funsec mailing list archives
Re: [Infowarrior] - China's Great Firewall spreads overseas
From: RL Vaughn <rl_vaughn () baylor edu>
Date: Mon, 29 Mar 2010 12:34:38 -0500
On 3/29/10 11:54 AM, Danny McPherson wrote:
On Mar 29, 2010, at 10:16 AM, RL Vaughn wrote:On 3/29/10 9:53 AM, Valdis.Kletnieks () vt edu wrote:http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas So was this a DNS or BGP issue? The reporter appears to be confused, or was it the Arbor Networks talking head?It was a DNS issue. One host in i-root was providing incorrect answers. The reason for those incorrect answers is unknown but the solution was to remove the responsible host from the i-root anycast.Are you certain of this Randy? There are at least two questions:
Hmmm. Perhaps I am reading too much into Kurtis Lindqvist's note on dns-operation. In fact, in that note, Kurtis says they are still investigating the issue and, pending the results of that investigation, they have: "withdrawn the route announcements from one of our anycast nodes for i.root-servers.net" But that certain seems like a 'fix' albeit the permanency of the fix is not mentioned. The dig output provided was: $ dig @i.root-servers.net www.facebook.com A ; <<>> DiG 9.6.1-P3 <<>> @i.root-servers.net www.facebook.com A ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7448 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.facebook.com. IN A ;; ANSWER SECTION: www.facebook.com. 86400 IN A 8.7.198.45 ;; Query time: 444 msec ;; SERVER: 192.36.148.17#53(192.36.148.17) ;; WHEN: Wed Mar 24 14:21:54 2010 ;; MSG SIZE rcvd: 66
1) Why was someone in Chile using that server (i.e., the routing bit)
Good question. I can imagine, of course, how someone in Chile can end up using i-root.
2) Why were the responses they were getting "incorrect"
The original report, again on dns-operations, mentions that when querying one of the i-root-server's nodes that node responds with an IP instead of a referral.
Regarding the latter, just because a client receives an "incorrect answer" doesn't necessarily mean it's what the server ("i-root") was transmitting.
Exactly, other things can cause this symptom and I give those equal weight as having a rogue node. Still, the reported response appears to identify a DNS issue.
Removing the anycast instance from the i-root cluster means the ingress path towards i-root was withdraw, so that instance, and anything on the return path towards the client, are no longer an issue. I think the latter set of my comments in the article from last week allude to this (i.e., potential middleboxen manipulation).
That said, I do eagerly await an authoritative postmortem from the relevant parties. But if you have data that suggests that "i-root was providing incorrect answers", I suspect folks would be quite interested in that.
Me too. The only evidence I have is i-root has taken steps to avoid producing the reportedly incorrect answers which does not imply they were the ones providing incorrect answers.
-danny
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- [Infowarrior] - China's Great Firewall spreads overseas Valdis . Kletnieks (Mar 29)
- Re: [Infowarrior] - China's Great Firewall spreads overseas RL Vaughn (Mar 29)
- Re: [Infowarrior] - China's Great Firewall spreads overseas Dan Kaminsky (Mar 29)
- Re: [Infowarrior] - China's Great Firewall spreads overseas Danny McPherson (Mar 29)
- Re: [Infowarrior] - China's Great Firewall spreads overseas RL Vaughn (Mar 29)
- Re: [Infowarrior] - China's Great Firewall spreads overseas Dan Kaminsky (Mar 29)
- <Possible follow-ups>
- Re: [Infowarrior] - China's Great Firewall spreads overseas Juha-Matti Laurio (Mar 29)
- Re: [Infowarrior] - China's Great Firewall spreads overseas RL Vaughn (Mar 29)