Slashdot Mirror


For 18 Minutes, 15% of the Internet Routed Through China

olsmeister writes "For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs." The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.

15 of 247 comments

  1. Nobody Noticed ... Except Everyone (Even Slashdot) by eldavojohn · · Score: 5, Informative

    The crazy thing is that this happened months ago, and nobody noticed.

    Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again).

    --
    My work here is dung.
  2. Re:Nobody Noticed ... Except Everyone (Even Slashd by interkin3tic · · Score: 4, Informative

    That summary and article didn't report the .mil or .gov traffic.

    I guess we just assumed it was only youtube videos or pokes on facebook.

  3. Invalid Certificates by Bios_Hakr · · Score: 3, Informative

    From National Defense Magazine: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249#

    "If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better," he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it's web traffic, emails or instant messaging, Alperovitch said. "It is a flaw in the way the Internet operates," said Yoris Evers, director of worldwide public relations at McAfee.

    What makes this really annoying is that a lot of .mil sites use self-signed certificates. When doing mil-2-mil browsing, you just get used to clicking whatever to get into the site. So, I can easily see how China could do a MITM without alarming any of the end users.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
    1. Re:Invalid Certificates by Anonymous Coward · · Score: 1, Informative

      Actually they're not self-signed. They have their own root certificate that you have to install to use the non-public-intended .gov and .mil servers.

      I do tech support for my father who is in the military. Guess who got to install the root cert.

    2. Re:Invalid Certificates by Anonymous Coward · · Score: 1, Informative

      Mil sites definitely are not using self-signed certs. In fact the IA folks would probably crucify you and your so-called noncompliant servers. Users must install the appropriate root and intermediate certificates on their workstations, obtained from trusted sources. If you are doing mil2mil browsing and getting those errors, I would chalk that up to user error.

    3. Re:Invalid Certificates by volcan0 · · Score: 3, Informative
    4. Re:Invalid Certificates by Mr+44 · · Score: 2, Informative

      Hint: that issuer ain't Verisign. I don't know whether that's the official DoD cert or if that's one created by that particular organization, but I do know that it doesn't ship with any popular browser by default

      No, it's not Verisign. And of course they aren't self-signed, that's retarded. The US military has the largest PKI deployment in the world; they know a thing or two about certs. The DOD has their own root certificates which don't ship by default with commercial browsers, since they aren't relevant for normal use (and theoretically, they would allow the DOD to MITM your SSL connections).

      If you want, you can download and install them: http://dodpki.c3pki.chamb.disa.mil/rootca.html

  4. Re:Nobody Noticed ... Except Everyone (Even Slashd by Sepodati · · Score: 4, Informative

    They hijacked prefixes, not data. At least not directly. If you sent a packet during that time, it may have been routed to China. I doubt they stood up a big infrastructure to close TCP sessions with all of that incoming traffic and actually capture anything. Perhaps for a very targeted attack they could have, but then there'd be better ways than this to do it, I imagine.

  5. Re:As designed by Anonymous Coward · · Score: 2, Informative

    Well, it depends. The protocol is made to be elastic, and therefore sensitive to network topography changes. Lines might become congested or go down, which means the shortest path might indeed be through a rather round-about course. Routing all this data to China would be quite an extreme example, though. Either a lot of failure would have to occur at the same time, or they would have to broadcast false numbers to give themselves a better routing metric.

  6. And for documentation about the NSA closets by thesandbender · · Score: 4, Informative
  7. this is why I go with the station wagon by antifoidulus · · Score: 2, Informative

    If you manage to end up in China when driving a station wagon full of tapes from North Carolina to DC you REALLY are doing it wrong.

  8. Re:There goes the neighborhood... by Amouth · · Score: 3, Informative

    With BGP, if I advertise myself as a route to a subnet, others around me will try to send me that traffic IF they trust me.

    Now with a small company like mine.. my telco doesn't accept any routes other than my own subnets, so instead I would just blackhole myself.

    Now take a large telco or backbone provider.. say Level 3.. if they started advertising a route to my subnets, then everyone who is closer to them than me (basically everyone) will send L3 the traffic..

    This type of attack/whatever you want to call it - only works if you are a big enough player for your neighbors to believe what you are advertising.

    With my L3 example.. not every telco (or any really) would review that route change.. as for all they know I got a leased line from L3 or set up a peering agreement..

    The cardinal sin of BGP is to advertise a route that isn't yours. But that is all it is.. an advertisement.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  9. Re:Nobody Noticed ... Except Everyone (Even Slashd by Anonymous Coward · · Score: 5, Informative

    Sorry to be AC.

    As an IP engineer at a major backbone provider, I can safely comment on the hyperbole of this incident.

    China Telecom -4134- would have to either send very/more specific routes and get max prefixes blown out, or send very general routes and lose to smaller routes.

    Yes, for a little while any "tier 1" player, or major government player, can convince another provider to send routes to an inappropriate AS, but the game soon ends. Anyone who isn't running at the very least a max prefix is a cluetard and needs their peering revoked anyway. From my 20%, 4134 is always a hair's breadth away from getting a smackdown.

    tldr; they can't really steal the whole internet, but we need to watch out for smaller route hijacking.
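The two mechanics Amouth and the backbone engineer describe above (a neighbour's advertisement wins if it is trusted and more specific; a max-prefix limit ends the game by resetting the session) can be seen in a toy routing table. The following is an added example written for this page, not code from any post in the thread or from any router vendor; the AS numbers 64500/64501, the prefixes 203.0.113.0/24 and 198.51.100.0/24, and the `Rib` class are constructed for illustration, and the monitor it includes is a defender-side check that flags an origin AS other than the one expected for a watched prefix.

```python
import ipaddress
from collections import defaultdict

# Constructed monitoring table (assumption): the prefixes we care about and the AS
# that is supposed to originate each of them. Documentation-range values only.
EXPECTED_ORIGIN = {ipaddress.ip_network("203.0.113.0/24"): 64500}


class Rib:
    """Toy BGP routing table: one best route per prefix, a per-peer max-prefix
    limit, longest-prefix-match lookups and an origin-change monitor."""

    def __init__(self, max_prefix=2):
        self.routes = {}                            # prefix -> (peer_as, as_path)
        self.peer_prefixes = defaultdict(set)       # peer_as -> prefixes accepted from it
        self.max_prefix = max_prefix                # limit per peer before session reset
        self.shut_peers = set()                     # peers whose session was torn down
        self.alerts = []                            # (prefix, seen_origin, expected_origin)

    def announce(self, peer_as, prefix_str, as_path):
        """Process an UPDATE from peer_as; as_path lists ASes nearest-first, origin last.
        Returns 'rejected', 'session-reset' or 'accepted'."""
        prefix = ipaddress.ip_network(prefix_str)
        if peer_as in self.shut_peers:
            return "rejected"                       # nothing accepted from a reset peer
        is_new = prefix not in self.peer_prefixes[peer_as]
        if is_new and len(self.peer_prefixes[peer_as]) + 1 > self.max_prefix:
            # Max-prefix guard: drop the session and withdraw everything it gave us.
            self.shut_peers.add(peer_as)
            for p in self.peer_prefixes.pop(peer_as):
                if self.routes.get(p, (None,))[0] == peer_as:
                    del self.routes[p]
            return "session-reset"
        # A newer advertisement for the same prefix replaces the old one; keep the
        # per-peer bookkeeping consistent when the previous route came from elsewhere.
        old = self.routes.get(prefix)
        if old and old[0] != peer_as:
            self.peer_prefixes[old[0]].discard(prefix)
        self.peer_prefixes[peer_as].add(prefix)
        self.routes[prefix] = (peer_as, tuple(as_path))
        # Monitor: any advertisement that covers or is covered by a watched prefix
        # must come from the expected origin, otherwise raise an alert.
        origin = as_path[-1]
        for watched, expected in EXPECTED_ORIGIN.items():
            covers = prefix.subnet_of(watched) or watched.subnet_of(prefix)
            if covers and origin != expected:
                self.alerts.append((str(prefix), origin, expected))
        return "accepted"

    def lookup(self, addr):
        """Longest-prefix match: the most specific route containing addr wins."""
        ip = ipaddress.ip_address(addr)
        matches = [p for p in self.routes if ip in p]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda p: p.prefixlen)]


def demo():
    """Replay the scenario from the thread and return what each step produced."""
    rib = Rib(max_prefix=2)
    rib.announce(64500, "203.0.113.0/24", [64500])          # legitimate origin
    before = rib.lookup("203.0.113.10")
    # A large, trusted peer advertises a more-specific /25: it wins by longest match
    # for half the space, while the other half still follows the legitimate /24.
    rib.announce(64501, "203.0.113.0/25", [64501])
    hijacked = rib.lookup("203.0.113.10")
    untouched = rib.lookup("203.0.113.200")
    # A less-specific aggregate from the same peer loses to the legitimate /24.
    rib.announce(64501, "203.0.112.0/22", [64501])
    still_ok = rib.lookup("203.0.113.200")
    # Third prefix from that peer exceeds max-prefix: session reset, routes withdrawn.
    status = rib.announce(64501, "198.51.100.0/24", [64501])
    restored = rib.lookup("203.0.113.10")
    return {"before": before, "hijacked": hijacked, "untouched": untouched,
            "still_ok": still_ok, "status": status, "restored": restored,
            "alerts": rib.alerts}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things to notice: the /25 diverts only the addresses it covers, which is why a leak that goes unnoticed by end users still shows up as an origin change to anyone comparing advertisements against an expected-origin list; and the max-prefix reset returns the table to its pre-leak state, which is the "game soon ends" outcome the engineer describes.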

  10. Re:Stop the trolling by madprof · · Score: 4, Informative

    Since when has a low UID meant anything? Or, indeed, positive karma?
    They're trolling, pure and simple. And quite well given you took the bait!

  11. Re:There goes the neighborhood... by response3 · · Score: 2, Informative

    This has been an open topic for some time....but the problem is that in order to implement it, you'd have to eventually upgrade the OS of every BGP router in the world. From the IP Journal,

    http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-3/securing_bgp_s-bgp.html
    "Status:

    As of early 2003, an implementation of S-BGP has been developed and demonstrated on small numbers of workstations representing small numbers of ASes. We also developed software for a simple repository, and for NOC tools that support secure upload and download of certificates, CRLs, and AAs to and from repositories, and for certificate management for NOC personnel and routers. This suite of software, plus CA software from another Defense Advanced Research Projects Agency (DARPA) program, provide all of the elements needed to represent a full S-BGP system. All of this software is available in open source form.

    Summary

    S-BGP represents a comprehensive approach to addressing a wide range of security concerns associated with BGP. It detects and rejects unauthorized UPDATE messages, irrespective of the means by which they arise; for example, misconfiguration, active wiretapping, compromise of routers or management systems, etc. S-BGP is not perfect; it has a few residual vulnerabilities, but these pale in comparison to the security features S-BGP provides, and removal of these vulnerabilities would require more fundamental changes to BGP semantics.

    The S-BGP design is based on a top-down security analysis, starting with the semantics of BGP and factoring in the wide range of attacks that have or could be launched against the existing infrastructure."
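The quoted S-BGP summary says the protocol "detects and rejects unauthorized UPDATE messages"; the decision a router makes is that every AS in the path must hold an attestation from the party before it. The following is an added example written for this page, not the S-BGP reference implementation or any code from the thread. It assumes the cryptographic signatures on address attestations (AAs) and route attestations have already been verified against the S-BGP PKI, so each attestation is represented as a plain record in a set; the AS numbers 64500 to 64503 and the prefix 203.0.113.0/24 are constructed, and exact-prefix matching of AAs is a simplification of the real covering-prefix check.

```python
# Constructed attestation store (assumption: signatures already verified, so an
# attestation is valid if and only if its record is present here).

# Address attestation: the holder of a prefix authorizes one AS to originate it.
ADDRESS_ATTESTATIONS = {
    ("203.0.113.0/24", 64500),
}

# Route attestation: (from_as, to_as, prefix) means from_as, having a route for
# prefix, authorizes its neighbour to_as to propagate it further.
ROUTE_ATTESTATIONS = {
    (64500, 64501, "203.0.113.0/24"),
    (64501, 64502, "203.0.113.0/24"),
}


def validate_update(prefix, as_path, my_as,
                    aas=ADDRESS_ATTESTATIONS, ras=ROUTE_ATTESTATIONS):
    """S-BGP style check of one UPDATE received by my_as.

    as_path lists ASes nearest-first, origin last (BGP wire order). Returns
    (True, 'valid') or (False, reason) for the first failing check."""
    if not as_path:
        return False, "empty AS_PATH"
    origin = as_path[-1]
    # 1. The origin must be authorized by the prefix holder to announce it.
    if (prefix, origin) not in aas:
        return False, f"origin AS{origin} holds no address attestation for {prefix}"
    # 2. Walk from the origin towards us: each AS must have authorized the next
    #    one, and the last AS in the path must have authorized us.
    hops = list(reversed(as_path)) + [my_as]
    for src, dst in zip(hops, hops[1:]):
        if (src, dst, prefix) not in ras:
            return False, f"AS{src} did not authorize AS{dst} to propagate {prefix}"
    return True, "valid"


def demo():
    """Run the checks AS 64502 would perform on four constructed UPDATEs."""
    me = 64502
    return {
        # Legitimate path: origin 64500 -> 64501 -> us, every hop attested.
        "legit": validate_update("203.0.113.0/24", [64501, 64500], me),
        # A large peer originating someone else's prefix: no address attestation.
        "bogus_origin": validate_update("203.0.113.0/24", [64501], me),
        # Same origin, but a more-specific prefix nobody attested for.
        "more_specific": validate_update("203.0.113.0/25", [64501, 64500], me),
        # Path through an AS that was never authorized by its predecessor.
        "unauthorized_hop": validate_update("203.0.113.0/24", [64503, 64501, 64500], me),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The rejection reasons map directly onto the summary's list: a misconfigured or compromised router that originates a prefix it does not hold fails check 1, and a path altered anywhere in transit fails check 2, regardless of which AS did the altering. Path attestations also make this check stronger than an origin-only check, which is the part that distinguishes S-BGP from origin validation alone.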