25-03-2010

Fox-IT Security News Flash

China filters and manipulates international internet traffic, even traffic that has both its origin and its destination outside China – probably unintentionally.

The situation
Since the beginning of 2010, there have been indications that international Internet traffic with neither its origin nor its destination in China has been filtered or manipulated by that country.

On the 24th of March this effect became very noticeable, as facebook.com, twitter.com and youtube.com briefly became inaccessible for a number of Internet users in Chile and California. Investigation showed that this was caused by Chinese infrastructure rerouting traffic to nonexistent destinations, which it did by manipulating DNS packets.

Although it has long been known that China manipulates the Internet for its own residents, this is the first time that the same behaviour has been observed on international traffic. This suggests that “the great firewall of China” is in fact connected to international backbone traffic as well.

The effects of the above are far-reaching. That Facebook, Twitter and YouTube can become inaccessible from Chile because of an action in China shows quite clearly that the effects of Internet manipulation can stretch far beyond national boundaries.

While computers have IP addresses, people and websites have email addresses and URLs. Any action on the Internet therefore starts with a translation between these human-friendly names and computer-friendly IP addresses, and it is during this translation that even completely local traffic can have an international start in life.

In theory, this means that email between AmsterdamBank.NL and TheHagueCustomer.NL might be redirected from abroad to travel through countries tens of thousands of miles away.

Is this likely to happen?
As stated, almost any action on the Internet starts with an IP lookup through the Domain Name System (DNS). At the core of the DNS are over 200 so-called ‘root servers’, located all over the world. In general, DNS implementations prefer to talk to root servers close to them, either because of a technique called anycast, or because implementations ‘lock in’ to those servers that tend to respond most quickly.

However, neither of these techniques offers any guarantee of always choosing the closest server, and quite frequently DNS queries will travel abroad.

When such DNS traffic passes through foreign infrastructure, it may be manipulated, causing the routing of local traffic to be altered and the traffic possibly to be intercepted.
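One observable symptom of the kind of DNS packet manipulation described above is that a resolver receives more than one reply to a single query, with the injected reply and the genuine reply disagreeing. The following is an added example, not Fox-IT's code; it assumes the raw UDP payloads of DNS responses seen at a resolver are collected (for instance from a packet capture) and passed in as bytes, and `build_response` only fabricates constructed sample packets for the demonstration.

```python
import struct
from collections import defaultdict

def _read_name(msg, off):  # decode a name; a compression pointer (RFC 1035 4.1.4) ends it
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer: rest of the name lives at an earlier offset
            tail, _ = _read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_a_response(msg):
    """Return (txid, qname, [IPv4 strings]) from a response carrying A records."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, addrs

def find_conflicting_answers(packets):
    """Map qname -> distinct answer sets for transaction IDs that got disagreeing replies."""
    seen, names = defaultdict(set), {}
    for pkt in packets:
        txid, qname, addrs = parse_a_response(pkt)
        seen[txid].add(tuple(sorted(addrs)))
        names[txid] = qname
    return {names[t]: sorted(s) for t, s in seen.items() if len(s) > 1}

def build_response(txid, qname, addrs):  # builds constructed sample packets, not captured traffic
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    rr = lambda a: b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, a.split(".")))
    return struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0) + name + b"\0\1\0\1" + b"".join(map(rr, addrs))

# Constructed sample: one genuine reply and one injected reply racing it under the same ID.
SAMPLE = [build_response(0x1234, "www.example.com", ["192.0.2.1"]),
          build_response(0x1234, "www.example.com", ["203.0.113.9"])]
```

Running `find_conflicting_answers(SAMPLE)` flags `www.example.com` with both answer sets; a query that received a single consistent reply is not reported.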

Did China deliberately manipulate international traffic?
Given the ham-fisted nature of the manipulation involved, it is highly unlikely that this was an attempt to subvert international traffic. It is far more likely that local censorship efforts were accidentally applied to international traffic, with the unintended effect of shutting down Facebook, Twitter and YouTube for people as far away as Chile.

What short term countermeasures can be taken to prevent foreign manipulation?

It is possible, though tricky, to reconfigure nameservers so that they no longer send queries to distrusted networks. The risk is that regular, unmanipulated traffic would also be blocked. Another solution is to become a full-fledged root server, so that traffic is (more) likely to stay local.

For more information, please contact your Fox-IT account manager, or bert.hubert@fox-it.com.

Background information
More information can be found on the following links: