Did The Chinese Hijacked The Net In April

….. Well, unlikely.

The latest in a long (and recent) stream of “The Chinese are coming!” scare stories was initiated on Wednesday by McAfee. The fuse that McAfee lit was the 2010 Report to Congress of the US-China Economic and Security Commission.

Page 243 of the report (see page 251 of the PDF) includes a reference to an event from this past April, in which a routing error by a small Chinese ISP named IDC China was propagated by China’s state-owned China Telecommunications. As a result, tens of thousands of networks around the world, thousands of them in the US, were redirected to IDC China Telecommunication. Major providers were affected, including AT&T, Level3, Deutsche Telekom, Qwest Communications and Telefonica.

You may be reading about this for the first time, but it’s not news. In fact, the Commission cited as their source a contemporaneous New York Times reprint of an IDC story on the incident. Why didn’t the Homeland Security Alert Level go to Double-Secret Red at the time? Because stuff like this happens and the problem was fixed in 18 minutes.

But the report uses some unfortunate language:

    For a brief period in April 2010, a state-owned Chinese telecommunications firm “hijacked” massive volumes of Internet traffic.

(It was denied by the Chinese Gov)

Security firms always being happy to overstate a threat, McAfee pushed a hysterical analysis of it to the press which played up every theoretical possibility, however remote. The result was a series of hysterical articles like this one.

Did any of them discuss all the difficult work involved in getting the proposed attacks to work correctly? The notion, and it’s true, is that if you route someone away from their network you can spoof IP addresses with impunity, making it very difficult to detect. So let’s assume someone hijacks the network for jointchiefsofstaff.mil and suddenly appears to be them. First, if the traffic is encrypted it will be difficult, if at all possible, to do anything. Second, both the source IP address and source TCP port must be spoofed. Third, the TCP sequence numbers will have to match. The TTL will also have to match. In other words, you’d need to know a great deal about the internals of the network and the systems that run on it before you commenced the attack. What will probably happen is what happened in the April 2010 case: Large numbers of network connections broke, people noticed immediately, and the issue was fixed promptly.

Via PC Mag.com, for more click here