
Why Google Went Offline Today

Soulskill posted about 2 years ago | from the ok-who-tripped-on-the-cable dept.

Google 110

New submitter mc10 points out a post on the CloudFlare blog about the circumstances behind Google's services being inaccessible for a brief time earlier today. Quoting: "To understand what went wrong you need to understand a bit about how networking on the Internet works. The Internet is a collection of networks, known as "Autonomous Systems" (AS). Each network has a unique number to identify it known as AS number. CloudFlare's AS number is 13335, Google's is 15169. The networks are connected together by what is known as Border Gateway Protocol (BGP). BGP is the glue of the Internet — announcing what IP addresses belong to each network and establishing the routes from one AS to another. An Internet "route" is exactly what it sounds like: a path from the IP address on one AS to an IP address on another AS. ... Unfortunately, if a network starts to send out an announcement of a particular IP address or network behind it, when in fact it is not, if that network is trusted by its upstreams and peers then packets can end up misrouted. That is what was happening here. I looked at the BGP Routes for a Google IP Address. The route traversed Moratel (23947), an Indonesian ISP. Given that I'm looking at the routing from California and Google is operating Data Centre's not far from our office, packets should never be routed via Indonesia."


110 comments


And I thought.. (1, Funny)

Anonymous Coward | about 2 years ago | (#41898977)

And I thought the internet was a series of tubes...

Re:And I thought.. (4, Funny)

YodasEvilTwin (2014446) | about 2 years ago | (#41899013)

Only 6 and a half years late on that joke.

Re:And I thought.. (3, Funny)

jhoegl (638955) | about 2 years ago | (#41899359)

Quite, the noise resonates off the tubes causing packet loss and errors!

Re:And I thought.. (0)

Anonymous Coward | about 2 years ago | (#41899075)

hahah awesome

BGP Attack! (4, Informative)

Jeremiah Cornelius (137) | about 2 years ago | (#41899439)

Re:BGP Attack! (0)

Anonymous Coward | about 2 years ago | (#41899755)

Said every network admin for the last decade.

Re:BGP Attack! (2)

Jeremiah Cornelius (137) | about 2 years ago | (#41900045)

"BGP, I choose YOU!"

Re:And I thought.. (0)

OakDragon (885217) | about 2 years ago | (#41901069)

Hacked by Tagg Romney.

Re:And I thought.. (1)

Dan541 (1032000) | about 2 years ago | (#41901109)

More like a sewer clogged with garbage.

First Post (0)

Anonymous Coward | about 2 years ago | (#41899043)

I didn't even notice Google was down. This must have been a horrible outage.

All your packets are belong to... (5, Interesting)

Adeptus_Luminati (634274) | about 2 years ago | (#41899085)

... Network Admins who have no clue. Like when just 4 years ago, Pakistan took down Youtube...
http://securitywatch.pcmag.com/dns/285152-pakistan-takes-youtube-down [pcmag.com]

Clearly this should be on the agenda for the new "Cyber Reserves" of the department of Homeland Security. If Google can be taken down by accident in parts of the world, then it certainly can be taken down on purpose. Route filters are your friends!

CYBER RESERVES: http://www.techradar.com/news/internet/department-of-homeland-security-recruiting-for-cyber-reserve-1109906 [techradar.com]

Re:All your packets are belong to... (0, Redundant)

ArcadeMan (2766669) | about 2 years ago | (#41899331)

inconvenienced

Re:All your packets are belong to... (1)

dunng808 (448849) | about 2 years ago | (#41900125)

Truthy

Re:All your packets are belong to... (1)

Vellmont (569020) | about 2 years ago | (#41899353)

Clearly this should be on the agenda for the new "Cyber Reserves" of the department of Homeland Security.

Good god do I hope you're joking. The last thing we need is the US government involved, especially some quasi-military organization of retired people and contractors that get "activated" in an emergency, all run by the freaking Gestapo.

I'm not even an anti-government person who thinks they can't get anything right... but I sure as hell realize that this is an international problem that has to be solved internationally, not by some police force, or extension of it.

Re:All your packets are belong to... (0)

Anonymous Coward | about 2 years ago | (#41899573)

Are you kidding? All our leaders' problems can be solved by using more drones.

Captcha: inaction

Re:All your packets are belong to... (0)

Anonymous Coward | about 2 years ago | (#41900169)

How is it a problem, again? Something bad happened, it got fixed right quick. I fail to see how it's a call to arms for anything. or anybody. If idiots keep broadcasting bad routes, then other networks will be more rigorous about their filtering. This doesn't need a committee.

Re:All your packets are belong to... (4, Insightful)

icebike (68054) | about 2 years ago | (#41900991)

How is it a problem, again? Something bad happened, it got fixed right quick. I fail to see how it's a call to arms for anything. or anybody. If idiots keep broadcasting bad routes, then other networks will be more rigorous about their filtering. This doesn't need a committee.

Something bad happened, it got fixed right quick. This Time.

What about next time, when the whole mess is run by the UN? [cnet.com]

If idiots are currently accepting bad routes from idiots that broadcast them, then it surely does need fixing.
Why would you rely on bottom-up security?

Re:All your packets are belong to... (0)

Anonymous Coward | about 2 years ago | (#41903109)

Well, perhaps a UN organization would defend the values commonly agreed, but not generally implemented. It might also be independent of any government and the voluntary firefighter component could be an essential part of the activities, while the national "cyber reserves" and organizations like CERTs help coordinating national activities and education. It could work with the right people.
  The OOPs Gestapo reference was funny as many emergency procedures during exceptional times depend on private and public entities enacting their planned and government regulated emergency procedures and organizational transformations.

Re:All your packets are belong to... (0)

Anonymous Coward | about 2 years ago | (#41903271)

It'll still get fixed quick if it's something popular. The people responsible for fixing it might even notice and start fixing it before being told to.

Could be different if it's your obscure company's AS that's down...

you are a fagot (-1)

Anonymous Coward | about 2 years ago | (#41899479)

a serious fagot...

Re:All your packets are belong to... (4, Funny)

aaaaaaargh! (1150173) | about 2 years ago | (#41899561)

If Google can be taken down by accident in parts of the world, then it certainly can be taken down on purpose.

Oh my god, that would be the end of the world as we know it... I'd have to use Bing for a few minutes!

You're right, we need to get the cyber-army ready!

Re:All your packets are belong to... (1)

ryzvonusef (1151717) | about 2 years ago | (#41899761)

Ugh, don't remind us, or we will try it again in an act of holy desperation that even Saudi doesn't apply.

In other news, youtube is still blocked for us.

Re:All your packets are belong to... (1)

petermgreen (876956) | about 2 years ago | (#41900859)

Route filters are your friends!

Sure a provider can and should filter routes from small customers and small peers.

But a provider can't really filter routes from their upstreams (since the whole point of them is to provide you with routes to the whole internet) and it's difficult for them to filter routes from other large networks (since they have so many direct and indirect customers). So it just takes one large provider to be either sloppy (not filtering routes from their small customers) or malicious (introducing bogus routes themselves) for a bad route to reach large parts of the internet.

Already mitigated in most cases (1)

dutchwhizzman (817898) | about 2 years ago | (#41904293)

Almost all BGP capable equipment at most exchanges is now able to filter the amount of address blocks each ISP can announce. Once someone starts announcing a whole lot more than the filter is set for, the announcements are ignored and alerts are triggered.

While that mitigates problems, the actual solution is already being put in place. IP address blocks are being assigned to parties and those parties can sign routing announcements for those IP blocks using a PKI system. By having the BGP equipment check each request with the public key of the published "owner" of the block, rogue announcements should be ignored. Not all equipment is capable of this and not all exchanges have made this mandatory, but this will most likely happen in the future. Sure, by stealing keys, finding weaknesses in the implementation of router vendors and such, attacks will still be possible, but admins making mistakes will hopefully not mess up things anymore.

This works perfectly for end points in routes, but I am not certain how routes through someone's AS to another AS are being dealt with. I assume you can tag certain ASes as "transit AS" and accept unsigned routes from them. That would make you still vulnerable for rogue announcements through those ASes, but only if those providers didn't use signed announcements and filters on how many netblocks a peer could announce.

Re:Already mitigated in most cases (1)

Bengie (1121981) | about 2 years ago | (#41907143)

I don't directly work with routers, but how might a signed block help? Each network is different and has different routes, unless the owner of an IP block is willing to work with every network operator in the world, there is no way for them to sign a block to state said route is correct.
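The origin check that the signed-announcement comments above refer to (Route Origin Authorisations), written out as an added example; it is not part of any comment in this thread. AS numbers 15169, 13335 and 23947 are the ones quoted in the summary; the prefixes and AS 64500 are constructed documentation values, and the valid / invalid / not-found outcomes follow RFC 6811.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One signed statement: origin_as may originate prefix, down to max_length."""
    prefix: Network
    max_length: int
    origin_as: int


def roa(prefix, max_length, origin_as):
    return ROA(ipaddress.ip_network(prefix), max_length, origin_as)


def validate_origin(prefix, as_path, roas):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.

    as_path is a plain list of AS numbers with the origin last (assumption:
    no AS_SET segments). Only the prefix and the origin AS are examined.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for r in roas:
        # A ROA covers the route if the route is equal to, or more specific
        # than, the ROA prefix (same address family).
        if route.version != r.prefix.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        if r.origin_as == origin and route.prefixlen <= r.max_length:
            return "valid"
    # Covered by at least one ROA but matched none: invalid.
    # Covered by no ROA at all: the holder has published nothing, not-found.
    return "invalid" if covered else "not-found"


# Constructed ROA set: 192.0.2.0/24 stands in for a prefix held by AS 15169.
ROAS = [roa("192.0.2.0/24", 24, 15169)]

# Constructed announcements as seen by a validating router.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [13335, 15169]),            # expected origin
    ("192.0.2.0/24", [64500, 23947]),            # wrong origin AS
    ("192.0.2.0/25", [13335, 15169]),            # right origin, longer than max_length
    ("198.51.100.0/24", [64500, 23947]),         # no ROA published for this space
    ("192.0.2.0/24", [64500, 23947, 15169]),     # right origin, unexpected transit AS
]


def demo():
    return [validate_origin(p, path, ROAS) for p, path in ANNOUNCEMENTS]


if __name__ == "__main__":
    for (p, path), state in zip(ANNOUNCEMENTS, demo()):
        print(f"{p:18} path={path} -> {state}")
```

The holder signs one prefix-to-origin statement, not one per route, and every network checks announcements against it locally. The last case shows the limit of the check: the path is not covered, so a route carried through an unexpected AS with the correct origin still validates.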

Thats Internet (0)

Anonymous Coward | about 2 years ago | (#41899087)

OMG :-P

Happens all the time, just not usually to Google (1)

Jonah Hex (651948) | about 2 years ago | (#41899089)

Another networking issue that is probably never going to go away, I'm just surprised it isn't used more maliciously than it is. - HEX

Re:Happens all the time, just not usually to Googl (3, Insightful)

Adeptus_Luminati (634274) | about 2 years ago | (#41899173)

Seriously, a porn link in your sig?

Anyway... clearly Anonymous hasn't learned how to delete BGP filters and inject fake routes yet.

Re:Happens all the time, just not usually to Googl (5, Funny)

Anonymous Coward | about 2 years ago | (#41899285)

Errr, yeah, what about that porn link? That's really... that's awful. I can't believe that they would have that there. Man, porn. Anyway, I've just got to go and do... a thing. Nothing interesting, don't you worry about it, just... Go about your business.

Re:Happens all the time, just not usually to Googl (2)

Anonymous Coward | about 2 years ago | (#41899405)

Since when does erotic nudes immediately equal "porn", and clearly you haven't visited the site.

Re:Happens all the time, just not usually to Googl (0)

Anonymous Coward | about 2 years ago | (#41899783)

Since when does erotic nudes immediately equal "porn", and clearly you haven't visited the site.

Since it all goes in the spank bank. Different places maybe, but same bank.

Rated thirty == porn (0)

tepples (727027) | about 2 years ago | (#41900413)

Since when does erotic nudes immediately equal "porn"

Since it's in the top-level domain that's the Roman numeral for thirty.

Re:Happens all the time, just not usually to Googl (3, Funny)

Beardo the Bearded (321478) | about 2 years ago | (#41899807)

Seriously, a porn link in your sig?

Anyway... clearly Anonymous hasn't learned how to delete BGP filters and inject fake routes yet.

The only reason you replied was to bookmark!

Re:Happens all the time, just not usually to Googl (4, Informative)

Jonah Hex (651948) | about 2 years ago | (#41900051)

We don't do Porn, we try to keep on the erotic art side of things, and thanks for drawing attention to it lots of visitors from your mention! - HEX

Re:Happens all the time, just not usually to Googl (1)

admdrew (782761) | about 2 years ago | (#41900205)

...to be fair, you *are* using a TLD explicitly intended for porn.

Re:Happens all the time, just not usually to Googl (0)

Jonah Hex (651948) | about 2 years ago | (#41900835)

Strategic decision, while I do own the hex.ms domain I knew once .xxx came out it would be as recognized and memorable as the big three .com/.net/.org and just try getting a three char name on one of those. :P Also when we started we wanted the "freedom" to do "porn" if the story/script supported it, but the major issue is the credit card companies, we wouldn't be able to use Paypal, etc, so we dropped the idea. - HEX

Re:Happens all the time, just not usually to Googl (1)

Adeptus_Luminati (634274) | about 2 years ago | (#41901959)

It's just that the link is right above the "Reply to This [comment]" link. Easy to click by accident. Somebody slashdoting from work may get in trouble or worse. And as for some other comment in this thread, no obviously I haven't clicked on it... I'm at work. Wait let me fix that... I'm at "work". Ok.

Re:Happens all the time, just not usually to Googl (1)

Jonah Hex (651948) | about 2 years ago | (#41903143)

No wonder no one replies to me, they are all distracted by my link and visit my site instead! A bittersweet win-win situation! As for visiting from work, no one sets their alert threshold that low for even adult material, sure you might get a blocked page but you won't get HR on your back for it. Of course my area and level of IT we're exempt from filtering usually, too many good resource sites get erroneously filtered. (and we implement the filters lol) - HEX

Re:Happens all the time, just not usually to Googl (2)

kasperd (592156) | about 2 years ago | (#41900523)

Another networking issue that is probably never going to go away

Oh, really? I thought Route Origin Authorisations were designed to address exactly this issue?

Re:Happens all the time, just not usually to Googl (0)

Jonah Hex (651948) | about 2 years ago | (#41901123)

I call in the networking team/group when it gets to this point, but I've seen it happen so often behind the scenes at Fortune 500's as well as publicly like this occurrence to have heard that it's "un-fixable by design" from those networking folks. Glad to see some progress is being made to really fix the issue. - HEX

Will DNSSEC help with this? (0)

Dhrakar (32366) | about 2 years ago | (#41899097)

Can this system of Network addresses and border gateways also be protected by DNSSEC? It seems like a pretty wide open way for mischief. It seems like it should all be part of BIND, but then I know just enough about IP routing to get m'self in trouble :-)

Re:Will DNSSEC help with this? (5, Informative)

X0563511 (793323) | about 2 years ago | (#41899143)

Nope. DNS doesn't mean shit if the routers are sending your traffic to the wrong place. (DNS points to an IP, which is (supposed to) point to the target machine. If that last part isn't working, the first part won't work no matter what)

Re:Will DNSSEC help with this? (1)

Anonymous Coward | about 2 years ago | (#41899319)

And this is why encryption is your friend, because you can't be sure whose networks your packets are going to travel through...

On each protocol, not just DNS lookups - eg HTTPS, SSH etc.

Re:Will DNSSEC help with this? (1)

sgt_doom (655561) | about 2 years ago | (#41900633)

And an historical note to what X0563511 said: back in the day, one had to go to a Scientologist-ridden place (SRI) to obtain the host address from the IP numbers --- these SRI clowns actually referred to themselves as "physicists" and "scientists" not whackjob scientologists with their weird-assed orgone boxes, or whatever they called those string and tube crap.

Re:Will DNSSEC help with this? (1)

skids (119237) | about 2 years ago | (#41900083)

Well, I'm sure a scheme could be devised, assuming one could reliably trust that they can get to an authoritative source.

The question is really how far into the core can we move such security measures before it implodes. Core routers have to carry the entire routing table for every subnetwork advertised with external BGP in the entire world, and then worry about doing the same for IPv6 as it slowly kicks into gear. They are always in need of an upgrade, even right after an upgrade and sometimes even before any such upgrade exists. Moreover they can legitimately hear advertisements for the same network through multiple interfaces -- and we are not talking multiple as in three, but tens to hundreds given how well meshed things are.

Currently it is jelly-doughnut security: the carriers all just trust each other to not trust the end sites. After establishing a customer relationship, they filter the end-sites, only allowing in the ASN's that the customers have ownership rights to. Once that perimeter is breached it's up to ISPs to react to individual incursions of rogue advertisements after the fact.

Re:Will DNSSEC help with this? (2)

kasperd (592156) | about 2 years ago | (#41900541)

Can this system of Network addresses and border gateways also be protected by DNSSEC?

No, but I think Route Origin Authorisations can help.

Uh Oh... (0)

Anonymous Coward | about 2 years ago | (#41899117)

I hope my job application with Google wasn't misrouted as well...

I bet it was :\

Job Application Received. (0)

Anonymous Coward | about 2 years ago | (#41900223)

Don't worry, We at the Nigerian Non Scammers Search Placement Company got your job application. To complete your job application we just need your bank account number, Mother's maiden name, and whatever other personal information you may have.

I had a Google phone once... (0)

Anonymous Coward | about 2 years ago | (#41899125)

Just gotta unplug the battery and plug it back in. It should be running in a few minutes.

In the UK... (0)

Anonymous Coward | about 2 years ago | (#41899147)

I didn't notice or know about it at all. Everything seemed ok here.

Root cause was PCCW, not Moratel (5, Interesting)

Aqualung812 (959532) | about 2 years ago | (#41899149)

From TFA:

Someone at Moratel likely "fat fingered" an Internet route. PCCW, who was Moratel's upstream provider, trusted the routes Moratel was sending to them. And, quickly, the bad routes spread.

Yes, someone at Moratel screwed up, but this is exactly why upstream ISPs should never allow advertisements from their customers for networks that their customer does not control.

PCCW is to blame for allowing this to happen. Never trust customers with things that don't belong to them.

Re:Root cause was PCCW, not Moratel (5, Interesting)

Anonymous Coward | about 2 years ago | (#41899295)

PCCW is to blame for allowing this to happen.

Again. They were also the upstream for the Pakistan-takes-down-YouTube fiasco.

Re:Root cause was PCCW, not Moratel (5, Informative)

vlm (69642) | about 2 years ago | (#41899647)

Yes, someone at Moratel screwed up, but this is exactly why upstream ISPs should never allow advertisements from their customers for networks that their customer does not control.

Another important point is it's twenty freaking twelve and at a "respectable" ISP this was part of my job a decade ago. Too many customers try advertising too much stupid space. Rule number one for a BGP operator... never trust what's incoming from nobody. Rule number two is when you call in for support and 1st level call center tells you to reboot everything, tell them to F off and transfer directly to my desk unless you want to learn the joys of route flap dampening. Rule 2 is hilarious when there's a genuine catastrophic failure and like 30 customers all want to talk to me personally because all their sessions dropped when the Juniper caught fire or whatever it was... so beware.

There are only three things funnier than a fat finger BGP route advertisement:
1) Why can't I advertise my old /28 from AT&T on your network? Well dumbass that's their space not "your" /28, and secondly on the civilized internet everyone filters at /24 or bigger to keep out the riff raff so even if I was dumb enough to advertise a subnet of another ISP's space, no one gonna see it past our borders.
2) Multihomed people who basically accidentally try to turn themselves into a transit network. Oh, you connect to L3? How nice. You don't really want to advertise that the whole freaking internet can route thru you to reach it, do you?
3) Advertising space in BGP, maybe redistributing a static or null route, doesn't mean you can actually route it on your internal network. OK I see your measly little /20 and now that you let me know to update our filters, we can all see it via us on any looking glass in the world. Yes I'm quite sure it doesn't work and no it's not BGP's fault, go fix your internal routing protocol and filters and GTF off my phone so I can go back to sleep. No for the 20th time it's not a BGP problem just look at the looking glass I'm not filtering you anymore.

The primary problem is BGP is a social layer 8 protocol for how network managers... manage. You don't learn that shit in a weekend training class where they teach you the exact syntax of "show ip bgp neighbor" or by memorizing AS path regex syntax or whatever. At least up till I got out of the business half a decade ago, no one was teaching anything like "this is how to use BGP while not making an ass outta yourself" class. No book either. I think "Internet Routing Architectures" and maybe the name Halabi sticks in my mind as a good theoretical book as I recall, but no one had a practical "real" hands on class or book. I suppose I shouldda done something about that but it's been a long time now. Then again I've probably forgotten more about BGP than most one week CCNP bootcampers will ever know, so maybe it's not too late anyway. Another "in my infinite spare time" project.

Sorry if I've offended any /.er I've actually talked to on the job who Fed up, nothing personal... But since I carefully identified no one by name, at least no one knows you Fed up. If today I failed to offend anyone who Fed up while I was doing front line BGP support then I'll try harder next time. BGP is kind of the network engineering version of giving little kids boxes of matches. It's surprising more networks don't burn down, but boxes of matches are so blasted useful if you actually know how to use them safely so it's not like we'll ever get rid of it.
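A model of the inbound customer-session policy these comments describe (only the customer's own space, nothing longer than /24, and a cap on how many prefixes one session may announce), as an added example rather than anyone's router configuration. The class, its names, the documentation prefixes and the choice to count every distinct prefix received toward the cap are assumptions.

```python
import ipaddress

MAX_V4_LEN = 24  # the "/24 or bigger" filtering convention from the comment


class CustomerSession:
    """Inbound policy for one customer BGP session (a model, not router code)."""

    def __init__(self, allowed, max_prefixes):
        # Space the customer has shown it controls (e.g. via registry or LOA).
        self.allowed = [ipaddress.ip_network(p) for p in allowed]
        self.max_prefixes = max_prefixes
        self.seen = set()       # every distinct prefix received on the session
        self.accepted = set()   # prefixes passed on to the rest of the network
        self.alerts = []
        self.tripped = False

    def _authorised(self, net):
        return any(net.version == a.version and net.subnet_of(a)
                   for a in self.allowed)

    def receive(self, prefix):
        """Apply the policy to one announcement and return the decision."""
        net = ipaddress.ip_network(prefix)
        if self.tripped:
            return "ignored"
        self.seen.add(net)
        if len(self.seen) > self.max_prefixes:
            # Far more routes than this customer should ever send: stop
            # listening, withdraw what was learned (assumption: modelled as
            # a session teardown) and alert a human.
            self.tripped = True
            self.accepted.clear()
            self.alerts.append(f"max-prefix {self.max_prefixes} exceeded at {net}")
            return "ignored"
        if net.version == 4 and net.prefixlen > MAX_V4_LEN:
            return "reject: too specific"
        if not self._authorised(net):
            self.alerts.append(f"unauthorised prefix {net}")
            return "reject: not customer space"
        self.accepted.add(net)
        return "accept"


def demo():
    # Constructed customer holding two documentation /24s, capped at 4 prefixes.
    s = CustomerSession(["203.0.113.0/24", "198.51.100.0/24"], max_prefixes=4)
    feed = [
        "203.0.113.0/24",    # the customer's own block
        "203.0.113.0/28",    # own space, but longer than /24
        "192.0.2.0/24",      # somebody else's space
        "198.51.100.0/24",   # second own block
        "10.0.0.0/8",        # fifth distinct prefix: cap exceeded
        "203.0.113.0/24",    # arrives after the cap tripped
    ]
    return [s.receive(p) for p in feed], s


if __name__ == "__main__":
    decisions, session = demo()
    for d in decisions:
        print(d)
    print(session.alerts)
```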

Re:Root cause was PCCW, not Moratel (0)

Anonymous Coward | about 2 years ago | (#41902141)

So the internet is not really a peer to peer network, it's a powerful and experienced network administrator-to-powerful and experienced network administrator network. And when the powerful and experienced network administrators misbehave, they can break the internet for everyone.

BOFH? (0)

Anonymous Coward | about 2 years ago | (#41905707)

Is that you?

Re:Root cause was PCCW, not Moratel (4, Informative)

steelfood (895457) | about 2 years ago | (#41900591)

In the age of information, there is one thing people continue to forget: information relies on trust. And like sociology tells us, trust as a commodity is only easy to trade on a small scale. Trust is very hard to acquire in large populations.

There are two fundamental flaws with the internet. The first is that it was originally designed and built on a small scale. Trust was not an issue. This is apparent everywhere, at every layer. Every piece of information received is inherently considered true. Validation is limited only to determining the accuracy of the reproduction.

When trust became a problem, people attempted to address this issue via a glorified whitelist. Certificates were meant to address both concerns of the accuracy of the information, and the validity of the origin. Trust in the contents of the whitelist was implicit. It worked on small scales, but on large scales, it fails.

The whitelist was used because of the second fundamental problem: statelessness. Trust relies on the continual accuracy throughout many interactions. It cannot be calculated or created out of materials, but is acquired over time. The more times the information is accurate from a particular source, the greater the trust in the information. Time requires state. It requires having both a before, and an after.

The stateless nature of the internet makes it impossible to be fully trusted. Even if the internet had state, it is difficult enough to devise an algorithm that will accurately calculate the trustworthiness of a piece of information. Trust is a judgment call. It is a product of emotion, not of logic. Without state, it is an impossibility.

Re:Root cause was PCCW, not Moratel (1)

jon3k (691256) | about 2 years ago | (#41902697)

And how exactly do you know which portable AS that a particular peer should be allowed to announce? If I have a customer come online tomorrow and they want to announce their own portable AS, what happens when I try to announce it upstream, and then the next AS peering relationship? Do I have to call you and have you update a prefix list, and everyone down the line? You're only thinking in terms of a stub AS not a transit AS (which is where the problem starts to really appear).

See if you trust A and A trusts B, you inherently trust B. There's no simple fix for this.

Google is more evil than Microsoft ever was (-1)

Anonymous Coward | about 2 years ago | (#41899163)

Re:Google is more evil than Microsoft ever was (-1, Flamebait)

LordThyGod (1465887) | about 2 years ago | (#41900067)

Wrong thread bimbo.

Re:Google is more evil than Microsoft ever was (-1, Flamebait)

partyguerrilla (1597357) | about 2 years ago | (#41900979)

Oh Kimmy, it's sad to see you're done trolling 4chan because you're too stupid to bypass the captcha.

On the other hand: escape from bad ISP (4, Interesting)

DamonHD (794830) | about 2 years ago | (#41899171)

This sort of 'feature' did allow me once to escape from a misbehaving ISP holding me hostage and preventing me getting my mail to, for example, change my DNS glue records many many years ago. A helpful friendly new ISP managed to reroute traffic to me via them with a "bogus" routing announcement long enough for me to fix those records and then escape the old ISP when the new records propagated.

Rgds

Damon

Re:On the other hand: escape from bad ISP (0)

Anonymous Coward | about 2 years ago | (#41900233)

Interesting story... Smallest BGP advertisement accepted publicly is generally a /24. You had an entire /24 and managed to cause an ISP to hold you hostage? Or your new ISP risked impacting multiple other customers within that /24 to "help" you out? I'd love a few extra details on this... not callin B.S, just sayin'....

Re:On the other hand: escape from bad ISP (1)

DamonHD (794830) | about 2 years ago | (#41904373)

In those days I had several /24s (and I would have only needed at most one to get back mail briefly) but we may even have done just a /32 for the mail server: it was enough since the old and new ISPs were quite close topographically. But I don't remember exactly, and I don't need to wake sleeping lawyers.

Rgds

Damon

fat-fingered censoring/mitm (0)

El_Muerte_TDS (592157) | about 2 years ago | (#41899177)

Hardware failure? Sure, Indonesia hasn't attempted to censor the internet so far.

China already did this in 2010 (5, Interesting)

hydrofix (1253498) | about 2 years ago | (#41899229)

China Telecom also hijacked web traffic to US government websites [cnet.com] in April 2010 for 17 minutes. At least that incident seems to have been a purposeful disruption to capture sensitive data and/or try out a novel cyberwarfare tactic.

Re:China already did this in 2010 (1)

jon3k (691256) | about 2 years ago | (#41902719)

They're probably STILL going through that stuff. Crazy. I wonder how much traffic they dumped into pcap files before the route announcement got fixed.

LOL Android (-1, Flamebait)

Anonymous Coward | about 2 years ago | (#41899261)

This is why I use Macs and iOS devices. Safe, secure and virus-free.

Re:LOL Android (0)

Anonymous Coward | about 2 years ago | (#41899419)

This is why I use Macs and iOS devices. Safe, secure and virus-free.

What.

Re:LOL Android (-1)

Anonymous Coward | about 2 years ago | (#41899467)

My post is written in plain English. Are you retarded?

Re:LOL Android (0)

Anonymous Coward | about 2 years ago | (#41899547)

He may be, but you're a putz for writing that statement, since the security of your device has nothing to do with this issue.

Re:LOL Android (1)

aicrules (819392) | about 2 years ago | (#41899585)

Your Mac and iOS devices would also not be able to reach google in this scenario. Maybe that's what he meant....but really, probably just retarded.

Re:LOL Android (1)

PIBM (588930) | about 2 years ago | (#41899651)

A BGP attack matched with a cert. leak could yield you on a spoof site, and you would provide your credentials to that man in the middle whichever device you are using. Except if you are using google chrome, where you might understand with the pinned certificate error that something is not correct, or with an android device that you were so eager to dismiss...

Re:LOL Android (1)

davewoods (2450314) | about 2 years ago | (#41899931)

It was not really the language that concerned him, but probably the lack of being on-topic.

Re:LOL Android (1)

viperidaenz (2515578) | about 2 years ago | (#41899711)

Re:LOL Android (1)

Lunix Nutcase (1092239) | about 2 years ago | (#41899787)

That's a Trojan not a virus.

Re:LOL Android (0)

Anonymous Coward | about 2 years ago | (#41899895)

Doesn't meet the definition of virus. It's a trojan, and also available for Android. It was pulled from the iOS App Store, no mention if it was pulled from Google Play.

Google should know (0)

Anonymous Coward | about 2 years ago | (#41899591)

"To understand what went wrong you need to understand a bit about how networking on the Internet works."
Perhaps Google ought to know a bit about how networking on the Internet works?

Re:Google should know (4, Funny)

Shrike Valeo (2198124) | about 2 years ago | (#41899721)

As long as those looking to fix the problem don't start by Googling the problem..

What i's it with all the'se apo'strophe's? (1)

Daniel Franklin (60786) | about 2 years ago | (#41899603)

Do the editors even read the submissions?

Filtering (2)

Todd Knarr (15451) | about 2 years ago | (#41899645)

I get the feeling that upstreams should start to not completely trust BGP announcements from peers. I know in my firewalls the configuration knows which networks ought to appear where, and the rules are set to block traffic when that network shouldn't be able to appear on that interface. Perhaps it's time to look into having an administrative communication of which ASes each peer ought to be handling, and having the BGP system at the upstream filter out or ignore announcements for ASes that that peer isn't supposed to be handling. The problem I see with that though is that it works well at the edges, but the closer to the core you get the larger the list of potentially valid ASes and I can see it getting unmanageable pretty quickly. But with the number of these incidents, I think we need to do something to change the assumption that you can unconditionally trust peers to only hand you valid routing data, because that assumption pretty clearly isn't true anymore.

Re:Filtering (0)

Anonymous Coward | about 2 years ago | (#41899899)

Good upstreamers DON'T trust their customers. It's just a huge pack of shitheads at PCCW who don't know any better, are too lazy to care, or some combination of the above.

Re:Filtering (3, Interesting)

vlm (69642) | about 2 years ago | (#41900121)

I get the feeling that upstreams should start to not completely trust BGP announcements from peers.

Start? This was BAU at respectable ISPs a decade ago. Guess what I was doing at that time, endless Fing around with filtering. Bureaucratic level varied a lot over time but when I left that part of the biz it was crystallizing around something like the 800 number letter of agency process, where you need a company officer to fax a signed sheet verifying that's really your space and yes we really do have permission to advertise it. At least at that time ARIN did not do Dun and Bradstreet numbers and there's no way to verify via whois and everyone's merging, so we needed that signed letter to protect us legally just as much as the internet needed it so we could protect the internet from them. At least as I recall.

Basically if you are "Ford dealer of chicago" I have no legal idea if you're allowed to advertise ARIN's ford.com space, but if we have a LOA then at least if it all hits the legal fan we have a signed letter from a corporate officer at the dealership to get us off the hook (at least partially) when the real ford goes after us, or at least we can tell the "real ford" who to add to the lawsuit. Many a time I had to call the ARIN registered owners to verify an apparently unrelated minion should be advertising some of their space. Sometimes yes, sometimes no. It was always an entertaining conversation. Except for when the ARIN contact info was invalid. Then the swearing began.

Most of the time, obviously, it's just a dude advertising additional space with identical ARIN contact info as the old space, so it doesn't come to this level of paperwork.

I don't know if the situation has gotten better or worse since the mid 00s.

but the closer to the core you get the larger the list of potentially valid ASes

Ah but that's not where you need it. At least not for black hole events like this. If I'm properly filtering at the border, I don't need to filter in the middle, in fact it shouldn't ever be even theoretically necessary and it's none of the core's business what business deal I've signed at the border anyway. Also god help us there were people trying to what amounts to dynamically load balance and disaster recovery using BGP, not necessarily a "stable" situation anyway. Route flap dampening is enough of a PITA.
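The per-customer border filtering that Todd Knarr and vlm describe above, sketched as an added example (not code from the thread or from any ISP). The prefixes are constructed documentation ranges, the AS numbers are the two named in the summary, and the allow-list layout and function names are assumptions.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) stand in for
# real address space; the AS numbers are the two named in the summary.
CUSTOMER_AS = 23947
OTHER_AS = 15169

# Hypothetical allow-list built from the customer's paperwork (e.g. an LOA):
# peer AS -> list of (covering prefix, longest prefix length accepted).
ALLOWED = {CUSTOMER_AS: [("203.0.113.0/24", 24)]}

def check_announcement(peer_as, prefix, as_path, allowed=ALLOWED):
    """Return (accepted, reason) for one announcement received from peer_as."""
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != peer_as:
        return False, "first AS in path is not the peer"
    for entry, max_len in allowed.get(peer_as, []):
        covering = ipaddress.ip_network(entry)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        if net.version == covering.version and net.subnet_of(covering):
            if net.prefixlen > max_len:
                return False, "more specific than agreed"
            return True, "prefix on the customer's list"
    return False, "prefix not on the customer's list"

def filter_session(peer_as, announcements, allowed=ALLOWED):
    """Split announcements from one session into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        ok, reason = check_announcement(peer_as, prefix, as_path, allowed)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected

# Constructed announcements as seen on the customer's session.
SAMPLE = [
    ("203.0.113.0/24", [CUSTOMER_AS]),              # customer's own space
    ("198.51.100.0/24", [CUSTOMER_AS, OTHER_AS]),   # someone else's space, re-announced
    ("203.0.113.128/25", [CUSTOMER_AS]),            # unagreed more-specific
]

if __name__ == "__main__":
    accepted, rejected = filter_session(CUSTOMER_AS, SAMPLE)
    for prefix, reason in accepted:
        print("ACCEPT", prefix, "-", reason)
    for prefix, reason in rejected:
        print("REJECT", prefix, "-", reason)
```

The list stays small because it is keyed on the single customer attached to each border session, which is vlm's point about filtering at the edge rather than in the core.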

depends on what you mean by "border" (1)

r00t (33219) | about 2 years ago | (#41904161)

If I'm properly filtering at the border, I don't need to filter in the middle

You absolutely have to filter when crossing an international border. National security requires it. Maliciousness can be of a military nature, and you'd better be expecting it. The network admin on the other side may be coerced, an eager participant, or unaware. You can't ever trust what he does or what he says.

Thank God it was Google! (-1)

Anonymous Coward | about 2 years ago | (#41899715)

If this had been Bing or Facebook the summary would read "They went down coz their teh suck!!!!1111!!!!"

Shift (1)

omarius (52253) | about 2 years ago | (#41899969)

I don't know what says more about the change in the average Slashdot reader--the fact that the summary for this story assumes that the reader doesn't know anything at all about BGP, or the fact that this is the first comment to bemoan that.

Re:Shift (4, Funny)

93 Escort Wagon (326346) | about 2 years ago | (#41900355)

It's okay, those of us who aren't network admins just need to type "Border Gateway Protocol" into Google and... oh crap!

Re:Shift (1)

mk1004 (2488060) | about 2 years ago | (#41900403)

I don't know what says more about the change in the average Slashdot reader--the fact that the summary for this story assumes that the reader doesn't know anything at all about BGP, or the fact that this is the first comment to bemoan that.

Even if most /. readers are technically literate, not all technical disciplines require even the slightest knowledge of networking. So why wouldn't it be OK for the summary to assume the reader may not know anything about BGP? If this were an article about IC processing, I might make the same comment if the summary assumed that the reader didn't know anything about IC fabrication. But I wouldn't, because I know that you can't be knowledgeable in all fields.

Re:Shift (2)

DMUTPeregrine (612791) | about 2 years ago | (#41902227)

Slashdot is targeted at the tech-oriented crowd. The set of all tech-oriented people is quite a bit larger than the set of network administrators. It's therefore a good idea to explain what BGP is so that the mathematicians, scientists, engineers, etc, can understand what the article is about. Even for many network administrators BGP will be a thing they learned about and then mostly forgot, since it's not used directly by smaller organizations, and larger organizations likely have some admins responsible only for internal systems.

The Real Reason (2)

guttentag (313541) | about 2 years ago | (#41900321)

The Google logo got caught [google.com] with its hand in the ballot box cookie jar! It's all over Google's front page!

BGP is inherently broken (0)

Anonymous Coward | about 2 years ago | (#41900515)

Why bother breaking into systems when you can reroute them into your private network and use MIM attacks. It seems if you are a well connected pipe and you make sure the route can complete it would be possible to use bad BGP advertising to pull in a target's traffic, sniff it then forward it back to its correct location out a different pipe.

Re:BGP is inherently broken (1)

marcosdumay (620877) | about 2 years ago | (#41902219)

Why bother breaking into systems when you can reroute them into your private network and use MIM attacks.

Keep it in mind. Internet security is done end to end. The old telephony networks are dead, and even they weren't really reliable.

If you have sensitive data to transmit, you shouldn't even think about where it will go. Wherever it is, it is not a safe place, and your data must be protected.

the communication itself is sensitive (1)

r00t (33219) | about 2 years ago | (#41904197)

If BGP abuse lets China detect a previously-unknown site that communicates with a known US spy agency, China has learned something valuable.

nfagorz (-1)

Anonymous Coward | about 2 years ago | (#41901187)

More than just broken. (1)

epSos-de (2741969) | about 2 years ago | (#41901233)

Google keeps having error messages and random reloads on Gmail, Adsense, but not in Adwords at least. Their websites are dependent on JavaScript and the scripts cannot cope with load errors, so they keep reloading the page until the servers are overloaded. I suspect that they are not aware of this too, because I have seen it last month already and they did nothing. I suspect that they run buggy code.

Re:More than just broken. (1)

SuperQ (431) | about 2 years ago | (#41905771)

I suspect you don't know what the fuck you're talking about. Also, that has nothing to do with PCCW not filtering BGP announcements.

Stories of late (0)

Anonymous Coward | about 2 years ago | (#41901249)

I read slashdot. I'm not an idiot. How about referencing articles and quoting sources that aren't for end users.

lolwut (0)

Anonymous Coward | about 2 years ago | (#41902733)

ZOMG HAX!

UCLA Cyclops (2)

jroysdon (201893) | about 2 years ago | (#41904441)

UCLA's Cyclops [ucla.edu] is a great tool to monitor your own IP space and make sure you know immediately when this sort of thing occurs.

packets should never be routed via Indonesia (1)

Novogrudok (2486718) | about 2 years ago | (#41905921)

Why the hell not? I thought the reason for the internet was to provide a way for data packages to get to their destination without having to have a particular fixed route. Does it say somewhere in the internet standard that data packets *must* be delivered using the shortest route possible?

S-BGP doesn't prevent this from happening? (0)

Anonymous Coward | about 2 years ago | (#41906297)

So S-BGP doesn't prevent this from happening? Is it in use already? Or is it just vaporware?
