China's Great Firewall Infects Other Countries
angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."
Re:Now... (Score:5, Interesting)
It's the other way around from what you're suggesting. The Chinese didn't try to do anything. ISPs elsewhere mistakenly configured their servers to use Chinese DNS servers.
They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.
Completely unintentional (Score:3, Interesting)
US DNS servers magically start pulling DNS data from Chinese servers? Uh huh. Completely an "accident".
Problems like this should be prevented (Score:4, Interesting)
So any wrongful destination now has a lot of passwords. Especially IMAP and POP and suchlike, not even a need to set up a misleading website, you can play totally innocent.
Prevention:
1) Don't have a root server in a country that wants to censor information
2) Implement free SSL certs so that it is no longer "normal" to just click through the SSL cert alert
3) DNSCurve, DNSSEC, whatever
4) Encrypt.
5) Even when using encryption always use auth schemes that cannot be replayed afterwards. Without certs I don't think you can stop MITM, but much too many people use only one password for a lot of different things, at least that one won't be in the sniffer's hands.
More?
Re:Misleading (Score:1, Interesting)
It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.
The only way someone is going to be "actively spoofing DNS replies" is via a sophisticated MITM attack. The problem here is that some idiot forgot to keep his "root.hints" file current on his DHCP published name server. A "firewall" has always been understood as a bastion host and/or a packet filter. Breaking DNS doesn't break routing. The inverse may not be true, but routing doesn't depend on DNS.
The issue I have... (Score:3, Interesting)
Heck, even Dell is pulling out.
So, because the Chinese persist in behaving badly it's time for internet war. Let's band together and shut 'em down. Close off internet to China and see how they like it - after all, the TLDs are controlled by the U.S. As to messaging etc. they can phone and fax.
Sorry for such a rant but there has got to be a consequence for the level and voracity of the issues and problems that emanate from China - especially when the government there is never responsible.