Netizen Death Star - L0rd V

An alternate hypothesis for the Great China Internet Blackout of 2014.

Published in: Technology
Transcript

  1. L0rd / Netizen Death Star
  2. An Alternate Hypothesis for the Great China Internet Blackout of 2014. L0rd / netizen.death.star@gmail.com
  3. Presenter background:
     • Some cyber and hosting operation'ing
     • Some intel analyzing
     • Some sys(eng)(admin)'ing
     • Analyzing People's Republic of China (PRC) cyber activity for 10+ years
  4. Disclaimer:
     • This presentation is not under the auspices of my employer or clients
     • This presentation represents my own opinion(s) and does not reflect opinion(s) of my employer or clients
     • This presentation is performed at my own expense
  5. This talk:
     • Examine the Great China Blackout of 21 January
     • They said this, others showed this
     • Great Firewall (GFW) background
     • Why this looks deliberate
     • A usual target
     • Plausible deniability
     • Intelligence gaps
  6. The event: 21 January 2014
     • Tuesday afternoon, all queries for Internet domains and website names in mainland China suddenly began resolving to a single IP address in Fremont, California.
     • The redirection of nearly all Chinese netizen web traffic generated an unprecedented amount of traffic from the PRC to a data center proximate to Silicon Valley.
     • The problem did not completely clear until the next day, when all PRC ISPs had flushed their DNS server caches.
  7. What happened, according to official PRC-sanctioned sources (via Google Translate): CNCERT, CNNIC, China Daily, Xinhua
  8. What happened, according to GFW trackers and PRC dissidents. 21 January 2014 Chinese Internet Outage (by GreatFire.org):
     Timeline | Event
     15:15 | GFW DNS poisoning begins. First recorded instance.
     15:17 | Local DNS servers began to cache incorrect responses. Some large websites in China began to be affected, e.g. Sina Weibo.
     (cont.) | Incorrect DNS continues to spread through Chinese DNS servers. Major websites including Baidu and Sina affected.
     15:39 | DNS poisoning lifted by GFW. But local DNS resolvers cached incorrect responses. Users continued to experience the outage.
     16:00 | ISPs around China were manually flushing DNS caches and connections were gradually restored.
  9. What happened, according to PRC netizens whose Weibo posts were censored
  10. GFW background, and why this doesn't look like an accident
  11. Golden Shield (金盾工程), AKA GFW (防火长城). Established 2002: "mankind's largest information censorship project".
     TECHNICAL METHODS
     1. IP address blocking
     2. Packet & URL filtering
     3. Session resets
     4. DNS poisoning
     A: China Internet Network Information Center (CNNIC) – responsible for "Internet Affairs" (AKA ISP compliance with government), DNS security
     B: Communications Security Bureau of the Ministry of Industry and Information Technology
  12. GFW DNS poisoning: injection of false IP address(es)
     • The GFW poisoned answer appears to be designed to beat the valid "true" answer to the requesting client
     • Caching (resolving) DNS servers inside the GFW will store the first (poisoned) answer for some time
     • Q: What does the GFW answer with when it poisons a DNS query?
  13. GFW DNS poisoning: answers. GFW DNS poison target IP addresses, 2010-2014:
     IP Address | ISP | Location | Notes
     159.106.121.75 | US DoD | No global route | Outbound traffic would not leave PRC
     243.185.187.39 | N/A | No global route | Outbound traffic would not leave PRC
     59.24.3.173 | Korea Telecom | South Korea | Appears null-routed by target ISP
     203.98.7.65 | TelstraClear | Auckland, NZ | Appears null-routed by target ISP
     8.7.198.45 | Level 3 | United States | Does not appear internally routed by ISP
     78.16.49.15 | BT Ireland | Dublin, Ireland | Appears null-routed by target ISP
     46.82.174.68 | Deutsche Telekom | Germany | Appears null-routed by target ISP
     93.46.8.89 | Fastweb SpA | Catania, Italy | Appears null-routed by target ISP
     37.61.54.158 | Baktelekom | Baku, Azerbaijan | Larger subnet appears null-routed by target ISP
  14. Practical: you try it!
     • Doesn't work on hotel Wi-Fi (which "poisons the poison")
     • nslookup
     • server dns1.chinatelecom.com.cn (an actual caching server)
     • server 163.com, weibo.com, news.cn, etc. (not actual DNS servers)
     • Query for "www.facebook.com", "dit-inc.us", "twitter.com"
     • Bonus: capture your packets
     • Was there a DNS race to your system? Who won?
  15. Farsight Passive DNS database: shows history of GFW poisoning on a contributor inside the PRC
     • (Spreadsheet screenshot)
     • VirusTotal also has a passive DNS record contributor inside the GFW
  16. Which specific characteristics imply deliberate action rather than a blunder by a careless administrator?
     • If all domain queries were accidentally poisoned, the answers should have been from the nine usual IP addresses
     • This time, the answer was a single IP address: 65.49.2.178
     • What is the significance of 65.49.2.178?
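The practical on slide 14 suggests capturing your own packets and asking who won the DNS race, and slides 12, 13 and 16 describe what the winning answer looks like. The following Python is an added example, not code from the talk: it parses captured DNS responses, treats the first answer seen for each (transaction ID, query name) as the one a caching resolver would keep (slide 12), and classifies that winner against the nine steady-state poison addresses from slide 13 and the single 21 January 2014 address from slide 16. The capture is constructed inline (legitimate answers use the 203.0.113.0/24 documentation range) so it runs offline; feed it the UDP payloads from your own pcap instead.

```python
"""Detect a DNS poisoning race in captured responses (added example, not from the talk)."""
import socket
import struct
from dataclasses import dataclass

# The nine steady-state GFW poison answers listed on slide 13 (2010-2014).
GFW_POISON_IPS = {
    "159.106.121.75", "243.185.187.39", "59.24.3.173", "203.98.7.65",
    "8.7.198.45", "78.16.49.15", "46.82.174.68", "93.46.8.89", "37.61.54.158",
}
# The single answer seen during the 21 January 2014 event (slide 16).
SINGLE_ANSWER_21_JAN = "65.49.2.178"


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def read_name(data, offset):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:                                # root label ends the name
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_dns_response(txid, qname, ips, ttl):
    """Build a minimal A-record response; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)  # name -> question
        for ip in ips
    )
    return header + question + answers


def parse_dns_response(data):
    """Return (txid, qname, [(ip, ttl), ...]) for the A records in a response."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = read_name(data, 12)
    offset += 4                                        # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return txid, qname, answers


def classify_answer(ip):
    if ip in GFW_POISON_IPS:
        return "gfw-steady-state-poison"
    if ip == SINGLE_ANSWER_21_JAN:
        return "21-jan-2014-single-answer"
    return "unclassified"


@dataclass
class RaceResult:
    qname: str
    txid: int
    winner_ip: str        # first answer seen: what a caching resolver would store
    winner_ttl: int
    responses: int        # >1 means two answers raced for the same query
    winner_class: str


def analyse_capture(packets):
    """packets: raw DNS responses in arrival order. One RaceResult per (txid, qname)."""
    results = {}
    for raw in packets:
        txid, qname, answers = parse_dns_response(raw)
        key = (txid, qname.lower())
        if key in results:
            results[key].responses += 1                # a later, losing answer
            continue
        ip, ttl = answers[0] if answers else (None, None)
        results[key] = RaceResult(qname, txid, ip, ttl, 1, classify_answer(ip))
    return list(results.values())


# Constructed sample capture (not real traffic): for www.facebook.com an injected
# answer arrives first and the legitimate one (documentation address) second;
# weibo.com receives only the 21 January single answer; example.com is clean.
SAMPLE_CAPTURE = [
    build_dns_response(0x1A2B, "www.facebook.com", ["59.24.3.173"], 300),
    build_dns_response(0x1A2B, "www.facebook.com", ["203.0.113.10"], 60),
    build_dns_response(0x3C4D, "weibo.com", ["65.49.2.178"], 3600),
    build_dns_response(0x5E6F, "example.com", ["203.0.113.20"], 60),
]

if __name__ == "__main__":
    for r in analyse_capture(SAMPLE_CAPTURE):
        race = "RACE" if r.responses > 1 else "single"
        print(f"{r.qname:20} txid={r.txid:#06x} {race:6} winner={r.winner_ip} ({r.winner_class})")
```

A second answer for the same transaction ID is the signature of the race slide 12 describes; whichever arrived first is what the resolver cached, which is why the outage on slide 8 outlived the injection itself. On real captures also compare the TTLs: the injected answer's TTL bounds how long a poisoned resolver keeps serving it.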
  17. 65.49.2.178: associated with the Freegate Proxy exit range
     • Managed by Falun Gong-associated "Dynamic Internet Technologies"
     • Freegate Proxy is a free product designed specifically to tunnel through the GFW and other nation-state firewalls
     • "Five Poisons": groups of people the PRC considers the greatest danger to the stability of its authoritarian regime
       1. Tibetans
       2. Uighurs
       3. Democracy advocates
       4. Taiwanese
       5. Falun Gong
  18. Falun Gong: spiritual movement banned in the PRC
     • Repeatedly targeted via cyber attacks by presumed PRC government elements
     • Cyber troop "exercise" as featured on PRC state television. Target: Chinese grad student and Falun Gong practitioner's personal website hosted on a US university server
  19. Falun Gong: websites attacked via DDoS
     • Falun Gong-allied media organization Epoch Times reported that its websites experienced large-scale denial of service attacks on March 29 and April 1, 2012
     • "Elements in Chinese Communist regime suspected"
  20. But wait..... Why would the PRC government do that to itself?
     • Good question
     • Consider that the PRC regime considers the Internet a threat
     • Controlling/severing Internet access to its populace probably always part of its playbook to maintain regime stability
     • Still, an outage like this would have had to be planned, right?
  21. Evidence of information manipulation: official foreshadowing by CNNIC
  22. Evidence of information manipulation: official foreshadowing by CNNIC (continued)
  23. Evidence of information manipulation: official foreshadowing by CNNIC (continued)
  24. Evidence of information manipulation: official foreshadowing by CNNIC (the papers...)
  25. Evidence of information manipulation: official foreshadowing by CNNIC (the papers...). 2012 and 2013 DNS security in China compared: still not so good... danger, danger! Eight days before the "attack".
  26. Assessment summary: GFW steady-state DNS poisoning (GeoIP)
  27. Assessment summary: 21 January event
  28. Assessment summary: 21 January event (GeoIP)
  29. What L0rd suspects as the purpose behind the PRC's Netizen Death Star
     • This was a test of a "contingency option" cyber weapon by the PRC government
     • Contingency option: financial industry term for an option that doesn't cost the bearer anything until actually exercised
     • The Netizen Death Star option has been available since 2002, so why not test it
     • Growing more powerful all the time
     • Liken it to going to a schoolyard fight with one rock in your back pocket
       – Don't have to use it
       – Can use it only once (no reloading)
       – But it could do some serious (short-term) damage if aimed right
  30. Intelligence gaps: what were they thinking?
     • If the 21 January event was in fact an offensive cyber capability exercise, was it deemed a success by the PRC government?
     • Were all networks in the PRC poisoned? How about "VIP" networks?
     • Why did the GFW engineers choose those nine steady-state IP addresses over some other IP addresses?
     • The ISP behind the 65.49.2.178 IP address is Hurricane Electric. What kind of impact did the traffic generated by the 21 January 2014 DNS poisoning of netizen traffic by the GFW have on the Hurricane Electric backbone?
     • Was it really 3400Gbps, as suggested by the "target" net owner, Bill Xia?
     • Alternate hypothesis to my alternate hypothesis: the PRC used the event as an analysis "stimulus" on the FreeGate proxy network and its user base within China, whose tunneled traffic would not have been poisoned by the GFW.
     • What do you think?
  31. Questions. L0rd / netizen.death.star@gmail.com