×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

China's Great Firewall Infects Other Countries

Soulskill posted about 4 years ago | from the trial-run-successful dept.

Bug 178

angry tapir writes "A networking error has caused computers in Chile and the US to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS information, from what's known as a root DNS server, based in China. That server, operated out of China by Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China's network censorship overseas."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

178 comments

Uh Huh (1)

MightyMartian (840721) | about 4 years ago | (#31629462)

Chinese official: "Whoops..." (with big grin on face).

Re:Uh Huh (1)

Anonymous Coward | about 4 years ago | (#31629500)

who controls the root? hmm, we'll see who end up with a bigger whoops and a bigger grin

Re:Uh Huh (1)

Z00L00K (682162) | about 4 years ago | (#31629740)

Can't say that I'm surprised that it did happen.

Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.

Re:Uh Huh (4, Informative)

sopssa (1498795) | about 4 years ago | (#31629818)

Can't say that I'm surprised that it did happen.

Especially now when Google has decided to pull out. And China does have an urge to control any information that they don't like. Which would be the majority of the internet.

And still this has nothing to do with the Chinese government. It's the ISP's fault that erroneously configured their servers to use the Chinese root DNS server.

Re:Uh Huh (3, Informative)

e2d2 (115622) | about 4 years ago | (#31630010)

Well in fairness it has a little bit to do with China. That whole censorship thing.

Re:Uh Huh (1)

vvaduva (859950) | about 4 years ago | (#31630272)

It has a lot to do with it...China is manipulating DNS for political reasons. I would say that's a problem...

Re:Uh Huh (1)

sopssa (1498795) | about 4 years ago | (#31630406)

ISP's in other countries are manipulating DNS too, but rather than for political reasons it's for child porn (there has been controversy when such lists are used for other purposes too) and copyright infringement (at least Italy blocks TPB, maybe others).

CHINA will set up a mirror server for Chinese netizens to visit Websites whose domain names end with .com or .net, Sina.com reported today.

Instead of being served by overseas domain servers for making visits, the new server will provide a domain name system or "DNS" function of its own, which will guarantee the security for netizens visiting from China and also raise the linking speed.

So it's a DNS for Chinese people. Why does ISP's in other countries use it? And since they do, it's no surprise their results get changed too.

Re:Uh Huh (2, Insightful)

ircmaxell (1117387) | about 4 years ago | (#31630332)

Well, that's assuming that the ISP actually made that configuration. There are a number of other possibilities (Such as someone hacked those servers, someone silently redirect queries from the actual root server to the China one, etc). Regardless of how the issue came about, the fact that China had those systems in place makes them at least partially responsible (not from a legal perspective, but from a philosophical one) for people not reaching their destination...

Re:Uh Huh (0)

Anonymous Coward | about 4 years ago | (#31631178)

The ISP is thinking "that's weird, we just hired a chinese exchange student to help our sys admin...come to think of it, he's missing"

Re:Uh Huh (1)

quatin (1589389) | about 4 years ago | (#31631530)

Regardless of how the issue came about, the fact that China had those systems in place makes them at least partially responsible (not from a legal perspective, but from a philosophical one) for people not reaching their destination...

So philosophically, the creator of every tool is responsible for it's end use? How far do you take this? Is Google responsible for finding links to illegal file sharing websites?

Re:Uh Huh (0)

Anonymous Coward | about 4 years ago | (#31630434)

I recall that all chinese ISPs are either directly state-run, or at least know that they'd better do as they are told.

Re:Uh Huh (-1)

Anonymous Coward | about 4 years ago | (#31630324)

News just in, a reporter was able to take a snapshot [imageshack.us] of the official in question.

Come on, you knew it was coming.

Pfft. (2, Funny)

fuzzyfuzzyfungus (1223518) | about 4 years ago | (#31629480)

And their firewalls didn't detect the melamine in the imported DNS records? Pitiful.

Re:Pfft. (4, Insightful)

einhverfr (238914) | about 4 years ago | (#31630056)

Also, the internet routes around censorship? Ooops....

Re:Pfft. (5, Funny)

_Sprocket_ (42527) | about 4 years ago | (#31630706)

Also, the internet routes around censorship? Ooops....

Seems we were wrong. Apparently, the Internet detects censorship and routes it around.

Re:Pfft. (5, Insightful)

TheRaven64 (641858) | about 4 years ago | (#31631314)

Not really surprising, because the root DNS servers are not yet all signed with DNSSEC and Verisign is dragging its heels when it comes to implementing DNSSEC in the .com domain. Apparently there isn't much real-world use for DNSSEC. Nice to have a concrete counter-example - thanks China.

Now... (0, Redundant)

courteaudotbiz (1191083) | about 4 years ago | (#31629492)

Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?

Re:Now... (4, Interesting)

sopssa (1498795) | about 4 years ago | (#31629846)

It's the other way around than what you're suggesting. Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

They are keeping their shit for them. It's just that someone else is fetching it from them to elsewhere.

Re:Now... (5, Insightful)

JWW (79176) | about 4 years ago | (#31629940)

Which, proves the point that perhaps China should not be allowed to have any DNS root servers.

I would say that if a DNS server does not return the same information as all other root servers in the world that it should not be allowed to be a root server.

Re:Now... (1)

origin29 (535097) | about 4 years ago | (#31630382)

China can have all the root servers they want - just don't configure your server to poll them.

Re:Now... (5, Insightful)

radtea (464814) | about 4 years ago | (#31631436)

China can have all the root servers they want - just don't configure your server to poll them.

Actually China is demonstrably incapble of having any working root servers at all. A DNS server that returns incorrect information is not a "root" server, if by "root" you mean "authoritative source of DNS information that resolves domain names properly."

It's really too bad that China is incapable of hosting DNS root servers. Hopefully by the end of the 21st century China will be a little less backward and isolated from the rest of the world, which would benefit greatly from interaction with so many people from such diverse cultural and political backgrounds.

Re:Now... (1, Informative)

mandelbr0t (1015855) | about 4 years ago | (#31630428)

The great firewall can work both ways. I experimented for a time with simply banning all asian netblocks at my firewall. If China refuses to play nice, everyone else can simply ignore them.

Re:Now... (1, Funny)

Anonymous Coward | about 4 years ago | (#31631232)

And China would raff at you.

Re:Now... (0)

Anonymous Coward | about 4 years ago | (#31629980)

Chinese didn't try do anything. ISP's elsewhere mistakenly configured their servers to use Chinese DNS servers.

I'd like to know what ISP you use, where their employees are magically invincible to bribery or other acts of subterfuge.

Re:Now... (1)

Threni (635302) | about 4 years ago | (#31629954)

Is there a site somewhere which lists the companies willing to assist China (and other equally repressive countries)? I'm not in Sweden but if it turned out for example that a UK based company was helping them block access to Google or whatever then I'd take my business elsewhere.

Re:Now... (2, Insightful)

Third Position (1725934) | about 4 years ago | (#31630114)

Now will somebody tell them to keep their sh*t for them? Or are we too weak to talk frankly to Chinese authorities?

Well, I suppose it pays to talk real sweet to a country that pretty much owns us now.

I am not a fan of the USA gov't (0, Flamebait)

Ralph Spoilsport (673134) | about 4 years ago | (#31629512)

or any other bunch of capitalist parasites. But I should like to take this moment to say to the people reading this who are monitoring this site for the Chinese Government, these few simple words:

Kindly go fuck yourself.

Re:I am not a fan of the USA gov't (0, Troll)

Archangel Michael (180766) | about 4 years ago | (#31629830)

US Government isn't capitalist. With Obama and GWB and Clinton taking over larger and larger parts of the economy, I dare say it is officially socialistic. Capitalism is dead, and we're enslaving our children in unsustainable debt.

But hey, if you like that kind of "compassionate governance" great. I happen to not like it much.

Re:I am not a fan of the USA gov't (1, Informative)

Anonymous Coward | about 4 years ago | (#31629880)

I greatly prefer it to enslaving our children in unsustainable debt to make the a handful of industrialists even richer.

Re:I am not a fan of the USA gov't (1)

The End Of Days (1243248) | about 4 years ago | (#31630950)

Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?

Re:I am not a fan of the USA gov't (1)

Fred_A (10934) | about 4 years ago | (#31631322)

Yeah, let's make the handful of people who run the government have all the wealth and power. Somehow that's better, right?

At least *some* people get rich.
Wait, that works in China too. Ah, it's just screwed everywhere.

Re:I am not a fan of the USA gov't (1, Funny)

MickyTheIdiot (1032226) | about 4 years ago | (#31629924)

Life is really easy when you let someone like Glen Beck do all your thinking for you, isn't it Michael?

Re:I am not a fan of the USA gov't (1, Funny)

Anonymous Coward | about 4 years ago | (#31629952)

Well Micky, who does your thinking? Sean Penn?

Re:I am not a fan of the USA gov't (0)

Anonymous Coward | about 4 years ago | (#31629960)

Does Fox know your not watching them? Kindly leave as we'll never get the smell of stupid out of the Slashdot couch...

Re:I am not a fan of the USA gov't (3, Informative)

Anonymous Coward | about 4 years ago | (#31630122)

It's funny, because the Reagan years spent more than compared to the GDP than Clinton or GWB but you I happen to like those kind of "facts". In the Clinton years spending v GDP went down quite a bit. The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton.

Re:I am not a fan of the USA gov't (0, Flamebait)

ScentCone (795499) | about 4 years ago | (#31631140)

The only time our debt has gone down since that giant "debt clock" thing was built was under Clinton

Yup. And lucky Clinton got to benefit from the coasting period following the Regean economic growth, and he got have a nice big vacation from the Cold War and its current counterparts. This had nothing to do with Clinton, and everything to do with what he was handed by circumstance. By the time Clinton was done, we were well on our way to a recession, a ruinous housing/tech bubble, and Islamists that he was hoping would just go away were ramping up to 9/11, even though Clinton gave them a very stern lecture about attacking the WTC the first time, blowing up US embassies, and damaging the USS Cole with casualties to her crew, etc.

Re:I am not a fan of the USA gov't (1, Insightful)

buswolley (591500) | about 4 years ago | (#31630490)

bullshi+. Bush, Reagan were huge debt creators. Now you blame Obama for the increase in debt when the bailout was designed by Bush in the first place, and also necessary to keep this economy from falling flat on its face by the greedy, uncontrolled and short-sighted bankers. The war? How expensive has that been? Besides, healthcare is national defense and will reduce abortions by providing effective birth control to women more often. Bug the f off.

Rearry? (-1, Troll)

Anonymous Coward | about 4 years ago | (#31629540)

I didn't know there were loot dns selvers in China.

Tiannamen Square (0)

Anonymous Coward | about 4 years ago | (#31629592)

If you are reading this, you are not affected.

China Fights Back (2, Funny)

jamesyouwish (1738816) | about 4 years ago | (#31629622)

Fine Google you want to leave China. Where you going to go when we take over the whole internet.

Re:China Fights Back (0)

Anonymous Coward | about 4 years ago | (#31629708)

Maybe this is why Google is installing its own backbones.

DNSCurve will own. (0)

Anonymous Coward | about 4 years ago | (#31629684)

This is why we need DNSCurve implemented on the wide scale. Badly.

Misleading (5, Insightful)

ClownPenis (1315157) | about 4 years ago | (#31629696)

Misconfiguration of resolv.conf does not put China's firewall in your way. Add yourself to the tool belt.

Re:Misleading (4, Informative)

Anonymous Coward | about 4 years ago | (#31630288)

It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html [dns-oarc.net] someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.

Re:Misleading (1, Interesting)

ClownPenis (1315157) | about 4 years ago | (#31630418)

It's more than that. According to the post at https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005266.html [dns-oarc.net] someone is actively spoofing DNS replies to DNS request packets bound for entire class A and B net ranges.

The only way someone is going to "actively spoofing DNS replies" is via a sophisticated MITM attack. The problem here, is that some idiot forgot to keep his "root.hints" file current on his DHCP published name server. A "firewall" has always been understood as a bastion host and/or a packet filter. Breaking DNS doesn't break routing. The inverse may not be true, but routing doesn't depend on DNS.

Re:Misleading (0)

Anonymous Coward | about 4 years ago | (#31630492)

Did you even read the link? I just tried the exercise myself with tshark, send the mgcxxx.com request and watch several replies come back trying to race each other, with the fake ones usually winning. There are even replies coming back when querying other IP addresses in that range, IPs that are not running a DNS server.

Not Really Misleading (1)

medv4380 (1604309) | about 4 years ago | (#31630920)

The reference to firewall is just different in this case. In China it's called the "Golden Shield Project" outside of China it's called the "Great Firewall of China". If you miss configure your DNS to look at China's DNS then you are using their Golden Shield hence you are using The Great Firewall of China.

WW3 (1)

watanabe (27967) | about 4 years ago | (#31629768)

In other news, WW3 started slowly with Google and Dell pulling out of China. Infowars continued to increase when China's root nameserver began to propagate its information out to the developing world, areas that had been increasingly reliant on Chinese funding since the post-cold-War US' international power began to wane..

I think this is a shot across teh bow (1)

filesiteguy (695431) | about 4 years ago | (#31629854)

China wants to rule the world. (Or at least make sure they make money somehow everywhere.) I can see the Chinese - all using Red Flag Linux (or some pirated copy of Wintendo) - gathering together to control all DNS machines. This was a warning - mess with us and we take your DNS down.

Re:I think this is a shot across teh bow (3, Insightful)

Anonymous Coward | about 4 years ago | (#31630008)

Your rampant racism not withstanding, that was an idiotic post.

China cannot 'take our DNS down'. In worst case scenario, the world would just disconnect from China if that were to happen.

Re:I think this is a shot across teh bow (2, Funny)

oldspewey (1303305) | about 4 years ago | (#31630752)

What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?

Re:I think this is a shot across teh bow (3, Funny)

Jazz-Masta (240659) | about 4 years ago | (#31631346)

What if every single router in the world is manufactured in China? Are you sure you know what's in that firmware?

Yes, lead, melamine, and poorly documented programming.

Re:I think this is a shot across teh bow (1)

ObsessiveMathsFreak (773371) | about 4 years ago | (#31631152)

Your rampant racism not withstanding, that was an idiotic post.

He wasn't being racist. He was being alarmist, or possibly McCarthyist. His is the same mentality that leads to films like "Red Dawn", not "The Birth of a Nation".

this gives me an idea.... (4, Funny)

datapharmer (1099455) | about 4 years ago | (#31629876)

So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.

Re:this gives me an idea.... (1)

Jazz-Masta (240659) | about 4 years ago | (#31631358)

So if the entire world's DNS resolved to the Chinese firewall simultaneously would it DOS them to oblivion and end these shenanigans? I'd give up a day of using the internet to see that go down.

Why don't we just slashdot it?

Big names having problems (1)

fremsley471 (792813) | about 4 years ago | (#31629900)

Youtube, Wikipedia and hell even Slashdot have had access problems this week. 6th form conspiracy theorist asks "Is 'something' is going on"?

Re:Big names having problems (1)

buswolley (591500) | about 4 years ago | (#31630534)

yeah i could load up Foxnews easy, but Huffingtonpost was not accessible. Tea Bag Terrorists at it again

Completely unintentional (2, Interesting)

Hadlock (143607) | about 4 years ago | (#31629902)

US DNS servers magically start pulling DNS data from chinese servers? Uh huh. Completely an "accident".

redirecting Facebook, Twitter, and YouTube users (0)

Anonymous Coward | about 4 years ago | (#31629968)

... and nothing of value was lost

Problems like this should be prevented (3, Interesting)

Lorens (597774) | about 4 years ago | (#31630030)

So any wrongful destination now has a lot of passwords. Especially IMAP and POP and suchlike, not even a need to set up a misleading website, you can play totally innocent.

Prevention:

1) Don't have a root server in a country that wants to censor information

2) Implement free SSL certs so that it is no longer "normal" to just click through the SSL cert alert

3) DNSCurve, DNSSEC, whatever

4) Encrypt.

5) Even when using encryption always use auth schemes that cannot be replayed afterwards. Without certs I don't think you can stop MITM, but much too many people use only one password for a lot of different things, at least that one won't be in the sniffer's hands.

More?

Re:Problems like this should be prevented (0)

Anonymous Coward | about 4 years ago | (#31630124)

The Chinese usually point to IP's belonging to the US DOD. At least what I've see so far here in Shenzhen..

Re:Problems like this should be prevented (0)

Anonymous Coward | about 4 years ago | (#31630338)

But problems of other types should be allowed?

thank you Captain Obvious

The Net interprets censorship as damage and routes (0)

Anonymous Coward | about 4 years ago | (#31630152)

"The Net interprets censorship as damage and routes around it"

- John Gilmore

yeah i bet!!! (1)

hesaigo999ca (786966) | about 4 years ago | (#31630186)

How much you want to bet that this was not deliberate on their part...this is part of the whole scheme of them cyberattacking all other countries and controlling the new cyberage.

hacker attack (3, Informative)

CPE1704TKS (995414) | about 4 years ago | (#31630238)

Come on, are we really being that stupid? Of course it was a hacker attack. The chances of an IP address "accidentally" being pointed to a Chinese one is remote.

These Chinese hackers (and hackers in general) are getting more and more dangerous. If they hack the DNS servers, we're talking about a massive ability to steal passwords, since https is based on domain name and not IP address. If the DNS is configured to give incorrect DNS information, then we really could get hosed here.

Re:hacker attack (0, Informative)

Anonymous Coward | about 4 years ago | (#31630470)

si si senjor legalize it

Re:hacker attack (2, Informative)

Spad (470073) | about 4 years ago | (#31631040)

It's not so much a matter of things being "pointed" anywhere, more a side-effect of anycasting the root DNS servers [wikipedia.org] so that if your current routing happens to put root servers in China as closer than any others, you'll get your results returned from them.

Of course, one could argue that countries shouldn't be allowed to mess with root DNS servers that they host and have them return invalid addresses for valid domains, but that's besides the point here.

OT (1)

fulldecent (598482) | about 4 years ago | (#31630290)

Maybe offtopic, but how does DNCSEC affect DNS level censorship?

Re:OT (0)

Anonymous Coward | about 4 years ago | (#31630562)

Don't consider me perfectly reliable, but... it should prevent returning an incorrect result, but not returning no result. So the censors can still arrange for a site to be unfindable by DNS - but they can't redirect the query to a 'You arn't allowed to see this' message. It'll just give the user an error page.

The issue I have... (2, Interesting)

XB-70 (812342) | about 4 years ago | (#31630518)

is that all the problems with China seem to be one way. We don't hear of Chinese complaining about melamine in products from Western countries. It always seems to be about hacking, cheating, deception, malfaisance, obfuscation, corruption and blackmail.

Heck, even Dell is pulling out.

So, because the Chinese persist in behaving badly it's time for internet war. Let's band together and shut 'em down. Close off internet to China and see how they like it - after all, the TLD's are controlled by the U.S. As to messaging etc. they can phone and fax.

Sorry for such a rant but there has got to be a consequence for the level and voracity of the issues and problems that emanate from China - especially when the government there is never responsible.

Re:The issue I have... (2, Insightful)

jizziknight (976750) | about 4 years ago | (#31631036)

Except that the Chinese government would be perfectly happy to be cut off from the rest of the Internet. If we cut them off, they can just blame it on the US and claim they've done nothing to censor anything. You'd be giving them exactly what they wanted.

Re:The issue I have... (1)

ObsessiveMathsFreak (773371) | about 4 years ago | (#31631196)

We don't hear of Chinese complaining about melamine in products from Western countries.

Yeah; They just complain about trivial things like labour exploitation, poor wages, health and safety lapses, pollution, and foreign support for censorship technologies and the communist regime. It's not like the West has done anything wrong here!!!

Net views censorship as damage (1)

mi (197448) | about 4 years ago | (#31631148)

Remember that quote [wikiquote.org] ? "The Net views censorship as damage and, sometimes, routes into it..."

That server, operated out of China by Swedish service provider Netnod

Oh, yes, another one of those "Why can't we be more like Europe?!" moments...

what a firewall. (0)

Anonymous Coward | about 4 years ago | (#31631262)

In Soviet Russia, Firewall misconfigures you!

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...