China's Great Firewall Infects Other Countries 178
angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."
Uh Huh (Score:2)
Chinese official: "Whoops..." (with big grin on face).
Re: (Score:2)
Can't say that I'm surprised that it did happen.
Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.
Re:Uh Huh (Score:5, Informative)
Can't say that I'm surprised that it did happen.
Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.
And still this has nothing to do with the Chinese government. It's the ISP's fault that erroneously configured their servers to use the Chinese root DNS server.
Re:Uh Huh (Score:4, Informative)
Well in fairness it has a little bit to do with China. That whole censorship thing.
Re: (Score:2)
It has a lot to do with it...China is manipulating DNS for political reasons. I would say that's a problem...
Re: (Score:2)
ISP's in other countries are manipulating DNS too, but rather than for political reasons it's for child porn (there has been controversy when such lists are used for other purposes too) and copyright infringement (at least Italy blocks TPB, maybe others).
CHINA will set up a mirror server for Chinese netizens to visit Websites whose domain names end with .com or .net, Sina.com reported today.
Instead of being served by overseas domain servers for making visits, the new server will provide a domain name system or "DNS" function of its own, which will guarantee the security for netizens visiting from China and also raise the linking speed.
So it's a DNS for Chinese people. Why does ISP's in other countries use it? And since they do, it's no surprise their results get changed too.
Re: (Score:2)
"So it's a DNS for Chinese people. Why does ISP's in other countries use it?"
Because they're just as controlling. Duh.
Re: (Score:2)
So you're saying that because some governments try to limit the spread of child porn, the PRC has the right to deceive the people of China into thinking there was no "Tank Man" or that democracy is evil?
Nonsense. What they are doing will be remembered as a great injustice. It will be a cautionary tale for all societies with a chance to determine their own destiny. They will say, "We will not let it happen again."
No amount of cheap wealth will hide what is happening. No one sympathizes. They are known as
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What I'm saying is that I don't believe that either the means justify the end or the end justifies the means. Neither are justification for something that's in itself immoral (again IMHO). So you are correct. I am saying that there is no moral use for nuclear bombs and internet filtering. There are "more" moral uses for them (Using a the threat of a nuclear bomb is more moral than dropping it), but that doesn't make th
Re: (Score:2)
Ummmm.... It's my understanding from historical Chinese government interaction with their businesses that it tells Chinese businesses what to do, how to interact with the rest of the world. It's not like their government isn't a totalitarian government.
IMO, it's self-defeating behavior to deny obvious possibilities.
Re: (Score:2)
And however this happened, it's plausible that now China looks like it's throwing a tizzy at getting stood up to on censorship by Google.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
i.root-servers.net is not "the root in China". A single Anycast node of i.root-servers.net is in China. It would probably be a good idea to research such statements before making them.
Re: (Score:2)
It's not semantics fuckwit. It changes the fundamental meaning of the post. Original statement said "querying the Chinese root is the default configuration" when in fact that behaviour is only the default if you are in China. Otherwise, querying i.root-servers.net in Los Angeles or Sydney or Auckland or London is the default.
So fuck off yourself.
Re: (Score:2)
Chilean official: "Whoops..." (with big grin on face).
There, fixed that for ya.
Re: (Score:3, Funny)
Question: Who controls the root?
Possible answers:
- the tree
- the tooth
- the administrator
- the problem
Re: (Score:2)
My bet is on either Money or Evil
Great Firewall of Sweden? (Score:2)
Now who should we blame?
China or Sweden?
Turn out the Swedes are operating the Great Firewall of China.
If the Chinese are to be blamed of censorship, the Swedes must be blamed of ENFORCING the censorship.
Re: (Score:3, Funny)
Re: (Score:2)
I knew I forgot one.
Pfft. (Score:3, Funny)
Re:Pfft. (Score:5, Insightful)
Also, the internet routes around censorship? Ooops....
Re:Pfft. (Score:5, Funny)
Also, the internet routes around censorship? Ooops....
Seems we were wrong. Apparently, the Internet detects censorship and routes it around.
Re:Pfft. (Score:5, Insightful)
Re: (Score:2)
Apparently there isn't much money in DNSSEC.
Fixed. No need to thank me. :)
Re: (Score:2)
"And their firewalls didn't detect the melamine in the imported DNS records? Pitiful."
I was going to recommend lead but I forgot this isn't the 80s-90s any longer.
Lead would've made a better explanation for the slower speeds and 'cancerous' degradation that's been showing up on The Internet Traffic Report [internettr...report.com] (currently at 62% as of this posting) with lead being heavier and all that fun chemistry stuff. ;)
China Fights Back (Score:2, Funny)
Re: (Score:3, Funny)
Nice headline (Score:5, Informative)
Re: (Score:3, Insightful)
Have they ever?
Re: (Score:2)
Funny, yours didn't say a thing about Nice [whytraveltofrance.com].
Misleading (Score:5, Insightful)
Re:Misleading (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
ooooooooooookie dokie.
Re: (Score:2)
How is this insightful? It's wrong! Noone misconfigured their DNS resolvers, the problem is that for some reason a couple of major routing nodes latched on to the incorrect node for i.root-servers.net (each DNS root is not a single server, it's a bunch of geographically separate servers with the same IP doing Anycast announcements) and connected downstream servers began using the node in China to perform resolution.
WW3 (Score:2)
In other news, WW3 started slowly with Google and Dell pulling out of China. Infowars continued to increase when China's root nameserver began to propagate its information out to the developing world, areas that had been increasingly reliant on Chinese funding since the post-cold-War US' international power began to wane..
Re: (Score:2)
In other news, Skynet, err The Great Firewall of China, became self-aware at 8:14am EDT March 26, 2010
Maintaining the Great Firewall (Score:5, Funny)
(Firewall is subverted...)
Damn you cyber-Mongorians!
Re: (Score:2)
http://i17.photobucket.com/albums/b87/hurt911gen/wat.jpg?t=1248974475 [photobucket.com]
404'd!
I think this is a shot across teh bow (Score:2)
Re: (Score:3, Insightful)
Your rampant racism not withstanding, that was an idiotic post.
China cannot 'take our DNS down'. In worst case scenario, the world would just disconnect from China if that were to happen.
Re: (Score:2, Funny)
Re:I think this is a shot across teh bow (Score:4, Funny)
What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?
Yes, lead, melamine, and poorly documented programming.
Re: (Score:2)
He wasn't being racist. He was being alarmist, or possibly McCarthyist. His is the same mentality that leads to films like "Red Dawn", not "The Birth of a Nation".
this gives me an idea.... (Score:5, Funny)
Re: (Score:2)
So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.
Why don't we just slashdot it?
Re: (Score:2)
Re: (Score:2)
The problem with your logic is, that if we stopped, it would work again.
And if we wouldn’t stop, nobody would have Internet. Not us, and not the Chinese people.
I think a botnet, DOSing them, makes more sense, and is already done.
Re: (Score:2)
Big names having problems (Score:2)
Re: (Score:2)
Completely unintentional (Score:3, Interesting)
US DNS servers magically start pulling DNS data from chinese servers? Uh huh. Completely an "accident".
Huh (Score:4, Funny)
Problems like this should be prevented (Score:4, Interesting)
So any wrongful destination now has a lot of passwords. Especially IMAP and POP and suchlike, not even a need to set up a misleading website, you can play totally innocent.
Prevention:
1) Don't have a root server in a country that wants to censor information
2) Implement free SSL certs so that it is no longer "normal" to just click through the SSL cert alert
3) DNSCurve, DNSSEC, whatever
4) Encrypt.
5) Even when using encryption always use auth schemes that cannot be replayed afterwards. Without certs I don't think you can stop MITM, but much too many people use only one password for a lot of different things, at least that one won't be in the sniffer's hands.
More?
Re: (Score:2)
Re: (Score:2)
1b) Don't allow unfiltered BGP updates from countries or companies you don't want running a DNS root server.
Re: (Score:2)
Well, no, since I specifically asked if there were any "More?". I'm sincerely interested in knowing if I overlooked something in my list. Name calling was not called for.
What good are my fifteen daily modpoints when it doesn't stop one from being insulted by anonymous cowards . . .
ancient chinese secret, huh? (Score:2)
hacker attack (Score:3, Informative)
Come on, are we really being that stupid? Of course it was a hacker attack. The chances of an IP address "accidentally" being pointed to a Chinese one is remote.
These Chinese hackers (and hackers in general) are getting more and more dangerous. If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address. If the DNS is configured to give incorrect DNS information, then we really could get hosed here.
Re: (Score:3, Informative)
It's not so much a matter of things being "pointed" anywhere, more a side-effect of anycasting the root DNS servers [wikipedia.org] so that if your current routing happens to put root servers in China as closer than any others, you'll get your results returned from them.
Of course, one could argue that countries shouldn't be allowed to mess with root DNS servers that they host and have them return invalid addresses for valid domains, but that's besides the point here.
Re: (Score:2)
If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address.
SSL uses domain names for verification, but it does not rely on them for authentication. If you hijack an SSL-enabled website, you would also need to steel their private key.
Re: (Score:2)
Or have a trusted CA operator sign over your private key.
Not that there's a Chinese CA operator in the trusted key set or an... er.
Don't mind me, I'm just rabble rousing. I do not believe that CNNIC is any less trustworthy than VeriSign. Or maybe more accurately, I do not expect that VeriSign is any more trustworthy than CNNIC :-) Oops, rabble rousing again.
Use 2FA for online banking, neither HTTPS nor DNS is safe.
Re: (Score:2)
OT (Score:2)
Maybe offtopic, but how does DNCSEC affect DNS level censorship?
Re: (Score:2)
In principle, DNSSEC prevents this form of attack because you cannot form a chain of trust through a hijacked answer.
In practice, no-one checks the result for a signature failure, because it's Hard to know what the right thing is to do, and it's Pointless until the roots are signed.
The issue I have... (Score:3, Interesting)
Heck, even Dell is pulling out.
So, because the Chinese persist in behaving badly it's time for internet war. Let's band together and shut 'em down. Close off internet to China and see how they like it - after all, the TLD's are controlled by the U.S. As to messaging etc. they can phone and fax.
Sorry for such a rant but there has got to be a consequence for the level and voracity of the issues and problems that emanate from China - especially when the government there is never responsible.
Re: (Score:3, Insightful)
Re: (Score:2)
Which is what? An economic collapse? A justification for war?
The Chinese government is just like any other government (they have more control over their populace). Chinese in general are really fond of business opportunities, which get harmed by this action.
Re: (Score:2)
No, the Chinese government does not desire to simply cut off all access to the outside world. If they wanted to do that, they could do it themselves, today.
They want access, and more, they need access, as it is essential to them growing their economy.
What they actually want is total control over that access. And now they are releasing yet another poison out into the rest of the world. Shutting them down would be a very good thing. Payback is a bitch.
Re: (Score:2)
Yeah; They just complain about trivial things like labour exploitation, poor wages, health and safety lapses, pollution, and foreign support for censorship technologies and the communist regime. It's not like the West has done anything wrong here!!!
Re: (Score:2)
Ask Neville Chamberlain how a policy of doing nothing works out.
Net views censorship as damage (Score:2)
Remember that quote [wikiquote.org]? "The Net views censorship as damage and, sometimes, routes into it..."
Oh, yes, another one of those "Why can't we be more like Europe?!" moments...
Re:Net views censorship as damage (Score:5, Informative)
I was following along with this on the dns-operations mailing list. This pertained to i-root in Asia, and various i-root node operators said "this is not our box". It was a rogue root server (whether installed by the Chinese government or an ISP guided by the government's hand) (as far as netnod/i-root is concerned) announcing the anycast block used by i-root. In doing so they basically advertised themselves as a root node for i-root and it doesn't seem like this was Netnod-affiliated at all. The summary (I didn't re-read the article to see if that said the same) implies that netnod was running this intentionally and serving up Chinese-censored results for affected sites. All this would take is a person with the ability to have their upstreams accept BGP announcements for the anycast block for i-root and run the server. Then any requests to i-root that are topologically "close" will start using this node.
Before anyone continually says that an ISP must have intentionally configured their servers to use this root, they should read up on IP anycasting and read the thread on the dns-operations mailing list instead of these 2nd/3rd/4th-hand summaries that are beginning to skew the facts.
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html
View from inside Chile (Score:2)
I live and work in Chile, and know the network problems well here. Here is my take on it.
I seen that nic.cl had several of their DNS servers that where failing about three weeks ago (I just figured someone would figure it out and fix it, guess not ). Any .cl using nic.cl as their primary dns server ( what most .cl domains use by default rather than having their own), was having failures based on which of the dns servers at nic.cl they were using (I think two of them where failing).
Here is what I seen happen
Re: (Score:2)
Re: (Score:2, Funny)
Life is really easy when you let someone like Glen Beck do all your thinking for you, isn't it Michael?
Re: (Score:3, Informative)
It's funny, because the Reagan years spent more than compared to the GDP than Clinton or GWB but you I happen to like those kind of "facts". In the Clinton years spending v GDP went down quite a bit. The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton.
Re: (Score:2)
Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?
At least *some* people get rich.
Wait, that works in China too. Ah, it's just screwed everywhere.
Re: (Score:2, Offtopic)
God I wish both Republicans AND Democrats would shut up. Both parties accept huge bribes (campaign contributions) in exchange for votes. There is always a shameful deficit no matter who is in power (don't get started with Clinton and his raiding of Social Security to make the budget look balanced. No matter who is in charge, the army is out invading some new country: Somalia, Kosovo, Iraq, Panama, etc.
This dumb Democrat healthcare bill is just as big a coporate handout to the pharmaceutical and insuranc
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I daresay that it wasn't deregulation that got us into this mess, but rather the mandate that housing is a right. Our government let us down when they decided that it didn't need to make financial sense for a person to own a home, only that they needed to want it badly enough and they could get a loan.
The shocker is that we're doing the same thing to healthcare and my children will be paying for it.
Re: (Score:3, Funny)
It's no secret in China that this square exists. It's just what happened there $%*+
NO CARRIER
Re:Now... (Score:5, Interesting)
It's the other way around than what you're suggesting. Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.
They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.
Re:Now... (Score:5, Insightful)
Which, proves the point that perhaps China should not be allowed to have any DNS root servers.
I would say that if a DNS server does not return the same information as all other root servers in the world that it should not be allowed to be a root server.
Re: (Score:2, Informative)
Re:Now... (Score:5, Insightful)
China can have all the root servers they want - just don't configure your server to poll them.
Actually China is demonstrably incapble of having any working root servers at all. A DNS server that returns incorrect information is not a "root" server, if by "root" you mean "authoritative source of DNS information that resolves domain names properly."
It's really too bad that China is incapable of hosting DNS root servers. Hopefully by the end of the 21st century China will be a little less backward and isolated from the rest of the world, which would benefit greatly from interaction with so many people from such diverse cultural and political backgrounds.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
.... Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.
Not quite accurate. The Netnod server 'causing the problem' claims to have and be serving proper information, but the Chinese instance of that server is having it's data stream filtered by China (on the presumption that nobody outside of China is getting information from that server). The problem arose when a couple of high-volume servers (one, or more, in Chile and one, apparently in California) got their root query packets routed through China and ended up filtered the same way that internal-Chinese qu
Re: (Score:3, Insightful)
Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?
Well, I suppose it pays to talk real sweet to a country that pretty much owns us now.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Are you sure you didn't end up at Redbook and CommUTube?