China Has Hijacked 15% of U.S.-Based Internet Traffic



pretty nuts but lol@ one of the comments left by a mega raged tech nerd

Re: Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic
This article is so-god-damned simplistic and more rumors. The Chinese didn't even try to hide it as per the BGPmon.net monitor. I'm 99% sure this was simply a fat-finger good old fashioned programming error on their peering/IP transit routers. This has HAPPENED MANY TIMES IN THE US/CANADA AND EUROPE.

Oh and BTW, the Chinese great firewall/DPI (deep packet inspection) "Golden Shield" according to public documents these days is mostly Huawei high-end routers including the NE80E, SIG9800 and a few others. Huawei have sold this product WORLDWIDE including Europe and the Middle East and they simply market the product/engineer the product like Cisco & Juniper. The Chinese government (aka CCP, some propaganda department probably) is responsible for the operation of the filter lists which get passed to the semi-nationalized telecom operators (China Telecom, China Unicom/(ex. Netcom), China Mobile and a few others licensed for international inter-connect). China Telecom uses AS4134 and Unicom/Netcom uses 4837 for international peering with foreign countries. There are a few other Chinese AS'es I believe but those are for special reserved usage like VPN.

The way it works is very simple, there are two layers. There's an internal AS layer within the provinces of China (not connected to outside the country) and an international layer. All international peering/IP-transit traffic is connected to a Cisco/Juniper device which passes all traffic to a Huawei DPI (deep packet inspection) for high-speed ASIC based filtering. If a keyword matches (e.g. twitter, facebook) the packet is dropped and the Chinese have aggregate logged data of filtered data like any other commercial product off the Huawei device. It is technically impossible to do massive packet capture unless they are specifically targeting something. The Chinese-fucked up routes probably sent to Chinese-border international border routers, their Huawei DPI probably dropped those packets. They also manipulate/use faux-DNS using their Huawei DPI. (So if you use opendns in China the DNS will still be manipulated, it's TIME FOR ENCRYPTED DNS!)

Here's another open industry secret:
The Chinese, like any other international ISP, have to connect their network to the international internet up-stream ISPs/ASNs, right? I believe now they even have some of their DPI hardware in the US/Europe. Again all public data, see:
https://www.peeringdb.com/private/participant_view.php?id=308
https://www.peeringdb.com/private/participant_view.php?id=730

If the US gov't really wanted to see China's internet filter lists they could theoretically do the following (again this would be POLITICAL SUICIDE I'M GUESSING AND possibly touch off a war with China, and would require a warrant obviously):
Go to Any2 LA or Equinix San Jose or any other Chinese international peering/IP-transit place and go to China Telecom or China Unicom's cage. Seize the Huawei DPI device. Simple. Copy the data. Do analysis. Return it back to the Chinese!? LOL. It's a Chinese-registered APNIC IP with a public WHOIS registration of "FSKWC NET". Mhmm... F must stand for Firewall. Must be the Chinese-DPI-GFW firewall cluster. The internet community has discovered that all traffic to Mainland China passes through a FSKWC NET device before it goes further in-ward to China. Some of these devices we know are in the US and Europe where the Chinese peer before they are sent across the Pacific on one of the Trans-Pacific or Eur-Asia fiber-optic cables (TPE, etc...)

The real problem with China is political and political change. I believe this will change over time as change evolves, develops and moves towards a more open model. As an engineer I really don't care about political crap, I wish they would just develop an open internet policy like HK or Singapore or Japan. Filtering political extremism is fine for stability (remember in Chinese thinking/culture it's all about "stability" versus "individuality" in the West), just don't filter entertainment sites like YouTube/Twitter or Facebook. 99.9% of IP traffic to those sites are entertainment anyways. Wasn't there a recent study that says 60% of tweets to Twitter were unread anyways? I just don't want to use my god-damned VPN when I travel to China just to catch-up on my friends' entertainment instead of standard HTTPS.

Oh and recommendations for website/software developers: Implement .com/.net DNS-SEC ASAP. Then MS and Mozilla should install the default DNS-SEC checker by default. Then Chinese internet users will know that their DNS entries are being forged (remember this is only one stage of the "Golden Shield"/"GFW"). They can program their ... DPI to forge the DNS-SEC responses anyways. When this happens they will have to face international internet governance pressure (aka ICANN and a few others) community on why the hell they are forging responses to something that makes the internet more secure. Like their forgery of International DNS. GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY GAY
Will at 11/16/2010 5:54 PM
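
The kind of origin check a route monitor can apply to BGP announcements such as the mis-originated routes discussed in the comment above, as an added example that is not part of the thread. The ROA-style table, prefixes and AS numbers are constructed documentation values, and the result names follow RFC 6811 route origin validation.

```python
import ipaddress

# Constructed ROA-style table: (covering prefix, max prefix length, authorized origin AS).
# Prefixes are documentation ranges and ASNs come from the documentation range 64496-64511.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # Only entries of the same address family that cover the prefix count.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Valid only if the origin matches AND the route is not more
        # specific than the entry allows (blocks sub-prefix announcements).
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def scan(updates, roas=ROAS):
    """Return (prefix, origin, as_path) for every announcement that is invalid."""
    alerts = []
    for prefix, as_path in updates:
        origin = as_path[-1]  # the origin AS is the last hop in the AS path
        if validate_origin(prefix, origin, roas) == "invalid":
            alerts.append((prefix, origin, as_path))
    return alerts

# Constructed sample updates: (announced prefix, AS path as seen by the monitor).
UPDATES = [
    ("192.0.2.0/24", [64510, 64496]),      # expected origin
    ("192.0.2.0/24", [64510, 64511]),      # same prefix, unexpected origin
    ("192.0.2.0/25", [64510, 64496]),      # right origin, too specific
    ("203.0.113.0/24", [64510, 64511]),    # no covering entry: not-found, no alert
    ("2001:db8:1::/48", [64510, 64496]),   # IPv6, within max length
]

if __name__ == "__main__":
    for alert in scan(UPDATES):
        print("ALERT origin mismatch:", alert)
```

A "not-found" result raises no alert here because most prefixes have no covering entry; a monitor that also tracks historical origins can flag those separately.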
 
That was actually an interesting read eh. Guy knows what he's talking about ahah.

haha yea he def is babbling about some crazy stuff. I can picture in my head some lonely IT tech guy sitting deep inside an isolated Datacenter or ISP surfing the net and coming across the article and freaking out and throwing stuff.
 
Does nobody read anyone? Where the hell did you get that title?

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.
 

fail spinning of the CNN story