Characterizing Large-Scale Routing Anomalies: A Case Study of the China Telecom Incident

  • Rahul Hiran
  • Niklas Carlsson
  • Phillipa Gill
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7799)


China Telecom’s hijack of approximately 50,000 IP prefixes in April 2010 highlights the potential for traffic interception on the Internet. Indeed, the sensitive nature of the hijacked prefixes, including US government agencies, garnered a great deal of attention and highlights the importance of being able to characterize such incidents after they occur. We use the China Telecom incident as a case study, to understand (1) what can be learned about large-scale routing anomalies using public data sets, and (2) what types of data should be collected to diagnose routing anomalies in the future. We develop a methodology for inferring which prefixes may be impacted by traffic interception using only control-plane data and validate our technique using data-plane traces. The key findings of our study of the China Telecom incident are: (1) The geographic distribution of announced prefixes is similar to the global distribution with a tendency towards prefixes registered in the Asia-Pacific region, (2) there is little evidence for subprefix hijacking which supports the hypothesis that this incident was likely a leak of existing routes, and (3) by preferring customer routes, providers inadvertently enabled interception of their customer’s traffic.


Measurement Routing Security Border Gateway Protocol 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ager, B., Chatzis, N., Feldmann, A., Sarrar, N., Uhlig, S., Willinger, W.: Anatomy of a large European IXP. In: Proc. of ACM SIGCOMM (2012)Google Scholar
  2. 2.
    ATLAS - Arbor Networks (2012),
  3. 3.
    Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the Internet. In: Proc. of ACM SIGCOMM (2007)Google Scholar
  4. 4.
    BGPMon. China telecom hijack (2010),
  5. 5.
    Blumenthal, D., Brookes, P., Cleveland, R., Fiedler, J., Mulloy, P., Reinsch, W., Shea, D., Videnieks, P., Wessel, M., Wortzel, L.: Report to Congress of the US-China Economic and Security Review Commission (2010),
  6. 6.
    Brown, M.: Renesys blog: Pakistan hijacks YouTube,
  7. 7.
    Chi, Y., Oliveira, R., Zhang, L.: Cyclops: The Internet AS-level observatory. ACM SIGCOMM Computer Communication Review (2008)Google Scholar
  8. 8.
    Cowie, J.: Renesys blog: China’s 18-minute mystery,
  9. 9.
    Gao, L., Rexford, J.: Stable Internet routing without global coordination. Transactions on Networking (2001)Google Scholar
  10. 10.
    Gill, P., Schapira, M., Goldberg, S.: Modeling on quicksand: Dealing with the scarcity of ground truth in interdomain routing data. ACM SIGCOMM Computer Communication Review (2012)Google Scholar
  11. 11.
    Gregori, E., Improta, A., Lenzini, L., Rossi, L., Sani, L.: On the incompleteness of the AS-level graph: a novel methodology for BGP route collector placement. In: ACM Internet Measurement Conference (2012)Google Scholar
  12. 12.
    Hiran, R., Carlsson, N., Gill, P.: Characterizing large-scale routing anomalies: A case study of the China Telecom incident (2012),
  13. 13.
    Khare, V., Ju, Q., Zhang, B.: Concurrent prefix hijacks: Occurrence and impacts. In: ACM Internet Measurement Conference (2012)Google Scholar
  14. 14.
    Labovitz, C.: China hijacks 15% of Internet traffic (2010),
  15. 15.
    Madhyastha, H., Isdal, T., Piatek, M., Dixon, C., Anderson, T., Krishnamurthy, A., Venkataramani, A.: iPlane: An information plane for distributed services. In: Proc. of OSDI (2006)Google Scholar
  16. 16.
    Mao, Z., Rexford, J., Wang, J., Katz, R.H.: Towards an accurate AS-level traceroute tool. In: Proc. of ACM SIGCOMM (2003)Google Scholar
  17. 17.
  18. 18.
    Misel, S.: Wow, AS7007! Merit NANOG Archive (1997),
  19. 19.
    U. of Oregon. Route views project,
  20. 20.
    Oliveira, R., Pei, D., Willinger, W., Zhang, B., Zhang, L.: Quantifying the completeness of the observed internet AS-level structure. UCLA Computer Science Department - Techical Report TR-080026-2008 (September 2008)Google Scholar
  21. 21.
    Pilosov, A., Kapela, T.: Stealing the Internet: An Internet-scale man in the middle attack. Presentation at DefCon 16 (2008),

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Rahul Hiran
    • 1
  • Niklas Carlsson
    • 1
  • Phillipa Gill
    • 2
  1. 1.Linköping UniversitySweden
  2. 2.Citizen Lab, Munk School of Global AffairsUniversity of TorontoCanada

Personalised recommendations