
Web traffic redirected to China still a mystery

Two instances where Web traffic was "hijacked" to servers in China have Internet watchers still scratching their heads.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Rodney Joffe, senior technologist at Neustar (Photo: Mike Morgan Photography)

Six months after Web traffic involving popular U.S. sites and e-mail from computers around the globe was re-directed to Chinese servers unnecessarily, Internet watchers are trying to figure out why it happened and how to prevent future mishaps.

In at least two instances since mid-March, large amounts of traffic on the Internet have been routed to China in circumstances still shrouded in mystery, Rodney Joffe, senior technologist at DNS (Domain Name System) registry Neustar, told CNET in an interview this week.

The first situation happened on March 24, when workers at network operation centers in various parts of the world noticed that traffic to popular sites like Facebook, Twitter, YouTube, and about 20 or 30 others was being redirected to servers in China as a result of traffic interception via one of the main DNS root servers. This had the result of giving Web surfers in western countries a glimpse of what Chinese Internet users see when they try to access sites that are blocked--error messages indicating that the sites don't exist or censored Chinese-language versions of the sites. It's unknown how long the situation lasted, according to Joffe.

The next month, something similar happened on April 8. In this case, 37,000 routes, or paths to groups of Internet Protocol addresses--representing about 10 percent of the total routes--were diverted through networks in China for 17 minutes, Joffe said.

Operators of those servers would have had the capability to read, delete, or edit unencrypted e-mail and other communications passing through those servers during that time, he said. The Secure Sockets Layer (SSL), used by e-commerce sites to encrypt traffic over the Internet, has been compromised so even supposedly protected traffic could have been exposed, according to Joffe.

The situation was enabled because traffic flows on the Internet are not centralized, but self-guided, with network information centers, carriers, and other infrastructure players "announcing" that they have available paths to specific destinations. Traffic relies on those announcements to find the shortest path to a Web site.

"If you want to examine the content of DNS traffic you have to be in the path of the traffic," said Joffe. "What China did was effectively allow itself to be in the path of an enormous amount of traffic that they could then, theoretically, have examined and modified if they so chose."

Joffe would not name the companies whose traffic was diverted through China, but said it was a "large number of well-known organizations," including many departments of the U.S. government and almost every Fortune 500 in the U.S. Traffic originating near or in the Asia Pacific region had a higher chance of going through China.

He said he could not explain exactly what happened or why. "I have no visibility into what China did," Joffe said.

And he said he believes there were more instances of Web traffic being diverted to China, or "hijacked," around that time, but wouldn't elaborate. "I believe it happened more than twice," Joffe said. "I can't comment on how many times because the information is not generally public."

Google related?
Asked if he thinks the incidents are related to the attacks on Google and other tech firms late last year that Google said originated in China and which involved attempts to compromise Gmail accounts of human rights advocates, Joffe said yes.

"I think there's the possibility that they were related to each other," he said. "The timing was very interesting."

The redirects were a result of a fundamental weakness in the Border Gateway Protocol, the protocol that is used to make routing decisions on the Internet. And the situation isn't likely to be resolved any time soon, he said.

"Working groups are now trying to fix things and make it so routes can't be hijacked, but we are years away from that," Joffe said. "This is a problem I don't see being solved, from a protocol point of view, for a long, long time."

Bert Hubert, founder of Dutch-based software provider PowerDNS.com, said glitches and minor misdirects in Web traffic are an everyday occurrence and he suspects that what happened in China was an accident. "China has made a number of mistakes like these lately, but France Telecom famously did the same thing 10 years ago," he wrote in an e-mail.

Xiaodong Lee, chief technology officer at the China Internet Network Information Center, did not respond to an e-mail seeking comment.

Even though there is no easy technical solution to prevent such Web traffic mishaps, Web site administrators should at least be warned when it does happen, Joffe suggested. If they know something funny is happening to the traffic, organizations can do things to protect Internet users by displaying a message that the Web site is temporarily unavailable so people won't be doing transactions or creating communications that could be compromised, he said.
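One way to produce the kind of warning Joffe describes is to watch a feed of route announcements for an organization's own prefixes showing up with an unexpected origin network. The Python below is an added example, not part of the original article; the prefixes, AS numbers, and function names are constructed for illustration, and it assumes each update arrives as a prefix plus its AS path.

```python
import ipaddress

# Constructed baseline: prefixes the operator originates and the AS numbers
# allowed to originate them (documentation ranges from RFC 5737 / RFC 5398).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): {64496},
    ipaddress.ip_network("203.0.113.0/24"): {64496, 64497},
}

def classify(prefix, as_path):
    """Return None if the announcement does not touch a monitored prefix,
    otherwise 'ok', 'origin-mismatch' or 'more-specific'."""
    if not as_path:
        return None
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the last AS in the path is the one that originated it
    for monitored, allowed in EXPECTED_ORIGINS.items():
        if net.version != monitored.version or not net.subnet_of(monitored):
            continue
        if origin in allowed:
            return "ok"
        # A more-specific prefix is the worse case: routers prefer the most
        # specific match, so it attracts traffic regardless of path length.
        return "origin-mismatch" if net == monitored else "more-specific"
    return None

def scan(updates):
    """Return (verdict, prefix, origin_as) for every suspicious announcement."""
    alerts = []
    for prefix, as_path in updates:
        verdict = classify(prefix, as_path)
        if verdict not in (None, "ok"):
            alerts.append((verdict, prefix, as_path[-1]))
    return alerts

# Constructed sample feed of (prefix, AS path) announcements.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64500, 64499, 64496]),  # expected origin
    ("192.0.2.0/24", [64500, 64511]),         # same prefix, unexpected origin
    ("203.0.113.128/25", [64501, 64510]),     # more-specific, unexpected origin
    ("198.51.100.0/24", [64500, 64502]),      # not a monitored prefix
    ("203.0.113.0/24", [64497]),              # second allowed origin
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```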

"There was a group of us who knew the routes were being hijacked on that day, but I promise you the bulk of the world had no idea," he said.