Forbes: Bert Hubert explains the DNS issue with China

Sucked Into China’s Internet
It began with a jovial “Hi there!” on a fairly obscure listserv for discussing DNS operational issues. DNS denotes Domain Name System, a process that converts typed Web addresses into a series of phone-number like IP numbers which, in turn, enable you to “call up” a Web site from any of hundreds of servers.

Unlike the old days of phone calls, you don’t necessarily get directed straight to the person you want to speak to; in fact, for the Internet to operate the way it does, you might end up finding the Web site you want to read by going through a server halfway across the world. Usually, the system tries to connect you with the fastest server, which tends to be one fairly close by in geographic terms. But not always.

This is where DNS interacts with another acronym, BGP — Border Gateway Protocol. If DNS is an address book, think of BGP as a mapping program for Internet routers to reach that address. But neither technology is yet capable of authenticating valid addresses and routes, and not all servers are located in friendly countries.

Why is this important?

On March 24 Mauricio Vergara Ereche, a DNS administrator in Chile, noticed something distinctly odd in the routing of requests for Facebook, YouTube, Twitter and up to 30 other sites. Instead of retrieving the authoritative “.com” site, the Web users retrieved IP numbers located in China, which turned out to be completely different sites or error messages. It didn’t happen with every request, but it did happen with three requests originating from Chile and one from California that were routed through a server in Sweden.

Suddenly four people had been transported into China’s rigidly controlled Internet, although by whom and whether by design is unclear. As Dan Kaminsky, director of penetration testing at IOActive, cautions, attempts to interrupt route server traffic in flight have all the crudity of trying to pinpoint a target with a Scud: the effects are unpredictable and therefore the outcome may appear to be intentional when it really isn’t.

Even so, while China’s DNS servers routinely prevent its own people from accessing Facebook and other sites, this appeared to be the first time that Westerners trying to access Facebook were directed towards the same internal Chinese system of servers by a server inside China. Whether by error or design, China was redirecting global DNS traffic; its Great Firewall, which kept politically unacceptable material out, was sucking the outside world into the Chinese Internet. And if this could happen to Web sites, it could also happen to e-mail.

The first response on the listserv came from Bert Hubert of security company Fox-IT, a supplier of state-secret-level security solutions, and the founder of the software PowerDNS “Wow,” he wrote from the Netherlands. “This is stunning.” Rodney Joffe, senior vice president and senior technologist at Neustar, and one of the few people on the planet who knows how the Internet really works, told CNET. “This was a real world example of the Net security industry’s worst nightmare.”

But Joffe’s comment came at the end of the CNET article, which headlined the event in rather anodyne terms as a “mystery mix up.” PC World called it a “networking error,” inviting all but the hardened geeks to ignore the article, and the general media either focused on the clashes between Google and China, or continued speculating on whether people would swoon over or be flummoxed by Apple’s iPad.

“The media is not seeing the significance of this event,” says Hubert, via e-mail, “which is probably partially due to it not being explained very well…We struggle to explain these issues to our governments. At stake is little less than the ‘sovereignty’ of in-country Internet communications. In other words, can a country control where its e-mail goes. It turns out that it can’t.”

Because neither DNS nor BGP can yet establish “authenticity” — that the Facebook you download is the real Facebook — Internet users could, in theory, not just be denied access by being sucked into China’s Internet, they could be directed without knowing it to a simulacrum of Facebook or to any Internet site. Authenticating protocols exist, but by the time they would be widely implemented, they could be out-of-date.

The implications of a simulated Internet go far beyond censorship. “For example,” writes Hubert, “e-mail could be routed via untrusted servers that only make a copy but otherwise provide for high-fidelity retransmission.”

The dilemma for cybersecurity, says Kaminsky, is that the recent, exponential growth in fraud has created a crisis in law enforcement and, potentially, national security; and yet, at the same time, the Internet is not the kind of geopolitical environment where conventional law enforcement or statecraft easily apply. The Internet, says Kaminsky is a place where “non-state actors are the kings in a land without geography — or borders.” Imposing practical sovereignty by tightly controlling the fiber-optic links between countries is possible, but what will be the consequences for the Internet and economic growth if states start doing this? Kaminsky worries about states resorting to “clumsy tools to get that darn Internet under control,” and doing far more damage than good in the process.

Teasing out the implications of March 24 sent cyber and national security wonks into overdrive in Washington last week, with nary a comment from the press. Which is probably how government would prefer to deal with such issues. The consensus within the cybersecurity world is that there was one journalist who really had a handle on these issues — Brian Krebs — or rather, there was. The Washington Post laid him off on Dec. 31.

Trevor Butterworth is the editor of, an affiliate of George Mason University that looks at how numbers are used in public policy and the media. He writes a weekly column for Forbes.

Leave a Reply