For 18 Minutes, 15% of the Internet Routed Through China
olsmeister writes "For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs." The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.
Nobody Noticed ... Except Everyone (Even Slashdot) (Score:5, Informative)
The crazy thing is that this happened months ago, and nobody noticed.
Odd, Slashdot reported the day afterward: Chinese ISP Hijacks the Internet (Again) [slashdot.org].
Re:Nobody Noticed ... Except Everyone (Even Slashd (Score:5, Informative)
That summary and article didn't report the .mil or .gov traffic.
I guess we just assumed it was only youtube videos or pokes on facebook.
Re:Nobody Noticed ... Except Everyone (Even Slashd (Score:5, Informative)
They hijacked prefixes, not data. At least not directly. If you sent a packet during that time, it may have been routed to China. I doubt they stood up a big infrastructure to close TCP sessions with all of that incoming traffic and actually capture anything. Perhaps for a very targeted attack they could have, but then there'd be better ways than this to do it, I imagine.
Re: (Score:2)
Re: (Score:2)
They did not become a transit network where all of this information was just flowing through waiting to be logged.
They falsely announced that they owned certain prefixes and asked the Internet (web of trust) to forward packets with those destinations to their network.
In order for them to capture an email you sent during that time, they'd have to maintain a TCP connection with you and a fake email server that matches the destination IP address you were using. For a website, they'd likely capture the initial
Re:Nobody Noticed ... Except Everyone (Even Slashd (Score:5, Informative)
Sorry to be AC.
as an IP engineer at a major backbone provider, I can safely comment on the hyperbole of this incident.
China Telecom -4134- would have to either send very/more specific routes and get max prefixes blown out, or send very general routes and lose to smaller routes.
yes, for a little while any "tier 1" player, or major government player, can convince another provider to send routes to an inappropriate AS, the game soon ends. anyone who isn't running at the very least a max prefix is a cluetard and needs their peering revoked anyway. From my 20%, 4134 is always a hair's breadth away from getting a smackdown.
tldr; they can't really steal the whole internet, but we need to watch out for smaller route hijacking.
Re: (Score:2)
UDP traffic would keep flowing to China so long as they advertised prefixes, but they're not really going to get any good intel out of that. Maybe some VoIP packets if they're lucky, but those are likely to end after about 20 seconds when the participants hang up because they can't hear each other (all packets are going to China, not to each other).
Anyone sending TCP traffic is going to stop as soon as they don't get an acknowledgment. Or never start if they can't complete a handshake. So not much is going
Re: (Score:2)
That summary and article didn't report the .mil or .gov traffic.
Big friggin deal. Any traffic captured from those TLDs would be external traffic. So now China knows that Private Bloggins is jarhead59@gmail.com, and his girlfriend just dumped him. Quick, everybody panic!
Re:Nobody Noticed ... Except Everyone (Even Slashd (Score:5, Funny)
It's an API that lets you randomly write to memory addresses on their servers.
Re: (Score:2)
With half the calories burned.
Re:Nobody Noticed ... Except Everyone (Even Slashd (Score:4, Insightful)
Re: (Score:2)
What's the purpose of FarmVille?
It's the fastest way to ensure that all your private data isn't private anymore. Why you would have private data on Facebook is beyond me, but playing the games (i.e. allowing them access to your data) is the fastest way to ensure that privacy is no longer a concern.
Re: (Score:2)
computer maintained relationships
What's wrong with that? I don't see how computer-based communication is inherently less personal than letters or phone calls. Perhaps you're more comfortable with the latter methods, but that's a personal preference.
Re: (Score:2)
lolwut?
If you have a better way to keep in touch with friends who live on the other side of the planet, I'm all ears.
Re: (Score:2)
Very odd. Posted as an AC, extolling the virtue of rekindling long dead relationships via automated computer tasks.
Telling.
Re:Stop the trolling (Score:5, Informative)
Since when has a low UID meant anything? Or, indeed, positive karma?
They're trolling, pure and simple. And quite well given you took the bait!
Re:Nobody Noticed ... Except Everyone (Even Slashd (Score:5, Funny)
You think the /. editors RTFA?
Re: (Score:3, Funny)
Isn't that why they have the whole meta-moderate in the firehose thing?
Re: (Score:2)
It's hard enough for Slashdot to keep up with the news, now you want them to keep up with what they keep up with? :P
Re: (Score:2)
In China the headline was: China Triumphs (Again) Imperial Denial of Services Attack Thwarted after only 18 Minutes of Disruption.
I would link to the article, but it's all in Chinese.
I knew something was weird (Score:5, Funny)
All my emails started showing up with fortunes and free eggrolls.
Re: (Score:3, Funny)
All my emails started showing up with fortunes and free eggrolls.
And ended with "in bed."
Re:I knew something was weird (Score:5, Funny)
An hour later.....
I wanted to read them again.
This points to obvious fact (Score:2)
...that one internet isn't really enough.
Re:This points to obvious fact (Score:5, Interesting)
Or it is.
It is just that the USA has forgotten the Internet basics. It has also forgotten major past incidents like that case from 10 years back when one small ISP in Florida directed most of the Internet traffic through itself and fell over.
USA internet has very little redundancy. Most of the peering is private, in very few locations and the routes announced by ISPs to each other are not filtered based on declared ISP announcement policy. As the few remaining ISPs are so big the announcement lists have grown to a size where filtering them poses a technical difficulty. In addition to that because the ISPs are big they trust each other's change control that routes for blocks which are "somebody else's will not be announced". Bad Idea (TM). And that is why this was possible in the first place.
Compared to that in Europe most of the peering is public and nearly all ISPs heavily filter the route announcements coming from other peers. A Chinese ISP which would announce blocks it does not own would simply be ignored. It is of course possible for the ISP in question to add the policy to its official export list, post it to RIPE, get it propagated to other ISPs and then announce the routes, but that will take time and will have a big chance to be noticed. It will also be clear that there is "no mistake" there so the ISP in question will really get kicked off the internet for this one.
Re: (Score:2)
It's also possible that someone in China also doesn't understand Internet basics, and figured if he/she said "route everything here" it would stop propagating that at the border, because
The end of that line is almost certainly "because all his other peers have always been smart enough to filter incoming routes like 0/0 and now he's met his match, a guy that doesn't filter his incoming routes" Then Kaboom.
Speaking as a guy who did customer facing BGP in the USA for a couple years, a couple years ago, and yes we did have incoming filters, and yes I saw some pretty sad stuff sent to us and filtered out. I always wondered what would happen to those guys when I left, or when they got account
Re: (Score:2)
"Dark fiber". VPN tunnels. Modems. There are still a lot of ways data gets from point A to B without going through the normal routing rules, so near as I can tell, we already have more than one internet.
I remember that day (Score:3, Funny)
I had just finished torrenting a 10gig 1080p mkv and 18 minutes later I was hungry for more downloads.
As designed (Score:5, Insightful)
Isn't that what the Internet was designed to do; route as need to get bits to their destination?
Re: (Score:3, Interesting)
Yes. It worked as designed. That is the crazy thing.
Re:As designed (Score:4, Funny)
Re: (Score:2, Informative)
Well, it depends. The protocol is made to be elastic, and therefore sensitive to network topography changes. Lines might become congested or go down, which means the shortest path might indeed be through a rather round-about course. Routing all this data to China would be quite an extreme example, though. Either a lot of failure would have to occur at the same time, or they would have to broadcast false numbers to give themselves a better routing metric.
Imagine how china feels (Score:5, Insightful)
when that 18mins is over and all their stuff goes through American servers
Re: (Score:3, Insightful)
The Chinese aren't the reason to use encryption (Score:5, Insightful)
There are plenty of reasons to use encryption but the Chinese government just isn't one of them for me. If I view something they don't like, what exactly are they going to do? I suppose they could block my access but it's not like I would get thrown in a Chinese prison.
I have a lot more to worry about from identity thieves, scams and heck, my own government.
Re: (Score:3, Insightful)
Re:The Chinese aren't the reason to use encryption (Score:5, Insightful)
Depends. Sending any igs files of that new project to anybody?
How about that source code.
I fear we are getting way too comfortable with email for my taste.
Re: (Score:2)
Re: (Score:3, Insightful)
If you're sending any type of sensitive data without PGP or other good encryption, you're a fool.
Protect your own data, any idiot at the ISP can read your E-mails -- not just China.
Re: (Score:2)
I do know that. But all the same I have gotten IGS files from contractors in email. I have tried to inform people that email is as secure as a postcard but no one listens. We have even had people send credit card info to us in email.
We have a policy to contact them when they do and suggest they cancel that card. I wonder how many do.
Re:The Chinese aren't the reason to use encryption (Score:5, Insightful)
Yeah, seriously. I'm a lot more concerned about what the US government and the molestation department at TSA might do than I am about the Chinese government.
This story is interesting from a tech perspective, but the commentary at the end is BS on a site from a country with ever decreasing privacy standards.
Re: (Score:3, Insightful)
it is true that the usa has decreasing privacy standards
it is also true that china's privacy standards are orders of magnitude below the usa's standards, firmly entrenched in the toilet
so i don't understand a point of view that is more concerned with flawed standards, but much better standards, than they are with a country that is an actual, no-apologies firmly authoritarian "i tell you who your master is and what you can and cannot think" regime
it makes me wonder at your critical thinking skills
when you ca
Re: (Score:2)
it makes me wonder at your critical thinking skills
You might wonder at his critical thinking skills, while I wonder at your listening skills. The idea that one should be more concerned about the privacy policies of one's own government than of the Chinese is a perfectly valid viewpoint. Perhaps he's more concerned about the policies of the US because
a) They actually impact him personally
b) They are something he can actually do something about
Re: (Score:2)
so i don't understand a point of view that is more concerned with flawed standards, but much better standards, than they are with a country that is an actual, no-apologies firmly authoritarian "i tell you who your master is and what you can and cannot think" regime
Because as US citizens we do have a say about what our country does, but there is practically nothing we can do to affect China's policies.
My country, right or wrong.
If right to be kept right.
If wrong to be set right.
Re: (Score:2)
The other replies have it right. I travel to the US on a semi-regular basis. The Department of Molestation (sorry, TSA) and the increasingly paranoia-driven policies of the US government impact me. China does not.
The US is also full of hypocritical politicians who get up on the world stage and talk about "freedom" this and that, while letting their own country slide into the toilet on that very thing. This nonsense has to be stood up to. China doesn't spend as much time being holier-than-thou.
Finally, Slashdot
The Invasion of the Chineeese Terror! (Score:4, Insightful)
Chineeese! It's ALIVE! It's coming for YOU and your family! Hide in your bomb shelters! Wrap wet towels on your heads! Cover your bedrooms in tin foils. The Chineeese Terror is coming!!!
Seriously, what is wrong with you Americans? Can't you and your government live through life without manufacturing an enemy to hate? What is it in your national psyche that requires an opponent? Is it because you actually bought into your own "we're the Good Guys(TM)" propaganda that the only way to validate this absurd world view is to manufacture "bad guys". My theory is that you are so hung up on WWII, the last "good war" that you fought in, that you and your leaders are subconsciously trying to recreate it so that you can feel good about yourselves again. Hence, the Axis of evil, war on terror, and now a more traditional enemy, the Red Peril. Get over it.
Re: (Score:2)
Well, I'm Canadian. And I think the commentary at the end is retarded. So I agree with your rant. :)
The story is actually interesting on a technical level. Stuff happened, and a lot of traffic got rerouted to China. Without the commentary nonsense it'd be a fine article.
Is .cn special? (Score:2)
Hope you're encrypting your super secret stuff.
I always encrypt sensitive data no matter if it routes through China, Sweden, the USA or any other country that may tap it.
Re: (Score:2)
That's best, among other things, but particularly given how the US government already has a track record of wholesale tapping of internet communications.
Re: (Score:2)
That's best, among other things, but particularly given how the US government already has a track record of wholesale tapping of internet communications.
And China's doesn't? I mean ... really?
Re: (Score:3, Insightful)
If you only encrypt sensitive data it attaches a huge neon light to it.
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
you know i just had that conversation with my general manager.
except it was about shredding documents - they couldn't imagine someone going through a bag of strip shredded paper trying to find something.
my comment was - it takes effort and a reason.. important info that shouldn't be public is a good reason.. and if you only shred important things it makes the effort all that much easier..
needless to say we will be investing in a large capacity cross cut shredder - with hopes to put all our outgoing paper th
Re: (Score:2)
in outgoing i meant trashed.. while we do mail things.. we don't from this location.
Invalid Certificates (Score:4, Informative)
From National Defense Magazine: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249#
"If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better," he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it's web traffic, emails or instant messaging, Alperovitch said. "It is a flaw in the way the Internet operates," said Yoris Evers, director of worldwide public relations at McAfee.
What makes this really annoying is that a lot of .mil sites use self-signed certificates. When doing mil-2-mil browsing, you just get used to clicking whatever to get into the site. So, I can easily see how China could do a MITM without alarming any of the end users.
Re: (Score:2)
you know - i knew a lot of mil sites used self signed but i ASSUMED it was a government CA they were using.. not just server self signed..
If i was the US government i would fix that.. make a US Government CA.. force all government sites to use it.. and to make sure that all computers belonging to me do not accept the China CA..
Re: (Score:2)
There was a funny thing in Brazil. Our government did go through that route, created a government CA, ordered governmental sites to use it, but didn't do the small step of offering the certificates free of charge. That way, governmental entities must do a full selection process (a 6 month process, with luck) to get a certificate that is valid for a year. Guess what, most government sites in Brazil use a self signed cert.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
In most cases, Slashdot posts are moderated by ignorant kids who harbor unsubstantiated biases, and consider "informative" any position that confirms what they already believe.
Facts will rarely get in the way of beliefs.
Re: (Score:2)
Who is modding this informative? No mil sites use self signed certs. Please get your facts straight.
From verifying a particular public-facing military website I have cause to frequent:
Re: (Score:3, Informative)
No, it's not verisign. And of course they aren't self-signed, that's retarded. The US military has the largest PKI deployment in the world, they know a thing or two about certs. The DOD has their own root certificates which don't ship by default with commercial browsers, since they aren't relevant f
Re: (Score:2)
There goes the neighborhood... (Score:5, Interesting)
On April 8, according to Web security specialists, a small Chinese Internet service provider published a set of instructions under the Border Gateway Protocol, that directed Web traffic from about 37,000 networks to route itself via computer servers in China.
The list was republished by China Telecom and briefly propagated itself across the global Web, which works on a trust system, with each server updating its routing instructions based on data provided by others in the network.
What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol? [cisco.com]
Maybe someone needs to take a closer look at this 'trust system.'
Re:There goes the neighborhood... (Score:4, Informative)
with BGP if I advertise myself as a route to a subnet others around me will try to send me that traffic IF they trust me.
now with a small company like mine.. my telco doesn't accept any routes other than my own subnets so instead i would just black hole myself.
now take a large telco or backbone provider .. say Level 3.. if they started advertising a route to my subnets then everyone who is closer to them than me (basically everyone) will send L3 the traffic..
this type of attack/whatever you want to call it - only works if you are a big enough player for your neighbors to believe what you are advertising.
with my L3 example.. not every telco (or any really) would review that route change.. as for all they know i got a leased line from L3 or set up a peering agreement..
the cardinal sin of BGP is to advertise a route that isn't yours. but that is all it is.. an advertisement.
Re: (Score:3, Insightful)
What the hell is a 'trust system' anyway? Is that part of the Border Gateway Protocol? [cisco.com]
Maybe someone needs to take a closer look at this 'trust system.'
This is a classic example of the guy who doesn't know wtf he's talking about being the only one asking the questions that actually need to be asked.
Re: (Score:2)
No, the people that do know what they are talking about have been asking each other that question for a while. The problem is that there's no practical answer right now.
and on the other side of the world... (Score:5, Insightful)
Always do (Score:2)
Hope you're encrypting your super secret stuff.
considering where it usually gets routed through.
IPSec time? (Score:2)
Wasn't IPSec supposed to protect against stuff like this, so even if someone was able to route internal traffic through a hostile source, all that could be done would be traffic analysis (finding which machines put more packets on the wire than others)?
Re: (Score:2)
Works when your session is already established before the man gets in the middle.
Gives you a false sense of security otherwise.
So? 100% of US traffic goes through NSA "closets" (Score:5, Interesting)
And for documentation about the NSA closets (Score:5, Informative)
I don't think the authors understand cryptography (Score:3, Insightful)
There are two problems here:
1) Can China redirect traffic through its network by advertising that it has the lowest cost routing path? (Apparently, yes.) This is a wormhole attack, and is well documented in research literature.
2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.
If you are sending data over the net, and want to protect it, be sure that it is encrypted. If you don't care, be aware that anyone might be able to monitor it, even governments of other countries. If you don't trust the Chinese root CA to certify the identity of servers that you go to, don't accept their CA's certificate as an authority for that purpose.
Re: (Score:2)
If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data.
If they used a Man-In-The-Middle attack during the routing change, creating signed certificates using a top-level CA, they won't even need to decrypt anything. In addition, having the cypher text means that they can spend a few months or years using brute-force to decrypt it (or less, now that they have the fastest supercomputer in the world). Once they do, they'll have the keys for those sessions. Using that, they may even be able to derive the server's private key.
At the very least, they have a copy of th
Re: (Score:2)
Breaking modern encryption algorithms using current techniques would take somewhere around the lifetime of the universe. The number of computations required to break a well designed algorithm increase exponentially with the key length. You should always use an algorithm and key length that can be expected to protect your data for longer than the data will remain valuable.
As I indicated in my explanation below, being able to create a certificate does not mean that they can trick you into trusting their sit
Re:I don't think the authors understand cryptograp (Score:5, Insightful)
2) Can China record or alter any traffic that passes through its network? If the data is sufficiently well encrypted, it can not read that data, although it can record the cyphertext. The fact that China can issue a certificate does not mean that it can read *your* data. It only means that encrypted data sent to Chinese servers can be read by the holder(s) of the encryption keys used by those servers.
I don't think you understand MITM attacks.
Take a moment to look at the list of trusted root certificate authorities in your web browser right now.
FF Preferences > Advanced > Encryption > View Certificates
Notice the Chinese ones? The Chinese government can compel any of those root CAs to produce a certificate for any domain they choose. For example, let's say CNNIC [slashdot.org] creates rogue certs for Google.com.
1) You request a secure page "https://mail.google.com"
2) MITM intercepts the request and makes their own connection to mail.google.com using the real cert.
3) MITM uses the fake cert to encrypt its connection to you, and pass you the mail.google.com data.
4) Firefox validates the cert chain and gives you a big "look it's secure" bar, and you just got pwned.
The real problem is with the retarded cert system. Any CA can create certs for any domain without the domain's permission; If the CA is trusted your browser won't complain at all.
This is why it's important to view the certs that you are using (in Firefox, click or hover over the "secure" bar).
Note: If you had a cookie that kept you signed in to gmail, it's too late to check the cert after the MITM is logged into your account.
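The trust decision the post above walks through, plus the two defences mentioned in this thread (checking which cert you actually got, and not accepting a root CA you do not trust), as an added example that is not from the poster or from any browser's code. Certificates are reduced to subject, issuer and a constructed key fingerprint, and signature checking is reduced to issuer-name linkage, which is enough to show the trust logic; the CA names are constructed stand-ins.

```python
"""Why a rogue-but-properly-chained certificate passes browser validation,
and how a per-hostname pin or a trimmed trust store rejects it.
All certificates and fingerprints below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_fingerprint: str  # constructed stand-in for a SHA-256 SPKI hash

    @property
    def is_self_signed(self):
        return self.subject == self.issuer


def validate_chain(chain, trusted_roots):
    """Browser-style check: leaf -> intermediates -> a self-signed root whose
    key is in the trust store.  Any trusted root will do; nothing here ties
    the hostname to a particular CA, which is exactly the weakness."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.is_self_signed and root.key_fingerprint in trusted_roots


def decide(hostname, chain, trusted_roots, pins):
    """Return 'ok', 'name-mismatch', 'untrusted-chain' or 'pin-mismatch'.
    pins maps hostname -> set of fingerprints, at least one of which must
    appear somewhere in the presented chain."""
    if not chain or chain[0].subject != hostname:
        return "name-mismatch"
    if not validate_chain(chain, trusted_roots):
        return "untrusted-chain"
    expected = pins.get(hostname)
    if expected and not any(c.key_fingerprint in expected for c in chain):
        return "pin-mismatch"
    return "ok"


# Constructed trust store with two roots, one of which is the CNNIC-like
# root the post refers to.
TRUSTED_ROOTS = {"fp:thawte-root", "fp:cnnic-root"}

# Genuine chain for mail.google.com (constructed) ...
GENUINE_CHAIN = [
    Cert("mail.google.com", "Thawte SGC CA", "fp:google-key"),
    Cert("Thawte SGC CA", "Thawte Root", "fp:thawte-sgc"),
    Cert("Thawte Root", "Thawte Root", "fp:thawte-root"),
]
# ... and a rogue chain for the same name, issued under the other root.
ROGUE_CHAIN = [
    Cert("mail.google.com", "CNNIC SSL CA", "fp:mitm-key"),
    Cert("CNNIC SSL CA", "CNNIC Root", "fp:cnnic-sub"),
    Cert("CNNIC Root", "CNNIC Root", "fp:cnnic-root"),
]
# What the user has previously seen for this host (leaf key or its root).
PINS = {"mail.google.com": {"fp:google-key", "fp:thawte-root"}}


def demo():
    """Return the four outcomes the post describes, in order: genuine chain,
    rogue chain with plain validation, rogue chain with a pin, rogue chain
    after the CNNIC-like root is removed from the trust store."""
    return (
        decide("mail.google.com", GENUINE_CHAIN, TRUSTED_ROOTS, {}),
        decide("mail.google.com", ROGUE_CHAIN, TRUSTED_ROOTS, {}),
        decide("mail.google.com", ROGUE_CHAIN, TRUSTED_ROOTS, PINS),
        decide("mail.google.com", ROGUE_CHAIN, TRUSTED_ROOTS - {"fp:cnnic-root"}, {}),
    )


if __name__ == "__main__":
    for label, outcome in zip(("genuine", "rogue, no pin", "rogue, pinned",
                               "rogue, root removed"), demo()):
        print(f"{label}: {outcome}")
```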
Re: (Score:3, Insightful)
Please excuse the reply to myself, but I'd like to point out that I'm not trying to single out China here, the above statements apply to the USA, UK, Canada, or any government that a trusted Root CA company resides within.
Eg: The US Government could compel (and also gag-order) Thawte into creating fake certs for Google.com (or any other domain), and in Google's case, you wouldn't even find out you've been pwned by checking the cert...
Honestly, HTTPS / SSL is The Ultimate Theater of Security.
Re: (Score:2)
Certificates aren't used to encrypt anything. The certificate contains a set of assertions about the subject of the certificate, signed by the certificate issuer. One of those assertions is typically the subject's public key. All the certificate is claiming is that a certain public key is associated with a certain identity, where that identity is claimed by the certification chain starting at some root (in this case, the Chinese CA). If you trust a certain root CA, then you also must trust any assertion
Re: (Score:2)
Secrets? What secrets? (Score:2)
Re: (Score:2)
and corporate people.
Hah, just today my significant other responded to an email from someone lower down the ladder that read something like "if you don't want me to publish information X on the grounds that it was confidential, then why did you send it to me to be published?"
No, I wouldn't put all my money on the corporate world being able to keep secrets.
this is why I go with the station wagon (Score:3, Informative)
Does it really matter? (Score:2)
Does it really matter [cnn.com]?
Warhol was almost right... (Score:2)
In China, only 15% of everyone is famous for 18 minutes.
Protocols used on the 'net are horribly outdated (Score:2)
They were designed years ago, for an environment where it was actually somewhat sensible for everyone to trust everyone else. Major routing screwups like this, DNS cache poisoning exploits, the type of attack demonstrated by FireSheep, and even plain ol' spam are all possible largely because the underlying protocols are not secure.
Re:Protocols used on the 'net are horribly outdate (Score:4, Insightful)
You cannot have the centralized control you need to block out abuse without also having that centralized control in the hands of censorship happy powers.
Freedom of expression implies freedom to be an ass.
Re: (Score:2)
I thought "Freedom of expression" implies your own breast milk costs you $0.
Re: (Score:2)
You are missing a point (Score:2)
Simple to detect. (Score:2)
If you want to know if China is hijacking your data just look for the bits that are shifted left.
Ah ha! I found you, Comrade Ping!
Re: (Score:2)
Argh! No mod points. +5 Epic fun
Whereas traffic going through the US is not scary? (Score:2)
This story is rooted in ridiculous xenophobia.
You have more to fear from your wi-fi or cable snooping neighbor than from China.
Security must be end-to-end. There is no such thing as a trusted ISP or country.
Re: (Score:2)
Re: (Score:2)
Security must be end-to-end.
And how can that be achieved? At some point you have to trust your Browser, OS or hardware vendor / manufacturer.
There is no such thing as a trusted ISP or country.
Tell that to all the "Trusted Root CAs" installed in your browser. Who did you trust to put them there? The governments that those CAs reside in can coerce them into creating fake certs; This requires an implied trust in the country those CAs reside in.
IMO, "end to end" security is not used at all during a HTTPS connection, it's inherently a 3 party process: You, Them, The CA. Encrypted data m
Chinese spam (Score:2)
It would explain the increase in Chinese spam that I see since April 18th ;)
% loss? (Score:2)
This happened for 18 minutes? (Score:3, Funny)
But I thought Richard Nixon and Rosemary Woods were both dead...
So what? Most stuff is encrypted, and ... (Score:2)
As for my own stuff - they're welcome to see that I've ordered such-and-such a book, or that Cousin Thomas's measles are clearing up. Face it folks - most people's lives aren't that interesting. Except to themselves.
Encrypt everything, always! (Score:2)
It doesn't matter if the traffic was hijacked by China or the NSA. All traffic should be encrypted by default!