Point-of-Presence (PoP) data centers are responsible for routing traffic between all the smaller networks that make up the larger internet. Each of these smaller networks has its own block of IP addresses, and they range from friendly neighborhood ISPs to big tier-1 ISPs like Verizon. Bank networks, university networks, and the networks of big tech companies like Google also fall under the umbrella of these so-called “smaller” networks. The Border Gateway Protocol (BGP), created in the early 80s, governs how traffic is exchanged between these networks, and its archaic security controls leave it prone to hijacking. While most BGP hijacks occur due to configuration mistakes and are resolved in minutes or hours, a hijack can also send legitimate traffic through malicious servers.
An academic paper published by researchers from the US Naval War College and Tel Aviv University has deemed China’s third-largest telco and internet service provider (ISP), China Telecom, to be one of the internet’s most determined BGP hijackers. China Telecom has had a presence inside North American networks since the early 2000s, when it created its first point-of-presence (PoP). After China entered into a pact with the United States in September 2015 to cease all government-backed cyber operations aimed at intellectual property theft, the Chinese government started abusing BGP hijacks through China Telecom. The researchers said, “Since the agreement only covered military activities, Chinese corporate state champions could be tasked with taking up the slack.” And they did, with the help of China Telecom.
In order to identify hijacked routes, the researchers built a “route tracing system” that monitored BGP announcements and distinguished patterns suggesting accidental hijacking from those suggesting deliberate hijacking. Using the system, the researchers were able to identify ten PoPs – eight in the U.S. and two in Canada – set up by China Telecom to conduct BGP hijacking. The researchers said, “Using these numerous PoPs, China Telecom has already relatively seamlessly hijacked the domestic US and cross-US traffic and redirected it to China over days, weeks, and months.”
The researchers also list several long-lived BGP hijacks that detoured traffic between nations through the Chinese mainland. One such hijack occurred in October 2016 and detoured traffic from several locations in the U.S., intended for a large Anglo-American bank’s headquarters in Milan, Italy, through China. In another incident, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China for six months starting in February 2016.
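As an added illustration (not the researchers’ route tracing system, whose internals the article does not describe), the Python below applies the two signals the paragraphs above rely on to a constructed set of route-collector observations: announcements whose origin AS differs from the registered one, scored by how long the wrong origin persisted (minutes suggests a configuration slip, months does not), and paths whose interior crosses a transit AS that has no business carrying traffic between two domestic networks, which is the shape of the Milan detour. All ASNs, prefixes and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed collector observations (hypothetical ASNs, RFC 5737 prefixes); path[-1] is the origin.
OBSERVATIONS = [
    {"ts": "2016-02-01T00:00:00", "prefix": "198.51.100.0/24", "path": [64510, 64520, 64501]},
    {"ts": "2016-02-01T06:00:00", "prefix": "198.51.100.0/24", "path": [64510, 64599, 64600]},
    {"ts": "2016-08-01T00:00:00", "prefix": "198.51.100.0/24", "path": [64510, 64599, 64600]},
    {"ts": "2016-08-02T00:00:00", "prefix": "198.51.100.0/24", "path": [64510, 64520, 64501]},
    {"ts": "2016-03-01T09:00:00", "prefix": "203.0.113.0/24", "path": [64510, 64530, 64500]},
    {"ts": "2016-03-01T09:20:00", "prefix": "203.0.113.0/24", "path": [64510, 64540, 64540]},
    {"ts": "2016-03-01T09:45:00", "prefix": "203.0.113.0/24", "path": [64510, 64530, 64500]},
    {"ts": "2016-10-01T00:00:00", "prefix": "203.0.113.0/24", "path": [64510, 64599, 64500]},
]
EXPECTED_ORIGIN = {"198.51.100.0/24": 64501, "203.0.113.0/24": 64500}  # e.g. from RPKI ROAs
WATCHED_TRANSIT = {64599}  # transit ASes that should never sit on a domestic path

def origin_episodes(observations, expected, short=timedelta(hours=12)):
    """Group consecutive wrong-origin announcements per prefix into episodes and
    label each by how long it lasted: brief ones look like configuration slips,
    long-lived ones are the pattern that deserves escalation."""
    episodes, open_ep = [], {}
    for obs in sorted(observations, key=lambda o: o["ts"]):
        pfx, origin = obs["prefix"], obs["path"][-1]
        ts, ep = datetime.fromisoformat(obs["ts"]), open_ep.get(pfx)
        if origin == expected.get(pfx, origin):       # announced as registered
            if ep:                                     # wrong origin gone: close episode
                ep["end"] = ts
                episodes.append(open_ep.pop(pfx))
        elif ep is None or ep["origin"] != origin:     # a (new) wrong origin appears
            if ep:
                episodes.append(open_ep.pop(pfx))
            open_ep[pfx] = {"prefix": pfx, "origin": origin, "start": ts, "end": ts}
        else:
            ep["end"] = ts                             # same wrong origin still seen
    episodes.extend(open_ep.values())
    for ep in episodes:
        ep["duration"] = ep["end"] - ep["start"]
        ep["verdict"] = "likely misconfiguration" if ep["duration"] < short else "sustained; investigate"
    return episodes

def detours(observations, watched):
    """Paths whose interior crosses a watched transit AS (origin is genuine, so ROA checks pass)."""
    return [(o["ts"], o["prefix"], o["path"]) for o in observations
            if any(asn in watched for asn in o["path"][1:-1])]

if __name__ == "__main__":
    for ep in origin_episodes(OBSERVATIONS, EXPECTED_ORIGIN):
        print(f'{ep["prefix"]} origin AS{ep["origin"]} for {ep["duration"]}: {ep["verdict"]}')
    for ts, pfx, path in detours(OBSERVATIONS, WATCHED_TRANSIT):
        print(f"{ts} {pfx} detoured via {path}")
```

On the constructed data the 25-minute wrong origin is labelled a misconfiguration, the six-month one is flagged for investigation, and the October announcement is caught only by the path check because its origin is correct.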
As China’s internet network is largely closed off and isolated from the rest of the internet, it was crucial for China Telecom to set up PoPs in North America. Without such nodes, it would have been impossible for China to carry out BGP hijacks of international traffic, because very little of it goes through China’s mainland nodes. In fact, there are only three nodes, located in Beijing, Shanghai, and Hong Kong, that connect the Chinese internet to the global internet.
“The imbalance in access allows for malicious behavior by China through China Telecom at a time and place of its choosing, while denying the same to the US and its allies,” the researchers noted. They also stated, “The prevalence of, and demonstrated ease with which, one can simply redirect and copy data by controlling key transit nodes buried in a nation’s infrastructure requires an urgent policy response.”