[LINK] China's Great Firewall spreads overseas

Martin Barry marty at supine.com
Mon Mar 29 23:14:58 AEDT 2010


$quoted_author = "Kim Holburn" ;
> 
> Censorship can leak out of censored countries and affect people outside:
> 
> http://www.networkworld.com/news/2010/032510-chinas-great-firewall-spreads.html
> 
> > Security experts are not sure exactly how this happened, but it  

Actually, they have a pretty good theory. The Internet connectivity used by
the cluster was being tampered with by Chinese authorities.


> > server, based in China. That server, operated out of China by  
> > Swedish service provider Netnod, returned DNS information intended  
> > for Chinese users, effectively spreading China's network censorship  
> > overseas.

This is not correct. The cluster itself did not do anything wrong or
different. There appears to have been a man-in-the-middle attack, with
spurious responses being sent in addition to the actual response from the
cluster.


> > Researchers have long known that China has changed DNS routing  
> > information to redirect users of censored services to government-run  
> > servers instead of sites such as Facebook and Twitter. But this is  
> > the first public disclosure that those routes have leaked outside  
> > of China, according to Rodney Joffe, a senior technologist with DNS  
> > services company Neustar. "All of a sudden, the consequences are  
> > that people outside China may be subverted or redirected to servers  
> > inside China," he said.

These are the limitations of BGP.

There is only so much you can do to stop routes leaking beyond the intended
scope. You are reliant on third parties doing the right thing.


> > The ISP that used the bad routes probably misconfigured its BGP  
> > (Border Gateway Protocol) system, used to route information on the  
> > Internet, according to Danny McPherson, chief security officer with  
> > Arbor Networks. "I don't think it was done intentionally," he  
> > said. "This is an example of how easy it is for this information to  
> > be contaminated or corrupted or leaked out beyond the boundaries of  
> > what it was supposed to be."

Actually, the issue was likely to be closer to the source. Anycast DNS
clusters that are supposed to be limited in scope usually advertise their
routes with "no export". If a neighbour ignores that, it's unlikely there is
much a remote ISP can do to prevent that causing harm.

cheers
Marty
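
The symptom described in the message above, a spurious response arriving in addition to the real one, can be looked for on the resolver side. This is an added example, not part of the original post: it flags queries that received more than one reply with differing answers, and the record layout, function name and sample data are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Reply(NamedTuple):
    t_ms: float         # arrival time relative to the query being sent
    src_port: int       # resolver's source port for the query
    txid: int           # DNS transaction ID
    qname: str
    answers: frozenset  # A-record addresses from the answer section

def find_conflicting_replies(replies):
    """Group replies by the query they answer and report every query that
    received more than one reply with a different answer set."""
    by_query = defaultdict(list)
    for r in replies:
        by_query[(r.src_port, r.txid, r.qname.lower().rstrip("."))].append(r)

    findings = []
    for (port, txid, qname), group in by_query.items():
        group.sort(key=lambda r: r.t_ms)
        if len({r.answers for r in group}) > 1:
            findings.append({
                "qname": qname,
                "txid": txid,
                # A resolver takes the first reply that matches the query,
                # so the earliest arrival is the one that gets used.
                "accepted": sorted(group[0].answers),
                "later": [sorted(r.answers) for r in group[1:]],
                "gap_ms": round(group[-1].t_ms - group[0].t_ms, 1),
            })
    return findings

# Constructed sample capture (RFC 5737 documentation addresses).
SAMPLE = [
    Reply(12.0, 40001, 0x1A2B, "blocked.example.", frozenset({"203.0.113.7"})),
    Reply(95.0, 40001, 0x1A2B, "blocked.example.", frozenset({"192.0.2.10"})),
    Reply(90.0, 40002, 0x3C4D, "other.example.", frozenset({"198.51.100.5"})),
    # Benign duplicate: the same answer twice must not be flagged.
    Reply(91.0, 40003, 0x5E6F, "dup.example.", frozenset({"198.51.100.9"})),
    Reply(93.0, 40003, 0x5E6F, "dup.example.", frozenset({"198.51.100.9"})),
]

if __name__ == "__main__":
    for finding in find_conflicting_replies(SAMPLE):
        print(finding)
```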


