China Internet ‘hijack’ overblown, says researcher

The claimed ‘hijack’ of Internet traffic by China Telecom has been hugely exaggerated in scale and intent, a traffic analysis by Internet security company Arbor Networks has concluded. 

A blog by Arbor chief scientist Craig Labovitz picks apart the speculative claim, attributed to McAfee’s VP of threat research, Dmitri Alperovitch (subsequently clarified here), that the unusual routing diversion through China Telecom at 4am GMT on 8 April 2010 could have amounted to as much as 15 percent of Internet traffic. 

According to Labovitz, this appears to have been calculated by comparing the 40,000 affected BGP routes to the 340,000 in the routing table as a whole, a calculation originally cited by the industry BGPmon website. 
Using numbers culled from the Arbor Atlas traffic monitoring system of 80 global ISPs, however, traffic on that day barely increased beyond normal patterns at most it amounted to only a few gigabits per second out of an Internet total between 80 and 100 terabits per second.

A redirection of a major portion of Internet traffic would have been expected to have either boosted or surpressed traffic volumes, depending on the scale of increase in traffic to China Telecom or the decrease in volume to other ISPs. Neither appeared to happen on any scale.

It’s a crude calculation but it does pour more cold water in the headline-grabbing suggestion that China Telecom suddenly routed 15 percent of the entire Internet and all that entails in the minds of Congressional report writers.

“We need to fix Internet infrastructure security, but we also need to be precise in our analysis of the problems,” comments Labovitz.

A BGPmon note at the time of the April ‘hijack’ played down the likelihood that the 8 April event was anything other than “fat fingers” on the part of a China Telecom engineer, whilst expressing concern that it happened at all.

“Given the large number of prefixes and short interval I don’t believe this is an intentional hijack,” said the BGPmon researcher in an analysis.

Scale, of course, is not the only consideration when looking at interference with the Internet’s routing infrastructure. Labovitz’s colleague Danny McPherson, company CSO, was cited by the Congressional report as speculating that if the event was deliberate it could have been a way to obscure a targeted attack or probe. As ever, even informed experts disagree on where emphasis should be placed.