Notionally yes, though as with a lot of these hijackings it's really a question of how far it propagated/who is correctly filtering routes. This happens with Iran Tele from time to time, typically when they are trying to block something specific internally and let the route leak out (e.g. their Telegram block back in July).
The article mentions there are mitigations to this type of attack available. Does anyone know of how an individual user could (practically) reduce their exposure to this type of attack?
A typical mitigation at the ASN level is to have allowlists of exactly which prefixes your downstsream ASN is expected and allowed to announce. I don't recall the name of this technique, and it's somewhat widely deployed, but definitely far from widely enough to secure Internet routing.
Individual end users don't have much of a chance to avoid BGP hijacking. You could continuously run traceroutes to your destination network, but then that gives you not much guarantee that individual TCP connections will take the same route as those ICMP packets.
Encryption does not help BGP hijacks at all. You need to filter the accepted upstream routes. But filtering ultimatively defeats the purpose of BGP - route learning is no longer fully dynamic and need some manual approvals.
The IP you normally would have communicated with is among the hijacked IPs, then you have exposure. The data you send to such IP is ending up in the hijacker's hands. As an end user, your only defense is to use end-to-end authenticated encryption between you and your intended other end-point. The authenticated part is very critical in this case.
It's not neccessarily AS4812 / China Telecom announcing this themselves. Anyone could be announcing AS4812,192.208.19.0/24. For some degree of attribution, you need to go and figure out where the actual announcement is coming from.
The "beauty" of BGP :)
edit: It's also interesting to note that the bogus announcement is for /24, which is more specific than the original /23, so it takes precedence.
11039 The George Washington University
46887 Lightower Fiber Networks I, LLC
6939 Hurricane Electric LLC
4134 China Telecom Backbone
4134 China Telecom Backbone
4134 China Telecom Backbone
4812 China Telecom (Group)
Hurricane Electric has been known to not apply route filters to large peers, leading to hijacks like this. I suspect that was the case here, too. Although you are right, this path could have been spoofed by GWU or Lightower (or BGPMon!)
So? What is the significance of one single event? Looking at that site it is not that uncommon. Did this event catch your attention simply because it had the right keywords (US Dept of Energy and China)?
"Who is responding to such an event during the government shutdown?" was my first thought. Assuming nefarious intent, now would be an ideal time to stage an attack.
DoE is currently not affected by the partial shutdown. It's business as usual at the national laboratories and with other employees/contractors. The way it's funded means that there would have to be a prolonged shutdown before DoE would have to start shutting down, but I think even then security and safety essential personnel are exempt.
The plan includes pay for external contractors and security-essential functions, so yes I would assume so (though I don't know firsthand about them specifically). To the best of my knowledge, DoE will continue to run entirely as normal until carryover funding from previous allocations runs out. Couple months at least. After that it basically goes into hibernation, but I expect that communications and network security would be considered as essential and hence would remain funded even then.
ESnet is not affected by the shutdown. Also, ESnet does not transit all DoE traffic. ESnet is a purpose built science network and if you look in the AS-Set, this network is not transited by AS293 (ESnet).
So? What is the significance of one single event? Looking at that site it is not that uncommon. Did this event catch your attention simply because it had the right keywords (US Dept of Energy and China)?
For the same reason robbing a bank is a more significant event than robbing a 7-Eleven.
22 comments
[ 3.9 ms ] story [ 54.5 ms ] threadDoes it mean an Iranian telecom hijacked some of AT&T's traffic?
https://www.internetsociety.org/blog/2018/05/what-is-bgp-hij...
Individual end users don't have much of a chance to avoid BGP hijacking. You could continuously run traceroutes to your destination network, but then that gives you not much guarantee that individual TCP connections will take the same route as those ICMP packets.
The "beauty" of BGP :)
edit: It's also interesting to note that the bogus announcement is for /24, which is more specific than the original /23, so it takes precedence.
MIT hijacked someone's route? https://bgpstream.com/event/171889
An US ISP? https://bgpstream.com/event/171683
Another US ISP? https://bgpstream.com/event/170328
China Telecom could have been a victim too? https://bgpstream.com/event/155707
The list goes on...
(edited: formatting)
https://www.directives.doe.gov/directives-documents/100-seri...
[1] http://es.net/
For the same reason robbing a bank is a more significant event than robbing a 7-Eleven.