Chinese traffic routing error in Russia

In September last year, the third largest Russian mobile operator, Vimpelcom, and China Telecom signed an agreement on the direct connection of international and long-distance communication networks and interconnection, the amount of this contract was $ 2.2 million. The goal of this deal for the Russian side was to reach the Far East.

Over the past year, the Chinese telecom operator has tried several times to play Ivan Susanin. Doug Madori writes about this in detail in the DynResearch company blog.
')
Translated from the language of ordinary people into the language of specialists, the deal concluded means that the two companies have agreed to share information on dynamic routing using the BGP protocol. And as it often happens in such situations, one of the parties may issue routing data from other providers, which will put its communication lines in the path of the traffic of the second company. Specifically with these two companies, this has happened more than a dozen times over the past year. This phenomenon happens, but is poorly described in the BGP literature.

In general, BGP peering is a frequent occurrence in the world of large network providers, and this action has several meanings. Specifically, in this case, it means routing in such a way that traffic is exchanged freely, without paying one of the parties. Without a transit provider, you can save a lot, even if you spend money on servicing these peer-to-peer schemes.

In any case, the routing information received by one of the providers from another under the peering agreement usually remains within the network of this operator. In the example below, provider A sends information about the routing of its customers' data to provider B, as a result of which traffic from provider B’s clients goes through the peering connection to provider A.’s clients. This is normal operation.



Something can go wrong in several different ways. Provider B can take routes from provider A and send them to other providers, as shown below. Thus, provider B puts itself in the path of external traffic destined for provider A.



If provider B provides a route received from providers to which it has a connection, to provider A, then the latter’s traffic will follow these paths through provider B, even if it usually does not have to go through provider B.



Unlike other major and well-known incidents, the situations described above can occur often, and their appearance does not cause such a surge of attention. The response grows and packet routes change, and this is harder to notice than the complete lack of a network, so these problems may remain unresolved for a long time. In any case, the traffic is not going where it should, which negatively affects network performance and information security.

So, over the past year, incorrect information about the routing from China Telecom has hit the VimpelCom network several times. This happened, for example, on August 5 of this year, when China Telecom (AS4134) briefly submitted to VimpelCom almost its entire BGP table (326,622 entries), which resulted in a sharp increase in the response for users of Russian providers. Still, only about 120 ms are needed for traveling from Russia to China. Routing even within Russia was carried out through China Telecom networks.



This was the result of the traceroute: the information began its journey in Virginia (USA), then it was sent to California via NTT networks, where it was transmitted to China Telecom. From there she went to Shanghai, and then to Frankfurt and only later to Russia, to Omsk.



For a more visual illustration of the abnormality of this situation, let’s take a look at the VimpelCom traceroute to Germany. Traffic goes from VimpelCom networks to Frankfurt, then enters China Telecom networks, which deliver it to Shanghai before returning Chello Broadband, which has a peering agreement with China Telecom in Los Angeles. Then Chello Broadband takes him to New York, from there to Frankfurt again, and only then to Germany. For half a second traffic at least once rounds the globe.



Even the internal Russian traffic, which usually goes to Moscow, went through the equipment of China Telecom. In the following example, traffic from Moscow is sent to Frankfurt, then China Telecom is processed there as well and only after it returns to Megafon networks. Thanks for the fact that not through Shanghai. (An illustration of this particular situation is shown on the map of Europe before the kata.)



Of course, when planning the network level of the organization of the Internet, its security was poorly thought out, and these peer-to-peer leaks can hardly be avoided. But this not only leads to performance problems, but also makes you very worried about security.

All this is somewhat amusing if we recall that several weeks ago it became officially known about the desire of the Russian government to have greater control over the security of the Russian Internet segment. Is it really impossible to deal with specific issues, because they constitute the security of our network segment?