Category Archives: Security

China Hijacks 0.015% of Internet Traffic!

Arbor Networks’ Craig Labovitz digs into the debate over Chinese manipulation of Internet routing. His analysis is the best I have seen so far on this issue. He cites original source material and also explains why the real issue appears to be very different from what is being said by those selling fear, such as cyberwar books (maybe even mugs now).

Here is his report: China Hijacks 15% of Internet Traffic!

While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), I’d estimate diverted traffic never topped a handful of Gbps. And in an Internet quickly approaching 80-100Tbps, 1-3 Gbps of traffic is far from 15% (it is much closer to 0.015%).

In fairness, I should note that I don’t know how Mr. Alperovitch obtained his 15% number (the article does not say) and a hijack of 40k routes out of a default-free table of ~340K is not far from fifteen percent. But of course, routes are different from traffic. I also add that both China denied the hijack and many Internet researchers suspect the incident was likely accidental.

A comment below his blog entry supports Craig’s analysis with further evidence, from page 252 of the congressional report:

For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers.* Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China.

Source 116 is a briefing that Dmitri Alperovitch gave to the Commission Staff on Aug 25 2010. Your assessment of ‘15% of routes’ vs. ‘15% of volume traffic’ is correct, and it looks like Dmitri was misinterpreted.

I should also mention, to be fair, that other blogs have done a good job summarizing the situation while reaching a different conclusion. Renesys, for example, looks at how hard it is to prove a negative, namely that China did not look at traffic it could see. They end up suggesting the April 8th traffic flows could have been Chinese “muscle-flexing” to demonstrate “trivially exploitable” Internet infrastructure:

the stage is set for traffic redirection. When you need to send Internet traffic to the defender (for example, to send him email or read his website), it’s passed towards the “closest” organization that asserted ownership. A large fraction of all the defender’s inbound traffic is potentially redirected straight into the waiting arms of the attacker. And until they withdraw their BGP route assertion, or their neighbors start filtering it out, there’s no way to stop it. It’s that simple.
In fact, it’s so simple, that it happens every year to somebody through sheer accidental misconfiguration. It’s been happening like this, periodically, at varying levels of severity, for over a decade. Sometimes it happens to just a network or two, as in Pakistan’s global hijacking of Youtube. Sometimes it happens to tens of thousands of prefixes, as someone briefly asserts ownership of huge swaths of the Internet. Sometimes it’s China, and sometimes it’s Con-Ed. We’ve seen it happen so many times, to so many people, that when it happened again in April, we didn’t even feel like investing the time to blog about it. [Emphasis added]

Ok, now we’re getting somewhere. So, did the April 8th event target the US Government?

No, almost certainly not.

Almost certainly might not be good enough for some people. Here is the rub: some say that China will do evil things, period, and cannot be trusted. Regardless of whether that is true, there is no evidence in this instance that they did anything evil.
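The two points above, that a hijack of many routes can carry very little traffic (Craig’s 15% of routes versus a fraction of a percent of traffic) and that the “closest” assertion of ownership wins until neighbours filter it out (the Renesys excerpt), are easy to see in a toy route table. What follows is an added example written for this post, not code from Arbor, Renesys, or any router vendor. The ASNs, prefixes, AS paths and traffic volumes are constructed, and the origin-authorisation table at the end is an assumption standing in for the kind of prefix filtering Renesys says neighbours could apply.

```python
"""Toy BGP table: why a hijack of many routes can divert very little traffic.

Added example for this post; ASNs, prefixes, paths and traffic figures are
constructed, not measurements from the April 2010 event.
"""
import ipaddress
from dataclasses import dataclass

LEGIT, HIJACKER = 64510, 64666          # hypothetical victim and hijacking ASNs
LEGIT_PATH = (64501, 64502, LEGIT)      # seen from our observer: 3 hops to the real origin
SHORT_HIJACK_PATH = (64503, HIJACKER)   # hijacker is 2 hops away, so its copy looks "closer"
LONG_HIJACK_PATH = (64503, 64504, 64505, HIJACKER)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # neighbour first, origin AS last

    @property
    def origin(self):
        return self.as_path[-1]


def best_paths(routes):
    """Per prefix keep the shortest AS path (BGP's decision process once
    local-pref is equal); ties go to the lexically lowest path, standing in
    for the router-ID tiebreak. Returns prefix -> chosen Route."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or (len(r.as_path), r.as_path) < (len(cur.as_path), cur.as_path):
            best[r.prefix] = r
    return best


def lookup(rib, ip):
    """Forwarding lookup: longest prefix match, which happens before path
    length is ever compared. A more-specific hijack therefore wins even when
    it arrives over a longer path."""
    ip = ipaddress.ip_address(ip)
    matches = [r for p, r in rib.items() if ip in p]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def build_table():
    routes = [Route(ipaddress.ip_network(f"10.{i}.0.0/16"), LEGIT_PATH) for i in range(40)]
    for p in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"):
        routes.append(Route(ipaddress.ip_network(p), LEGIT_PATH))
    # Hijack 1: ten quiet prefixes re-originated over a shorter path.
    routes += [Route(ipaddress.ip_network(f"10.{i}.0.0/16"), SHORT_HIJACK_PATH) for i in range(10)]
    # Hijack 2: a more-specific of one prefix, announced over a longer path.
    routes.append(Route(ipaddress.ip_network("10.20.0.0/17"), LONG_HIJACK_PATH))
    return routes


def build_flows():
    """Constructed traffic: 40 quiet /16s at 10 Mbps each, three busy /24s
    carrying 75 Gbps between them."""
    flows = [(f"10.{i}.1.1", 0.01) for i in range(40)]
    flows += [("192.0.2.10", 30.0), ("198.51.100.10", 25.0), ("203.0.113.10", 20.0)]
    return flows


def hijack_shares(routes, flows, hijacker=HIJACKER):
    """Return (share of table entries the hijacker wins,
    share of traffic in Gbps actually forwarded to it)."""
    rib = best_paths(routes)
    route_share = sum(r.origin == hijacker for r in rib.values()) / len(rib)
    total = sum(gbps for _, gbps in flows)
    diverted = sum(gbps for ip, gbps in flows if lookup(rib, ip).origin == hijacker)
    return route_share, diverted / total


# Assumed "who may originate what" table, the shape of an RPKI ROA:
# covering prefix -> (authorised origin AS, longest prefix length allowed).
ROAS = {
    ipaddress.ip_network("10.0.0.0/8"): (LEGIT, 16),
    ipaddress.ip_network("192.0.2.0/24"): (LEGIT, 24),
    ipaddress.ip_network("198.51.100.0/24"): (LEGIT, 24),
    ipaddress.ip_network("203.0.113.0/24"): (LEGIT, 24),
}


def origin_valid(route, roas=ROAS):
    """The filtering a neighbour could apply: accept a route only if a
    covering entry names its origin AS and permits its prefix length."""
    return any(route.prefix.subnet_of(cov) and route.origin == origin
               and route.prefix.prefixlen <= maxlen
               for cov, (origin, maxlen) in roas.items())


if __name__ == "__main__":
    routes, flows = build_table(), build_flows()
    rs, ts = hijack_shares(routes, flows)
    print(f"unfiltered: {rs:.1%} of routes, {ts:.3%} of traffic diverted")
    rs, ts = hijack_shares([r for r in routes if origin_valid(r)], flows)
    print(f"with origin filtering: {rs:.1%} of routes, {ts:.3%} of traffic diverted")
```

Run as is, the observer ends up with the hijacker as best path for a quarter of its table entries (11 of 44) while forwarding well under a fifth of a percent of its traffic there, because the prefixes that were captured carry almost nothing. The 10.20.0.0/17 entry also shows why “closest” is not the whole story: it wins its half of the /16 purely on prefix length, over a path longer than the legitimate one. Once the observer filters on the authorisation table, both hijacks disappear and nothing is diverted.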

Critical Infrastructure Alcohol Abuse

The Office of Inspector General in the US Department of Energy has just released a “Letter Report on ‘Inspection of Allegations Relating to Irregularities in the Human Reliability Program and Alcohol Abuse within the Office of Secure Transportation’” (OST):

Specifically, a review of OST documentation and interviews confirmed the occurrence of 16 alcohol-related incidents involving OST Agents, Agent Candidates and other personnel from 2007 through 2009. To put this situation in some perspective, the 16 alcohol-related incidents experienced by OST from 2007 through 2009 were from a total population of approximately 597 OST Agents, Agent Candidates and other personnel. Of the 16 incidents, 2 were of the greatest concern because they occurred during secure transportation missions while the Agents were in Rest Overnight Status, which occurs during extended missions where [nuclear weapon] convoy vehicles are placed in a safe harbor and Agents check into local area hotels. In 2007, an Agent was arrested for public intoxication, and, in 2009, two Agents were handcuffed and temporarily detained by police officers after an incident at a local bar. OST management took what appeared to be appropriate action in these cases. However, in our judgment, alcohol incidents such as these, as infrequent as they may be, indicate a potential vulnerability in OST’s critical national security mission.

Vehicles with nuclear weapons go into safe harbor overnight, but Agents can go out on the town. That pretty much says it all.

The 16 incidents could implicate up to 3% of staff (16 of roughly 597, if no one was involved more than once). The report makes no formal recommendations, and so it also does not try to work out whether this is a case of a few bad apples or of a loosely managed, and thereby insecure, operation overall.

Either way, the report concludes that nuclear weapons, and thereby national security, are in the hands of staff who often become involved in alcohol-related “incidents”.

Visa Alert on Weak Credentials

A Visa Alert dated October 28, 2010 and released today says criminals are exploiting weak credentials. They use the weak credentials to break into merchant accounts and then issue thousands of dollars in credits (refunds) to debit cards.

Although no merchandise is sold, a credit for a “sale” is applied to a foreign debit card. The criminals are sometimes clever enough to also enter a false sale transaction for the same amount, so that the books balance and the breach is obscured.

Visa gives the following recommendations:

To prevent fraudulent credits from entering the payment card system, Visa recommends that acquirers and processors review their credit transaction monitoring rules. Issuers should monitor clients’ credit and debit card accounts for unusual credits without a matching debit transaction.

In addition, these precautions may also be taken:

  • Protect online credentials and use strong authentication to access online accounts.
  • Alert merchants to phishing, voice phishing (vishing) and other social engineering schemes that target merchant credentials.
  • Monitor accounts for unusual credits (particularly those with no original offsetting debit, or with the credit going to a different payment card account).
  • Identify exceptions to average sales in real time; decline (or hold for investigation) return transactions that exceed normal thresholds.
  • Confirm that incoming transaction data matches existing merchant name, terminal ID, acquirer bank identification number (BIN), and source of communication.
  • Match return and credit transactions to corresponding sales by account; decline or investigate mismatches.
  • Conduct real-time velocity monitoring of return and credit transactions by account or by single merchant.
  • Require merchants to report lost or stolen point-of-sale (POS) terminals; block all transactions from these terminals.
  • Allow only connections from trusted IP addresses (IP filtering) to access online web portals.
  • Immediately report suspected fraudulent credit schemes to the issuing bank that is receiving the credit; the issuing bank may agree to hold funds to prevent fraud loss and/or conduct velocity monitoring of return transactions by merchant location in real time.
  • Report suspected fraudulent credit schemes to the appropriate law enforcement or regulatory agency and to Visa Fraud Control at USFraudControl@visa.com (from the Visa U.S. or Canada regions) or Visa Payment System Risk at LACRMAC@visa.com (from the Visa Latin America and Caribbean region).
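Several of Visa’s recommendations are monitoring rules an acquirer or processor could run over its transaction feed: a credit with no offsetting sale on the same card, a credit far above the merchant’s normal sale size, and a burst of credits at one merchant. Here is an added illustration of those three rules, written for this post and not code from Visa or any acquirer. The transaction records are constructed to mirror the scheme in the alert, including the balancing fake sale, and the thresholds, windows and masked account numbers are assumptions.

```python
"""Three credit-monitoring rules over a constructed merchant transaction feed.

Added example for this post. TXNS is made-up sample data, not records from
the Visa alert; thresholds and windows are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed feed for one merchant. Indices 3-5 are the scheme from the
# alert: credits to foreign debit cards with no sale behind them; index 6 is
# the fake sale entered afterwards so the merchant's totals still balance.
TXNS = [
    {"ts": "2010-10-28T09:05:00", "merchant": "M1", "type": "sale",   "account": "4111...1111", "amount": 42.00},
    {"ts": "2010-10-28T09:40:00", "merchant": "M1", "type": "sale",   "account": "4111...2222", "amount": 15.50},
    {"ts": "2010-10-28T11:00:00", "merchant": "M1", "type": "credit", "account": "4111...1111", "amount": 42.00},
    {"ts": "2010-10-28T23:10:00", "merchant": "M1", "type": "credit", "account": "5200...9001", "amount": 950.00},
    {"ts": "2010-10-28T23:12:00", "merchant": "M1", "type": "credit", "account": "5200...9002", "amount": 975.00},
    {"ts": "2010-10-28T23:14:00", "merchant": "M1", "type": "credit", "account": "5200...9003", "amount": 990.00},
    {"ts": "2010-10-28T23:15:00", "merchant": "M1", "type": "sale",   "account": "5200...7777", "amount": 2915.00},
]


def parse(txns):
    """Attach the feed index, parse timestamps and order by time."""
    out = []
    for i, t in enumerate(txns):
        d = dict(t)
        d["ts"] = datetime.fromisoformat(t["ts"])
        d["idx"] = i
        out.append(d)
    return sorted(out, key=lambda d: d["ts"])


def unmatched_credits(txns, window=timedelta(days=90)):
    """Rule 1: a credit must refund a prior sale on the same merchant and
    account; each sale can be refunded only up to its amount. A credit sent
    to a card that never bought anything here has no match and is flagged."""
    open_sales = defaultdict(list)  # (merchant, account) -> [[sale_ts, remaining], ...]
    flagged = {}
    for t in parse(txns):
        key = (t["merchant"], t["account"])
        if t["type"] == "sale":
            open_sales[key].append([t["ts"], t["amount"]])
            continue
        for sale in open_sales[key]:
            if sale[1] >= t["amount"] and t["ts"] - sale[0] <= window:
                sale[1] -= t["amount"]
                break
        else:
            flagged[t["idx"]] = "credit with no offsetting sale on this account"
    return flagged


def oversized_credits(txns, multiplier=5.0):
    """Rule 2: compare each credit to the merchant's typical sale *before* it.
    Using only prior sales, and the median rather than the mean, means the
    attacker's large balancing sale entered afterwards cannot lift the
    baseline to hide the credits that preceded it."""
    prior_sales = defaultdict(list)
    flagged = {}
    for t in parse(txns):
        hist = prior_sales[t["merchant"]]
        if t["type"] == "sale":
            hist.append(t["amount"])
        elif hist and t["amount"] > multiplier * median(hist):
            flagged[t["idx"]] = "credit exceeds %.0fx the merchant's median sale" % multiplier
    return flagged


def credit_velocity(txns, max_credits=2, window=timedelta(minutes=15)):
    """Rule 3: more than max_credits credits at one merchant inside the window."""
    recent = defaultdict(list)
    flagged = {}
    for t in parse(txns):
        if t["type"] != "credit":
            continue
        r = recent[t["merchant"]]
        r.append(t["ts"])
        r[:] = [ts for ts in r if t["ts"] - ts <= window]
        if len(r) > max_credits:
            flagged[t["idx"]] = "credit velocity: %d credits within %s" % (len(r), window)
    return flagged


def run_rules(txns):
    """Feed index -> list of reasons, for every transaction at least one rule hit."""
    hits = defaultdict(list)
    for rule in (unmatched_credits, oversized_credits, credit_velocity):
        for idx, reason in rule(txns).items():
            hits[idx].append(reason)
    return dict(hits)


if __name__ == "__main__":
    for idx, reasons in sorted(run_rules(TXNS).items()):
        print(idx, TXNS[idx]["account"], TXNS[idx]["amount"], "->", "; ".join(reasons))
```

The legitimate refund at index 2 is matched to its sale and passes every rule, while the three night-time credits are caught twice over (no offsetting sale, and far above the merchant’s median sale) and the third one also trips the velocity rule. In a real deployment the per-merchant baseline would come from a longer history and the windows would be tuned per merchant category, but the structure is the same: match credits to sales by account, baseline against history that the attacker cannot retroactively edit, and watch the rate.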

Airplane Terrorism Then and Now

Bruce has a post today titled Airplane Terrorism Twenty Years Ago. He calls a pilot’s article in Salon “Excellent”.

Nothing more, nothing less, just the word excellent and then an excerpt from the article.

Here’s a scenario:

Middle Eastern terrorists hijack a U.S. jetliner bound for Italy. A two-week drama ensues in which the plane’s occupants are split into groups and held hostage in secret locations in Lebanon and Syria.

While this drama is unfolding, another group of terrorists detonates a bomb in the luggage hold of a 747 over the North Atlantic, killing more than 300 people.

Not long afterward, terrorists kill 19 people and wound more than a hundred others in coordinated attacks at European airport ticket counters.

A few months later, a U.S. airliner is bombed over Greece, killing four passengers.

Five months after that, another U.S. airliner is stormed by heavily armed terrorists at the airport in Karachi, Pakistan, killing at least 20 people and wounding 150 more.

Things are quiet for a while, until two years later when a 747 bound for New York is blown up over Europe killing 270 passengers and crew.

Nine months from then, a French airliner en route to Paris is bombed over Africa, killing 170 people from 17 countries.

That’s a pretty macabre fantasy, no? A worst-case war-game scenario for the CIA? A script for the End Times? Except, of course, that everything above actually happened, in a four-year span between 1985 and 1989.

Here’s my comment on why I think the article is less than excellent. I see important differences between then and now (post 9/11):

  1. Need to stop the use of a plane as a missile. Armoring the cockpit has solved this threat. If that fails, detection would lead to interceptor jets or other typical anti-aircraft measures, which removes the residual risk. Worst case is casualties comparable to past attacks, instead of higher (critical infrastructure on the ground).
  2. Need to find terrorists. This is harder than 1 because the risk is left to the imagination. Anyone, anywhere, etc. could be in danger, instead of those on a hijacked plane, or at the Olympics, or stationed at an embassy in Africa, or in the Middle East or Asia…or, well, any place other than “inside” the border. All the examples from the past are “outside” attacks.

One solution to 2 that has been proposed is increased scanning and vigilance at airports. That really is better suited to solving 1, but even there it is not a good trade-off.

Take body scanners, for example. They are stupid because they neither make planes less likely to be used as a missile (1) nor find terrorists often enough (2) to justify their expense and inconvenience. However, they do bring a few good ideas into use and represent the beginning of technology that could help solve 2. Scanners that are less costly, less invasive and less hassle could make sense if they caught terrorists. That just puts them back into place as a tool for intelligence gathering.

That being said, the real solution to 2 is smarter, smoother and faster intelligence gathering, which actually has been working remarkably well and not just “inside” the borders.

Recent littoral combat operations in Somalia have been quiet yet effective, just like arrests of Somalis in Los Angeles (an extension of last year’s investigation in Minneapolis) that most people probably never heard about. The cases of fringe behavior, incidentally, have been uncovered by examining economics and welfare in cities, rather than looking at shoes in airports.

Investigators say the poverty, grim gang wars and overpacked public housing towers produced one of the largest militant operations in the United States since the Sept. 11 terrorist attacks.

The author misses these differentiation points.