Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Internet Technology

Fix To Chinese Internet Traffic Hijack Due In Jan. 92

alphadogg writes "Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there's no question about the underlying cause of this incident: the lack of built-in security in the Internet's main routing protocol. Network engineers have been talking about this weakness in the Internet infrastructure for a decade. Now a fix is finally on the way."
This discussion has been archived. No new comments can be posted.

Fix To Chinese Internet Traffic Hijack Due In Jan.

Comments Filter:
  • What is the adage? Throwing code at a problem?

    This was a known problem, but they way until it really is exploited to then fix it with something untested and thrown together.

    Yep. I feel real good about it and have total confidence in the solution.

    • If it ain't broke, don't fix it.

      It's broke now, so it's time to fix it.

      That being said, I rather like this RPKI thing--but I think it can go a -lot- further.

      Universal encryption of all network sessions would help with authentication of resources, prevent man-in-the-middle attacks, prevent sidejacking, prevent...well, all manner of things.

      Additionally, the internet could only benefit from the enhanced PKI that would need to be deployed to enable this.
    • Re: (Score:3, Informative)

      by mysidia ( 191772 )

      What is the adage? Throwing code at a problem?

      Yeah.. like SSL prevents hackers from hijacking CC details in e-commerce transactions.

      RPKI has been in the works for years, and will be in the works for years.

      I don't know where the idea "this will be fixed Jan 1" came from. A pilot program for RPKI is no more an immediate fix than the pilot program for DNSSEC was an immediate fix for security issues, and no more than the IPv6 pilot program / 6Bone was an immediate fix for IP address exhaustion.

      Finali

    • by baerm ( 163918 )

      This was a known problem, but they way(sic) until it really is exploited to then fix it with something untested and thrown together.

      It's actually something that people have been working on for quite a long time, many years. It's not a last minute attempt to solve the issue.

  • Comment removed based on user account deletion
    • Re:What... (Score:5, Informative)

      by bsDaemon ( 87307 ) on Wednesday December 08, 2010 @01:14PM (#34490014)

      Chinese Telecom perpetrated a specific route 'attack' a few months ago where they advertised via their BGP feed more specific routes (longer netmask prefixes) for a few blocks, thus any other AS who's BGP feed had been updated with the bogus data was selecting the route to China rather than the route to the actual destination. This can either cause minor disruption, or taken advantage of to sniff all the traffic which is incoming towards the affected hosts. Whether China did it for specifically malicious purposes really isn't clear, but its happened by mistake in the past. It's a known issue in the design of the protocol and policies, and doesn't really take an 'exploit' so much as someone advertising a /22 for a block they may or may not own which preempts the legitimate /20.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        No, some moron working on China Telecom's Beijing AS posted the iBGP routing table to the eBGP side. It's that simple. It didn't cause too much trouble, really, since the only routers that were fooled by it were nearby routers - like the other edge routers in China, and those in S. Korea, Japan, and surrounding companies (in the network topology, which loosely mirrors real geography). The routers in the US would get two prefix advertisements, notice that one was too far away, and use the right ones.

        This is

  • by Monkeedude1212 ( 1560403 ) on Wednesday December 08, 2010 @01:08PM (#34489928) Journal

    So we're at phase 1, the "Hey, check it out" phase. You can expect this to reach a phase 2, the "actually possible" phase, after IPv6 gets implemented, which will then take years to reach phase 3, the "We should really get on that" phase. Phase 4, the "Okay guys this is actually becoming a problem" phase, comes a couple years later and will no doubt be brought up on slashdot a million times over. Phase 5, is still a theoritcal phase, the "Implementation and execution phase" has not yet been observed but we have reason to believe it might happen one day, if we wish upon enough stars.

    • by SEWilco ( 27983 ) on Wednesday December 08, 2010 @01:14PM (#34490016) Journal
      Hey, you have to wait until it's implemented. Right now, the fix is due in Jan, and we have to wait until Jan writes down the code and gets it working right. Once it's working right, we're OK and we can thank Jan.
    • by St.Anne ( 651391 )
      What about the "There, fixed it for ya. You're welcome." Phase?
    • by eldavojohn ( 898314 ) * <eldavojohnNO@SPAMgmail.com> on Wednesday December 08, 2010 @01:18PM (#34490098) Journal

      So we're at phase 1, the "Hey, check it out" phase. You can expect this to reach a phase 2, the "actually possible" phase, after IPv6 gets implemented, which will then take years to reach phase 3, the "We should really get on that" phase. Phase 4, the "Okay guys this is actually becoming a problem" phase, comes a couple years later and will no doubt be brought up on slashdot a million times over. Phase 5, is still a theoritcal phase, the "Implementation and execution phase" has not yet been observed but we have reason to believe it might happen one day, if we wish upon enough stars.

      Get politicians and pundits in front of the American cameras screaming "ZOMG Chineze Haz Our Intarwebz!" And you'll be simply amazed at how fast the sloth can move. If only they could have made the IPv4 -> IPv6 transition about nationalism or freedom or democracy or Al-Queda working with the Ruskies to undermine our securitization ... then that would have happened instantly!

      • I dunno, it's obvious that "ZOMG Chineze Hz Our National Budgetz!", but our politicians and pundits are just digging deeper holes instead of cutting the vast and counterproductive military budgets that just create debt China uses to own our national budgets. And it was the Qaeda "working with Iraq" that created over a $TRILLION in debt, much greater than even the entire US debt to China ($860B).

        • vast and counterproductive military budgets

          Which is a pale shadow of the vast and actually not productive entitlement spending that truly is killing us. The $850 billion of new deficit spending that Obama scored this week is a great example.
          • The $850B isn't "new deficit spending", it's revenue reduction. Of course it contributes to the deficit by depriving us of revenue that could fund spending, but it's not spending.

            What do you mean by "entitlement spending"? Be specific.

            • I assume GP is talking about what are collectively known as "Pork-barrel projects" which are often attached to bills that have nothing to do with the project but are seen as "certain to pass". That's the first thing that comes to my mind when I hear "entitlement spending" at any rate.
              • "Pork barrel" projects does not mean "projects arbitrarily attached to other bills". Pork barrel [wikipedia.org] projects might be arbitrarily to the previous purpose of the bill or not. They are the projects included in a bill as required by congressmembers who will not vote for the bill without them included, whether they're arbitrary or not, designating money for that congressmember's interest whether or not the expense supports the previous purpose of it. Sometimes it's "a piece of the action" of the main purpose, some

            • Of course it contributes to the deficit by depriving us of revenue that could fund spending, but it's not spending.

              Not exactly. It isn't like the $850B disappears, it simply stays in the pockets of those people who would have been experience an actual tax INCREASE over current rates. It isn't even a cut, it is just maintaining the status quo from the last many years. If history tells us anything, it tells us that if you put (or keep) money in people's hands, they will spend it. So the money will still

              • You're arguing semantics. The new tax cut is repeating a tax cut that Bush got through Congress by using the Congressional technique of "reconciliation", where ordinary majority rules are suspended but the passed bill must expire in 10 years. It's a new tax cut, following an old tax cut.

                That old tax cut didn't put enough money into the economy, which instead was faked with an orgy of debt spending by almost everyone: Federal/state/local governments, corporations (especially banks, which went bust), somewher

            • by mcgrew ( 92797 ) *

              He's probably referring to what the teabaggers call "entitlement spending"; Social Security, Medicare, which the teabaggers conviniently forget are funded by special taxes paid by those entitled to the benefits, and which the teabaggers incorrectly call "Ponzi Schemes".

              • Well, I'm curious what they're talking about. They did refer to tax cuts as spending, so they could mean anything, no matter what the term actually means. So far, who knows?

            • The $850B isn't "new deficit spending", it's revenue reduction

              No. You're thinking of the continuation of the tax rates, which "reduces" revenue by $150B. It's the extension of more unemployment benefits for another long stretch that requires the borrowing of $850B in brand new, shiny Chinese debt. That's what Obama was holding out for on the tax deal. The left can whine all they want about holding tax rates where they were - but the killer, as always, is the colossal new entitlement hemorrhaging.
              • The UI benefits for the next 2 years are $56B. The extended reduced tax rates on over $250K income costs $150B. The extended reduced tax rates on the first $250K costs $300B.

                Which programs are "entitlement spending"? None of them. Entitlement programs [auburn.edu] include Social Security, Medicare, and Medicaid, most Veterans' Administration programs, federal employee and military retirement plans, unemployment compensation, food stamps, and agricultural price support programs.

                Social Security pays for itself (workers pa

              • by spitzak ( 4019 )

                The $150B is for the over 250K income tax.

                I was always told the under 250K income tax is $700B. So there is the $850B there, it is all tax cuts.

                The unemployment spending does not appear to be in your total but it is about 50B. The payroll tax cut is also not there and I have heard it is significantly larger expense.

      • Businesses, unlike geeks in moms' basement do things when there is an economic reason to do so, not just 'because we have to one day'.

        Theres really no major reason to run head first into the transition, we've been 'running out of addresses this year' for 15 years.

        I suspect we'll have flying cars before we stop using IPv4.

        Yes, its going to happen eventually, but no, the Internet won't cease to function next week because we ran out of addresses, regardless of how many times someone writes a newspaper or press

    • by Anonymous Coward

      No sparky. I understand where you are coming from, but I have a feeling this is more of a quick and dirty 'Git er dun' sort of roll out. You see, such a control --a centralized control-- over the Border Gateway Protocol, could give someone in an office, not a square office but more of a sort of ova^M^M^M roundy sort of office to be able to push a button --a big red button-- so that if they are annoyed by a web site owner --lets call this hypothetical owner Julian Wiki-- they can then say "Hey Mr. Wiki, we

    • by mysidia ( 191772 )

      You forgot Phase 6, the "realize it's actually never gonna happen, and admit defeat, or we need a mandatory flag day" phase.

    • by Raptoer ( 984438 )

      This is on a completely different level though. The only people that have anything to do with BGP are the ISPs themselves. BGP is only used to route from groups of routers to other groups, where a single organization owns the entire group, and they're sending to the group of another organization.

  • Is there no way on a local machine to maybe add to a host file a list of non allowed hops or something, where the packets have info as to where they can not be sent, and avoid. I am not sure as I am not very knowledge about networking, as much as I am programming, I would see this as trivial to add to a packet a flag that says it must stay within a hopping locality or sequence?

    • by Lennie ( 16154 )

      The problem is that their is a lot of routing information shared between routers. If we also need to keep the end-nodes up to date that would not scale. And what would be the use of that ? Because that end-node only has one connection/provider, so the upstream router could tag the traffic if you wanted to do something like that.

      The problem obviously is that if you add something, how do you know you can trust that information more then all the information we currently have.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      That's not how the routing on the internet works. You just specify the destination, and the source and just fire that packet away to your next-hop / gateway / router. And then the router, based on what's configured into it by the Humans, makes a decision.

      These configurations are semi-automatic, thanks to the BGP (border gateway protocol), but it's still the humans who tell the router what rules to accept from its BGP peers and what rules to send to them (and what to which). So it can be fine-grained pretty

    • Well, you can always launch a preemptive strike:

      phoenix@olympus:~$ sudo nano /etc/hosts

      127.0.0.1 *.cn

      • Well, you can always launch a preemptive strike:

        phoenix@olympus:~$ sudo nano /etc/hosts

        127.0.0.1 *.cn

        Great, so you can't see China. I think this is the networking endpoint equivalent of sticking your head in the sand.

    • by Anonymous Coward on Wednesday December 08, 2010 @01:43PM (#34490450)

      "Is there no way on a local machine to maybe add to a host file a list of non allowed hops or something, where the packets have info as to where they can not be sent, and avoid. I am not sure as I am not very knowledge about networking, as much as I am programming, I would see this as trivial to add to a packet a flag that says it must stay within a hopping locality or sequence?" - by hesaigo999ca (786966) on Wednesday December 08, @01:10PM (#34489968) Homepage

      Specifically on HOSTS files, since I often post about them here? HOSTS files usage won't work vs. BGP exploits!

      (Think of BGP as SORT OF like arp is, which you also need for routing).

      ISP's use BGP to make routes between one another, and this is not something YOU have any control over... once you get packets in (from who knows where under this type of attack), & send them out again? You have ZERO control now at that point vs. BGP.

      BGP READ:

      http://en.wikipedia.org/wiki/Border_Gateway_Protocol [wikipedia.org]

      That URL's where you can read up more on BGP...

      and

      ARP READ:

      http://en.wikipedia.org/wiki/Address_Resolution_Protocol [wikipedia.org]

      That URL's where you can read up more on ARP which is used between routers/gateways...

      Why did I put those links up for you?

      Well - You stated you're more of a programmer than a network engineer/tech, & I was much the same a decade + 1/2 ago is why...: I KNOW WHERE YOU ARE COMING FROM! Those will help...

      (I too was "mostly coder & hardware tech" ONLY, back then circa 1994-1996, until I started doing webservices based coding + client-server work, where you HAD to have @ least SOME understanding of "things networking", & picked up MOST of it on IRC back then)...

      Later though? Heh, it ended up getting me work as a network administrator many times even, just because I took some initiative to "grow myself" a BIT more, to be more "well-rounded/all-around" & more "liberal arts", albeit STRICTLY around computing (learn BOTH coding & networking - it's worth it!).

      APK

      P.S.=> This isn't a first, though I truly DO suspect China did it intentionally (because of the military information being sampled as mentioned in the source articles is why MOSTLY), but iirc, some ISP in Florida USA did it by accident & FLOORED THEMSELVES (sort of funny, but NOT for their customers though I imagine - especially those that depend on the net for their work/livelyhood, education, etc./et al (& even if only in part))... apk

  • This is really good, now we can verify announcements.

    More importantly, in the article it says the RIR's also finish their part so now we can start building filters which actually work ?

    • Re: (Score:3, Interesting)

      by mysidia ( 191772 )

      More importantly, in the article it says the RIR's also finish their part so now we can start building filters which actually work ?

      No, that's still a few years off.

      The problem with RPKI is it's all well and good, until you realize there has to be a central authority, and that central authority is vulnerable to influence by governmental and corporate entities.

      For example, federal agents sending patriot act security letters demanding to have the encryption keys, needed to forge resource assignments to

  • by Anonymous Coward

    I have to wonder if the motivation for this is coming from our own government. They have now taken down domain names since the DNS service can be controlled in the US, but routing is still pretty flexible, so you can still reach the website.

    Would this fix not also result in the ability to lock down routing and lock out the rightful owners of IP addresses?

  • How is this a fix again? How is security the issue here? It's not like someone snuck onto the internets and did something malicious, a provider with BGP peering agreements sent out bad routes that their peers didn't filter.

    The problem is not something that additionally encrypting/signing messages will fix, it's a problem of network operators blindly trusting routes from their providers and passing them along.

    The only fix here is for operators to properly filter routes from people they peer with. Period.

    • by Hatta ( 162192 )

      The problem is not something that additionally encrypting/signing messages will fix, it's a problem of network operators blindly trusting routes from their providers and passing them along.

      You're right, blind trust is the problem. Cryptographic signatures are how you verify that trust.

      • Re: (Score:3, Interesting)

        by ckdake ( 577698 )

        Accepting a bad route from a peer and accepting a cryptographically signed bad route from a peer are the same thing.

    • I don't think most operators could do a better job. Every ISP I've dealt with has been pretty anal about what routes they accept from me.

      This incident happened at the large ISP level and currently they don't have the information required to do better filtering. In this case China Telecom might legitimately be the shortest path for some of this traffic some of the time and there is no way to tell otherwise.

      The PKI signed advertisements will provide trust that I have ownership of the resources and would proba

  • The correct response to exploits that take control of the Internet is to change the Internet so that kind of exploit doesn't work.

    The Internet's global community is responding to threats like China's power over it much better than countries are responding to Chinese threats. Maybe because the Internet's developers don't directly depend on China buying their debt.

  • For some reason, on Safari Mac, the word "Fix" is missing on the tab, both for the Slashdot story and the linked story. The tooltip shows it, the window title shows it, but the tab doesn't. Hopefully a fix for this is forthcoming as well.
  • Here [networkworld.com].
  • From the article: "How quickly RPKI will be adopted is unknown." How arrogant is that? Wouldn't it be better to say "It is unknown if RPKI will be adopted or not."

    The beauty of the Internet is also its greatest weakness, a lack of centralized control. Who do they think runs the "Internet"? I'd like to apply for that job :)

  • by Anonymous Coward

    The irony is one day we finally plugged all the holes, fixed all the leaks, chalked up all the cracks, only to find "freedom" has moved to China.

  • by Anonymous Coward

    It is working as advertised and some people don't like the Internet working that way -- wayward, without an overlord. This "fix" is the overlord.

  • I just logged into oracles OTN site at 09:30 CET today, it was in english, then I went into their DBA link and got the chinese site. Now, im in europe using an english language OS and i went to oracle.com. Why would I get a chinese site, unless...(tin foil at the ready) THEY THOUGHT I WAS FROM CHINA!! and my traffic was going through a chinese router!!!

    Is this still happening silently? Was that 15 minute incident the only incident?

"Trust me. I know what I'm doing." -- Sledge Hammer

Working...