Network Security

China Telecom Constantly Misdirects Internet Traffic

Over the past years, China Telecom has been constantly misdirecting Internet traffic through China, researchers say. 

The telecommunication company, one of the largest in China, has had a presence in North American networks for nearly two decades, and currently has 10 points-of-presence (PoPs) in the region (eight in the United States and two in Canada), spanning major exchange points. 

Because of this presence, the company was able to hijack traffic through China several times in the past, Chris C. Demchak and Yuval Shavitt revealed in a recent paper (PDF). China Telecom’s PoPs in North America made the rerouting not only possible but also hard to notice for a long time, the researchers say, because the diverted traffic entered and left the Chinese network at ordinary-looking North American exchange points.

Back in 2010, China Telecom originated routes for roughly 15% of the world’s Internet prefixes, which resulted in traffic for popular websites being rerouted through China for around 18 minutes. The incident impacted US government (‘‘.gov’’) and military (‘‘.mil’’) sites as well, the U.S.-China Economic and Security Review Commission, which investigated the incident, revealed (PDF). 

For the past several years, the Internet service provider (ISP) has been engaging in various forms of traffic hijacking, in some cases for days, weeks, and months, Demchak and Shavitt claim. 

“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics, namely the lengthened routes and the abnormal durations,” the researchers note. 

Doug Madory, Director of Internet Analysis at Oracle, confirms the paper’s finding that the ISP has been misdirecting traffic for a long time, but says the purpose of the action remains unclear. Oracle gained deep visibility into global Internet routing after its 2016 acquisition of Dyn, whose Internet Intelligence service collects BGP and traceroute data from around the world. 


“China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” Madory says. 

One of the observed incidents happened on December 9, 2015, when China Telecom announced routes for Verizon Asia-Pacific (APAC) prefixes; networks around the world that accepted the misconfigured routes inadvertently sent their Verizon APAC-bound traffic through China Telecom. 

After being alerted to the issue “over the course of several months last year” (2017), two of the largest carriers of the affected routes implemented filters to no longer accept Verizon routes from China Telecom, which “reduced the footprint of these routes by 90%,” Madory notes. 

Also in 2017, he says, traffic that should have travelled only between peers in the United States was instead sent via mainland China. The issue repeated several times and resulted in a major US Internet infrastructure company deploying “filters on their peering sessions with China Telecom to block Verizon routes from being accepted.”

Such incidents, referred to as BGP hijacking attacks (also known as prefix or route hijacking), have become increasingly frequent over the past years, with a recent attack targeting payment processing companies in the US. According to Cloudflare, Resource Public Key Infrastructure (RPKI) could be the answer to securing BGP (Border Gateway Protocol) routing: prefix holders publish signed Route Origin Authorizations (ROAs) stating which autonomous system may originate a prefix, and routers performing Route Origin Validation can then reject announcements whose origin AS is not authorized.
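The two controls the article mentions, the per-session filters carriers deployed against Verizon routes learned from China Telecom and RPKI Route Origin Validation (RFC 6811), are shown below as an added example in Python. It is not code from the paper, Oracle/Dyn, Cloudflare or any carrier; the ASNs (private range 64500-64530) and prefixes (RFC 5737 documentation space) are constructed for illustration, and the blocklist is a stand-in for the real filters the article describes.

```python
"""RPKI Route Origin Validation (RFC 6811) plus a per-session origin filter.

Added illustration, not code from the paper, Oracle/Dyn or any carrier.
All ASNs (64500..64530, private range) and prefixes (RFC 5737 documentation
space) are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it up to max_length bits."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour that sent it, rightmost = origin
    received_from: int         # ASN of the BGP session the update arrived on

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def rov_state(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.

    A ROA covers the announcement when its prefix is equal to or less
    specific than the announced prefix. The route is valid if any covering
    ROA names the same origin AS and the announced length is within
    max_length; invalid if covered but no ROA matches; not-found otherwise.
    """
    net = ip_network(ann.prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == ann.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def accept_route(
    ann: Announcement,
    roas: Iterable[ROA],
    peer_origin_blocklist: Dict[int, FrozenSet[int]],
) -> Tuple[bool, str]:
    """Import policy: drop ROV-invalid routes, then drop routes whose origin
    AS is blocklisted for the session they arrived on (the kind of filter
    the article describes: do not accept Verizon routes from China Telecom)."""
    state = rov_state(ann, roas)
    if state == "invalid":
        return False, "rov-invalid"
    if ann.origin_as in peer_origin_blocklist.get(ann.received_from, frozenset()):
        return False, "peer-origin-filter"
    return True, state


# Constructed data: AS 64500 legitimately originates 203.0.113.0/24, AS 64510
# is its normal transit, AS 64520 is a peer we no longer trust for that origin.
ROAS = [ROA("203.0.113.0/24", 24, 64500)]
BLOCKLIST = {64520: frozenset({64500})}

SAMPLES = {
    "legit":         Announcement("203.0.113.0/24", (64510, 64500), 64510),
    "bogus_origin":  Announcement("203.0.113.0/24", (64520, 64520), 64520),
    "too_specific":  Announcement("203.0.113.0/25", (64510, 64500), 64510),
    "forged_origin": Announcement("203.0.113.0/24", (64520, 64500), 64520),
    "no_roa":        Announcement("198.51.100.0/24", (64510, 64530), 64510),
}


def evaluate_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the import policy over the constructed announcements."""
    return {name: accept_route(a, ROAS, BLOCKLIST) for name, a in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in evaluate_samples().items():
        print(f"{name:14s} accepted={accepted!s:5s} reason={reason}")
```

The `forged_origin` case is the caveat worth noticing: an announcement that keeps the legitimate origin AS at the end of the path but arrives from an unexpected neighbour passes Route Origin Validation, because ROAs bind a prefix to an origin only, not to a path. That is why the per-session filters the carriers deployed still matter even where RPKI is in place; `no_roa` shows the other gap, prefixes with no ROA at all are accepted as not-found.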

Related: Should You Be Worried About BGP Hijacking your HTTPS?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
