking a sweat, I find that almost unimaginable," Alperovitch said.  "The capacity built into their networks must be astonishing. ... Things worked miraculously." 

The report speculated that the mammoth data slurp might have been committed to obfuscate a more targeted Web attack.  And an entity in possession of that much data might eventually be able to decrypt encrypted Web traffic -- in addition to the fishing expedition that a government agency could enjoy by simply searching all that data for valuable secrets.

"The spokesman of China Telecom Corp. Ltd. denied any hijack of Internet traffic," Chinese officials said in statement e-mailed Tuesday to the Reuters news service.

This is not the first time route announcements led to World Wide Web trouble.  In 2008, Pakistani censorship efforts of YouTube went awry, leading to a temporary blackout of the video service.  In 2004, Turkish servers accidentally told the world that all Web traffic should travel through its borders; widespread outages followed.

But this the first time such a large traffic rerouting was conducted without noticeable impact on Web traffic.

"The methods used during these activities are generally more sophisticated than techniques used in previous exploitations," the report concluded.

The Cold War was full of menacing military exercises and accidental airspace violations. A cyber cold war will naturally produced similar incidents. If there is a grey area between honest mistakes and outright cyber attack, these incidents probably fall right in the middle – if not a pre-planned testing of the waters, then certainly a happy accident with valuable results to be studied by would-be cyber-attackers.  Don't expect a cyber cold war thawing any time soon.