Internal Internet traffic routed outside the Russia by a Chinese operator

Pierluigi Paganini November 12, 2014

Russian Internet Traffic redirected by a Chinese operator due to routing errors caused by a weakness in the Border gateway protocol (BGP).

The Russian Internet traffic in several circumstances has been re-routed outside the country, the incidents seem to be caused by routing errors made by China Telecom.

The news has been published by the Internet monitoring service Dyn in a blog post, which also reports that domestic traffic was re-routed  apparently due to a networking fault caused by a weakness in the Border gateway protocol (BGP).

At the origin of the problem there is a BGP peering agreement signed between the Russian mobile provider Vimpelcom and the China Telecom in order to reduce the operating cost for transit operators, this means that a portion of the domestic traffic may be carried over network managed by a foreign operator.

“Peering relationships between ISPs are quite common. By exchanging traffic directly without using a transit provider, each ISP saves on transit costs — although as transit prices fall the overhead of maintaining these peering relationships becomes less attractive. Regardless, from a routing standpoint, routes exchanged between two peering ISPs typically stay within the customer cone of each ISP.” Doug Madory, Director of Internet Analysis at Dyn explained.

Below there are the animations that show normal and anomalous behaviors for BGP peering agreement.

Internet traffic re-routed normal

Internet traffic re-routed Leak 1

Internet traffic re-routed Leak 2

 

 

Security experts fear these kind of incidents, traffic hijacking on a large scale could also be used for surveillance or censorship purposes by governments that could inspect the amount of data re-routed through their servers to steals sensitive information and compromise the security of communications.

 “Unlike other routing leak scenarios, such as Indosat originating the entire global routing table or VolumeDrive leaking nearly the entire BGP table from one transit provider to another, the leaks described above occur with much greater frequency and with little fanfare. In fact, typically the parties involved are unaware of the glitch and, as a result, these more limited problems can persist much longer than the larger catastrophic incidents.” Doug Madory said.

“During [one] incident, over 7000 routes from Vimpelcom’s customer cone were globally announced by China Telecom,” explained Doug Madory. “The August 5 event was one of the times that China Telecom briefly announced nearly a full BGP table [of] 326,622 routes to Vimpelcom, placing itself in the path of outbound traffic from Vimpelcom to the outside world — including Russian routes.”

In the following image the internal Russian traffic is routed outside the country instead to be directly routed over the internal network.

Internet traffic re-routed

The post includes an example of a traceroute from Moscow to Yaroslavl, the traffic is routed by Vimpelcom through Frankfurt, handed over to China Telecom’s routers in Frankfurt and then redirected back into Russia via Megafon.

“The traceroute (below) shows Vimpelcom taking traffic to Frankfurt, handing it over to China Telecom which takes it to Shanghai before handing it over to Chello Broadband, which peers with China Telecom in Los Angeles. Chello then takes it from New York to Frankfurt again and then into the German countryside.”

trace from Moscow, Russia to Yaroslavl, Russia at 13:13 Aug 05, 2014
1  *
2  194.154.89.125  (Vimpelcom, Moscow, RU)             0.542ms
3  79.104.235.74   mx01.Frankfurt.gldn.net            37.006ms
4  118.85.204.57   beeline-gw4.china-telecom.net      39.505ms
5  213.248.84.185  ffm-b10-link.telia.net             41.481ms
6  62.115.137.180  ffm-bb2-link.telia.net             42.227ms
7  80.91.251.159   s-bb4-link.telia.net               42.894ms
8  213.155.133.105 s-b2-link.telia.net                41.528ms
9  80.239.128.234  megafon-ic-151430-s-b2.c.telia.net 42.707ms
10 *
11 78.25.73.42     (MegaFon, Volga,RU)                49.992ms
12 213.187.127.98  ysu1-ccr1036-1.yar.ru              50.301ms
13 213.187.117.230 (NETIS Telecom, Yaroslavl’, RU)    54.769ms

If this routing arrangement is intended to provide Vimpelcom low-latency access to the Far East, it isn’t working that well,” Madory said.

Madory suggests monitoring traffic routes over the Internet and filtering incoming routes, the measures are indispensable to avoid traffic redirection for malicious activities and loss of performance.

It’s curious to note that the Russian Government has recently announced the improvement of the security of the country infrastructures in the cyberspace.

In a speech to the Russian National Security Council, Putin announced a the Government effort in building a backup system to keep websites in the Russian domains online in a national emergency.

“we need to greatly improve the security of domestic communications networks and information resources.”  Putin said.

but evidently there is still a lot of work to do to secure the Russian Internet traffic and the communications over IP.

Pierluigi Paganini

(Security Affairs –  Internet traffic redirection, security)



you might also like

leave a comment