Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Chinese ISP Hijacks the Internet (Again)

Soulskill posted more than 4 years ago | from the phase-two-test-complete dept.

Networking 171

CWmike writes "For the second time in two weeks, bad networking information spreading from China has disrupted the Internet. On Thursday morning, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications, and Telefonica. 'There are a large number of ISPs who accepted these routes all over the world,' said Martin A. Brown, technical lead at Internet monitoring firm Renesys. Brown said the incident started just before 10 am Eastern and lasted about 20 minutes. During that time the Chinese ISP transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC instead of their rightful owners. These networks included about 8,000 US networks, including those operated by Dell, CNN, Starbucks, and Apple. More than 8,500 Chinese networks, 1,100 in Australia, and 230 owned by France Telecom were also affected."

Sorry! There are no comments related to the filter you selected.

configuration error?? (1)

kevvraja (1101661) | more than 4 years ago | (#31794562)

configuration error??

Re:configuration error?? (1)

WrongSizeGlass (838941) | more than 4 years ago | (#31795700)

configuration error??

Sometimes diplomacy is required, like when 'getting shot' is referred to as lead poisoning.

Accident (5, Insightful)

rmushkatblat (1690080) | more than 4 years ago | (#31794568)

It was an accident, of course.

Re:Accident (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31795066)

"Once is an accident.
Twice is a coincidence.
Three times is enemy action."
-- Gen. Douglas MacArthur

Re:Accident (1, Funny)

Anonymous Coward | more than 4 years ago | (#31795356)

Once is an accident,

Twice is coincidence,

Three times is enemy action.

Re:Accident (0)

Anonymous Coward | more than 4 years ago | (#31795416)

> Once is an accident, Twice is coincidence, Three times is enemy action.

And when it's four times in one night, you get married.

cut out the middleman (5, Funny)

Michael Kristopeit (1751814) | more than 4 years ago | (#31794572)

now you can order iPad direct from china through

Not unintentional (5, Interesting)

Nickodeemus (1067376) | more than 4 years ago | (#31794598)

All that data routed to the wrong place accidentally... hmmm sounds like a perfect excuse to me - for intelligence gathering. If it passes through their routers, they have the data.

Re:Not unintentional (1)

Ruede (824831) | more than 4 years ago | (#31794726)

i thought the same thing. information gathering... maybe some passwords....

Re:Not unintentional (2, Informative)

robmv (855035) | more than 4 years ago | (#31794824)

and add to that a Chinese CA certificate inside Firefox and even SSL could be sniffed

Re:Not unintentional (1)

HungryHobo (1314109) | more than 4 years ago | (#31794960)

If the networks that your traffic is being routed to doesn't simply melt sure.

This has happened before quite a few times, it's a side of the internet which is surprisingly fragile.

Almost Certainly Unintentional (5, Informative)

billstewart (78916) | more than 4 years ago | (#31795040)

Limited-scope attacks like the Pakistani YouTube diversion are much more likely to be a deliberate attack; broad-spectrum attacks are obviously either mistakes (or really clever DDOS.) Advertising that you're the best route to half the world isn't exactly un-stealthy enough for intelligence gathering - and China doesn't have the bandwidth to handle that much traffic, either inside their entire country's network or especially across the Pacific; the only carriers with a chance of absorbing some fraction of AT&T's plus Level3's traffic are Verizon or possibly Google, and they're both competent enough not to do that.

This kind of thing happens occasionally with BGP, which was designed to be run in a relatively trusted environment by relatively-to-extremely-competent people, which means that it only explodes occasionally and most major carriers do a good job of filtering routing announcements that look seriously wrong, and detecting when other people advertise bogus information about their networks. The typical cause used to be bad conversions between external BGP routes and internal OSPF or RIP routes, especially back when some random customer would have left autosummarization on so they'd take their two Class C subnets, combine them into the Class A that they're both in, and announce to everybody in the world that they were the best route to reach the Tier 1 carrier who's their upstream (or who's the upstream of their local ISP, who wasn't bothering to filter their BGP announcements.)

The first time this happened in a big way was a bit of a surprise, as some little ISP announced that their T1 line was the best way to reach all of MAE-EAST (i.e. half the world), so suddenly there were gigabits of traffic headed that direction, at least until their self-DDOS killed off most of the BGP sessions and somebody fixed it. Since then, if you try to advertise being the best route to some large carrier who has a /8, you'll find they're also advertising a pair of /9s (which win), and that they'll be calling your upstream carrier within a couple of minutes to get your BGP session shut down. On the other hand, if this happens, it also means your upstream carrier wasn't filtering your BGP announcements for sanity, so they may also not be good at having somebody who can answer the phone and quickly resolve that level of problem.

Re:Not unintentional (3, Interesting)

TreyGeek (1391679) | more than 4 years ago | (#31795082)

Sounds a lot like "Stealthy IP Prefix Hijacking" [] . Advertise a BGP route that will be accepted by some people to attract their traffic. Do it correctly, it may be less noticeable than a full prefix hijacking (though it was obviously noticed in this case). You can also attempt to moderate the amount of traffic you receive so that you don't DOS yourself with the incoming flow and you can analyze the traffic easier. BGP is a pretty insecure protocol and depends a lot upon the upstream providers filtering announcements properly.

Re:Not unintentional (1)

religious freak (1005821) | more than 4 years ago | (#31795134)

Intelligence gathering, or just general probing of ability to control the Internet (if only for a somewhat short period of time - and how much time do you need, really?)

Google versus China (2, Funny)

Anonymous Coward | more than 4 years ago | (#31795510)

nuff said. Ok, I will ellaborate, but that shouldnt be neccecary. Do you really need to read more?

This may be a cyberwar between a multinational corporation and China. Google will of course win this war. The war is secret, and not fought with bullets. Oh, you want to know even more? That is hardly neccecary, but I will go on.

Also, we will need to equip an army of female acrobatic tech-warriors wearing tight-fitted latex with large open cleavages. That can probably keep the kung-fu chinese hackers at bay. Now you know all you need to know, no need to read further.

If all fails, the US must deploy the sharks with laser-beams on their heads witch they used to sever the middle-eastern Internet connection some years ago. They can keep the US coast safe from spyware. But this is all. I swear! There is no more sinister things going on.

Now, I must get back to my experiments. Nothing to see here .... move along....

Blacklist 'em (5, Interesting)

DogDude (805747) | more than 4 years ago | (#31794604)

Until China learns how to act as responsible Internet citizens, I'll continue to blackhole as many of Chinese subnets as I can find both at work and home. Spam, malware, and every kind of crap comes from China, and I don't do business with any Chinese, so it's a no-brainer.

Re:Blacklist 'em (0)

Anonymous Coward | more than 4 years ago | (#31794640)

Could you post that list somewhere to help the rest of us?

Re:Blacklist 'em (4, Informative)

merc (115854) | more than 4 years ago | (#31795206)

I use [] -- they seem to do a pretty decent job of keeping their database up-to-date. It will also provide the output in varying formats (net/mask, CIDR, ip range, etc).

Re:Blacklist 'em (2, Informative)

X0563511 (793323) | more than 4 years ago | (#31795640)

I also like []

Re:Blacklist 'em (5, Informative)

pv2b (231846) | more than 4 years ago | (#31794648)

Blacklisting China's IP ranges would do nothing to protect you against bad routing - something you as an end user don't have any control over.

Re:Blacklist 'em (1)

Luke has no name (1423139) | more than 4 years ago | (#31794790)

I second the AC above: If someone has a link for all Chinese Internet-routable subnets in order to drop, that'd be cool.

No, it won't protect against malicious fake routes, but it protects against attacks/scans/connections from legitimately Chinese networks.

Re:Blacklist 'em (1)

bsDaemon (87307) | more than 4 years ago | (#31794940) [] can give you the list, though it'll come in the form of an htaccess block list that'll generate for you. Short work to convert it into a list of apf rules, though. But, as you are aware, this still won't protect against most-specific route advertisements to BGP peers.

oops, bad link; sorry (2, Informative)

bsDaemon (87307) | more than 4 years ago | (#31794958)

I mistyped the link. The proper URL is []

Re:Blacklist 'em (1)

dave3138 (528919) | more than 4 years ago | (#31795162)

This should be a good chunk of them. There's probably quite a few other AS #s for China as well: []

Re:Blacklist 'em (1)

Qzukk (229616) | more than 4 years ago | (#31795190)

I found this site [] that has Chinese and Korean lists in several formats

Re:Blacklist 'em (0)

Anonymous Coward | more than 4 years ago | (#31795152)

This is why we need universal adoption of IPv6 and end-to-end large#bits encryption.

But of course no government in the world wants this, because they wouldn't be able to snoop on everyone.

Re:Blacklist 'em (1)

pv2b (231846) | more than 4 years ago | (#31795304)

IPv6 does nothing to protect you against malicious routing updates, as far as I'm aware.

IPsec is a mandatory feature of an IPv6 stack, but nobody's forcing anyone to use it.

Re:Blacklist 'em (2, Interesting)

beadfulthings (975812) | more than 4 years ago | (#31795348)

Of course, you are right about the routing. But since giving in to my baser impulses and blacklisting the entire country on my one humble web server, I've had a remarkable decrease in my annoyance factor in terms of crap like port scans, login attempts, comment spam in the blogs, and even a respite from the damned Baidu spiders who won't observe anybody's robots.txt file. Along about the fall of last year, I began observing what looked like attempts at ddos attacks--all originating from China. None of them succeeded, but my annoyance levels grew by leaps and bounds. When they started in with the UDP port scans (which I confess baffle me), I'd had enough. Incidentally, if you try to contact Baidu to see about their injudicious crawling, your email will most likely be returned with a note that your email provider has been blacklisted in China. I don't know what I'll do with all the time I'm saving--take up a hobby, perhaps.

Re:Blacklist 'em (5, Interesting)

PNutts (199112) | more than 4 years ago | (#31794806)

Until China learns how to act as responsible Internet citizens, I'll continue to blackhole as many of Chinese subnets as I can find both at work and home. Spam, malware, and every kind of crap comes from China, and I don't do business with any Chinese, so it's a no-brainer

Well, since more SPAM comes from the US I assume you'll block those subnets too? []

Also, in March the US was the source of most malware, but since you already have that blocked for SPAM you should also block Korea who for some reason in the month of April took the lead. []

In regard to China learning how to act as responsible Internet citizens, you are not leading by example.

Re:Blacklist 'em (-1, Troll)

Monkeedude1212 (1560403) | more than 4 years ago | (#31794964)

You know, I wonder how that kind of data is collected. What, deducing the origin of the spambot? That doesn't mean the Spam is coming out of the States, it means some Spammer in China is using the states. And since the States simply has one of the bigger online populations, thats to be expected.

You look at their Top Spammers - Eastern Europe and Asia, hmmm, how many Americans?

When you look at WHO IS RESPONSIBLE - it's definately not nearly as bad in America as it is in China, North Korea, Ukraine, etc etc.

Re:Blacklist 'em (1)

Galactic Dominator (944134) | more than 4 years ago | (#31795242)

Wow, that is infallible logic. Completely repudiated.

I wish to subscribe your newsletter, hmmm?

Re:Blacklist 'em (1)

anarche (1525323) | more than 4 years ago | (#31795036)

I think the point he's making is that he's blocking a country's list where that country has demonstrably proven not to trust its own citizens with the internet. Why should he?

If you are offended, just block US subnets in retaliation?

Re:Blacklist 'em (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31795118)

Dude pull your head out of the sand. The US government doesn't trust its own citizens too - that's why they datamine and wiretap your ass.

The sheer hypocrisy and the little fantasies Americans tell themselves to feel better about themselves - need a new 'cold war' enemy to fight against, sandal-wearing dipshit? Was 'Al-Qaeda' as the big bad 'bogeyman' not doing enough to wet your sado-masochistic 'warrior' fantasies?

I've never seen a more clear-cut example of 'pot calls kettle black'. America has been the no #1 importer/exporter of crime, terrorism, rape, and pillage for over 50 years now - but it helps when you can point at another country and say: "Them bad, we good". Never mind that the US gave most-favoured nation status to China, and still does so. If they're so 'bad', why won't the Congress drop that? Oh, that's right, all industry is over there - your cheap-ass goods wouldn't be getting made - you would have no clothes, no computer to type this shit on and all those other little perks that Chinese 'slave' wagers are manufacturing for you.

You are a hypocrite at heart and you know it - in fact, that slogan McDonalds has - 'I'm loving it' - that's what you live by each and every single day. America - land of the cowardly and land of the delusional.

Re:Blacklist 'em (1)

DarkOx (621550) | more than 4 years ago | (#31794938)

yes than your traffic can get router there anyway when the start advertising American, and European subnets.

Re:Blacklist 'em (2, Funny)

Anonymous Coward | more than 4 years ago | (#31795104)

English, motherfucker. Do you speak it?

Re:Blacklist 'em (-1, Offtopic)

ls671 (1122017) | more than 4 years ago | (#31795412)

> Do you speak it?

I doesn't need to to post on /. Some people write pretty decent English but you can hardly understand them when they speak it ! ;-))

Re:Blacklist 'em (0)

Anonymous Coward | more than 4 years ago | (#31795000)

I don't do business with any Chinese

And you posted this comment using a computer system that contains absolutely no Chinese-made or designed hardware or subcomponents? I call B.S.

Re:Blacklist 'em (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31795204)

Yeah, it's almost so ironic it would be funny if it weren't so pathetic.

I'm guessing most Americans would STFU real fast if America really GOT a war on with China - then, all of a sudden, they would find themselves out of computer hardware to buy, out of cheap clothes to buy, and most of those other things that AMERICAN MANUFACTURERS all PRODUCE IN CHINA.

Guess what - when most 'Slashdotters' had their 'freak on' badmouthing Toyota - GUESS WHAT? Toyota was WILLING TO BUILD MANUFACTURING PLANTS IN AMERICA - but see, it feels too 'good' to 'badmouth' a Japanese company and say 'USA! USA! USA' - it's far better that American companies go off-shore, invest all their money in Chinese manufacturing plants and that Americans then import all those goods. That makes for a GREAT ECONOMY according to numerous financial American analysts and a braindead public.

The Great Firewall of China, works two ways (2, Funny)

Tisha_AH (600987) | more than 4 years ago | (#31795532)

Good walls work both ways. To "help" China from being tainted by the evil ways of us westerners let's just cut them off completely.

Access to Zebra, Re:Blacklist 'em (2, Insightful)

ls671 (1122017) | more than 4 years ago | (#31795572)

While at it, I offer you to query my own Zebra server, I guarantee to only return the best available routes ;-)) []

Contact me off-line if you are interested.

Seriously, I have some friends who do like you, they start by blocking China, then Korea, then end up blocking half of the world to enhance their security.

In my humble opinion, this is not a valid security approach, I actually use some requests or connection attempts from these countries to test and strengthen my security. Hackers can get to your machine from US relays/proxies or US compromised machine anyway and blocking only drops the packets as they arrive to your machine, no DOS protection or bandwidth savings.

In short, I believe blocking China gives you a false sense of security, use China to learn how to make your system secure in the first place instead but the is just my 2 cents hence my very personal opinion ;-))

An old saying... (4, Insightful)

marmoset (3738) | more than 4 years ago | (#31794614)

"Once is an Accident, twice is a Coincidence, and three times is a Pattern."

Re:An old saying... (3, Informative)

Jaysyn (203771) | more than 4 years ago | (#31794710)

Three times is enemy action.

Re:An old saying... (1, Insightful)

timeOday (582209) | more than 4 years ago | (#31795298)

Wow, I can't believe the level xenophobia in here. Hate to break it to you guys, but BGP misconfiguration has always been an issue with the Internet and happens all the time [] (that paper is from 2002 btw). (Oh noes! Pakistan [] is attacking us too! And Spain! [] And we're even attacking ourselves [] !

You hawks would be funny if some of you didn't hold power.

Re:An old saying... (0)

Anonymous Coward | more than 4 years ago | (#31795650)

Xenophobia is misplaced agression towards an outside force/community with no known reason.
We're 50+ years past that point.

Re:An old saying... (4, Informative)

MagikSlinger (259969) | more than 4 years ago | (#31794786)

The correct quote is:

"Once is happenstance. Twice is coincidence. Three times is enemy action."

-- Auric Goldfinger, "Goldfinger" by Ian Fleming

Re:An old saying... (5, Funny)

BJ_Covert_Action (1499847) | more than 4 years ago | (#31794992)

Yeah, but it came from Confucius so it can't be trusted.

Re:An old saying... (4, Funny)

DriedClexler (814907) | more than 4 years ago | (#31795608)

Confucius say, Man who walk through airport turnstile sideways is going to Bangkok.


Re:An old saying... (1)

Blakey Rat (99501) | more than 4 years ago | (#31795372)

"A communications disruption can mean only one thing... invasion!" - some shitty Star Wars movie

Re:An old saying... (1)

Arancaytar (966377) | more than 4 years ago | (#31795838)

"Once is an Accident, twice is a Coincidence, and three times is" ...enemy action, I think it was. Appropriately.

Wiskey Tango Foxtrot (4, Insightful)

Archangel Michael (180766) | more than 4 years ago | (#31794650)

Any sufficient level of Incompetence is indistinguishable from Malice.

Solution however is exactly the same.

Re:Wiskey Tango Foxtrot (1)

Nerdfest (867930) | more than 4 years ago | (#31794720)

I think they're hoping that the people don't notice that the opposite can be true as well.

Re:Wiskey Tango Foxtrot (1)

namoom (926916) | more than 4 years ago | (#31795524)

the only difference between genius and stupidity is genius has limits

What about signing & certificates? (5, Interesting)

Turzyx (1462339) | more than 4 years ago | (#31794678)

The ISP in question only controls 30 networks, yet other routers blindly accepted thousands. Why isn't there basic verification of such re-configurations? I'm actually very shocked, the potential for abuse is huge; and TWICE as well.

Re:What about signing & certificates? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31794780)

It wasn't the same ISP twice, I don't think.

And you cannot do 'basic verification' of such things on our side of the pond, that's not how BGP works. It's unreasonable to enumerate every block that China Telecommunications announces, as they are a very, very large ISP. The problem was that they in turn should have verified what the small ISP was allowed to announce. But they didn't, those routes popped up on their routers and then propagated out.

Re:What about signing & certificates? (3, Informative)

TooMuchToDo (882796) | more than 4 years ago | (#31795090)

No one wants to move to secure BGP (which uses PKI to validate route announcements) for a variety of reasons. Google "secure bgp" or "sbgp" to familiarize yourself with the situation.

Re:What about signing & certificates? (0)

Anonymous Coward | more than 4 years ago | (#31795570)

I can only find RFCs and things alike.
Could you provide a short explanation on the problems?

built to spill (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31794702)

... faulty by design.

Fall guy (3, Interesting)

Manip (656104) | more than 4 years ago | (#31794732)

Why can one "small" ISP do this? I mean from a technical point of view how can they spread routing information for endpoints their network doesn't own? While they have clearly dropped the ball, I struggle to understand how they could accomplish this even if they tried, that is if everyone else's equipment is configured correctly *cough*

Re:Fall guy (4, Informative)

Paralizer (792155) | more than 4 years ago | (#31794826)

The internet runs the BGP routing protocol. It is by design a 'trust' system. You explicitly neighbor with autonomous systems you want to directly connect to and you freely exchange routes. It's possible to filter that routing information if you wanted (both in and out), but because you explicitly connected with them there's a certain level of "I trust anything you tell me, as I you should of me."

Re:go back to old school principles (1)

neutrino38 (1037806) | more than 4 years ago | (#31795012)

IP V6 everywhere
static herarchical routing everywhere based on geographical IP addresses prefixex.
like in the old telecom way.

Fat Chance that IPv6 actually fixes this problem (4, Interesting)

billstewart (78916) | more than 4 years ago | (#31795336)

By "old-school principles", you did mean "pre-ARIN IPv4 Swamp Addresses", didn't you? :-)

Yeah, the people who designed IPv6 hoped that by having a big enough address space with no pre-existing reservations, they could make routing simpler and cleaner and delay the problem of routers running out of special route table memory and routing protocol horsepower, but that was pretty much a pipe dream:

  • Medium-large businesses want to own their own address space instead of using provider-owned space so they've got the ability to change carriers without renumbering,
  • businesses that want multi-homing for diversity need to have routing table presence regardless of what size their address blocks are,
  • geographical addressing may be ok for single-site businesses, but tends to fail for businesses with multiple offices (at least multiple offices with public presence),
  • and anybody who wants to be an early adopter (i.e. actually be using IPv6 long enough to be stable before the IPv4 ship sails off the edge of the world and everybody else notices the dragons and their ISP does something useful about IPv6) is likely to spend the ~$1250 to get their own public IPv6 space as opposed to just building a tunnel to SiXXs or Hurricane Electric,

so the IPv6 world's going to be a non-hierarchical mess just like the IPv4 world.

Trust but Verify (1)

billstewart (78916) | more than 4 years ago | (#31795126)

As several other people have commented, the ISPs they connect to are responsible for doing some sanity filtering on the routes they announce. It's not universal, especially for connections between ISPs (as opposed to connections from end-user customers that use BGP for multi-homing, where ISPs usually do a better job), and there's nothing close to universal agreement about address range registration systems or how to validate BGP information.

Re:Fall guy (1)

diamondsw (685967) | more than 4 years ago | (#31795252)

However, why should a network be able to advertise routes for subnets that are out of its control? Even if we accept multiple levels of peering relationships, there should be some safeguards against overly broad routes and "hijacking" of networks known to be authoritatively announced by other peers.

(Note: I'm genuinely asking, as I'm fairly ignorant of the design of BGP - I'm much more LAN than WAN.)

The whole idea of "trust" on the network is something of an anachronism. The internet is not the secure, safe place it was 20 years ago. We slowly learned in computer science never to trust external sources with data (no client-side processing, whitelists instead of blacklists, basic data validation, etc), so why aren't we taking similar steps with the backbone of the internet?

Re:Fall guy (0)

Anonymous Coward | more than 4 years ago | (#31795508)

> However, why should a network be able to advertise routes for subnets that are out of its control?

Because they need to! If you're a large enough company you have your own IP space. Take a popular example: Microsoft. Microsoft is not an ISP, but they have plenty of their own public IP addresses assigned to them. Let's say Microsoft sits behind Level 3 as a carrier. Microsoft very much relies on Level 3 being able to announce that Microsoft is reachable through Level 3, even though Level 3 has absolutely no control over the networks Microsoft owns. In fact, Microsoft owns so much network space that it's fairly likely that Level 3 just trusts Microsoft and propagates the routes Microsoft tells them to because Microsoft moves network space from facility to facility as required, and doesn't want to have to deal with Level 3 every time a minor change is made.

Re:Fall guy (1)

zenchemical (1468505) | more than 4 years ago | (#31795540)

because you don't know if the subnets are out of its control or not. If you have small-china-isp that is peered with BIG_ISP_A and BIG_ISP_B, and for some reason BIG_ISP_A has no route to BIG_ISP_B, the network is set up in such a way so that it will failover to its only path, which is BIG_ISP_A -> SMALL_CHINA_ISP ->BIG_ISP_B. this is part of the overall network fault tolerance strategy. - sean (previous voting member of seattle IX)

Re:Fall guy (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#31795506)

It reminds me of a scenario we had at work. We come in one day and find that about half the computers in the building are getting bad IP addresses, and as such, weren't able to connect to the email servers or the internet. We found out it was a rogue router on the network, dishing out 192.168.1.x/24 addresses when that specific building was under 172.21.30.x/20. We were lucky that it was obviously a default linksys setup, we were able to log into it once we found the IP and disable DHCP. Then we had to go through our routers and switches IPTables/MAC Tables to find out which port this rogue device was plugged in on. Gratefully, our ports are labelled, and each cable is labelled on the patch panel.

So we go and its this dinky little thing inside a janitors closet. One of the lab computers and the lab instruments need to be on a 192.168.1.x/24 subnet because the lab instrument software is programmed terribly. So someone through that router down there years ago and solved the problem, forgetting about it entirely. Cleaning guys accidentally unplugged things one evening, and plugged things back in how they thought it went. They were wrong.

And that is the kind of crap we have come to expect from a company with a network set up about as security intensive as the rest of the internet.

Re:Fall guy (0)

Anonymous Coward | more than 4 years ago | (#31794836)

Keep in mind where most of the world's routers are manufactured.

Re:Fall guy (3, Insightful)

lukas84 (912874) | more than 4 years ago | (#31794852)

The small ISP can't do this if the big ISP would've done it's job properly.

Re:Fall guy (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#31795096)

If you are expecting a router to pass GOOD data, how hard is it to believe that someone can trick you into accepting BAD data?

This is no different than you downloading a Windows Update that bluescreens your computer. Clearly your equipment isn't configured correctly.

In actuallity, in order to route things through China, you have to trust China, and yes, that sucks, and yes, I'm using way too many comas.

Re:Fall guy (1)

dave562 (969951) | more than 4 years ago | (#31795476)

I'm using way too many comas.

If you were putting your comas to good use, you wouldn't have enough consciousness left to over-use the commas.

Chinese bashing? (1)

oldhack (1037484) | more than 4 years ago | (#31794752)

How rare/common is such screwups? Or are we just bashing Chinese (not that I mind it all that much, don't let me get in the way)?

Re:Chinese bashing? (1, Informative)

Anonymous Coward | more than 4 years ago | (#31794912)

It happens rather frequently. Several times a year.

A large event was a few years back when Iran decided to block by announcing their network space as being reachable via Iranian routers, and blackholing the traffic. Unfortunately they neglected to properly configure their outbound prefix filters and that routing announcement made it onto the Internet at large, causing many international routers to believe was reachable via Iran.

Corrections - every couple of years, and Pakistan (1)

billstewart (78916) | more than 4 years ago | (#31795394)

It was actually Pakistan, not Iran, and significant problems are more like every couple of years - and most ISPs have enough filtering to prevent most accidental screwups from getting very far, at least for very long. But yeah, it's not rare, and it only takes multi-party incompetence, not malice.

Re:Chinese bashing? (5, Interesting)

Blackbrain (94923) | more than 4 years ago | (#31794976)

This kind of thing happens all of the time. Subscribe to the operators list at [] and you will see reports of mis-announced prefixes every month or two. This is just China bashing and media sensationalism. (Which I do mind very much, thank you)

When r they going to learn? (1)

hesaigo999ca (786966) | more than 4 years ago | (#31794760)

First of all don't pass by another country to go get your dns name resolution, use in home servers, second, if you are hopping through another country for x reason, you have to make sure to specify having NO name resolution until you are in local ground.
Why are they not doing something about this, this is an old problem, and still needs to be updated it seems.

Re:When r they going to learn? (1)

pv2b (231846) | more than 4 years ago | (#31794816)

This hijack was on the routing level, not the DNS level.

timeout (0)

Anonymous Coward | more than 4 years ago | (#31794792)

Ok, China. Until you learn to play nice with the other children, you go into timeout.

Gotta Build A Fence (5, Funny)

MrTripps (1306469) | more than 4 years ago | (#31794820)

Obviously the only way to protect the Border Gateway Protocol is to build a fence around it. (Spits. Scratches ass.)

What exactly happened? (1)

King Coopa (1374689) | more than 4 years ago | (#31794844)

So let me get this strait... IDC sent out a EIGRP instructing all these routers to direct traffic through them?

Re:What exactly happened? (0)

Anonymous Coward | more than 4 years ago | (#31795144)

IDC sent out BGP announcements for those prefixes, their uplink accepted them, the rest of the world accepted them from there.

EIGRP is only used between Cisco routers, and while it can be used as an EGP it isn't used on the Internet as such. That's all BGP.

Re:What exactly happened? (1)

NeumannCons (798322) | more than 4 years ago | (#31795270)

Sort of. EIGRP is a routing protocol used within an organization (Interior Gateway Protocol or IGP). BGP is the routing protocol used between organizations (Exterior Gateway Protocol or EGP). So you may be running EIGRP (or OSPF, RIP2, etc) within your company but speaking BGP to the other companies your connected to. Also, while there are several IGPs, for all practical purposes, there's only one EGP (BGP). It functions similarly to other routing protocols, using metrics to detmine the best routes to other networks. If it advertises a better route to reach a network, everyone is going to start sending traffic destined for that network to them.

This concludes our lesson for TLAs (Three Letter Acronyms).

Re:What exactly happened? (1)

zenchemical (1468505) | more than 4 years ago | (#31795392)

This is actually pretty common among larger carriers, to trust network updates. One of the common BGP peering mistakes that used to be quite frequent is that small , multi-homed ISP's would misconfigure BGP from , say, uunet and sprint, and suddenly they would be routing uunet's traffic to sprint (oops). It's sort of how the network 'works', at a fundamental level, and it works really well if everybody basically trusts their peers and knows what they're doing.

Close enough (2, Informative)

billstewart (78916) | more than 4 years ago | (#31795498)

ISPs use BGP to talk to each other, but internally they may use iBGP or EIGRP or OSPF or (once upon a time) RIP, and they usually have a complex routing structure internally and a small number of border routers that announce a simplified set of routes to their upstream carriers or peers. Badly-automated conversions between OSPF/etc and BGP are the easiest place to make a big mistake like that, though some operators are clever enough to break their routing purely by hand.

Why the FUCK does china still have internet access (0, Troll)

Anonymous Coward | more than 4 years ago | (#31794886)

Why; God damn it WHY?!

  We could of saved a lot of taxpayer dollars cutting off China instead of drafting a "cyber terrorism bill"

Re:Why the FUCK does china still have internet acc (0)

Anonymous Coward | more than 4 years ago | (#31795120)

Why the FUCK does USA still have internet access?

Re:Why the FUCK does china still have internet acc (2, Funny)

Anonymous Coward | more than 4 years ago | (#31795378)

'cause we created it. Thanks.

Re:Why the FUCK does china still have internet acc (4, Interesting)

zero_out (1705074) | more than 4 years ago | (#31795174)

Our Grand Communist Party of the Great Nation of China plan to get the rest of the world to leave us alone about our glorious firewall, and desire, nay, duty to protect our citizens:

Step 1: Push out Google

Step 2: Muck up their internet

Step 3: They kick us off "their" internet

Step 4: Setup our own, national, internet

Step 5: Be praised by the lesser nations for staying off their internet, rather than chastised for walling ourselves off and keeping their realfacts out

Step 6: Spread propaganda, er... goodfacts about our Grand Communist Party of the Great Nation of China

Step 7: Unlimited, eternal power to do whatever we please

Google? (0)

Anonymous Coward | more than 4 years ago | (#31794910)

Notice they didn't hack Google, again. Lesson learned?

Does Narus do business with China? (2, Interesting)

Beelzebud (1361137) | more than 4 years ago | (#31795046)

This should really be cause for alarm. Does China also use the Narus systems that the NSA is using to spy on all Americans?

Chinese fire drill? (3, Funny)

StuartHankins (1020819) | more than 4 years ago | (#31795170)

Someone had to say it.

Filter BGP updates? (3, Insightful)

zenchemical (1468505) | more than 4 years ago | (#31795320)

This is sort of the nature of BGP, at least when you are in the habit of trusting BGP peers. Methinks the large carriers should probably be in the habit of filtering BGP updates from chinese carriers, at least until they can pass "peering 101"

does this imply large scale packet sniffing ? (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31795386)

So while this was going on could the chinese save off the network traffic? They have the infrastructure Cisco routers, etc.
Could they decrypt SSL packets ? It may take awhile but they're not doing this real-time.
Go through any interesting attachments ? Spreadsheets, documents, ...
I think I'll read up more on asymmetric warfare and the Red Army officer's paper on the subject.

What? (0)

Anonymous Coward | more than 4 years ago | (#31795414)

How the hell can something like this happen? I thought the Internet was unstoppable... and a simple accident and fuck up things this much for so many people on the Internet? We need a new Internet. Seriously, we need to re-think most of our protocols.

How to protect against this (1)

Midnight Thunder (17205) | more than 4 years ago | (#31795424)

This is unlikely to be the last this will happen. What can be done to protect against this sort of issue?

Failure of Tier 1 ISP's (1)

Bruha (412869) | more than 4 years ago | (#31795546)

Tier 1 & 2 ISP's should really be filtering all subnets they own. A lot of them do, but also a lot of them do not or think their Tier 2's are handling it. I've seen a company who was assigned a /24 misstype a number and suddenly they're claiming a /16 and disrupt a bunch of our customers.

Unfortunately many companies are ill equipped to detect this type of error, internally they may see everything is fine, but it's external traffic that's being detected.

It's easy if you can setup a server to check who's advertising your AS and report if things change.

Slashdot hit by China... (1)

ls671 (1122017) | more than 4 years ago | (#31795800)

It seems like Slashdot has been hit hit by China.

If I try: []

or []

I have been getting this for the past half hour:

Error 503 Service Unavailable
Service Unavailable
Guru Meditation:
XID: 147127282289

I have a copy of Wikipedia... I'm ready (0)

Anonymous Coward | more than 4 years ago | (#31795872)

I can't wait until the whole Internet goes belly up and I don't have to pay my mortgage anymore. I have a copy of Wikipedia, is all what I need to live in a world without internet.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?