Recently in Security Category

Here we go again. In March we wrote a blog entitled Accidentally Importing Censorship which described how incorrect DNS answers were returned in response to certain queries to the I-root. The problem was tracked down to a single instance of the I-root located in China. Queries to this server for domains blocked in China, such as Facebook, would return seemingly arbitrary answers. As we noted, countries, and even companies, can impose their own standards on the Internet and block anything they want. This story was only noteworthy because those blocks (via bad DNS answers) became visible outside of China. Well, guess what? We are once again seeing the Beijing I-root from outside of China.

How To Build A Cybernuke

| 13 Comments | 1 TrackBack

The Internet infrastructure has been having a bad month. Not as bad as, say, the world's aviation infrastructure, but bad enough.

First, Chinese Internet censorship leaked out to a few massively unlucky users of the I root server. Then China Telecom failed to filter someone who leaked thousands of hijacked routes to other people's networks through them, probably by accident.

And then, inexplicably, Forbes went where no one had gone before (with a wink to Wired), and asked whether China might actually be testing a "cybernuke".

At first, this irritated me. Journalists and bloggers and blogger-journalists are fanning the flames of US unease about the growing role of China in world affairs. But then I realized that I could probably make tens of thousands of people read my blog, too, by jumping on the bandwagon. By all means, then, grab an MRE and hunker down in your Internet bomb shelter while I try to answer some of the obvious questions that came our way in the wake of the Forbes article:

  • How would anyone build a cybernuke? What is that?
  • Could a single actor, state-sponsored or otherwise, actually take down the global or regional Internet infrastructure of 2010, disrupt financial markets, throw civilization into chaos?
  • How do I get my cybernuke movie screenplay optioned by Jerry Bruckheimer? His people won't return my calls.

With advancements in hardware and software, sophisticated filtering technologies are increasingly being applied to restrict access to the Internet. This happens at the level of both governments and corporations. Renesys is headquartered in the "Live Free or Die" US state of New Hampshire. In our small town of roughly 10,000 folks, we know of a local company who tries to restrict non-work related (e.g., shopping) websites from their employees. Unfortunately, someone who works there can't read about Amazon's cloud computing as a result — a small bit of collateral damage. Entire countries act in much the same way. The OpenNet Initiative keeps track of such state-sponsored restrictions and publishes interesting maps based on the level of filtering by topic. But given the open nature of the trust-based Internet, one country's restrictions, if not handled very carefully, can easily foul the global Internet nest we all live in. This blog is about one such story of Internet restrictions in China becoming visible (seemingly at random) from other parts of the world and going undetected for 3 weeks. Given the increasing complexity of this technology, the difficulty in controlling a very open Internet, and the strong desire of some to do just that, this could be a harbinger of things to come.

The Geopolitics of Iranian Connectivity

| 4 Comments | 1 TrackBack
As Iran celebrates the anniversary of the 1979 Islamic Revolution, it seems like an opportune time to look in on the evolving state of their Internet connectivity. When we last looked, after the disputed elections in June 2009, the picture was one of uneasy stability: logically diverse but physically constrained transit via the United Arab Emirates, backup transit via Turkey. Today, a third way out of the bottle is visible in the routing table: substantial amounts of Internet transit have materialized through a Russian provider. And there, in those obscure entries in the global Internet routing table, may lie echoes of Iran's larger geopolitical strategy.

Much Ado About Baidu

| 1 Comment

As our faithful readers know, Renesys monitors routing on the global Internet in real time and uses that information in a variety of ways. For example, we can instantly let you know which networks a hurricane has disabled or even tell you when a war has left things pretty much as they were. In short, we keep an eye on the Internet, the entire Internet, but this is all done at the level of IP addresses and the paths they follow.

The recent attack on Twitter got us thinking. Maybe we should be keeping an eye on a few more things? While your IP addresses and routes to them might be completely stable, the average user doesn't know about those. In other words, when was the last time you typed ...
    http://216.239.59.104
instead of ...
    http://www.google.com
into your browser?

What if someone manages to point your domain name to some other IP addresses? You would still be operational as far as the Internet routers were concerned, but no humans would probably be reaching you. And that's the problem we'll briefly consider in this blog.

Lights Out in Rio

| 1 Comment | 1 TrackBack
When the power goes out to a large part of Brazil, as happened last night shortly after 10pm, it's going to have an impact on telecommunications.

Staring Into The Gorge: Router Exploits

| 5 Comments

gorge.jpgI'm writing this blog entry from the campground at Vermont's beautiful Quechee Gorge, where I took the kids after work. Yes, Renesys is located smack in the middle of some of the nicest hiking, camping, and climbing on earth. No, you shouldn't move here, Northern New England has enough out-of-staters already, thanks. Unless, that is, you are an unusually talented web developer, have worked as a peering coordinator, or know the Internet transit industry inside-out, in which case you should send me your CV, posthaste. thanks, --jim





Here We Go Again.

Imagine an innocent BGP message, sent from a random small network service provider's border router somewhere in the world. It contains a payload that is unusual, but strictly speaking, conformant to protocol. Most of the routers in the world, when faced with such a message, pass it along. But a few have a bug that makes them drop sessions abruptly and reopen them, flooding their neighbors with full-table session resets every time they hear the offending message. The miracle of global BGP ensures that every vulnerable router on earth gets a peek at the offending message in under 30 seconds. The global routing infrastructure rings like a bell, as BGP update rates spike by orders of magnitude in the blink of an eye. Links congest. Small routing hardware falls over and dies. It takes hours for things to return to normal.

The Proxy Fight for Iranian Democracy

| 27 Comments | 3 TrackBacks

If you put 65 million people in a locked room, they're going to find all the exits pretty quickly, and maybe make a few of their own. In the case of Iran's crippled-but-still-connected Internet, that means finding a continuous supply of proxy servers that allow continued access to unfiltered international web content like Twitter, Gmail, and the BBC.

About the Renesys Blog

Our weblog is written by a variety of Renesys employees. They run the gamut from senior execs and engineers to sales guys. Anyone who has something to say that could be informative or of interest to our customers and visitors, says it here.

About this Archive

This page is an archive of recent entries in the Security category.

Politics is the previous category.

Society is the next category.

Find recent content on the main index or look in the archives to find all content.

Archives

Pages