Slashdot Mirror
China's Great Firewall Infects Other Countries
angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."
Chinese official: "Whoops..." (with big grin on face).
The world's burning. Moped Jesus spotted on I50. Details at 11.
And their firewalls didn't detect the melamine in the imported DNS records? Pitiful.
Parasites? Oh, don't be a spoil sport! Oh... wait... never mind...
Fine Google you want to leave China. Where you going to go when we take over the whole internet.
The headlines now tell you absolutely nothing about the actual stories.
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Misconfiguration of resolv.conf does not put China's firewall in your way. Add yourself to the tool belt.
In other news, WW3 started slowly with Google and Dell pulling out of China. Infowars continued to increase when China's root nameserver began to propagate its information out to the developing world, areas that had been increasingly reliant on Chinese funding since the post-cold-War US' international power began to wane..
(Firewall is subverted...)
Damn you cyber-Mongorians!
Bow-ties are cool.
Either they already fixed it or the article is wrong, because I'm in Chile and Facebook and Youtube seem fine to me
It's no secret in China that this square exists. It's just what happened there $%*+
NO CARRIER
The Tao of math: The numbers you can count are not the real numbers.
It's the other way around than what you're suggesting. Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.
They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.
China wants to rule the world. (Or at least make sure they make money somehow everywhere.) I can see the Chinese - all using Red Flag Linux (or some pirated copy of Wintendo) - gathering together to control all DNS machines. This was a warning - mess with us and we take your DNS down.
The Kai's Semi-Updated Website Thingy
So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.
Get a web developer
I greatly prefer it to enslaving our children in unsustainable debt to make the a handful of industrialists even richer.
Youtube, Wikipedia and hell even Slashdot have had access problems this week. 6th form conspiracy theorist asks "Is 'something' is going on"?
US DNS servers magically start pulling DNS data from chinese servers? Uh huh. Completely an "accident".
moox. for a new generation.
Life is really easy when you let someone like Glen Beck do all your thinking for you, isn't it Michael?
Which, proves the point that perhaps China should not be allowed to have any DNS root servers.
I would say that if a DNS server does not return the same information as all other root servers in the world that it should not be allowed to be a root server.
Well Micky, who does your thinking? Sean Penn?
Is there a site somewhere which lists the companies willing to assist China (and other equally repressive countries)? I'm not in Sweden but if it turned out for example that a UK based company was helping them block access to Google or whatever then I'd take my business elsewhere.
I was wondering about that fortune cookie that said "All of your root servers are belonging to us."
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
So any wrongful destination now has a lot of passwords. Especially IMAP and POP and suchlike, not even a need to set up a misleading website, you can play totally innocent.
Prevention:
1) Don't have a root server in a country that wants to censor information
2) Implement free SSL certs so that it is no longer "normal" to just click through the SSL cert alert
3) DNSCurve, DNSSEC, whatever
4) Encrypt.
5) Even when using encryption always use auth schemes that cannot be replayed afterwards. Without certs I don't think you can stop MITM, but much too many people use only one password for a lot of different things, at least that one won't be in the sniffer's hands.
More?
ancient chinese secret, huh?
fak3r.com
Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?
Well, I suppose it pays to talk real sweet to a country that pretty much owns us now.
American Third Position
Finally, a real choice!
It's funny, because the Reagan years spent more than compared to the GDP than Clinton or GWB but you I happen to like those kind of "facts". In the Clinton years spending v GDP went down quite a bit. The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton.
Firewall burns you!
How much you want to bet that this was not deliberate on their part...this is part of the whole scheme of them cyberattacking all other countries and controlling the new cyberage.
Come on, are we really being that stupid? Of course it was a hacker attack. The chances of an IP address "accidentally" being pointed to a Chinese one is remote.
These Chinese hackers (and hackers in general) are getting more and more dangerous. If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address. If the DNS is configured to give incorrect DNS information, then we really could get hosed here.
Maybe offtopic, but how does DNCSEC affect DNS level censorship?
-- I was raised on the command line, bitch
China can have all the root servers they want - just don't configure your server to poll them.
The great firewall can work both ways. I experimented for a time with simply banning all asian netblocks at my firewall. If China refuses to play nice, everyone else can simply ignore them.
"Please describe the scientific nature of the 'whammy'" - Agent Scully
bullshi+. Bush, Reagan were huge debt creators. Now you blame Obama for the increase in debt when the bailout was designed by Bush in the first place, and also necessary to keep this economy from falling flat on its face by the greedy, uncontrolled and short-sighted bankers. The war? How expensive has that been? Besides, healthcare is national defense and will reduce abortions by providing effective birth control to women more often. Bug the f off.
A Good Troll is better than a Bad Human.
Heck, even Dell is pulling out.
So, because the Chinese persist in behaving badly it's time for internet war. Let's band together and shut 'em down. Close off internet to China and see how they like it - after all, the TLD's are controlled by the U.S. As to messaging etc. they can phone and fax.
Sorry for such a rant but there has got to be a consequence for the level and voracity of the issues and problems that emanate from China - especially when the government there is never responsible.
*** Don't be dull.***
the swedes, troll ... oh, sweet irony
"Hannibal's plans never work right. They just work." Amy/A-Team
The reference to firewall is just different in this case. In China it's called the "Golden Shield Project" outside of China it's called the "Great Firewall of China". If you miss configure your DNS to look at China's DNS then you are using their Golden Shield hence you are using The Great Firewall of China.
Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?
bullshi+
Dude, if you're going to say it, just say it :)
Remember that quote? "The Net views censorship as damage and, sometimes, routes into it..."
Oh, yes, another one of those "Why can't we be more like Europe?!" moments...
In Soviet Washington the swamp drains you.
And China would raff at you.
Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?
At least *some* people get rich.
Wait, that works in China too. Ah, it's just screwed everywhere.
May contain traces of nut.
Made from the freshest electrons.
Bullshiplus!
The revolution will be mocked
China can have all the root servers they want - just don't configure your server to poll them.
Actually China is demonstrably incapble of having any working root servers at all. A DNS server that returns incorrect information is not a "root" server, if by "root" you mean "authoritative source of DNS information that resolves domain names properly."
It's really too bad that China is incapable of hosting DNS root servers. Hopefully by the end of the 21st century China will be a little less backward and isolated from the rest of the world, which would benefit greatly from interaction with so many people from such diverse cultural and political backgrounds.
Blasphemy is a human right. Blasphemophobia kills.
I am secretly hoping this was a Bind error wishing everyone would switch to the far superior http://cr.yp.to/djbdns.html
This is pretty misleading. Total government spending went up pretty much lineraly at the same rate during both the Reagan and Clinton years.
http://www.usgovernmentspending.com/downchart_gs.php?year=1980_2000&view=1&expand=&units=b&fy=fy11&chart=F1-total&bar=0&stack=1&size=m&title=&state=US&color=c&local=s
In comparison to GDP, it did go down somewhat during the Clinton years:
http://www.usgovernmentspending.com/downchart_gs.php?year=1980_2000&view=1&expand=&units=p&fy=fy11&chart=F1-total&bar=0&stack=1&size=m&title=&state=US&color=c&local=s
But what really helped as far as the debt there was increased income tax rates and more money being made in the private sector.
Now, spending during Bush per GDP actually pretty much flatlined until 2006/2007. Does anyone know what happened then?
http://www.usgovernmentspending.com/downchart_gs.php?year=2000_2010&view=1&expand=&units=p&fy=fy11&chart=F1-total&bar=0&stack=1&size=m&title=&state=US&color=c&local=s
Your point that both Bush and Reagan were big spenders compared to what they claimed is true, but you can't deny that the current administration is making no effort to reduce the debt, and it is exploding way faster than any previous president with no end in sight, while we are losing the surpluses of Social Security and Medicare that we had in the past. We can debate the past all we want but no one is going to change sides. I personally think it is worth noting that most of the companies that created the tech boom of the 90s really started in the 80s, and that the tech boom and Bill Gates had more to do with the Economic boom and surpluses of the 90s than did Bill Clinton. You would probably disagree. But surely we can all agree that we are headed in the wrong direction. If spending does not drastically slow down soon, we will be past the point of no return to becoming an insolvent nation within this decade.
What gives with the media these days?
It's all too clear. Kinda like the cold war with Russia.
Except it's the Virtual War with China. Are yall ready for the next big pseudo war?
Arguably a war worth fighting, but at cost? Could this get ugly?
"Besides, healthcare is national defense and will reduce abortions"
What? I do not follow this logic or see what it has to do with government spending.
"Now you blame Obama for the increase in debt when the bailout was designed by Bush in the first place"
The bailout was necessary, but implementation was rushed, ineffective, and more expensive than it should have been. That it was caused in any way by Bush is almost laughable, but at the very least debatable. Economic policies and deregulation that got us to that point happened mostly in the 90s under the pretense of helping low-income families obtain mortgages. As soon as these were passed in the late 90s, the housing bubble began to build. http://mysite.verizon.net/vzeqrguz/housingbubble/
The fallout in 2008 was a result of this bubble finally bursting. It was worse than the tech bubble bursting in the late 90s because it affected securities that have always been considered safe by institutional investors.
The bailout is only part of the spending increases under Obama, which together dwarf the $1Trillion expense of the war. (Which Obama is continuing and actually spending more on.) The other huge part is the stimulus bill which was mostly ineffective (what do you expect from a package special interest pork disguised as a stimulus bill?) and our jobless rate is worst that what was predicted by the administration if the bill were never passed.
I get your frustration. Obama did not get us to this point and should not be given all the blame. But he sure seems to be doing a great job at making it worse.
God I wish both Republicans AND Democrats would shut up. Both parties accept huge bribes (campaign contributions) in exchange for votes. There is always a shameful deficit no matter who is in power (don't get started with Clinton and his raiding of Social Security to make the budget look balanced. No matter who is in charge, the army is out invading some new country: Somalia, Kosovo, Iraq, Panama, etc.
This dumb Democrat healthcare bill is just as big a coporate handout to the pharmaceutical and insurance companies as the Republican prescription drug plan.
So in summary: If you live on every word of Rush Limbaugh, Sean Hannity OR Jon Stewart, Keith Olberman, etc, you are all equally stupid.
It's actually more like we own each other.
I value politeness. If you extend it to me, I'll extend it to you.
I live and work in Chile, and know the network problems well here. Here is my take on it.
I seen that nic.cl had several of their DNS servers that where failing about three weeks ago (I just figured someone would figure it out and fix it, guess not ). Any .cl using nic.cl as their primary dns server ( what most .cl domains use by default rather than having their own), was having failures based on which of the dns servers at nic.cl they were using (I think two of them where failing).
Here is what I seen happening. I have a U.S. server, that hosts certain .cl web sites. They all use my own dns servers including backups dns servers spread around the world rather than Chile's dns server. I also have most ISP in China blocked at a firewall level for spam and security reasons (I have no use for talking to China in my biz). Other companies with .cl domains could not send mail to .cl domains on my server, because they where failing in the reverse lookup. That got me checking their DNS server, which happened to be nic.cl directly.
Now there is only about three ISPs in Chile. Yea, there are many by different names, but they all contract or are owned by three companies with the same hardware. Basically there is VTR cable company, Telefonica, and Telmex. Almost all others that I am aware of are the same company under a diffrent name, or they buy their upstream services from them. They all seem to share lines internationally.
The unnamed service provider in this case is most likly telmexchile.cl as they are the host for nic.cl ( a guess, based on other DNS problems I have seen over the years in Chile ).
DNS issues are very common in Chile with all the isps. About 2 months ago, telefonica mis-configured their dns servers and somewhere around 60% of all internet users, including mobile phone users (telefonica is known as movistar cell phone company) lost the ability to connect to much of the rest of the World. Telefonica is the upstream provider for many smaller ISP in Chile, and at times contracts through telmex also.
I have to run my own caching name servers for my offices in Chile, and never depend on the isp here for DNS servers because they are notorious for having caches that are more than 48 hours out of date, not to mention a lookup of domain can add as much as 5-10 seconds to a connection over just trying to get to the other side of the World to reach a foreign server. Especially for stuff that they do not have cached regularly. This has also personally led me to not trust the quality of what they are returning.
So, there is about 90% probability that the ISP in question is either telmex in Chile or Telefonica. The other is VTR cable, and as far as I know they had nothing to do with it because they don't normally do corporate type hosting. 98% of all internet is provided by those three sources according to a recent OECD report (not even sure what the other 2% is they are refering to in the report. Perhaps satellite).
So, the market inbreeding has turned Chile's internet in to a very unstable and fragil set of networks in the last few years, that is essentially unregulated. For instance, during the recent earthquake, even the web site for the national police in Chile got knocked offline for over a week along with most other goverment servers.
So I do not blaim this on China so much (beyond normal things), but on the poor quality of the network administrators and the even lower quality management at the ISP. Mostly I blame this on the former government, for not regulating the ISP and instead encouraging the monopolies that have developed. This was made evident to the country when all the cell phone networks in the country failed for days after the earthquake because they failed to do things like have battery backups for the cell phone towers. I expect some serious changes are on the way.
Living in Chile
The "misconfiguration" was apparently at the routing layer, caused by BGP. There are 13 DNS root servers, A-M. Several mirrors around the world actually share the same IP for a specific root server. Your DNS query to a root server IP is usually routed to the closest server with that IP, due to anycast routing. Apparently, a BGP misconfiguration caused an incorrect route to be advertised. Ars Technica apparently broke the story and has a very good description. They quote VeriSign spokesman Brad Williams:
Mauricio Vergara Ereche, a DNS Admin for Chile NIC, first noticed the problem. Queries to the I root server i.root-servers.net at IP 192.36.148.17 for www.facebook.com resolved to an actual IP address (in China) instead of redirecting to the .com DNS server as it should have. He posted this in his message to the dns-operations mailing list:
I imagine he means that "health care is saving the lives of future American citizens and is thus national defense." I don't agree with that sentiment, but that's what I got from it.
Now who should we blame?
China or Sweden?
Turn out the Swedes are operating the Great Firewall of China.
If the Chinese are to be blamed of censorship, the Swedes must be blamed of ENFORCING the censorship.
Muchas Gracias, Señor Edward Snowden !
War was beginning...
(Obligatory humor: Somebody set up us the BIND).
Hear, hear. We can argue the merits of the ramblings of the "different" ideologues all day, but true reform won't come until we elect representatives that actually have that as their goal and don't just pay lip service to it.
.... Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.
Not quite accurate. The Netnod server 'causing the problem' claims to have and be serving proper information, but the Chinese instance of that server is having it's data stream filtered by China (on the presumption that nobody outside of China is getting information from that server). The problem arose when a couple of high-volume servers (one, or more, in Chile and one, apparently in California) got their root query packets routed through China and ended up filtered the same way that internal-Chinese queries get filtered.
To solve that problem without having to wander through layers of Chinese technical and political bureaucracy, the easiest solution was for Netnod to simply 'turn off' routes to it's Chinese server until the relevant Chilean and Californian routers get less problematic setups.
The root of the problem (if you'll allow the pun) is that China is silently hacking data from legitimate root servers that go through their systems. Normally this only affects users inside of China but, in this case, part of 'The Great Firewall of China' leaked out into the rest of the world.
Free Software: Like love, it grows best when given away.
I daresay that it wasn't deregulation that got us into this mess, but rather the mandate that housing is a right. Our government let us down when they decided that it didn't need to make financial sense for a person to own a home, only that they needed to want it badly enough and they could get a loan.
The shocker is that we're doing the same thing to healthcare and my children will be paying for it.
SRSLY.
That's stupid. Just let them setup their own name servers that query the ACTUAL roots and modify the data anyway they please. You don't fuck with critical internet infrastructure like a root name server.
they can "raff" all they want without their root server -- which just got yanked. suck it china!
that's the best part -- all this wealth is in US debt. now if the US fails the Chinese lose trillions of dollars. The americans aren't dumb, they just sold the Chinese the greatest and most expensive insurance policy in history FOR THEMSELVES and the Chinese bought it :) pretty brilliant if you ask me.
All,
as this topic has drawn quite some interest I would like to reiterate some of our other public comments.At Netnod/Autonomica we are completely dedicated to serving the IANA root zone as we receive it. We do not intercept, interfere, rewrite or otherwise alter either queries, responses or the content of the zone itself. The events that occurred are still being investigated and as soon as we deemed we had collected enough data we withdraw the announcements from on of our anycast nodes that serve i.root-servers.net.
I can't guarantee that me or any of our staff monitors this thread, but we do try and communicate to the community as much as we can without adding further speculations.
Best regards,
- kurtis -
---
Kurt Erik Lindqvist, CEO
kurtis@netnod.se, Direct: +46-8-562 860 11, Switch: +46-8-562 860 00
Please note our new address:
Franzéngatan 5 | SE-112 51 Stockholm | Sweden
Partially. But I was also suggesting that a good healthcare and healthiinsurance infrastructure is a useful defense against bio-terrorism.
A Good Troll is better than a Bad Human.