Paul, my comments were prompted by this discussion on reddit. The report authors haven't established that all the routing they described was a hijack, they just assume it because it was a longer route.

https://www.reddit.com/r/netsec/comments/9rlehd/chinese_telecom_performing_bgp_hijacking/

On Wed, 21 Nov 2018 at 18:55, Paul Brooks <[email protected]> wrote:

> On 21/11/2018 5:42 PM, Grahame Lynch wrote:
>
> How much of this is "hijacking" and how much is just "least cost routing"?
> It is really hard to tell.
>
> It's not 'least cost routing', BGP doesn't work like that, unless the
> target networks really were customers of China Telecom, or
> customers-of-a-customer.
> China Telecom must have started advertising that those networks were
> reachable, and then stopped advertising, for the traffic to be sent into
> their network in the first place.
>
> This can happen by accident/incompetence/error, although that usually
> results in the affected site being blackholed - that's what happened with
> the Telstra BGP hijack of prefixes recently. In this 'diversion' case the
> traffic is being rerouted and eventually finding its way back out of the
> network and forwarded to the original destination - that is more difficult
> to make happen by accident.
>
> It's arguably laziness on the part of the other networks that China Telecom
> interconnects BGP with - peers, upstreams, and customers - although to be
> fair the various proposals for validating BGP route advertising permissions
> are not widely deployed and still being developed.
>
> Most ISPs filter BGP routing advertisements from customers, but very few
> filter route advertisements from upstreams and peers.
> Securing BGP is a hot topic in recent years, but is taking a long long
> time to get critical mass.
>
> Everyone running BGP-4 should take a look at:
>
> - MANRS (Mutually Agreed Norms for Routing Security -
>   https://www.internetsociety.org/issues/manrs)
> - RFC7454 = BCP-194 - BGP Operations and Security -
>   https://tools.ietf.org/html/rfc7454
> - NIST "Protecting the Integrity of Internet Routing: Border Gateway
>   Protocol (BGP) Route Origin Validation",
>   https://csrc.nist.gov/publications/detail/sp/1800-14/draft
>
> ...and plan to implement RPKI for all your routes.
>
> Paul.
>
>
> On Wed, 21 Nov 2018 at 17:38, Christian Heinrich <[email protected]> wrote:
>
>> Has anyone observed
>>
>> https://www.smh.com.au/technology/how-china-diverts-then-spies-on-australia-s-internet-traffic-20181120-p50h80.html
>> or not?
>>
>> --
>> Regards,
>> Christian Heinrich
>>
>> http://cmlh.id.au/contact
>> _______________________________________________
>> AusNOG mailing list
>> [email protected]
>> http://lists.ausnog.net/mailman/listinfo/ausnog
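The RPKI route origin validation that the quoted reading list points to, sketched as an added example that is not part of the thread: it classifies announcements as valid, invalid or not-found following the RFC 6811 procedure and drops the invalid ones whichever neighbour type sent them. The VRP table, ASNs, neighbour labels and function names are constructed for illustration (documentation prefixes and documentation ASNs).

```python
"""RFC 6811 route origin validation over a constructed VRP table."""
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    prefix: str      # prefix named in the ROA
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


# Constructed sample data, not real ROAs.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("203.0.113.0/24", 24, 64498),
    VRP("2001:db8::/32", 48, 64497),
]


def validate(route_prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route when the route is equal to, or more
        # specific than, the ROA prefix (same address family).
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS (AS0 never matches) and not too specific.
        if vrp.asn != 0 and vrp.asn == origin_asn \
                and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def filter_announcements(announcements, vrps=VRPS):
    """Drop invalid routes from any neighbour: customer, peer or upstream.

    Each announcement is (neighbour, prefix, as_path); the origin AS is
    the last AS in the path.
    """
    accepted = []
    for neighbour, prefix, as_path in announcements:
        if validate(prefix, as_path[-1], vrps) != "invalid":
            accepted.append((neighbour, prefix, as_path))
    return accepted
```

Origin validation checks only the origin AS against the ROA, not the rest of the AS path, so it catches a neighbour originating someone else's prefix but says nothing about which networks the path then traverses.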
