Slashdot Mirror


For 18 Minutes, 15% of the Internet Routed Through China

olsmeister writes "For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs." The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.

46 of 247 comments

  1. Nobody Noticed ... Except Everyone (Even Slashdot) by eldavojohn · · Score: 5, Informative

    The crazy thing is that this happened months ago, and nobody noticed.

    Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again).

    --
    My work here is dung.
  2. I knew something was weird by elrous0 · · Score: 4, Funny

    All my emails started showing up with fortunes and free eggrolls.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:I knew something was weird by Da_Biz · · Score: 3, Funny

      All my emails started showing up with fortunes and free eggrolls.

      And ended with "in bed."

    2. Re:I knew something was weird by drainbramage · · Score: 5, Funny

      An hour later.....
      I wanted to read them again.

      --
      No brain, no pain.
  3. I remember that day by Anonymous Coward · · Score: 3, Funny

    I had just finished torrenting a 10gig 1080p mkv and 18 minutes later I was hungry for more downloads.

  4. As designed by Neil+Watson · · Score: 4, Insightful

    Isn't that what the Internet was designed to do; route as needed to get bits to their destination?

    1. Re:As designed by Anonymous Coward · · Score: 2, Informative

      Well, it depends. The protocol is made to be elastic, and therefore sensitive to network topography changes. Lines might become congested or go down, which means the shortest path might indeed be through a rather round-about course. Routing all this data to China would be quite an extreme example, though. Either a lot of failure would have to occur at the same time, or they would have to broadcast false numbers to give themselves a better routing metric.

    2. Re:As designed by janeuner · · Score: 2, Interesting

      Yes. It worked as designed. That is the crazy thing.

    3. Re:As designed by vxice · · Score: 3, Funny

      Depends, what is the normal average for traffic going through China? Among other things such as did China just happen to have the best routes for this anyways? This summary doesn't give the basic necessary information, oh wait this is slashdot I thought I was in a different tab for a min.

      --
      every anarchist is a baffled dictator. Benito_Mussolini
  5. Imagine how china feels by js3 · · Score: 5, Insightful

    when that 18mins is over and all their stuff goes through American servers

    --
    did you forget to take your meds?
    1. Re:Imagine how china feels by Servaas · · Score: 3, Insightful

      Only the stuff they want though

  6. The Chinese aren't the reason to use encryption by Christianfreak · · Score: 5, Insightful

    There are plenty of reasons to use encryption but the Chinese government just isn't one of them for me. If I view something they don't like, what exactly are they going to do? I suppose they could block my access but it's not like I would get thrown in a Chinese prison.

    I have a lot more to worry about from identity thieves, scams and heck, my own government.

    1. Re:The Chinese aren't the reason to use encryption by 140Mandak262Jamuna · · Score: 2, Insightful

      Of course, you could be a human rights activist providing anonymizing proxy for some oppressed, sadly now recently deceased, soul in Beijing.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:The Chinese aren't the reason to use encryption by LWATCDR · · Score: 4, Insightful

      Depends. Sending any igs files of that new project to anybody?
      How about that source code.
      I fear we are getting way too comfortable with email for my taste.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    3. Re:The Chinese aren't the reason to use encryption by Tridus · · Score: 4, Insightful

      Yeah, seriously. I'm a lot more concerned about what the US government and the molestation department at TSA might do than I am about the Chinese government.

      This story is interesting from a tech perspective, but the commentary at the end is BS on a site from a country with ever decreasing privacy standards.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    4. Re:The Chinese aren't the reason to use encryption by circletimessquare · · Score: 2, Insightful

      it is true that the usa has decreasing privacy standards

      it is also true that china's privacy standards are orders of magnitude below the usa's standards, firmly entrenched in the toilet

      so i don't understand a point of view that is more concerned with flawed standards, but much better standards, than they are with a country that is an actual, no-apologies firmly authoritarian "i tell you who your master is and what you can and cannot think" regime

      it makes me wonder at your critical thinking skills

      when you can't tell the difference between hyperbole and reality, and you wind up more worried about the hyperbolic and fantastic threats to human rights rather than the actual and real threats to human rights, then you just seem to be some sort of propagandized fool to me

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    5. Re:The Chinese aren't the reason to use encryption by MikeBabcock · · Score: 2, Insightful

      If you're sending any type of sensitive data without PGP or other good encryption, you're a fool.

      Protect your own data, any idiot at the ISP can read your E-mails -- not just China.

      --
      - Michael T. Babcock (Yes, I blog)
  7. Re:Nobody Noticed ... Except Everyone (Even Slashd by interkin3tic · · Score: 4, Informative

    That summary and article didn't report the .mil or .gov traffic.

    I guess we just assumed it was only youtube videos or pokes on facebook.

  8. Re:Nobody Noticed ... Except Everyone (Even Slashd by MaskedSlacker · · Score: 4, Funny

    You think the /. editors RTFA?

  9. Invalid Certificates by Bios_Hakr · · Score: 3, Informative

    From National Defense Magazine: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249#

    "If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better," he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it's web traffic, emails or instant messaging, Alperovitch said. "It is a flaw in the way the Internet operates," said Yoris Evers, director of worldwide public relations at McAfee.

    What makes this really annoying is that a lot of .mil sites use self-signed certificates. When doing mil-2-mil browsing, you just get used to clicking whatever to get into the site. So, I can easily see how China could do a MITM without alarming any of the end users.

    --
    I'd rather you do it wrong, than for me to have to do it at all.
    1. Re:Invalid Certificates by volcan0 · · Score: 3, Informative
    2. Re:Invalid Certificates by Mr+44 · · Score: 2, Informative

      Hint: that issuer ain't Verisign. I don't know whether that's the official DoD cert or if that's one created by that particular organization, but I do know that it doesn't ship with any popular browser by default

      No, it's not Verisign. And of course they aren't self-signed, that's retarded. The US military has the largest PKI deployment in the world, they know a thing or two about certs. The DOD has their own root certificates which don't ship by default with commercial browsers, since they aren't relevant for normal use (and theoretically, they would allow the DOD to MITM your SSL connections).

      If you want, you can download and install them: http://dodpki.c3pki.chamb.disa.mil/rootca.html

  10. There goes the neighborhood... by digitaldc · · Score: 4, Interesting

    It remains unclear whether the redirection was intentional, the report says, but it demonstrates that it is possible for malicious actors to seize control of the Internet and redirect traffic.
    On April 8, according to Web security specialists, a small Chinese Internet service provider published a set of instructions under the Border Gateway Protocol, that directed Web traffic from about 37,000 networks to route itself via computer servers in China.
    The list was republished by China Telecom and briefly propagated itself across the global Web, which works on a trust system, with each server updating its routing instructions based on data provided by others in the network.

    What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol?
    Maybe someone needs to take a closer look at this 'trust system.'

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:There goes the neighborhood... by Amouth · · Score: 3, Informative

      with BGP if I advertise myself as a route to a subnet others around me will try to send me that traffic IF they trust me.

      now with a small company like mine.. my telco doesn't accept any routes other than my own subnets so instead i would just black hole myself.

      now take a large telco or backbone provider .. say Level 3.. if they started advertising a route to my subnets then everyone who is closer to them than me (basically everyone) they will send L3 the traffic..

      this type of attack/whatever you want to call it - only works if you are a big enough player for your neighbors to believe what you are advertising.

      with my L3 example.. not every telco (or any really) would review that route change.. as for all they know i got a leased line from L3 or set up a peering agreement..

      the cardinal sin of BGP is to advertise a route that isn't yours. but that is all it is.. an advertisement.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:There goes the neighborhood... by bluefoxlucid · · Score: 2, Insightful

      What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol?

      Maybe someone needs to take a closer look at this 'trust system.'

      This is a classic example of the guy who doesn't know wtf he's talking about being the only one asking the questions that actually need to be asked.

    3. Re:There goes the neighborhood... by response3 · · Score: 2, Informative

      This has been an open topic for some time....but the problem is that in order to implement it, you'd have to eventually upgrade the OS of every BGP router in the world. From the IP Journal,

      http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-3/securing_bgp_s-bgp.html
      "Status:

      As of early 2003, an implementation of S-BGP has been developed and demonstrated on small numbers of workstations representing small numbers of ASes. We also developed software for a simple repository, and for NOC tools that support secure upload and download of certificates, CRLs, and AAs to and from repositories, and for certificate management for NOC personnel and routers. This suite of software, plus CA software from another Defense Advanced Research Projects Agency (DARPA) program, provide all of the elements needed to represent a full S-BGP system. All of this software is available in open source form.

      Summary

      S-BGP represents a comprehensive approach to addressing a wide range of security concerns associated with BGP. It detects and rejects unauthorized UPDATE messages, irrespective of the means by which they arise; for example, misconfiguration, active wiretapping, compromise of routers or management systems, etc. S-BGP is not perfect; it has a few residual vulnerabilities, but these pale in comparison to the security features S-BGP provides, and removal of these vulnerabilities would require more fundamental changes to BGP semantics.

      The S-BGP design is based on a top-down security analysis, starting with the semantics of BGP and factoring in the wide range of attacks that have or could be launched against the existing infrastructure."

  11. and on the other side of the world... by schlachter · · Score: 5, Insightful

    Chinese Headlines claim for a period of nearly 21,018,240 minutes...nearly 100% of Internet traffic has been routed through the United States....wonder if they're worried about the balance of power?

    --
    My God can beat up your God. Just kidding...don't take offense. I know there's no God.
  12. Re:Is .cn special? by Anonymous Coward · · Score: 3, Insightful

    If you only encrypt sensitive data it attaches a huge neon light to it.

  13. So? 100% of US traffic goes through NSA "closets" by thesandbender · · Score: 4, Interesting

    Well, maybe not 100% but it's established that the bulk of US traffic is trunked off to closets in AT&T (and other) switch rooms. This is going to include any communications going to points outside the US and (more importantly) any traffic that happens to be routed through the US while going between two points outside the US.

  14. Re:Nobody Noticed ... Except Everyone (Even Slashd by Sepodati · · Score: 4, Informative

    They hijacked prefixes, not data. At least not directly. If you sent a packet during that time, it may have been routed to China. I doubt they stood up a big infrastructure to close TCP sessions with all of that incoming traffic and actually capture anything. Perhaps for a very targeted attack they could have, but then there'd be better ways than this to do it, I imagine.

  15. Re:Is .cn special? by Anonymusing · · Score: 2, Funny

    This is why I only anonymize and encrypt nonsensitive data, like MySpace traffic, dating sites, etc. You want my shopping wish list on Amazon?! CRACK MY ENCRYPTION, NSA!!! But that stuff about overthrowing the government is wide open. Throws 'em way off.

    --
    Liberal? Conservative? Compare perspectives at Left-Right
  16. Re:This points to obvious fact by arivanov · · Score: 5, Interesting

    Or it is.

    It is just that the USA has forgotten the Internet basics. It has also forgotten major past incidents like that case from 10 years back when one small ISP in Florida directed most of the Internet traffic through itself and fell over.

    USA internet has very little redundancy. Most of the peering is private, in very few locations and the routes announced by ISPs to each other are not filtered based on declared ISP announcement policy. As the few remaining ISPs are so big the announcement lists have grown to a size where filtering them poses a technical difficulty. In addition to that because the ISPs are big they trust each others change control that routes for blocks which are "somebody else's will not be announced". Bad Idea (TM). And that is why this was possible in the first place.

    Compared to that in Europe most of the peering is public and nearly all ISPs heavily filter the route announcements coming from other peers. A Chinese ISP which would announce blocks it does not own would simply be ignored. It is of course possible for the ISP in question to add the policy to its official export list, post it to RIPE, get it propagated to other ISPs and then announce the routes, but that will take time and will have a big chance to be noticed. It will also be clear that there is "no mistake" there so the ISP in question will really get kicked off the internet for this one.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
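
The inbound filtering that Amouth's and arivanov's comments describe (a provider that accepts only a neighbor's declared prefixes, versus a session that installs whatever it is sent), as an added Python example that is not part of any comment. The AS numbers, prefixes and the `DECLARED` registry are constructed for illustration.

```python
import ipaddress

# Constructed registry of the prefixes each neighbor AS has declared it will
# announce (documentation address space and documentation AS numbers).
DECLARED = {
    64500: ["203.0.113.0/24"],   # small single-homed customer
    64510: ["198.51.100.0/24"],  # large peer
}

def permitted(neighbor_as, prefix):
    """True if prefix is covered by something neighbor_as declared."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(d))
               for d in DECLARED.get(neighbor_as, []))

def import_routes(neighbor_as, announced, filtering):
    """Return (accepted, rejected) prefix lists for one BGP session.

    filtering=False models a session that trusts the neighbor's change
    control and installs whatever it is sent.
    """
    accepted, rejected = [], []
    for prefix in announced:
        if not filtering or permitted(neighbor_as, prefix):
            accepted.append(prefix)
        else:
            rejected.append(prefix)
    return accepted, rejected

# Constructed announcements: each neighbor sends its own prefix plus one
# that it never declared.
CUSTOMER_UPDATE = ["203.0.113.0/24", "192.0.2.0/24"]
PEER_UPDATE = ["198.51.100.0/24", "203.0.113.0/24"]

def demo():
    return {
        "customer, filtered": import_routes(64500, CUSTOMER_UPDATE, True),
        "peer, unfiltered": import_routes(64510, PEER_UPDATE, False),
        "peer, filtered": import_routes(64510, PEER_UPDATE, True),
    }

if __name__ == "__main__":
    for session, (ok, dropped) in demo().items():
        print(f"{session:20} accepted={ok} rejected={dropped}")
```
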
  17. Re:Is .cn special? by Amouth · · Score: 2, Insightful

    you know i just had that conversation with my general manager.

    except it was about shredding documents - they couldn't imagine someone going through a bag of strip shredded paper trying to find something.

    my comment was - it takes effort and a reason.. important info that shouldn't be public is a good reason.. and if you only shred important things it makes the effort all that much easier..

    needless to say we will be investing in a large capacity cross cut shredder - with hopes to put all our outgoing paper through it.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  18. I don't think the authors understand cryptography by techmuse · · Score: 2, Insightful

    There are two problems here:

    1) Can China redirect traffic through its network by advertising that it has the lowest cost routing path? (Apparently, yes.) This is a wormhole attack, and is well documented in research literature.

    2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.

    If you are sending data over the net, and want to protect it, be sure that it is encrypted. If you don't care, be aware that anyone might be able to monitor it, even governments of other countries. If you don't trust the Chinese root CA to certify the identity of servers that you go to, don't accept their CA's certificate as an authority for that purpose.

  19. And for documentation about the NSA closets by thesandbender · · Score: 4, Informative
  20. this is why I go with the station wagon by antifoidulus · · Score: 2, Informative

    If you manage to end up in China when driving a station wagon full of tapes from North Carolina to DC you REALLY are doing it wrong.

  21. Re:Nobody Noticed ... Except Everyone (Even Slashd by pushing-robot · · Score: 5, Funny

    It's an API that lets you randomly write to memory addresses on their servers.

    --
    How can I believe you when you tell me what I don't want to hear?
  22. Re:Nobody Noticed ... Except Everyone (Even Slashd by uncledrax · · Score: 2, Funny

    Isn't that why they have the whole meta-moderate in the firehose thing?

    --
    ----- The internet has given everyone the ability to have their voice heard equally as loud.. even if they shouldn't be
  23. Re:I don't think the authors understand cryptograp by VortexCortex · · Score: 4, Insightful

    2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.

    I don't think you understand MITM attacks.

    Take a moment to look at the list of trusted root certificate authorities in your web browser right now.
    FF Preferences > Advanced > Encryption > View Certificates

    Notice the Chinese ones? The Chinese government can compel any of those root CAs to produce a certificate for any domain they choose. For example, let's say CNNIC creates rogue certs for Google.com.

    1) You request a secure page "https://mail.google.com"
    2) MITM intercepts the request and makes their own connection to mail.google.com using the real cert.
    3) MITM uses the fake cert to encrypt its connection to you, and pass you the mail.google.com data.
    4) Firefox validates the cert chain and gives you a big "look it's secure" bar, and you just got pwned.

    The real problem is with the retarded cert system. Any CA can create certs for any domain without the domain's permission; If the CA is trusted your browser won't complain at all.

    This is why it's important to view the certs that you are using (in Firefox, click or hover over the "secure" bar).
    Note: If you had a cookie that kept you signed in to gmail, it's too late to check the cert after the MITM is logged into your account.
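
The trust-store behaviour described in the comment above, and the effect of automating the "check which cert you got" step as a key pin, as an added Python example that is not part of the comment. It is a model: the CA names, host name and key bytes are constructed, and signature, date and revocation checks are left out.

```python
import base64
import hashlib

# Constructed stand-ins for the roots a browser ships with.
TRUST_STORE = {"Example Root A", "Example Root B"}

def make_cert(subject, issuer, spki):
    """spki stands in for the DER-encoded SubjectPublicKeyInfo bytes."""
    return {"subject": subject, "issuer": issuer, "spki": spki}

def chain_is_trusted(chain, hostname):
    """Browser-style check: the leaf names the host and the chain links,
    by issuer name, up to ANY root in the trust store."""
    if not chain or chain[0]["subject"] != hostname:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    return chain[-1]["issuer"] in TRUST_STORE

def spki_pin(cert):
    """base64(SHA-256(SubjectPublicKeyInfo)), the pin format of RFC 7469."""
    return base64.b64encode(hashlib.sha256(cert["spki"]).digest()).decode()

def pinned_ok(chain, hostname, pins):
    """The chain must validate AND contain a key the client already expects."""
    return (chain_is_trusted(chain, hostname)
            and any(spki_pin(c) in pins for c in chain))

HOST = "mail.example.test"  # constructed host name
GENUINE = [
    make_cert(HOST, "Example Issuing CA A", b"genuine-leaf-key"),
    make_cert("Example Issuing CA A", "Example Root A", b"issuing-ca-a-key"),
]
# Same host name, but issued under a different root that is also trusted.
SUBSTITUTED = [
    make_cert(HOST, "Example Issuing CA B", b"interceptor-leaf-key"),
    make_cert("Example Issuing CA B", "Example Root B", b"issuing-ca-b-key"),
]
# The client pins the key of the CA the site is known to use.
PINS = {spki_pin(GENUINE[1])}

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE), ("substituted", SUBSTITUTED)):
        print(name, "trusted:", chain_is_trusted(chain, HOST),
              "pinned:", pinned_ok(chain, HOST, PINS))
```
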

  24. Re:I don't think the authors understand cryptograp by VortexCortex · · Score: 2, Insightful

    Please excuse the reply to myself, but I'd like to point out that I'm not trying to single out China here, the above statements apply to USA, UK, Canada, or any government that a trusted Root CA company resides within.

    Eg: The US Government could compel (and also gag-order) Thawte into creating fake certs for Google.com (or any other domain), and in Google's case, you wouldn't even find out you've been pwned by checking the cert...

    Honestly, HTTPS / SSL is The Ultimate Theater of Security.

  25. Re:Protocols used on the 'net are horribly outdate by shentino · · Score: 3, Insightful

    You cannot have the centralized control you need to block out abuse without also having that centralized control in the hands of censorship happy powers.

    Freedom of expression implies freedom to be an ass.

  26. The Invasion of the Chineeese Terror! by Chicken_Kickers · · Score: 3, Insightful

    Chineeese! It's ALIVE! It's coming for YOU and your family! Hide in your bomb shelters! Wrap wet towels on your heads! Cover your bedrooms in tin foils. The Chineeese Terror is coming!!!

    Seriously, what is wrong with you Americans? Can't you and your government live through life without manufacturing an enemy to hate? What is it in your national psyche that requires an opponent? Is it because you actually bought into your own "we're the Good Guys(TM)" propaganda that the only way to validate this absurd world view is to manufacture "bad guys". My theory is that you are so hung up on WWII, the last "good war" that you fought in, that you and your leaders are subconsciously trying to recreate it so that you can feel good about yourselves again. Hence, the Axis of evil, war on terror, and now a more traditional enemy, the Red Peril. Get over it.

  27. Re:Nobody Noticed ... Except Everyone (Even Slashd by dna_(c)(tm)(r) · · Score: 3, Insightful

    finding out who to defriend

  28. This happened for 18 minutes? by 93+Escort+Wagon · · Score: 2, Funny

    But I thought Richard Nixon and Rosemary Woods were both dead...

    --
    #DeleteChrome
  29. Re:Nobody Noticed ... Except Everyone (Even Slashd by Anonymous Coward · · Score: 5, Informative

    Sorry to be AC.

    as an IP engineer at a major backbone provider, I can safely comment on the hyperbole of this incident.

    China Telecom -4134- would have to either send very/more specific routes and get max prefixes blown out, or send very general routes and lose to smaller routes.

    yes, for a little while any "tier 1" player, or major government player, can convince another provider to send routes to an inappropriate AS, the game soon ends. anyone who isn't running at the very least a max prefix is a cluetard and needs their peering revoked anyway. From my 20%, 4134 is always a hair's breadth away from getting a smackdown.

    tldr; they can't really steal the whole internet, but we need to watch out for smaller route hijacking.
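
The two outcomes named in the comment above (a general route losing to the holder's more specific one, and a flood of more-specifics tripping a max-prefix limit), as an added Python example that is not part of the comment. It is a model rather than a BGP speaker; the AS numbers, the 10.1.0.0/16 prefix and the limits are constructed.

```python
import ipaddress

class Session:
    """One BGP neighbor with a max-prefix limit."""
    def __init__(self, neighbor_as, max_prefixes):
        self.neighbor_as = neighbor_as
        self.max_prefixes = max_prefixes
        self.routes = set()
        self.up = True

    def receive(self, prefixes):
        """Install announced prefixes; tear the session down past the limit."""
        for p in prefixes:
            if not self.up:
                break
            self.routes.add(ipaddress.ip_network(p))
            if len(self.routes) > self.max_prefixes:
                self.up = False
                self.routes.clear()  # every route from this neighbor is withdrawn
        return self.up

def best_next_hop(sessions, address):
    """Longest-prefix match across every session that is still up.

    Real BGP compares path attributes among equal-length prefixes; this
    model only needs the longest-match step.
    """
    addr = ipaddress.ip_address(address)
    candidates = [(net.prefixlen, s.neighbor_as)
                  for s in sessions if s.up
                  for net in s.routes if addr in net]
    return max(candidates)[1] if candidates else None

LEGIT_AS, LEAKER_AS = 64496, 64511  # documentation AS numbers (RFC 5398)
VICTIM = "10.1.0.0/16"              # constructed prefix in private space

GENERAL = ["10.0.0.0/8"]            # one covering route
SPECIFIC = [str(n) for n in         # the /16 split into 256 /24s
            ipaddress.ip_network(VICTIM).subnets(new_prefix=24)]

def scenario(leaked, limit):
    """Return (leaker session still up?, AS chosen for a host in VICTIM)."""
    legit = Session(LEGIT_AS, max_prefixes=10)
    legit.receive([VICTIM])
    leaker = Session(LEAKER_AS, max_prefixes=limit)
    leaker.receive(leaked)
    return leaker.up, best_next_hop([legit, leaker], "10.1.2.3")

if __name__ == "__main__":
    print("general route, limit 100:  ", scenario(GENERAL, 100))
    print("more-specifics, limit 100: ", scenario(SPECIFIC, 100))
    print("more-specifics, limit 1000:", scenario(SPECIFIC, 1000))
```

With the limit set above the size of the leak, the more-specifics are installed and win the longest-prefix match, which is the exposure the commenter attributes to sessions without a max-prefix setting.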

  30. Re:Stop the trolling by madprof · · Score: 4, Informative

    Since when has a low UID meant anything? Or, indeed, positive karma?
    They're trolling, pure and simple. And quite well given you took the bait!