China censors facebook twitter & youtube web traffic world wide using US government DNS
China censors facebook twitter & youtube web traffic world wide using US government DNS http://bit.ly/dkp1Kd There has been some discussion on the GA concerning this. I'm surprised I have yet to see anything here on it. It's time Rod Beckstrom speak to these issues and soon. regards joe baptista
* Joe Baptista wrote:
China censors facebook twitter & youtube web traffic world wide using US government DNS http://bit.ly/dkp1Kd
We had this discussion in the Technical Issues WG. The background is quite different. Your action is at best misleading.
2010/3/31 Lutz Donnerhacke <lutz@iks-jena.de>
* Joe Baptista wrote:
China censors facebook twitter & youtube web traffic world wide using US government DNS http://bit.ly/dkp1Kd
We had this discussion in the Technical Issues WG. The background is quite different.
Fine - provide a link - I'll look at it.
Your action is at best misleading.
why? what exactly was misleading in my letter? The point of my letter is very clear. What happened? Who was affected? And what are the security repercussions to users world wide. So far ICANN has remained silent. cheers joe baptista
* Joe Baptista wrote:
The point of my letter is very clear. What happened? Who was affected? And what are the security repercussions to users world wide. So far ICANN has remained silent.
The problem is discussed in detail on dns-operators: https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/thread.html#5...
To summarize:
a) A network (connected to the Internet) installed a blocking technology by intercepting DNS queries. The technical method used is local route injection.
b) Due to an operational error, the injected route leaked to the Internet and caused to redirect parts of the Internet world to participate in the blocking project.
Let's focus on ICANN's part and PLEASE move to technical-issues-WG. -> technical-issues@atlarge-lists.icann.org
My understanding is, that a) is not within ICANN's remit because it's internal to the participating autonomous systems. Autonomous systems occur as plain points (without any internal structure) in the visible Internet.
OTOH b) is a well known problem. Hijacking foreign IP space is unfortunately common and causes heavy headache by all involved operators. The SIDR-WG at IETF is working on a solution to prevent the negative impact of such operational errors. Hijacking of foreign resources is clearly a topic on ICANN's agenda. So please come to the technical-issues-WG.
BTW: I'm biased on SIDR: My personal impression is, that their solution is much too complex and hardly handled by current routers. So I put my own proposal into this group (which was immediately ignored).
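Added example, not part of the thread and not any participant's code: a resolver-side check for the symptom Lutz's summary describes, replies to root-server queries that were produced by an interceptor on the path. It relies on the fact that a root server answers a query for a name below a delegated TLD with a referral (empty answer section, NS records in the authority section); the sample messages, the 203.0.113.5 address and the `ROOT_SERVED` exception list are constructed assumptions.

```python
import struct

# Zones a root server answers for itself (assumption made for this sketch);
# every other name below a TLD should come back from a root as a referral.
ROOT_SERVED = ("root-servers.net.", "arpa.")

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a DNS name at off; returns (name, offset after the name)."""
    labels, after, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            after = off + 2 if after is None else after
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif length == 0:
            off += 1
            break
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    return ".".join(labels).lower() + ".", (off if after is None else after)

def build_response(qname, answer_ips=(), referral_ns=()):
    """Build a constructed sample response (test data, not captured traffic)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1,
                      len(answer_ips), len(referral_ns), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # question: A, IN
    for ip in answer_ips:                                  # A records in the answer section
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(part) for part in ip.split("."))
    tld = qname.rstrip(".").split(".")[-1]
    for ns in referral_ns:                                 # NS records for the TLD
        rdata = encode_name(ns)
        msg += encode_name(tld) + struct.pack("!HHIH", 2, 1, 172800, len(rdata)) + rdata
    return msg

def answer_addresses(msg):
    """Return the IPv4 addresses carried in the answer section."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    _, off = read_name(msg, 12)
    off += 4                                               # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return found

def classify_root_response(msg):
    """Classify a message received in reply to a query sent to a root server."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or qd != 1:
        return "not-a-response"
    qname, _ = read_name(msg, 12)
    root_served = any(qname == z or qname.endswith("." + z) for z in ROOT_SERVED)
    below_tld = qname.count(".") >= 2 and not root_served
    if below_tld and an > 0:
        return "suspect-answer"      # a root would have referred us to the TLD
    if below_tld and ns > 0:
        return "referral"
    return "other"
```

A "suspect-answer" result says only that the reply did not come from an unmodified root server; it does not say who rewrote it or why.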
2010/3/31 Lutz Donnerhacke <lutz@iks-jena.de>
* Joe Baptista wrote:
The point of my letter is very clear. What happened? Who was affected? And what are the security repercussions to users world wide. So far ICANN has remained silent.
I should have specified the questions I'm asking are to ICANN. And the answers I want can only come from ICANN. That's why I find the silence from ICANN unacceptable .. I will address this further below.
The problem is discussed in detail on dns-operators:
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/thread.html#5...
To summarize: a) A network (connected to the Internet) installed a blocking technology by intercepting DNS queries. The technical method used is local route injection. b) Due to an operational error, the injected route leaked to the Internet and caused to redirect parts of the Internet world to participate in the blocking project.
OK so basically my letter to the president concerning the event is correct when I speculate the problem originated from a faulty gateway. But from what I can see of the conversations we don't have any official statement from ICANN to confirm or deny your conclusions or mine. This is all guess work and we need less guessing and more facts. That's why I keep asking ICANN to make a statement that is long overdue.
Let's focus on ICANN's part and PLEASE move to technical-issues-WG. -> technical-issues@atlarge-lists.icann.org
My understanding is, that a) is not within ICANN's remit because it's internal to the participating autonomous systems. Autonomous systems occur as plain points (without any internal structure) in the visible Internet.
I completely agree but respectfully point out that claiming ICANN has no accountability or responsibility for this incident is disingenuous. ICANN is responsible on behalf of the U.S. Government for the operational stability and security of the DNS. Just because they were not in control of the event does not excuse them from the hot seat on this. Anyone who understands the significance of what happened must be very concerned. As I explained to President Obama what happened with the i-root is a national security concern. People - let's not forget what happened here. For a period of time user traffic in Chile and the United States was hijacked. So for ICANN to remain silent and point the finger of responsibility to some unknown third party is not acceptable practice here. What happened here is significant. I'm surprised this story has not been front page news. ICANN is very lucky very few people understand the technology. Ignorance has been ICANN's best friend in this incident.
OTOH b) is a well known problem. Hijacking foreign IP space is unfortunately common and causes heavy headache by all involved operators. The SIDR-WG at IETF is working on a solution to prevent the negative impact of such operational errors.
I know. How long will it take to find a solution? 5 years .. 15 .. more? Now that a new attack vector is known to the script kiddies, criminals and governments how long will it be before it happens again?
Hijacking of foreign resources is clearly a topic on ICANN's agenda. So please come to the technical-issues-WG.
There is only one solution to permanently solve this root issue. Run your own root. And if you're a country ... simply pass legislation to nationalize the IANA root IP blocks and use the same routing technology to put all IANA servers under your government's control and make those servers available to your national infrastructure. That's the most economic way to take control of your national infrastructure - you don't even need to tell your ISPs to change their root pointers. I developed the above methodology when we got a lot of opposition to the Turkish root. First all the ISPs had to be contacted to make the changes. This involved an economic cost on behalf of the ISPs. I felt there was a better way by just using the routing system. You simply nationalize the IANA root infrastructure and start answering on those numbers. Simple and easy solution. Much thanks for the pointers above Lutz. regards joe baptista
BTW: I'm biased on SIDR: My personal impression is, that their solution is much too complex and hardly handled by current routers. So I put my own proposal into this group (which was immediately ignored).
_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org
http://atlarge-lists.icann.org/mailman/listinfo/at-large_atlarge-lists.icann...
At-Large Official Site: http://atlarge.icann.org
Joe, On Wed, Mar 31, 2010 at 6:32 PM, Joe Baptista <baptista@publicroot.org> wrote:
2010/3/31 Lutz Donnerhacke <lutz@iks-jena.de>
* Joe Baptista wrote:
The point of my letter is very clear. What happened? Who was affected? And what are the security repercussions to users world wide. So far ICANN has remained silent.
I should have specified the questions I'm asking are to ICANN. And the answers I want can only come from ICANN.
I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack. The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways. ICANN serves the root zone to the root servers, L has said (read the dns-ops for the latest statement) that they are faithfully serving the ICANN root. Both ICANN and the rootop are doing their job. Running your own root is no solution to MiM attacks. Your "solution" does not address the current issue. -- Cheers, McTim "A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
On Wed, Mar 31, 2010 at 2:21 PM, McTim <dogwallah@gmail.com> wrote:
I should have specified the questions I'm asking are to ICANN. And the
I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack.
You must be an ICANN apologist - or else you must not understand ICANN's role in this. First of all I have no idea if it is a MitM attack. That implies intent. So far from what I can see this was a technical error. I know you're eager to implicate China in this but so far all I see is a misconfiguration of a gateway. But your MitM attack and my misconfiguration are nothing more than good guess work a.k.a. speculation. We need the speculation to stop and the responsible party to stand up and take a bow. That's ICANN. Over the years I have seen a lot of bullshit from ICANN about security and stability. I know it's all mainly bullshit because I have always said security on the Internet is more an act of faith and has very little to do with reality or common sense. But we're stuck with it. You people embraced it, you placed blind reliance on it. We have no other option we must make it work. And that includes dumping old methods of serving root - i.e. IANA. I do not accept the pass the buck attitude when it's inconvenient which is the sorry excuse you're making for ICANN. That's not right. In fact ICANN should publish something like a CERT anytime it gets MitMed or whatever. That sort of behavior is responsible - passing the buck is not. ICANN also needs to examine if operating root servers in censored countries - i.e. China - is a good idea. The facts thus far show it is not. Maybe time to shutdown the China servers and prevent further episodes from that source. That's the call I would make. The Chinese people are a very lovely advanced people with great national pride. But the ruling elite is retarded and corrupt. The only way I would maintain an IANA root in China is if the Government of China provided assurances it would mind its own business.
The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways.
I know the DNSSEC make work project very well. It's not a solution and is just as prone to MitM attacks. The encryption is juvenile, the economic costs are enormous and it's a bandwidth hog that fails to fix the Kaminsky bug while re-engineering the Internet in ICANN's favor. No thanks. 1% of Internet users use OpenDNS and they support DNSCurve. That's more people than there are DNSSEC domains in the wild. Now if ICANN adopted DNSCurve I would be impressed. But it won't - too many ICANN cronies have invested in the DNSSEC dead end.
ICANN serves the root zone to the root servers, L has said (read the dns-ops for the latest statement) that they are faithfully serving the ICANN root. Both ICANN and the rootop are doing their job.
Yes - it's doing its job in serving the root. That's ICANN's basic contractual obligation to the U.S. government and world in general. But it's failing on the security and stability part of the equation.
Running your own root is no solution to MiM attacks. Your "solution" does not address the current issue.
Yes it does. It takes the MitM out of the middle - at least with respect to root. I personally know my connection experience was not affected. Unless of course the TLDs have gTLD servers also anycasting out of China. Oh dear ;) There I go again - another potential vulnerability exposed in running infrastructure from China. I just hope ICANN and the world finally understands we don't run critical world infrastructure from censored countries. regards joe baptista
On Thu, Apr 1, 2010 at 6:34 AM, Joe Baptista <baptista@publicroot.org> wrote:
On Wed, Mar 31, 2010 at 2:21 PM, McTim <dogwallah@gmail.com> wrote:
I should have specified the questions I'm asking are to ICANN. And the
I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack.
You must be an ICANN apologist - or else you must not understand ICANN's role in this.
I totally understand ICANN's role, it seems u do not.
First of all I have no idea if it is a MitM attack.
IF ICANN serves the zone to L and L serves the zone as they say they do (and knowing them personally, I take them at their word) then what else would it be?? Clearly someone was rewriting DNS replies from L node in Beijing. a "misconfigured gateway" is a nonsensical notion.
That implies intent. So far from what I can see this was a technical error. I know you're eager to implicate China in this but so far all I see is a misconfiguration of a gateway. But your MitM attack and my misconfiguration are nothing more than good guess work a.k.a. speculation. We need the speculation to stop and the responsible party to stand up and take a bow. That's ICANN.
I contend that it is not ICANN. L has made their claim, CNNIC has made theirs (they aren't responsible for the rewriting). It seems you want to make ICANN responsible for everything that ppl do with the DNS. It's just not so.
Over the years I have seen a lot of bullshit from ICANN about security and stability. I know it's all mainly bullshit because I have always said security on the Internet is more an act of faith and has very little to do with reality or common sense. But we're stuck with it. You people embraced it, you placed blind reliance on it. We have no other option we must make it work. And that includes dumping old methods of serving root - i.e. IANA.
We have seen how much luck you have had with that over the years.
I do not accept the pass the buck attitude when it's inconvenient which is the sorry excuse you're making for ICANN. That's not right. In fact ICANN should publish something like a CERT anytime it gets MitMed or whatever. That sort of behavior is responsible - passing the buck is not.
ICANN also needs to examine if operating root servers in censored countries - i.e. China - is a good idea. The facts thus far show it is not. Maybe time to shutdown the China servers and prevent further episodes from that source. That's the call I would make.
ICANN does not have this level of control over rootops, nor should they IMHO.
The Chinese people are a very lovely advanced people with great national pride. But the ruling elite is retarded and corrupt. The only way I would maintain an IANA root in China is if the Government of China provided assurances it would mind its own business.
The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways.
I know the DNSSEC make work project very well. It's not a solution and is just as prone to MitM attacks. The encryption is juvenile, the economic costs are enormous and it's a bandwidth hog that fails to fix the Kaminsky bug while re-engineering the Internet in ICANN's favor. No thanks. 1% of Internet users use OpenDNS and they support DNSCurve. That's more people than there are DNSSEC domains in the wild.
http://opendns.jobscore.com/job_seeker/jobs/job_posting?job_id=b7pSvUn3ir37a... I'm off on safari for Easter, so fire back with all the nonsense in your arsenal, I won't be replying. -- Cheers, McTim "A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
see below .. and happy holidays .. On Wed, Mar 31, 2010 at 11:40 PM, McTim <dogwallah@gmail.com> wrote:
On Thu, Apr 1, 2010 at 6:34 AM, Joe Baptista <baptista@publicroot.org> wrote:
On Wed, Mar 31, 2010 at 2:21 PM, McTim <dogwallah@gmail.com> wrote:
I should have specified the questions I'm asking are to ICANN. And the
I don't see how ICANN has to answer to you (or to anyone) for any random MiM attack.
You must be an ICANN apologist - or else you must not understand ICANN's role in this.
I totally understand ICANN's role, it seems u do not.
Oh but I do. Let me educate you. ICANN's role is defined in the Green Paper issued by the Clinton administration - here's a history lesson http://bit.ly/9wYQq1 one of ICANN's basic roles is stability. Obviously what happened violated the privacy and security of users in the continental United States and Chile - potentially this may have been a world wide phenomenon. Does that sound like a stable situation to you? Not to me.
First of all I have no idea if it is a MitM attack.
IF ICANN serves the zone to L and L serves the zone as they say they do (and knowing them personally, I take them at their word) then what else would it be?? Clearly someone was rewriting DNS replies from L node in Beijing.
You mean "I". or are you telling me "L" was also involved? I don't think the root operators are involved in this. I believe them too. And I don't know if "someone" was rewriting DNS replies. I do know DNS replies were being rewritten. I don't yet know if the "someone" you reference is a MitM attack - or just a glitch in routing - or some other error. I also know the Great Firewall of China is in between "I" root server and the rest of the Internet. Basically the Great Firewall of China firewalls the "I" root in Beijing. Now I can tell you who knows what happened here. The Chinese. Those boys keep a very close eye on their network. By now they should have debugged the problem and "I" root should be back online. I'm not impressed the "I" root is still down. It shows me ICANN can't get priority with the Chinese and are being given the bureaucratic run around. This tells me there is a failure to communicate between ICANN - the Chinese - CNNIC and the "I" root boys. This problem should have been fixed by now.
a "misconfigured gateway" is a nonsensical notion.
It could be any silly thing that caused this. Don't play the ignoramus with me. You know systems. You're in the atlarge tech club. You know one wrong character in the wrong place can cause little bugs to develop here and there on a network. The silliest nonsensical thing can cause havoc or mild annoyance (bugs). You know that. That's why ICANN needs to pick up the phone (which it has already done I'm sure) and call the Chinese and ask them the simple question - what's going on - and then get the Chinese to fix it. I think ICANN has failed in managing its relationship with the Chinese. The fact this networking error continues and the "I" root is still offline leads me to conclude the Chinese are ignoring ICANN. But again that's just speculation. We need to stop all this silly speculation coming from you and me and get down to the FACTs. Only ICANN has the power to do this and tell us what happened or happening. Seriously - a major component of the IANA root system is offline and no one can get the Chinese government's attention?
That implies intent. So far from what I can see this was a technical error. I know you're eager to implicate China in this but so far all I see is a misconfiguration of a gateway. But your MitM attack and my misconfiguration are nothing more than good guess work a.k.a. speculation. We need the speculation to stop and the responsible party to stand up and take a bow. That's ICANN.
I contend that it is not ICANN. L has made their claim, CNNIC has made theirs (they aren't responsible for the rewriting).
Good. They are acting responsibly in issuing denials. They should not have been placed in the situation where they have to issue denials. ICANN should have made a statement advising the world the "I" root in Beijing was taken offline and why and then told us they were investigating. I find it embarrassing that the CNNIC and "I" root operator is reduced to making denials in light of ICANN's continued silence. This is like a technical who done it novel. So far we know the "I" root didn't do it. We also know the CNNIC didn't do it. Incidentally the CNNIC spoke on its own behalf - I do not believe the CNNIC was speaking on behalf of the Chinese Government. The Chinese won't make a public denial or not any statement - nor will they even acknowledge what happened. That leaves ICANN the only party to respond. So I don't support your position that ICANN has the right to remain silent. We need to know why the "I" root flew south. And ICANN is in a much better position to get at the facts. Also if this was criminal behavior as your MitM speculation would have us believe then we need to find those people, prosecute them, and put them in jail. The Chinese could be very helpful in this sort of investigation.
It seems you want to make ICANN responsible for everything that ppl do with the DNS.
No. I do know ICANN has a duty to report when Internet stability and security flies south.
It's just not so.
It is so :)
Over the years I have seen a lot of bullshit from ICANN about security and stability. I know it's all mainly bullshit because I have always said security on the Internet is more an act of faith and has very little to do with reality or common sense. But we're stuck with it. You people embraced it, you placed blind reliance on it. We have no other option we must make it work. And that includes dumping old methods of serving root - i.e. IANA.
We have seen how much luck you have had with that over the years.
What are you talking about - the project was a massive success. I helped build a good replacement to ICANN. ICANN was shitting bricks as we took over DNS services in Turkey and most of Europe. Soon to be followed by Saudi Arabia and the UAE. The only luck here was ICANN's luck. On investigation I found the corporate structure which was to have looked something like this - http://bit.ly/atUfZw - in fact looked something like this http://bit.ly/aKyVFy - so I shut it down. Very lucky for ICANN.
I do not accept the pass the buck attitude when it's inconvenient which is the sorry excuse you're making for ICANN. That's not right. In fact ICANN should publish something like a CERT anytime it gets MitMed or whatever. That sort of behavior is responsible - passing the buck is not.
ICANN also needs to examine if operating root servers in censored countries - i.e. China - is a good idea. The facts thus far show it is not. Maybe time to shutdown the China servers and prevent further episodes from that source. That's the call I would make.
ICANN does not have this level of control over rootops, nor should they IMHO.
I know. In the final analysis ICANN has very little control over anything. When ICANN started this adventure they labeled themselves a monopoly. Today the Chinese incident shows they in fact are a paper tiger.
The Chinese people are a very lovely advanced people with great national pride. But the ruling elite is retarded and corrupt. The only way I would maintain an IANA root in China is if the Government of China provided assurances it would mind its own business.
The DNS is there, it's open, no security built in. ICANN didn't build it, they are however trying to add some security, which you bitch about. You can't have it both ways.
I know the DNSSEC make work project very well. It's not a solution and is just as prone to MitM attacks. The encryption is juvenile, the economic costs are enormous and it's a bandwidth hog that fails to fix the Kaminsky bug while re-engineering the Internet in ICANN's favor. No thanks. 1% of Internet users use OpenDNS and they support DNSCurve. That's more people than there are DNSSEC domains in the wild.
http://opendns.jobscore.com/job_seeker/jobs/job_posting?job_id=b7pSvUn3ir37a...
I know about the job listing. Of course they are going to hire DNSSEC capable people. They are in the DNS business and like everyone else in the DNS business they are being forced to bear the economic cost of the DNSSEC make work project.
I'm off on safari for Easter, so fire back with all the nonsense in your arsenal, I won't be replying.
Enjoy your Easter and thank God you won't be replying. regards joe baptista
Joe, can I ask you a simple question ? (besides this one obviously), and please answer in a few short and concrete sentences. What do you want ? Regards Jorge
On Fri, Apr 2, 2010 at 8:49 PM, Jorge Amodio <jmamodio@gmail.com> wrote:
Joe,
can I ask you a simple question ? (besides this one obviously), and please answer in a few short and concrete sentences.
What do you want ?
A simple public statement from ICANN on what happened would be a nice start. regards joe baptista
Regards Jorge
-- Joe Baptista www.publicroot.org PublicRoot Consortium ---------------------------------------------------------------- The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large. ---------------------------------------------------------------- Office: +1 (360) 526-6077 (extension 052) Fax: +1 (509) 479-0084 Personal: http://baptista.cynikal.net/
* Jorge Amodio wrote:
Fine - provide a link - I'll look at it.
Nope. As interesting as this article is, it has nothing to do with the current thread ... More ontopic blog entries might be (localized languages):
http://www.netzpolitik.org/2010/youtube-ausfall-kollateralschaden-der-chines...
http://www.fastcompany.com/1598176/china-green-dam-censorship-dns-error-swed...
http://www.nu.nl/tech/2212625/firewall-china-filtert-amerikaans-verkeer.html
For the technical details please come to the appropriate WG.
participants (4): Joe Baptista, Jorge Amodio, Lutz Donnerhacke, McTim