China's Great Firewall Infects Other Countries

angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."

Uh Huh

[MightyMartian]

Chinese official: "Whoops..." (with big grin on face).

Re:Uh Huh

who controls the root? hmm, we'll see who end up with a bigger whoops and a bigger grin

Re:Uh Huh

[Yvan256]

Question: Who controls the root?

Possible answers:
- the tree
- the tooth
- the administrator
- the problem

Re:Uh Huh

[Z00L00K]

Can't say that I'm surprised that it did happen.

Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.

Re:Uh Huh

[sopssa]

Can't say that I'm surprised that it did happen.

Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.

And still this has nothing to do with the Chinese government. It's the ISP's fault that erroneously configured their servers to use the Chinese root DNS server.

Re:Uh Huh

[e2d2]

Well in fairness it has a little bit to do with China. That whole censorship thing.

Re:Uh Huh

[vvaduva]

It has a lot to do with it...China is manipulating DNS for political reasons. I would say that's a problem...

Re:Uh Huh

[ircmaxell]

Well, that's assuming that the ISP actually made that configuration. There are a number of other possibilities (Such as someone hacked those servers, someone silently redirect queries from the actual root server to the China one, etc). Regardless of how the issue came about, the fact that China had those systems in place makes them at least partially responsible (not from a legal perspective, but from a philosophical one) for people not reaching their destination...

Re:Uh Huh

[sopssa]

ISP's in other countries are manipulating DNS too, but rather than for political reasons it's for child porn (there has been controversy when such lists are used for other purposes too) and copyright infringement (at least Italy blocks TPB, maybe others).

CHINA will set up a mirror server for Chinese netizens to visit Websites whose domain names end with .com or .net, Sina.com reported today.

Instead of being served by overseas domain servers for making visits, the new server will provide a domain name system or "DNS" function of its own, which will guarantee the security for netizens visiting from China and also raise the linking speed.

So it's a DNS for Chinese people. Why does ISP's in other countries use it? And since they do, it's no surprise their results get changed too.

Re:Uh Huh

I recall that all chinese ISPs are either directly state-run, or at least know that they'd better do as they are told.

Re:Uh Huh

[blane.bramble]

My bet is on either Money or Evil

Re:Uh Huh

[Mordok-DestroyerOfWo]

Don't be so square.

Re:Uh Huh

[Yvan256]

I knew I forgot one.

Re:Uh Huh

The ISP is thinking "that's weird, we just hired a chinese exchange student to help our sys admin...come to think of it, he's missing"

Re:Uh Huh

[quatin]

Regardless of how the issue came about, the fact that China had those systems in place makes them at least partially responsible (not from a legal perspective, but from a philosophical one) for people not reaching their destination...

So philosophically, the creator of every tool is responsible for it's end use? How far do you take this? Is Google responsible for finding links to illegal file sharing websites?

Re:Uh Huh

[ircmaxell]

I think it depends on intent. The scientists that built the nuclear bomb are responsible (On a high level, not necessarily a legal one) for its use, because destruction was the main purpose of the bomb. Google is not responsible (Again, on a very high level), because it was designed to search all websites. The fact that a subset do illegal things is irrelevant, because Google makes no attempt at classifying them as illegal vs non-illegal. China is responsible (Yet again, on a high level) for this because their system was designed from the very beginning to restrict what people saw. So by my logic (which I don't claim is valid, just the reasoning for my OP), the creator of every tools is responsible (on some level) for the intended use of the tool...

Re:Uh Huh

[quatin]

Google is not responsible (Again, on a very high level), because it was designed to search all websites. The fact that a subset do illegal things is irrelevant, because Google makes no attempt at classifying them as illegal vs non-illegal. China is responsible (Yet again, on a high level) for this because their system was designed from the very beginning to restrict what people saw.

So a product with an intended use that you find morally objectionable will cause the creator to be responsible for it? Are you really saying there is no moral use for nuclear bombs and internet filtering?

Re:Uh Huh

[ircmaxell]

Are you really saying there is no moral use for nuclear bombs and internet filtering?

What I'm saying is that I don't believe that either the means justify the end or the end justifies the means. Neither are justification for something that's in itself immoral (again IMHO). So you are correct. I am saying that there is no moral use for nuclear bombs and internet filtering. There are "more" moral uses for them (Using a the threat of a nuclear bomb is more moral than dropping it), but that doesn't make the use moral in and of itself...

Just my $0.02...

Re:Uh Huh

[maxume]

Google is better described as the provider of a search tool, they are more than the creator.

Re:Uh Huh

[Khyber]

"So it's a DNS for Chinese people. Why does ISP's in other countries use it?"

Because they're just as controlling. Duh.

Re:Uh Huh

[Idiomatick]

Yeah, China accidentally...... had swedish DNS and US/Chile ISPs accidentally route through Chinese servers? Pretty sure the Chinese government can't control stupidity, unless you are suggesting that they have mind control abilities.

Re:Uh Huh

[Idiomatick]

Ya think that'd have been in the article then huh...

Re:Uh Huh

[ffreeloader]

Ummmm.... It's my understanding from historical Chinese government interaction with their businesses that it tells Chinese businesses what to do, how to interact with the rest of the world. It's not like their government isn't a totalitarian government.

IMO, it's self-defeating behavior to deny obvious possibilities.

Re:Uh Huh

That's incorrect. The Chinese I-root server uses "anycast", so it has the same IP address as the other I-root instances dotted around the world. This is a routing related issue, it's not about DNS software configuration.

Re:Uh Huh

[theo_doe]

I am saying that there is no moral use for nuclear bombs

How about placing a nuclear bomb on an asteroid heading for earth in order to shift its orbit?

Re:Uh Huh

So you're saying that because some governments try to limit the spread of child porn, the PRC has the right to deceive the people of China into thinking there was no "Tank Man" or that democracy is evil?

Nonsense. What they are doing will be remembered as a great injustice. It will be a cautionary tale for all societies with a chance to determine their own destiny. They will say, "We will not let it happen again."

No amount of cheap wealth will hide what is happening. No one sympathizes. They are known as the perpetrators of a great and ongoing crime against humanity.

Do not defend it. Rid yourself of it.

Re:Uh Huh

[ubermiester]

So you're saying that because some governments try to limit the spread of child porn, the PRC has the right to deceive the people of China into thinking there was no "Tank Man" or that democracy is evil?

Nonsense. What they are doing will be remembered as a great injustice. It will be a cautionary tale for all societies with a chance to determine their own destiny. They will say, "We will not let it happen again."

No amount of cheap wealth will hide what is happening. No one sympathizes. They are known as the perpetrators of a great and ongoing crime against humanity.

Do not defend it. Rid yourself of it.

Re:Uh Huh

[shentino]

And however this happened, it's plausible that now China looks like it's throwing a tizzy at getting stood up to on censorship by Google.

Re:Uh Huh

[Hurricane78]

Chilean official: "Whoops..." (with big grin on face).

There, fixed that for ya.

Re:Uh Huh

[jon3k]

i.root-servers.net (the root in China) is in the default root.hints file for BIND. Querying the Chinese root is the default configuration. Root servers are omnipotent deities you should always be able to trust them. If you can't trust one then some adjustment needs to be made. In this case removing the root from a location in which data could be intercepted and modified by a hostile government.

Re:Uh Huh

[Kalriath]

i.root-servers.net is not "the root in China". A single Anycast node of i.root-servers.net is in China. It would probably be a good idea to research such statements before making them.

Re:Uh Huh

semantics you know what i mean and your post changes nothing you're just being annoying -- fuck off

Re:Uh Huh

[quatin]

There are "more" moral uses for them (Using a the threat of a nuclear bomb is more moral than dropping it), but that doesn't make the use moral in and of itself...

Well you can't have your cake and eat it too. There would be no "mutual nuclear destruction" theory without nuclear bombs. There would be no firewalls without internet filtering. Both of these ideas were created with good intentions to start.

Re:Uh Huh

Looks to me like the voice of propaganda is speaking.. China tossed Googleout because Google was spying on Chinesse.. just as it thinks it has the right to do in the US.

Re:Uh Huh

[Kalriath]

It's not semantics fuckwit. It changes the fundamental meaning of the post. Original statement said "querying the Chinese root is the default configuration" when in fact that behaviour is only the default if you are in China. Otherwise, querying i.root-servers.net in Los Angeles or Sydney or Auckland or London is the default.

So fuck off yourself.

Re:Uh Huh

[RockDoctor]

Well in fairness it has a little bit to do with China. That whole censorship thing.

Well, in fairness, it is their country and their rules. They've got as much right to enforce their laws in their country as, for example, an American state has to judicially murder it's own citizens. You may like Chinese censorship laws as much as I like American judicial murder policies, but our likes and dislikes don't change our (non-existent) right to interfere in the internal policies of a country.

Or is the US planning to invade China in the near future in protest against the Chinese censorship policies?

The Swedes

Why am I not surprised?

Re:The Swedes

[zeromorph]

the swedes, troll ... oh, sweet irony

Pfft.

[fuzzyfuzzyfungus]

And their firewalls didn't detect the melamine in the imported DNS records? Pitiful.

Re:Pfft.

[einhverfr]

Also, the internet routes around censorship? Ooops....

Re:Pfft.

[_Sprocket_]

Also, the internet routes around censorship? Ooops....

Seems we were wrong. Apparently, the Internet detects censorship and routes it around.

Re:Pfft.

[TheRaven64]

Not really surprising, because the root DNS servers are not yet all signed with DNSSEC and Verisign is dragging its heels when it comes to implementing DNSSEC in the .com domain. Apparently there isn't much real-world use for DNSSEC. Nice to have a concrete counter-example - thanks China.

Re:Pfft.

[Khyber]

"And their firewalls didn't detect the melamine in the imported DNS records? Pitiful."

I was going to recommend lead but I forgot this isn't the 80s-90s any longer.

Lead would've made a better explanation for the slower speeds and 'cancerous' degradation that's been showing up on The Internet Traffic Report (currently at 62% as of this posting) with lead being heavier and all that fun chemistry stuff. ;)

Re:Pfft.

[slater86]

I thought that was only in soviet russia

Re:Pfft.

[Hurricane78]

Apparently there isn't much money in DNSSEC.

Fixed. No need to thank me. :)

Now...

[courteaudotbiz]

Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?

Re:Now...

[sopssa]

It's the other way around than what you're suggesting. Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.

Re:Now...

[JWW]

Which, proves the point that perhaps China should not be allowed to have any DNS root servers.

I would say that if a DNS server does not return the same information as all other root servers in the world that it should not be allowed to be a root server.

Re:Now...

[Threni]

Is there a site somewhere which lists the companies willing to assist China (and other equally repressive countries)? I'm not in Sweden but if it turned out for example that a UK based company was helping them block access to Google or whatever then I'd take my business elsewhere.

Re:Now...

Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

I'd like to know what ISP you use, where their employees are magically invincible to bribery or other acts of subterfuge.

Re:Now...

[Third+Position]

Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?

Well, I suppose it pays to talk real sweet to a country that pretty much owns us now.

Re:Now...

[origin29]

China can have all the root servers they want - just don't configure your server to poll them.

Re:Now...

[mandelbr0t]

The great firewall can work both ways. I experimented for a time with simply banning all asian netblocks at my firewall. If China refuses to play nice, everyone else can simply ignore them.

Re:Now...

And China would raff at you.

Re:Now...

[radtea]

China can have all the root servers they want - just don't configure your server to poll them.

Actually China is demonstrably incapble of having any working root servers at all. A DNS server that returns incorrect information is not a "root" server, if by "root" you mean "authoritative source of DNS information that resolves domain names properly."

It's really too bad that China is incapable of hosting DNS root servers. Hopefully by the end of the 21st century China will be a little less backward and isolated from the rest of the world, which would benefit greatly from interaction with so many people from such diverse cultural and political backgrounds.

Re:Now...

[Diagoras]

It's actually more like we own each other.

Re:Now...

[Stephen+Samuel]

.... Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

Not quite accurate. The Netnod server 'causing the problem' claims to have and be serving proper information, but the Chinese instance of that server is having it's data stream filtered by China (on the presumption that nobody outside of China is getting information from that server). The problem arose when a couple of high-volume servers (one, or more, in Chile and one, apparently in California) got their root query packets routed through China and ended up filtered the same way that internal-Chinese queries get filtered.

To solve that problem without having to wander through layers of Chinese technical and political bureaucracy, the easiest solution was for Netnod to simply 'turn off' routes to it's Chinese server until the relevant Chilean and Californian routers get less problematic setups.

The root of the problem (if you'll allow the pun) is that China is silently hacking data from legitimate root servers that go through their systems. Normally this only affects users inside of China but, in this case, part of 'The Great Firewall of China' leaked out into the rest of the world.

Re:Now...

[jon3k]

That's stupid. Just let them setup their own name servers that query the ACTUAL roots and modify the data anyway they please. You don't fuck with critical internet infrastructure like a root name server.

Re:Now...

[jon3k]

they can "raff" all they want without their root server -- which just got yanked. suck it china!

Re:Now...

[jon3k]

that's the best part -- all this wealth is in US debt. now if the US fails the Chinese lose trillions of dollars. The americans aren't dumb, they just sold the Chinese the greatest and most expensive insurance policy in history FOR THEMSELVES and the Chinese bought it :) pretty brilliant if you ask me.

I am not a fan of the USA gov't

[Ralph+Spoilsport]

or any other bunch of capitalist parasites. But I should like to take this moment to say to the people reading this who are monitoring this site for the Chinese Government, these few simple words:

Kindly go fuck yourself.

Re:I am not a fan of the USA gov't

[GPLDAN]

Parasites? Oh, don't be a spoil sport! Oh... wait... never mind...

Re:I am not a fan of the USA gov't

[Archangel+Michael]

US Government isn't capitalist. With Obama and GWB and Clinton taking over larger and larger parts of the economy, I dare say it is officially socialistic. Capitalism is dead, and we're enslaving our children in unsustainable debt.

But hey, if you like that kind of "compassionate governance" great. I happen to not like it much.

Re:I am not a fan of the USA gov't

I greatly prefer it to enslaving our children in unsustainable debt to make the a handful of industrialists even richer.

Re:I am not a fan of the USA gov't

[MickyTheIdiot]

Life is really easy when you let someone like Glen Beck do all your thinking for you, isn't it Michael?

Re:I am not a fan of the USA gov't

Well Micky, who does your thinking? Sean Penn?

Re:I am not a fan of the USA gov't

Does Fox know your not watching them? Kindly leave as we'll never get the smell of stupid out of the Slashdot couch...

Re:I am not a fan of the USA gov't

It's funny, because the Reagan years spent more than compared to the GDP than Clinton or GWB but you I happen to like those kind of "facts". In the Clinton years spending v GDP went down quite a bit. The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton.

Re:I am not a fan of the USA gov't

[buswolley]

bullshi+. Bush, Reagan were huge debt creators. Now you blame Obama for the increase in debt when the bailout was designed by Bush in the first place, and also necessary to keep this economy from falling flat on its face by the greedy, uncontrolled and short-sighted bankers. The war? How expensive has that been? Besides, healthcare is national defense and will reduce abortions by providing effective birth control to women more often. Bug the f off.

Re:I am not a fan of the USA gov't

[The+End+Of+Days]

Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?

Re:I am not a fan of the USA gov't

[cromar]

bullshi+

Dude, if you're going to say it, just say it :)

Re:I am not a fan of the USA gov't

[ScentCone]

The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton

Yup. And lucky Clinton got to benefit from the coasting period following the Regean economic growth, and he got have a nice big vacation from the Cold War and its current counterparts. This had nothing to do with Clinton, and everything to do with what he was handed by circumstance. By the time Clinton was done, we were well on our way to a recession, a ruinous housing/tech bubble, and Islamists that he was hoping would just go away were ramping up to 9/11, even though Clinton gave them a very stern lecture about attacking the WTC the first time, blowing up US embassies, and damaging the USS Cole with casualties to her crew, etc.

Re:I am not a fan of the USA gov't

[Fred_A]

Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?

At least *some* people get rich.
Wait, that works in China too. Ah, it's just screwed everywhere.

Re:I am not a fan of the USA gov't

[Alex+Zepeda]

Bullshiplus!

Re:I am not a fan of the USA gov't

[bigmattana]

This is pretty misleading. Total government spending went up pretty much lineraly at the same rate during both the Reagan and Clinton years.
http://www.usgovernmentspending.com/downchart_gs.php?year=1980_2000&view=1&expand=&units=b&fy=fy11&chart=F1-total&bar=0&stack=1&size=m&title=&state=US&color=c&local=s
In comparison to GDP, it did go down somewhat during the Clinton years:
http://www.usgovernmentspending.com/downchart_gs.php?year=1980_2000&view=1&expand=&units=p&fy=fy11&chart=F1-total&bar=0&stack=1&size=m&title=&state=US&color=c&local=s
But what really helped as far as the debt there was increased income tax rates and more money being made in the private sector.
Now, spending during Bush per GDP actually pretty much flatlined until 2006/2007. Does anyone know what happened then?
http://www.usgovernmentspending.com/downchart_gs.php?year=2000_2010&view=1&expand=&units=p&fy=fy11&chart=F1-total&bar=0&stack=1&size=m&title=&state=US&color=c&local=s

Your point that both Bush and Reagan were big spenders compared to what they claimed is true, but you can't deny that the current administration is making no effort to reduce the debt, and it is exploding way faster than any previous president with no end in sight, while we are losing the surpluses of Social Security and Medicare that we had in the past. We can debate the past all we want but no one is going to change sides. I personally think it is worth noting that most of the companies that created the tech boom of the 90s really started in the 80s, and that the tech boom and Bill Gates had more to do with the Economic boom and surpluses of the 90s than did Bill Clinton. You would probably disagree. But surely we can all agree that we are headed in the wrong direction. If spending does not drastically slow down soon, we will be past the point of no return to becoming an insolvent nation within this decade.

Re:I am not a fan of the USA gov't

[bigmattana]

"Besides, healthcare is national defense and will reduce abortions"
What? I do not follow this logic or see what it has to do with government spending.

"Now you blame Obama for the increase in debt when the bailout was designed by Bush in the first place"
The bailout was necessary, but implementation was rushed, ineffective, and more expensive than it should have been. That it was caused in any way by Bush is almost laughable, but at the very least debatable. Economic policies and deregulation that got us to that point happened mostly in the 90s under the pretense of helping low-income families obtain mortgages. As soon as these were passed in the late 90s, the housing bubble began to build. http://mysite.verizon.net/vzeqrguz/housingbubble/
The fallout in 2008 was a result of this bubble finally bursting. It was worse than the tech bubble bursting in the late 90s because it affected securities that have always been considered safe by institutional investors.

The bailout is only part of the spending increases under Obama, which together dwarf the $1Trillion expense of the war. (Which Obama is continuing and actually spending more on.) The other huge part is the stimulus bill which was mostly ineffective (what do you expect from a package special interest pork disguised as a stimulus bill?) and our jobless rate is worst that what was predicted by the administration if the bill were never passed.


I get your frustration. Obama did not get us to this point and should not be given all the blame. But he sure seems to be doing a great job at making it worse.

Re:I am not a fan of the USA gov't

[clampolo]

God I wish both Republicans AND Democrats would shut up. Both parties accept huge bribes (campaign contributions) in exchange for votes. There is always a shameful deficit no matter who is in power (don't get started with Clinton and his raiding of Social Security to make the budget look balanced. No matter who is in charge, the army is out invading some new country: Somalia, Kosovo, Iraq, Panama, etc.

This dumb Democrat healthcare bill is just as big a coporate handout to the pharmaceutical and insurance companies as the Republican prescription drug plan.

So in summary: If you live on every word of Rush Limbaugh, Sean Hannity OR Jon Stewart, Keith Olberman, etc, you are all equally stupid.

Re:I am not a fan of the USA gov't

[blackraven14250]

I imagine he means that "health care is saving the lives of future American citizens and is thus national defense." I don't agree with that sentiment, but that's what I got from it.

Re:I am not a fan of the USA gov't

[cromar]

Hear, hear. We can argue the merits of the ramblings of the "different" ideologues all day, but true reform won't come until we elect representatives that actually have that as their goal and don't just pay lip service to it.

Re:I am not a fan of the USA gov't

[DeadChobi]

I daresay that it wasn't deregulation that got us into this mess, but rather the mandate that housing is a right. Our government let us down when they decided that it didn't need to make financial sense for a person to own a home, only that they needed to want it badly enough and they could get a loan.

The shocker is that we're doing the same thing to healthcare and my children will be paying for it.

Re:I am not a fan of the USA gov't

[buswolley]

Partially. But I was also suggesting that a good healthcare and healthiinsurance infrastructure is a useful defense against bio-terrorism.

Tiannamen Square

If you are reading this, you are not affected.

Re:Tiannamen Square

[maxwell+demon]

It's no secret in China that this square exists. It's just what happened there $%*+
NO CARRIER

China Fights Back

[jamesyouwish]

Fine Google you want to leave China. Where you going to go when we take over the whole internet.

Re:China Fights Back

Maybe this is why Google is installing its own backbones.

Re:China Fights Back

[TheRaven64]

Hmm, maybe they could install one in the US government while they're at it?

Nice headline

[oldhack]

The headlines now tell you absolutely nothing about the actual stories.

Re:Nice headline

[Jurily]

Have they ever?

Re:Nice headline

[blair1q]

Funny, yours didn't say a thing about Nice.

Re:Nice headline

[Dumnezeu]

Yes, the headlines used to be a lot closer to reality.

DNSCurve will own.

This is why we need DNSCurve implemented on the wide scale. Badly.

Re:DNSCurve will own.

Phew it was only DNS.. For a moment I got worried and thought this was a BGP advertisement issue. In terms of DNSSec or DNSCurve saving people from this sort of thing I'm highly speculative. DNSSec brilliantly utilizes trust anchors the size of the planet. I epicly fail to see how that arrangement is supposed to instill confidence in end-users of any nation. One need only point out the crap that has been going on with SSL certificates over the past several years and multipy by a few orders of magnitude. I don't think its unreasonable to assume someone who may not be acting in your best interests is going to have access to keys necessary to forge whatever the hell they want. DNSCurve is much more sane than DNSSec but it provides zero protection against misconfigured downline servers (Using the wrong roots) and its also useless against active MITM. DNSCurve however effectivly solves all of the reasonable DNS integrity issues and allows the network to work without going on DNSSecs fools errand of trying to make the DNS system trust-worthy. I mean whats the point? It just needs to not be any *less* secure than the transport which DNSCurve does quite well. The Internet just needs to route packets NOT determine truth from bullshit.

Misleading

[ClownPenis]

Misconfiguration of resolv.conf does not put China's firewall in your way. Add yourself to the tool belt.

Re:Misleading

It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.

Re:Misleading

[ClownPenis]

It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.

The only way someone is going to "actively spoofing DNS replies" is via a sophisticated MITM attack. The problem here, is that some idiot forgot to keep his "root.hints" file current on his DHCP published name server. A "firewall" has always been understood as a bastion host and/or a packet filter. Breaking DNS doesn't break routing. The inverse may not be true, but routing doesn't depend on DNS.

Re:Misleading

Did you even read the link? I just tried the exercise myself with tshark, send the mgcxxx.com request and watch several replies come back trying to race each other, with the fake ones usually winning. There are even replies coming back when querying other IP addresses in that range, IPs that are not running a DNS server.

Re:Misleading

[jon3k]

So when I put my ISPs name server in my resolv.conf and they (using the default bind configuration) query the i.root-server.net which is then filtered by the Chinese firewall - that's MY fault?

ooooooooooookie dokie.

Re:Misleading

[jon3k]

You're using firewall in the literal sense. The "Great Firewall of China'" isn't a firewall in the truest sense - it's just a cute play on the name. It has a number of components one of which is modifying DNS responses. And yes, they were using a "sophisticated MiTM" attack which involved modifying clear text DNS requests coming from the i.root-server.net root name server. It probably took two or three teenagers several hours to concoct this diabolical system.

Re:Misleading

[Kalriath]

How is this insightful? It's wrong! Noone misconfigured their DNS resolvers, the problem is that for some reason a couple of major routing nodes latched on to the incorrect node for i.root-servers.net (each DNS root is not a single server, it's a bunch of geographically separate servers with the same IP doing Anycast announcements) and connected downstream servers began using the node in China to perform resolution.

WW3

[watanabe]

In other news, WW3 started slowly with Google and Dell pulling out of China. Infowars continued to increase when China's root nameserver began to propagate its information out to the developing world, areas that had been increasingly reliant on Chinese funding since the post-cold-War US' international power began to wane..

Re:WW3

[Jazz-Masta]

In other news, Skynet, err The Great Firewall of China, became self-aware at 8:14am EDT March 26, 2010

Re:WW3

[unknownroad]

A South Korean corvette was just sunk too. Maybe this IS the beginning of the end.

Maintaining the Great Firewall

[Tetsujin]

(Firewall is subverted...)
Damn you cyber-Mongorians!

Re:Maintaining the Great Firewall

[newdsfornerds]

Cyber-Mongoloids? Cyber Mongolians?
WAT

Re:Maintaining the Great Firewall

[badkarmadayaccount]

http://i17.photobucket.com/albums/b87/hurt911gen/wat.jpg?t=1248974475

Re:Maintaining the Great Firewall

[Tetsujin]

http://i17.photobucket.com/albums/b87/hurt911gen/wat.jpg?t=1248974475

404'd!

Umm... no

[ailnlv]

Either they already fixed it or the article is wrong, because I'm in Chile and Facebook and Youtube seem fine to me

Re:Umm... no

[EldestPort]

Probably only some Chilean requests would have gone through that particular DNS server.

Re:Umm... no

[Jazz-Masta]

Are you sure you didn't end up at Redbook and CommUTube?

I think this is a shot across teh bow

[filesiteguy]

China wants to rule the world. (Or at least make sure they make money somehow everywhere.) I can see the Chinese - all using Red Flag Linux (or some pirated copy of Wintendo) - gathering together to control all DNS machines. This was a warning - mess with us and we take your DNS down.

Re:I think this is a shot across teh bow

Your rampant racism not withstanding, that was an idiotic post.

China cannot 'take our DNS down'. In worst case scenario, the world would just disconnect from China if that were to happen.

Re:I think this is a shot across teh bow

[oldspewey]

What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?

Re:I think this is a shot across teh bow

[ObsessiveMathsFreak]

Your rampant racism not withstanding, that was an idiotic post.

He wasn't being racist. He was being alarmist, or possibly McCarthyist. His is the same mentality that leads to films like "Red Dawn", not "The Birth of a Nation".

Re:I think this is a shot across teh bow

[Jazz-Masta]

What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?

Yes, lead, melamine, and poorly documented programming.

Re:I think this is a shot across teh bow

Don't forget the sulfer.

Re:I think this is a shot across teh bow

Where was race mentioned?

this gives me an idea....

[datapharmer]

So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.

Re:this gives me an idea....

[Jazz-Masta]

So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.

Why don't we just slashdot it?

Re:this gives me an idea....

[anarche]

i'm in for that!

Re:this gives me an idea....

[blackraven14250]

The scale of "THE WORLD WILL NOT TAKE YOUR CRAP ANYMORE" works better than "american geeks will attempt to dos your server"

Re:this gives me an idea....

[Hurricane78]

The problem with your logic is, that if we stopped, it would work again.
And if we wouldn’t stop, nobody would have Internet. Not us, and not the Chinese people.

I think a botnet, DOSing them, makes more sense, and is already done.

Re:this gives me an idea....

[jon3k]

You just have to shut access to the Internet in China down for several hours a day every few days randomly. To use a car analogy - imagine if you had this car. It worked usually but randomly it stopped working for long periods of time. Eventually, even though it works SOMETIMES, it's not reliable enough to use or trust, so you just stop using it entirely.

Big names having problems

[fremsley471]

Youtube, Wikipedia and hell even Slashdot have had access problems this week. 6th form conspiracy theorist asks "Is 'something' is going on"?

Re:Big names having problems

[buswolley]

yeah i could load up Foxnews easy, but Huffingtonpost was not accessible. Tea Bag Terrorists at it again

Completely unintentional

[Hadlock]

US DNS servers magically start pulling DNS data from chinese servers? Uh huh. Completely an "accident".

Re:Completely unintentional

[rahunzi]

US DNS servers magically start pulling DNS data from chinese servers? Uh huh. Completely an "accident".

of course it's a hack - and tactically brilliant! - I am thinking, one ad on a page can be the port

redirecting Facebook, Twitter, and YouTube users

... and nothing of value was lost

Huh

[MrTripps]

I was wondering about that fortune cookie that said "All of your root servers are belonging to us."

Problems like this should be prevented

[Lorens]

So any wrongful destination now has a lot of passwords. Especially IMAP and POP and suchlike, not even a need to set up a misleading website, you can play totally innocent.

Prevention:

1) Don't have a root server in a country that wants to censor information

2) Implement free SSL certs so that it is no longer "normal" to just click through the SSL cert alert

3) DNSCurve, DNSSEC, whatever

4) Encrypt.

5) Even when using encryption always use auth schemes that cannot be replayed afterwards. Without certs I don't think you can stop MITM, but much too many people use only one password for a lot of different things, at least that one won't be in the sniffer's hands.

More?

Re:Problems like this should be prevented

The Chinese usually point to IP's belonging to the US DOD. At least what I've see so far here in Shenzhen..

Re:Problems like this should be prevented

But problems of other types should be allowed?

thank you Captain Obvious

Re:Problems like this should be prevented

[CannonballHead]

6) Invade. ;)

Re:Problems like this should be prevented

[Lorens]

Well, no, since I specifically asked if there were any "More?". I'm sincerely interested in knowing if I overlooked something in my list. Name calling was not called for.

What good are my fifteen daily modpoints when it doesn't stop one from being insulted by anonymous cowards . . .

Re:Problems like this should be prevented

[Lorens]

1b) Don't allow unfiltered BGP updates from countries or companies you don't want running a DNS root server.

Re:Problems like this should be prevented

Now that is a partial answer.

Without at least that, BGP allows China to redirect US traffic to Chinese sites which is very bad. Think defense computers going to Chinese servers when they wanted to go to US servers.

Problem is that it is not 100% (filters never are).

ancient chinese secret, huh?

[fak3r]

ancient chinese secret, huh?

The Net interprets censorship as damage and routes

"The Net interprets censorship as damage and routes around it"

- John Gilmore

in China....

[idji]

Firewall burns you!

yeah i bet!!!

[hesaigo999ca]

How much you want to bet that this was not deliberate on their part...this is part of the whole scheme of them cyberattacking all other countries and controlling the new cyberage.

hacker attack

[CPE1704TKS]

Come on, are we really being that stupid? Of course it was a hacker attack. The chances of an IP address "accidentally" being pointed to a Chinese one is remote.

These Chinese hackers (and hackers in general) are getting more and more dangerous. If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address. If the DNS is configured to give incorrect DNS information, then we really could get hosed here.

Re:hacker attack

si si senjor legalize it

Re:hacker attack

[Spad]

It's not so much a matter of things being "pointed" anywhere, more a side-effect of anycasting the root DNS servers so that if your current routing happens to put root servers in China as closer than any others, you'll get your results returned from them.

Of course, one could argue that countries shouldn't be allowed to mess with root DNS servers that they host and have them return invalid addresses for valid domains, but that's besides the point here.

Re:hacker attack

I tend to agree, as I very much doubt that the Chinese DNS server in question would accept requests from any IP address. Certainly the Chinese Firewall would know at the least what address ranges should be valid and acceptable to avoid server overload from such a misconfiguration. That being said I don't know a large amount about how that works, but from what I've seen there isn't much to know.

Re:hacker attack

[linhux]

If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address.

SSL uses domain names for verification, but it does not rely on them for authentication. If you hijack an SSL-enabled website, you would also need to steel their private key.

Re:hacker attack

[jon3k]

haha what? wow take off the tin foil hate dude. the chinese intercept dns requests. it's part of the great firewall of china. i.root-servers.net is one of the root servers and some ISP DNS servers in other countries query it (oh probably i dont know, 1 out of 13 times, give or take?). see where this is going? affecting anything outside of china was completely inadvertent, not that they care.

Re:hacker attack

[ekhben]

Or have a trusted CA operator sign over your private key.

Not that there's a Chinese CA operator in the trusted key set or an... er.

Don't mind me, I'm just rabble rousing. I do not believe that CNNIC is any less trustworthy than VeriSign. Or maybe more accurately, I do not expect that VeriSign is any more trustworthy than CNNIC :-) Oops, rabble rousing again.

Use 2FA for online banking, neither HTTPS nor DNS is safe.

OT

[fulldecent]

Maybe offtopic, but how does DNCSEC affect DNS level censorship?

Re:OT

Don't consider me perfectly reliable, but... it should prevent returning an incorrect result, but not returning no result. So the censors can still arrange for a site to be unfindable by DNS - but they can't redirect the query to a 'You arn't allowed to see this' message. It'll just give the user an error page.

Re:OT

[ekhben]

In principle, DNSSEC prevents this form of attack because you cannot form a chain of trust through a hijacked answer.

In practice, no-one checks the result for a signature failure, because it's Hard to know what the right thing is to do, and it's Pointless until the roots are signed.

The issue I have...

[XB-70]

is that all the problems with China seem to be one way. We don't hear of Chinese complaining about melamine in products from Western countries. It always seems to be about hacking, cheating, deception, malfaisance, obfuscation, corruption and blackmail.

Heck, even Dell is pulling out.

So, because the Chinese persist in behaving badly it's time for internet war. Let's band together and shut 'em down. Close off internet to China and see how they like it - after all, the TLD's are controlled by the U.S. As to messaging etc. they can phone and fax.

Sorry for such a rant but there has got to be a consequence for the level and voracity of the issues and problems that emanate from China - especially when the government there is never responsible.

Re:The issue I have...

[schizix]

ahh yes good ol' sanctions, they've been *proven* to work time and time again...

Re:The issue I have...

[jizziknight]

Except that the Chinese government would be perfectly happy to be cut off from the rest of the Internet. If we cut them off, they can just blame it on the US and claim they've done nothing to censor anything. You'd be giving them exactly what they wanted.

Re:The issue I have...

[ObsessiveMathsFreak]

We don't hear of Chinese complaining about melamine in products from Western countries.

Yeah; They just complain about trivial things like labour exploitation, poor wages, health and safety lapses, pollution, and foreign support for censorship technologies and the communist regime. It's not like the West has done anything wrong here!!!

Re:The issue I have...

...Close off internet to China and see how they like it - after all, the TLD's are controlled by the U.S.

... please hand in your geek badge

Re:The issue I have...

[rsborg]

You'd be giving them exactly what they wanted.

Which is what? An economic collapse? A justification for war?

The Chinese government is just like any other government (they have more control over their populace). Chinese in general are really fond of business opportunities, which get harmed by this action.

Re:The issue I have...

[RoboRay]

No, the Chinese government does not desire to simply cut off all access to the outside world. If they wanted to do that, they could do it themselves, today.

They want access, and more, they need access, as it is essential to them growing their economy.

What they actually want is total control over that access. And now they are releasing yet another poison out into the rest of the world. Shutting them down would be a very good thing. Payback is a bitch.

Re:The issue I have...

[RoboRay]

Ask Neville Chamberlain how a policy of doing nothing works out.

Re:The issue I have...

[labotux]

Don't be so brainwashed, will you ? the american media complaining about China doesn't mean Chinese media doesn't about US.

Re:The issue I have...

China is the largest country in the world. It stands to reason that more problems would emanate from there than anywhere else.

Not Really Misleading

[medv4380]

The reference to firewall is just different in this case. In China it's called the "Golden Shield Project" outside of China it's called the "Great Firewall of China". If you miss configure your DNS to look at China's DNS then you are using their Golden Shield hence you are using The Great Firewall of China.

Net views censorship as damage

[mi]

Remember that quote? "The Net views censorship as damage and, sometimes, routes into it..."

That server, operated out of China by Swedish service provider Netnod

Oh, yes, another one of those "Why can't we be more like Europe?!" moments...

Re:Net views censorship as damage

[FliesLikeABrick]

As far as I know, NetNod was not operating this i-root instance that was returning the censored answers.

I was following along with this on the dns-operations mailing list. This pertained to i-root in Asia, and various i-root node operators said "this is not our box". It was a rogue root server (whether installed by the Chinese government or an ISP guided by the government's hand) (as far as netnod/i-root is concerned) announcing the anycast block used by i-root. In doing so they basically advertised themselves as a root node for i-root and it doesn't seem like this was Netnod-affiliated at all. The summary (I didn't re-read the article to see if that said the same) implies that netnod was running this intentionally and serving up Chinese-censored results for affected sites. All this would take is a person with the ability to have their upstreams accept BGP announcements for the anycast block for i-root and run the server. Then any requests to i-root that are topologically "close" will start using this node.

Before anyone continually says that an ISP must have intentionally configured their servers to use this root, they should read up on IP anycasting and read the thread on the dns-operations mailing list instead of these 2nd/3rd/4th-hand summaries that are beginning to skew the facts.

https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html

Re:Net views censorship as damage

Somehow you and I don't appear to have been reading the same mailing list.

Re-read the e-mails from Kurtis@Netnod and the local operator more carefully...

what a firewall.

In Soviet Russia, Firewall misconfigures you!

djbdns

[derby604]

I am secretly hoping this was a Bind error wishing everyone would switch to the far superior http://cr.yp.to/djbdns.html

Re:Three words: Border Gateway Protocol

Yes they can, the same way that Pakistan's ISP took down access to Youtube for everyone in the world. Perhaps you should read up on the Border Gateway Protocol (BGP) before making such a stupid statement.

China China China

[cekander]

What gives with the media these days?
It's all too clear. Kinda like the cold war with Russia.
Except it's the Virtual War with China. Are yall ready for the next big pseudo war?
Arguably a war worth fighting, but at cost? Could this get ugly?

sure

The timing of this incident makes me guess it is no coincidence. Begun the clone-wars has. Now, we should maybe not have put a single tsar in charge of US cyber-security. He's in the background pulling the strings. It's the same problem as in Star Wars. The cyber-star has aspirations on being an emperor in the new empire that will rise in the ashes of the old republic of Internet.

View from inside Chile

[cenc]

I live and work in Chile, and know the network problems well here. Here is my take on it.

I seen that nic.cl had several of their DNS servers that where failing about three weeks ago (I just figured someone would figure it out and fix it, guess not ). Any .cl using nic.cl as their primary dns server ( what most .cl domains use by default rather than having their own), was having failures based on which of the dns servers at nic.cl they were using (I think two of them where failing).

Here is what I seen happening. I have a U.S. server, that hosts certain .cl web sites. They all use my own dns servers including backups dns servers spread around the world rather than Chile's dns server. I also have most ISP in China blocked at a firewall level for spam and security reasons (I have no use for talking to China in my biz). Other companies with .cl domains could not send mail to .cl domains on my server, because they where failing in the reverse lookup. That got me checking their DNS server, which happened to be nic.cl directly.

Now there is only about three ISPs in Chile. Yea, there are many by different names, but they all contract or are owned by three companies with the same hardware. Basically there is VTR cable company, Telefonica, and Telmex. Almost all others that I am aware of are the same company under a diffrent name, or they buy their upstream services from them. They all seem to share lines internationally.

The unnamed service provider in this case is most likly telmexchile.cl as they are the host for nic.cl ( a guess, based on other DNS problems I have seen over the years in Chile ).

DNS issues are very common in Chile with all the isps. About 2 months ago, telefonica mis-configured their dns servers and somewhere around 60% of all internet users, including mobile phone users (telefonica is known as movistar cell phone company) lost the ability to connect to much of the rest of the World. Telefonica is the upstream provider for many smaller ISP in Chile, and at times contracts through telmex also.

I have to run my own caching name servers for my offices in Chile, and never depend on the isp here for DNS servers because they are notorious for having caches that are more than 48 hours out of date, not to mention a lookup of domain can add as much as 5-10 seconds to a connection over just trying to get to the other side of the World to reach a foreign server. Especially for stuff that they do not have cached regularly. This has also personally led me to not trust the quality of what they are returning.

So, there is about 90% probability that the ISP in question is either telmex in Chile or Telefonica. The other is VTR cable, and as far as I know they had nothing to do with it because they don't normally do corporate type hosting. 98% of all internet is provided by those three sources according to a recent OECD report (not even sure what the other 2% is they are refering to in the report. Perhaps satellite).

So, the market inbreeding has turned Chile's internet in to a very unstable and fragil set of networks in the last few years, that is essentially unregulated. For instance, during the recent earthquake, even the web site for the national police in Chile got knocked offline for over a week along with most other goverment servers.

So I do not blaim this on China so much (beyond normal things), but on the poor quality of the network administrators and the even lower quality management at the ISP. Mostly I blame this on the former government, for not regulating the ISP and instead encouraging the monopolies that have developed. This was made evident to the country when all the cell phone networks in the country failed for days after the earthquake because they failed to do things like have battery backups for the cell phone towers. I expect some serious changes are on the way.

Can you say BGP and anycast?

[one2go]

The "misconfiguration" was apparently at the routing layer, caused by BGP. There are 13 DNS root servers, A-M. Several mirrors around the world actually share the same IP for a specific root server. Your DNS query to a root server IP is usually routed to the closest server with that IP, due to anycast routing. Apparently, a BGP misconfiguration caused an incorrect route to be advertised. Ars Technica apparently broke the story and has a very good description. They quote VeriSign spokesman Brad Williams:

"In our regular network checks, we recently noticed that routes were being announced outside of China for our anycast server there," Williams said in a statement. "As this was an aberration, we notified our technical partner in China and helped them resolve the issue. Our network checks show that the issue is now resolved."

Mauricio Vergara Ereche, a DNS Admin for Chile NIC, first noticed the problem. Queries to the I root server i.root-servers.net at IP 192.36.148.17 for www.facebook.com resolved to an actual IP address (in China) instead of redirecting to the .com DNS server as it should have. He posted this in his message to the dns-operations mailing list:

This is an example of what are wee seeing:

$ dig @i.root-servers.net www.facebook.com A

; DiG 9.6.1-P3 @i.root-servers.net www.facebook.com A

; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 7448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com. IN A

;; ANSWER SECTION:

www.facebook.com. 86400 IN A 8.7.198.45

;; Query time: 444 msec
;; SERVER: 192.36.148.17#53(192.36.148.17)
;; WHEN: Wed Mar 24 14:21:54 2010
;; MSG SIZE rcvd: 66

Great Firewall of Sweden?

[Taco+Cowboy]

Now who should we blame?

China or Sweden?

Turn out the Swedes are operating the Great Firewall of China.

If the Chinese are to be blamed of censorship, the Swedes must be blamed of ENFORCING the censorship.

In A.D. 2010...

[kelanden]

War was beginning...

(Obligatory humor: Somebody set up us the BIND).

Chinese Firewall spreading

This is what we get for not nuking the bastards when they crossed the Yalu River during the Korean War. Should have fixed it then...

So China can reroute US traffic to China?

>> we notified our technical partner in China and helped them resolve the issue.
>> Our network checks show that the issue is now resolved."

So this routing issue originated and had to be corrected in China???

So some low security DOD computer in the US goes to say dodsite1.gov and China can make it actually go to a Chinese controlled web site if they want to???

WHAT???

Netnod's comments

[klindqvist]

All,

as this topic has drawn quite some interest I would like to reiterate some of our other public comments.At Netnod/Autonomica we are completely dedicated to serving the IANA root zone as we receive it. We do not intercept, interfere, rewrite or otherwise alter either queries, responses or the content of the zone itself. The events that occurred are still being investigated and as soon as we deemed we had collected enough data we withdraw the announcements from on of our anycast nodes that serve i.root-servers.net.

I can't guarantee that me or any of our staff monitors this thread, but we do try and communicate to the community as much as we can without adding further speculations.

Best regards,

- kurtis -

---
Kurt Erik Lindqvist, CEO
kurtis@netnod.se, Direct: +46-8-562 860 11, Switch: +46-8-562 860 00
Please note our new address:
Franzéngatan 5 | SE-112 51 Stockholm | Sweden