[LINK] China's Great Firewall spreads overseas

Kim Holburn kim at holburn.net
Sun Mar 28 10:43:39 AEDT 2010


Censorship can leak out of censored countries and affect people outside:

http://www.networkworld.com/news/2010/032510-chinas-great-firewall-spreads.html

> China's Great Firewall spreads overseas
> Bad DNS information affects users in Chile, US
> By Robert McMillan, IDG News Service
> March 25, 2010 04:31 PM ET
>
> A networking error has caused computers in Chile and the U.S. to  
> come under the control of the Great Firewall of China, redirecting  
> Facebook, Twitter, and YouTube users to Chinese servers.
>
> Security experts are not sure exactly how this happened, but it  
> appears that at least one ISP recently began fetching high-level  
> DNS (domain name server) information from what's known as a root DNS  
> server, based in China. That server, operated out of China by  
> Swedish service provider Netnod, returned DNS information intended  
> for Chinese users, effectively spreading China's network censorship  
> overseas. China tightly controls access to a number of Web sites,  
> using technology known colloquially as the Great Firewall of China.
>
> The issue was reported Wednesday by Mauricio Ereche, a DNS admin  
> with NIC Chile, who found that an unnamed local ISP reported that  
> DNS queries for sites such as Facebook.com, Twitter.com and  
> YouTube.com -- all of which have been blocked in China -- were being  
> redirected to bogus addresses.
>
> It is unclear how widespread the problem is. Ereche reported getting  
> the bogus information from three network access points in Chile, and  
> one in California, but on Thursday he said that the problem was no  
> longer popping up. "The traces show us that we're not hitting the  
> server in China," he wrote in a discussion group post.
>
> This issue occurred because, for some reason, at least one outside  
> ISP directed DNS requests to a root server based in China,  
> networking experts say. This is something that service providers  
> outside of China should not do because it allows China's censored  
> network to "leak" outside of the country.
>
> Researchers have long known that China has changed DNS routing  
> information to redirect users of censored services to government-run  
> servers instead of sites such as Facebook and Twitter. But this is  
> the first public disclosure that those routes have leaked outside  
> of China, according to Rodney Joffe, a senior technologist with DNS  
> services company Neustar. "All of a sudden, the consequences are  
> that people outside China may be subverted or redirected to servers  
> inside China," he said.
>
> By using a China-based root server, ISPs are essentially giving  
> China a way to control all of their users' traffic over the network.  
> That could mean big security problems for people whose network  
> accepted the leaked routes, Joffe said.
>
> The ISP that used the bad routes probably misconfigured its BGP  
> (Border Gateway Protocol) system, used to route information on the  
> Internet, according to Danny McPherson, chief security officer with  
> Arbor Networks. "I don't think it was done intentionally," he  
> said. "This is an example of how easy it is for this information to  
> be contaminated or corrupted or leaked out beyond the boundaries of  
> what it was supposed to be."
>
> In February 2008, BGP information from Pakistan -- which had just  
> blocked YouTube -- was shared internationally, effectively knocking  
> Google's video site offline for millions of users.
>

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request











