[Infowarrior] - China's Great Firewall spreads overseas

Richard Forno rforno at infowarrior.org
Mon Mar 29 14:13:39 UTC 2010


China's Great Firewall spreads overseas
Robert McMillan

http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
March 25, 2010 (IDG News Service)

A networking error has caused DNS resolvers in Chile and the U.S. to
receive answers shaped by the Great Firewall of China, redirecting
Facebook, Twitter, and YouTube users to Chinese servers.

Security experts are not sure exactly how this happened, but it
appears that at least one ISP's resolvers recently began sending their
queries for top-level DNS (Domain Name System) data to an instance of a
root DNS server located in China. That server is the I root
(i.root-servers.net), operated by Swedish service provider Netnod, and
queries reaching its Chinese instance came back with the answers China
serves its own users, effectively spreading China's network censorship
overseas. China tightly controls access to a number of Web sites, using
technology known colloquially as the Great Firewall of China.

The issue was reported Wednesday by Mauricio Ereche, a DNS admin with
NIC Chile, who found that an unnamed local ISP reported that DNS
queries for sites such as Facebook.com, Twitter.com and YouTube.com --
all of which have been blocked in China -- were being redirected to
bogus addresses.

It is unclear how widespread the problem is. Ereche reported getting
the bogus information from three network access points in Chile, and
one in California, but on Thursday he said that the problem was no
longer popping up. "The traces show us that we're not hitting the
server in China," he wrote in a discussion group post.

This issue occurred because at least one ISP outside China ended up
routing its resolvers' root-server queries to the instance inside
China, networking experts say. Every instance of a root server
announces the same anycast address, so which instance a query reaches
is decided by BGP routing rather than by the resolver; a resolver
outside China should never be routed to the Chinese instance, because
that allows answers shaped by China's censored network to "leak"
outside of the country.
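What a resolver operator can check for is the symptom itself: a root server only delegates, so a reply to a root-server query that carries an A record for facebook.com in its answer section was forged somewhere on the path. The following Python is an added example written for this page, not code from the article, from Netnod, or from any of the researchers quoted. It parses DNS wire format with the standard library and classifies two constructed sample replies; the gTLD server names and the 203.0.113.7 address in the samples are placeholders, not the leaked data.

```python
"""Detect forged DNS replies to root-server queries (added example)."""
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(qname, answers=(), authorities=(), flags=0x8180):
    """Build a response to an A query; records are (owner, type, rdata-bytes)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authorities), 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)  # QTYPE=A, QCLASS=IN
    for owner, rtype, rdata in list(answers) + list(authorities):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body


def decode_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            if tail != ".":
                labels.append(tail.rstrip("."))
            offset += 2
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", offset


def parse_message(msg):
    """Parse header, question and the three record sections of a DNS message."""
    _txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = decode_name(msg, offset)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, offset = decode_name(msg, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            if rtype == TYPE_NS:  # NS rdata is a name; decode it against the whole message
                value = decode_name(msg, offset)[0]
            elif rtype == TYPE_A:
                value = ".".join(str(b) for b in msg[offset:offset + 4])
            else:
                value = msg[offset:offset + rdlen]
            offset += rdlen
            sections[section].append((owner, rtype, value))
    return {"qname": qname, "qtype": qtype, "flags": flags, **sections}


def classify_root_response(msg):
    """A root server only delegates; an A record for the queried name means forgery."""
    parsed = parse_message(msg)
    qname = parsed["qname"].lower()
    forged = ["%s -> %s" % (owner, value) for owner, rtype, value in parsed["answer"]
              if rtype == TYPE_A and owner.lower() == qname]
    if forged:
        return "forged-answer", forged
    delegations = [value for _owner, rtype, value in parsed["authority"] if rtype == TYPE_NS]
    if delegations and not parsed["answer"]:
        return "referral", delegations
    return "unexpected", []


# Constructed sample 1: the shape of a genuine root reply for facebook.com,
# with an empty answer section and a delegation to the .com servers
# (server names illustrative).
LEGIT_REFERRAL = build_message(
    "facebook.com.",
    authorities=[("com.", TYPE_NS, encode_name("a.gtld-servers.net.")),
                 ("com.", TYPE_NS, encode_name("b.gtld-servers.net."))],
)

# Constructed sample 2: a forged reply of the kind the article describes,
# answering facebook.com directly. 203.0.113.7 is RFC 5737 documentation
# space standing in for whatever address the real injected replies carried.
FORGED_ANSWER = build_message(
    "facebook.com.",
    answers=[("facebook.com.", TYPE_A, bytes([203, 0, 113, 7]))],
)

if __name__ == "__main__":
    for label, sample in (("genuine", LEGIT_REFERRAL), ("injected", FORGED_ANSWER)):
        print(label, classify_root_response(sample))
```

Once the symptom shows up, the complementary check is to ask the root server which anycast instance is answering: `dig @i.root-servers.net hostname.bind CH TXT +norec` (or `id.server` in place of `hostname.bind`) returns the instance identifier on servers that support the convention, which is how an operator confirms whether its queries are landing in China rather than at a nearer instance.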

Researchers have long known that China forges DNS answers for censored
services, redirecting their users to government-run servers instead of
sites such as Facebook and Twitter. But this is the first public
disclosure that those forged answers have reached users outside of
China, according to Rodney Joffe, a senior technologist with DNS
services company Neustar. "All of a sudden, the consequences are that
people outside China may be subverted or redirected to servers inside
China," he said.

By using a China-based root server, ISPs are in effect letting China's
network answer their users' DNS queries, and whoever controls those
answers controls where the users' traffic goes. That could mean big
security problems for people whose network accepted the leaked routes,
Joffe said.

The ISP that used the bad routes probably misconfigured its BGP
(Border Gateway Protocol) system, the protocol that decides which path
traffic takes across the Internet, according to Danny McPherson, chief
security officer with Arbor Networks. "I don't think it was done
intentionally," he said. "This is an example of how easy it is for
this information to be contaminated or corrupted or leaked out beyond
the boundaries of what it was supposed to be."

In February 2008, a BGP route that Pakistan Telecom had announced to
block YouTube domestically leaked to the global routing table,
effectively knocking Google's video site offline for millions of users.

In an e-mail message, Netnod CEO Kurt Erik Lindqvist said his company
is not hosting the bad routes on its server. They were most likely
changed by machines somewhere on the Chinese network, McPherson said.

The incident shows that BGP remains a major weak link in the Internet,
Joffe said. "It's really disconcerting from a security point of view
and from a privacy point of view."

This is the first time that this type of behavior has been made
public, but it has apparently been going on for some time. In a
discussion group post on Wednesday, Nominet researcher Roy Arends said
that he has been studying this issue for a year.

Arends has compiled a list of 20 domain names that trigger the kind of
bad results Ereche reported. Arends is keeping the names of those
domains secret, but he did publish some of his data in his discussion
post.

"I wanted to keep this internal, however, the cat is out of the bag  
now," Arends wrote.
