http://www.sott.net

Tue, 23 Nov 2010 00:18 CST
Print

Earl Zmijewski
Renesys

There’s been sudden interest recently in a Chinese route hijacking incident that occurred way back in April, brought about by a new report to the US Congress that highlighted the event (see pages 236-247). A second Chinese event, also in the report, has received almost no attention despite being much more interesting (technically, anyway). A Chinese DNS censorship incident occurred just one month earlier, in March, and although we already presented an analysis of that event (here and here), today we’ll provide an update on the incident and its scope. But first, let’s step back and get some context on events such as these, and see if the hype is warranted.

Remember What the Internet Is

The Internet is a globally distributed network without a central governing body. In other words, no one is in charge, folks. If you are expecting strict accountability, you’ve come to the wrong place. Furthermore, the Internet is a very complex system. Errors occur with some frequency, and occasionally have global impact. There have been plenty of them over the years (see our past blogs). No evidence has yet surfaced to convincingly suggest that either of these Chinese incidents was anything more than a mistake. The Internet was designed to be trust-based and these vulnerabilities are well-known and long-standing.

So maybe it wasn’t cyber-espionage after all. Let’s review the DNS event – very interesting in its own right – and you can decide for yourself. (And in the next installment of this blog, we’ll consider the general problem of hosting global services in a country known to tamper with Internet traffic.)

The Chinese DNS Problem

There are 13 different root nameserver IP addresses, referred to by the first 13 letters of the alphabet, namely, the A-root, B-root, …, M-root. These are the servers that tell you really basic things, like, ‘where’s dot com?’ At first glance this may seem like a pretty small set for the entire world, but they are replicated at hundreds of locations. The J-root is the most prolific, found worldwide at 70 different sites. And instances of the F-, I- and J-roots are all found in Beijing, China, which lays the seeds for a potential problem. If you live outside of China and by chance query a root nameserver hosted in China, your queries will pass through what is known as the The Great Firewall, potentially subjecting you to the same censorship imposed on Chinese citizens.

With respect to DNS, such censorship typically involves intentionally returning incorrect answers to the blacklisted domains. (See The Great DNS Wall of China for more technical details.) It would seem that the root nameservers in China are typically excepted from this behavior when queried from outside the country, but for unexplained reasons that allowance temporarily disappeared for the I-root back in March. (See our AMS-IX talk for more details.) That is, queries to the I-root from outside of China for popular domains such as Facebook or Twitter suddenly started returning incorrect answers. Due to the vagaries of Internet routing, web surfers around the world found themselves essentially blocked from these sites – exactly as if they lived in China. While the exception for the I-root was eventually reestablished, no reason for the apparent snafu was offered.

But isn’t it unusual for someone outside of China to query a Chinese root server?

No, not at all. On the Internet, you will often query “nearby” servers, but the concept of “nearby” is not the same in the cyber world as it is in the physical one. Rather, distance is measured in terms of existing business relationships. If your Internet service provider has a relationship with China Telecom, the root nameservers in China may by “closer” to you than identical ones in your own country, and hence preferred.

Renesys collects routing data from hundreds of locations (BGP peers) around the world. From this, we can observe when the IP space (prefixes) for the root nameservers propagate from domestic Chinese providers to non-Chinese ones. When this happens, routes to Chinese root nameservers are visible outside of the country and these servers will end up being queried from non-Chinese hosts. The following graph shows the number of our non-Chinese sources observing and selecting routes to the F-, I- and J-root nameservers via Chinese providers over the course of 2010.

rootserverstraffic

© Renesys

Ok, but that’s just a fraction of your data sources. How many affected people are we talking about here?

More than you might think! While the total number of providers selecting the Chinese routes is interesting, it’s the size and scope of these providers that determine how many organizations end up using the Chinese servers. For example, if a major global provider (sometimes called a Tier-1) is one of these, many hundreds or thousands of downstream customers can be impacted. And as it turned out, there were a number of major providers represented in this small set.

To capture the breadth of the exposure to Chinese root nameservers in 2010, we considered every provider (Autonomous System) that selected a Chinese route at any point during the year. There were 38 such providers in total. Then we calculated all downstream networks (prefixes) of those 38 providers and ended up with about 57% of all networks on earth. To get a sense of the geographic impact, the following map gives the rough percentage of each country’s networks that could have used a Chinese root nameserver during the year. While the countries bordering on China tend to have the higher percentages, many others do as well. This is not the least bit unusual or alarming; it simply speaks to the global nature of the Internet.

trafficmap

© Renesys
The strong influence in Russia and Southeast Asia is not very surprising, but Chile? It turns out that Mauricio Vergara Ereche in Santiago was the first to report on bad DNS answers coming out of China. And despite making the most noise about the event, the US was only modestly affected.

So can we prevent DNS tampering in the future?

Yes. The accepted replacement for DNS is something called DNSSEC (“secure DNS”). Next week, we’ll talk about DNSSEC and look more at Internet censorship. What can you do when other people’s governments force service providers to lie to you? How can you protect yourself from having your DNS responses edited, when your traffic has to transit China or even Germany or Australia?

.