2014年12月9日星期二

---Great God by Google refers collar excavated ---from research.dyn.com of accidentally importing inspection (engineering, network, security Earl Zmijewski) [30-3-2010] !! - and DDoS attacks and security reports Arbor Networks of IT (by: Craig · Labovitz) [19-11-2010] - and --- [bgpmon.net/chinese-isp-hijacked -] (Posted by ANDREE Toonk - 2010 年 4 月 8 日 - hijacking -) Finally---from research.dyn.com of protection if you use peer messy !! ---[Engineering,, Doug Madory] (2014 年 11 12 May)? - exposing the false deceit continent chinaman crime !! - ---由谷歌大神的指領發掘出的---來自research.dyn.com的---意外導入檢查(工程，網絡，安全伯爵Zmijewski)[30-3-2010]!!-和DDoS攻擊和安全報告的Arbor Networks的IT(按：克雷格·Labovitz)[19-11-2010] -及---[bgpmon.net/chinese-isp-hijacked-](發貼者ANDREE Toonk - 2010年4月8日-劫持-)最後是---來自research.dyn.com的---如果使用保護對等雜亂?!!---[ 工程學,, 道格Madory](2014年11月12日)-揭露虛假欺騙的大陸chinaman罪行!!- USA/UK/SEAOUL KOREAN/TW/MACAU(FDZ)/HKS/FR/JP/UKN/DE/FA/POL/VI/ESP`/CO/ARG/PY/MEX/MO/AUST./RU/HO/MAL/NW/CA/IT/PH/Swedis/Mongolian/TUR/Arabic/Latin/INDON./Greek/Dansk/THAI/......All the world lauguage-

---Great God by Google refers collar excavated ---*from research.dyn.com of accidentally importing inspection

(engineering, network, security Earl Zmijewski) [30-3-2010] !!* - and *DDoS attacks and security reports Arbor
Networks of IT (by: Craig · Labovitz) [19-11-2010] -* and --- [bgpmon.net/chinese-isp-hijacked -] (Posted by ANDREE Toonk - 2010 年 4 月 8 日 - hijacking -) Finally---*from research.dyn.com of protection if you use peer messy !! * ---[Engineering,, Doug Madory] (2014 年 11 12 May)? - exposing the false deceit continent chinaman crime !! -
---由谷歌大神的指領發掘出的---來自research.dyn.com的---*意外導入檢查(工程，網絡，安全伯爵Zmijewski)[30-3-2010]!!*-和*DDoS攻擊和安全報告的Arbor
Networks的IT(按：克雷格·Labovitz)[19-11-2010] -*及---[bgpmon.net/chinese-isp-hijacked-](發貼者ANDREE Toonk - 2010年4月8日-劫持-)最後是---來自research.dyn.com的---*如果使用保護對等雜亂?!!*---[ 工程學,, 道格Madory](2014年11月12日)-揭露虛假欺騙的大陸chinaman罪行!!-
**USA/UK/SEAOUL KOREAN/TW/MACAU(FDZ)/HKS/FR/JP/UKN/DE/FA/POL/VI/ESP`/CO/ARG/PY/MEX/MO/AUST./RU/HO/MAL/NW/CA/IT/PH/Swedis/Mongolian/TUR/Arabic/Latin/INDON./Greek/Dansk/THAI/......All the world lauguage**-

-**Please use the god home use Google translator to translate the language of your country or city Oh ^^-

-**請各位用家善用谷歌大神的翻譯器,來翻譯你們的國家或城市的語言喔^^-

-**국가 또는 도시 오 ^^의 언어를 번역하는the 하나님의 가정에서 사용하는 구글 번역기를 사용하십시오-

-**Se il vous plaît utiliser l'utilisation de la maison de Dieu traducteur de Google pour traduire la langue de votre pays ou ville Oh ^^-

-**あなたの国や都市ああ^^の言語を翻訳するために神の家庭用のGoogle翻訳を使用してください -

-**Будь ласка, використовуйте бог домашнього використання перекладач Google перевести мову вашої країни або міста Oh ^^-

-**Bitte benutzen Sie den Gott den Heimgebrauch Google Übersetzer, um die Sprache Ihres Landes oder Stadt Oh ^^ übersetzen-

-**Käytäthe jumala kotikäyttöön Googlen kääntäjä kääntääthe kieli maata tai kaupunkia Oh ^^-

-**Proszę używać korzystania bóg startowej Google Translator przetłumaczyć język kraju lub miasta Oh ^^-

-**Vui lòng sử dụng việc sử dụng thần chủ Google phiên dịch để dịch các ngôn ngữ của đất nước, thành phố của bạn Oh ^^-

-**Utilice el uso dios casa traductor de Google para traducir el idioma de su país o ciudad Oh ^^-

-**Utere deo, domum usu translator Google Translate to the language of patriae, civitatem O ^^-

-**Пожалуйста, используйте бог домашнего использования переводчик Google перевести язык вашей страны или города Oh ^^ -

-**Gebruik de god thuisgebruik Google vertaler naar de taal van uw land of stad Oh ^^ vertalen-

-**Sila gunakan digunakan di rumah tuhan penterjemah Google untuk menterjemahkan bahasa negara atau bandar anda Oh ^^-

-**Bruk gud hjemmebruk Google oversetter til å oversette språket i landet eller byen Oh ^^-

-**Si prega di utilizzare l'uso dio Home page di Google traduttore per tradurre la lingua del proprio paese o città Oh ^^-

-**Mangyaring gamitin ang bahay diyos paggamit tagasalin ng Google upang i-translate ang wika ng iyong bansa o lungsod Oh ^^-

-**Använd guden hemmabruk Google översättare att översätta språket i ditt land eller stad Oh ^^-

-**الرجاء استخدام استخدام إله المنزل مترجم جوجل لترجمة لغة بلدك أو المدينة أوه ^^-

- **Utere deo, domum usu translator Google Translate to the language of patriae, civitatem O ^^-

-**Silahkan gunakan penggunaan dewa rumah Google translator untuk menerjemahkan bahasa negara atau kota Oh ^^-

-**Brug venligst gud hjemmebrug Google oversætter til at oversætte sproget i dit land eller by Oh ^^-

-**Παρακαλώ χρησιμοποιήστε το θεό οικιακή χρήση του Google μεταφραστή να μεταφράσει τη γλώσσα της χώρας ή της πόλης σας Ω ^^-

-**กรุณาใช้theใช้งานที่บ้านพระเจ้าของ Google แปลที่จะแปลภาษาของประเทศหรือเมืองของคุณโอ้ ^^the-

-**Bonvolu uzi la dio hejmo uzo Google tradukisto por traduki la lingvon de via lando aŭ urbo Ho ^^- **

http://research.dyn.com/2010/03/fouling-the-global-nest/

Accidentally Importing Censorship

With advancements in hardware and software, sophisticated filtering technologies are increasingly being applied to restrict access to the Internet. This happens at the level of both governments and corporations. Renesys is headquartered in the “Live Free or Die” US state of New Hampshire. In our Hanover small town of roughly 10,000 folks, we know of a local company who tries to restrict non-work related (eg, shopping) websites from their employees. Unfortunately, someone who works there can't read about Amazon's cloud computing as a result — a small bit of collateral damage. Entire countries act in much the same way. The OpenNet Initiative keeps track of such state-sponsored restrictions and publishes interesting maps based on the level of filtering by topic. But given the open nature of the trust-based Internet, one country's restrictions, if not handled very carefully, can easily foul the global Internet nest we all live in. This blog is about one such story of Internet restrictions in China becoming visible (seemingly at random) from other parts of the world and going undetected for 3 weeks . Given the increasing complexity of this technology, the difficulty in controlling a very open Internet, and the strong desire of some to do just that, this could be a harbinger of things to come.

Background
To understand this problem, one needs to consider Internet routing, the behavior of DNS and the root nameservers, and the economics of Internet transit. So let's briefly review a few basics before we describe the incident. When you type

www.facebook.com

into your browser, your computer must first contact a DNS server to convert this name into an IP address in order to contact the host serving this content. Answers to DNS requests are cached on both your machine and the various servers involved to reduce the load of subsequent identical queries. Now suppose for the moment that the caches on your machine and your DNS server are both empty and you make the above query. Your DNS server first contacts a root nameserver with your request. If configured according to convention, the root nameserver will not provide the answer to your query, but instead direct your DNS server to the .com nameservers. In turn, those will direct your DNS server to the Facebook nameserver, which will ultimately provide an IP address to one of Facebook's web servers. At least that is how it is supposed to work.
Now suppose organization C runs a root nameserver and C doesn't want you going to Facebook. Nothing requires C to direct you to the .com nameservers. Since C sees your complete request, it could just answer you directly. If C gave you the wrong answer, it would effectively block your access to Facebook, assuming you didn't know enough to pick a different server. Since the Internet runs on trust, you'll also end up caching C's invalid response (known as cache poisoning ) with C being the one who tells you how long to cache the result! (Alternatively, C could actually provide the correct answer, but a firewall in front of C could alter the result on its way back to you. Either way, you lose.)
Incident Details
While this scenario might seem very unlikely, it in fact just happened with the I-root instance run out of China, as first reported by Mauricio Vergara Ereche in Chile and subsequently blogged on here . In fact, the problem existed from March 3 ^rd until March 25 ^th , before it was reported on and corrected. Despite the fact that a lot of people could have been impacted, the chances of any one of them having gotten the incorrect DNS response are extremely remote, as we'll explain later. This is thanks again to the way DNS operates and the overall resiliency of the Internet.
So let's review exactly what happened here. First, as is well known, China censors the Internet in a variety of ways. One way is to return invalid answers to DNS requests to Chinese users. For example, at this moment, a Chinese DNS server is returning 46.82.174.68 as an IP address for www.facebook.com, when in fact, all legitimate Facebook IPs are of the form 66.220.xy or 69.63.xy Seemingly random, but often unrouted, IPs are also returned for www.twitter.com, www.youtube.com and many other domains. This is normal and expected behavior inside of China.
However, China also happens to house an instance of a root nameserver, the I-root, and when this server became visible outside of China on March 3 ^rd , anyone who happened to query it could have gotten bogus responses. Keep in mind that there are 13 different root nameserver IP addresses (associated with the A-root, B-root, …, M-root) and the I-root is just one of these, namely, 192.36.148.17. In addition, there are dozens of instances of the I-root housed in many locations around the world. To get a bogus DNS response outside of China, you not only had to query the I-root, you had to query the Chinese version of it. The countries with the most number of network prefixes that could have queried the Chinese I-root during this time are given in the following graphic. Not surprisingly, the most exposed countries were all in Asia, but some some prefixes in the US were also vulnerable, more than half of which geo-locate to California.

So let's review the unlikely series of events that would have been required to observe a bogus answer to www.facebook.com.

You attempt to go to www.facebook.com.
You don't have this entry in your DNS cache, nor does your DNS server.
Your DNS server does not have the .com servers cached either.
Your DNS server happens to choose the I-root (as opposed to A-root, B-root, C-root, etc).
Due to current Internet routing in place at your location, your DNS server happens to be directed to China's instance.

Since Facebook is blocked in China, your DNS server does not get the expected list of .com servers, but rather a bogus response to your original request, either from the I-root itself or a firewall in between. You cache the result and can't “friend” anyone for a while.
Think for a moment about how unlikely all of this is. Responses for .com nameservers are set to expire only after 48 hours. So to have any chance of seeing a bogus response, the first request into your DNS server after its cached .com entries expire must be for a blocked domain in China and your DNS server has to query the I-root, one of 13 possibilities. (Once the .com servers are cached, there is no need to query to the root servers for them.) In addition, of the many instances of the I-root, you have to somehow end up selecting the Chinese one. But with 1.7 billion Internet users surfing the web for 3 weeks, it was bound to happen and be reported.
Of course, you don't really have any control over which I-root instance you see from your location. That is determined by Internet routing. Many of the root nameservers are anycast from multiple locations around the world. This means that the associated IP prefixes are announced from multiple locations, all of which house servers with copies of the appropriate data. BGP, the Internet routing protocol, is then used to sort out who sees which instance of the root servers from which locations. In general, the Chinese I-root instance is only visible from within China, but for 3 weeks these routes leaked out to the global Internet. This announcement exited China when it was leaked by the China Internet Network Information Center (AS 24151).
The careful reader might wonder how anyone in the US could have selected the Chinese I-root. Isn't there a closer one? Well, that's the thing about Internet routing. It's driven more by economics than by physical distance, although the two are often related. For example, suppose two smaller providers, call them A and B, agree to exchange traffic with each other for free. This common arrangement on the Internet is known as peering and allows A and B to save money, specifically, transit costs to larger providers. Suppose further that A (or one of its customers) is running the I-root. If B needs to get to the I-root, it should pick its settlement-free peering link with A, rather than its link to a larger carrier for whom they have to pay. China Telecom, by far the largest carrier in China, peers with nearly 100 other providers. If those providers or their customers aren't running an instance of the I-root themselves, they might use their peering link to China Telecom to reach their instance. This is how countries far from China could end up selecting the Chinese I-root as the “best” of many possibilities.
Conclusions
This story illustrates both the fragility and the resiliency of the global Internet. It's fragile because it is ultimately trust-based and almost anyone can violate that trust, deliberately or by accident (and there is no reason to think this wasn't an innocent mistake). It's resilient because there are often many alternatives or workarounds for any screw-ups or attempts at control. The Internet is a big place full of very clever people — making it tough to wall off.

================
http://www.arbornetworks.com/asert/2010/11/china-hijacks-15-of-internet-traffic/

China Hijacks 15% of Internet Traffic?

By: Craig Labovitz - 11/19/2010

On Wednesday, the US China Economic and Security Review Commission released a wide-ranging report on China trade, capital markets, human rights, WTO compliance, and other topics. If you have time to spare, here is a link to the 324 page report.
Tucked away in the hundreds of pages of China analysis is a section on the Chinese Internet, including the well-documented April 8, 2010 BGP hijack of several thousand routes (starting on page 244).
To review, shortly around 4am GMT on April 8th a Chinese Internet provider announced 40,000 routes belonging to other ISPs / enterprises around the world (though many were for China based companies). During a subsequent roughly 15 minute window, a small percentage of Internet providers around the world redirected traffic for a small percentage of these routes to Chinese address space. RIPE provides a link to a list of some of these prefixes (as well as indicating the impact on European carriers was minimal) and Andree Toonk and his colleagues at BGPmon have a nice synopsis at the BGPMon blog.
Following shortly on the heels of the China hijack of DNS addresses in March, the April BGP incident generated a significant amount of discussion in the Internet engineering community.

panic

Any corruption of DNS or global routing data (whatever the motive) is a cause of significant concern and reiterates the need for routing and DNS security. But in an industry crowded with security marketing and hype, it is important we limit the hyperbole and keep the discussion focused around the legitimate long-term infrastructure security threats and technical realities.
So, it was with a bit of a surprise that I watched an alarmed Wolf Blitzer report on prime time CNN about the China hijack of “15% of the Internet” last night. A bit less diplomatic, a discussion thread on the North American Network Operator Group (NANOG) mailing list called media reports an exaggeration or “complete FUD”. Also on the NANOG mailing list, Bob Poortinga writes “This article … is full of false data. I assert that much less than 15%, probably on the order of 1% to 2% (much less in the US) was actually diverted.”
If you read the USCESRC report, the committee only claims China hijacked “massive volumes” of Internet traffic but never get as specific as an exact percentage. The relevant excerpt from the report below:

The USCESRC cites the BGPMon blog as the source of data on “massive traffic volumes”. But curiously, the BGPMon blog makes no reference to traffic — only the number of routes.
You have to go to a National Defense interview with Dmitri Alperovitch, vice president of threat research at McAfee, to first come up with the 15% number. Several hundred media outlets, including CNN, the Wall Street Journal, Time Magazine and many more picked up this interview and eagerly reported on China’s hijack of “massive Internet traffic volumes of 15% or more”.
Now certainly, diverting 15% of the Internet even for just 15 minutes would be a major event. But as earlier analysis by Internet researchers suggested, this hijack had limited impact on the Internet routing infrastructure — most of the Internet ignored the hijack for various technical reasons.
And indeed, ATLAS data from 80 carriers around the world graphed below shows little statistically significant increase due to the hijack on April 8, 2010. I highlight April 8th in yellow and each bar shows the maximum five minute traffic volume observed each day in April going to the Chinese provider at the center of the route hijack.

china hijack

While traffic may have exhibited a modest increase to the Chinese Internet provider (AS23724), I’d estimate diverted traffic never topped a handful of Gbps. And in an Internet quickly approaching 80-100 Tbps, 1-3 Gbps of traffic is far from 15% (it is much closer to 0.015%).
In fairness, I should note that I don’t know how Mr. Alperovitch obtained his 15% number (the article does not say) and a hijack of 40k routes out of a default-free table of ~340K is not far from fifteen percent. But of course, routes are different from traffic. I also add that both China denied the hijack and some Internet researchers suspect the incident was likely accidental.
The global BGP Internet routing system is incredibly insecure. Fifteen years ago, I wrote a PhD thesis (link available here) using experiments in part capitalizing on the lack of routing security. My research injected hundreds of thousands fake routes (harmless!) into the Internet and redirected test traffic over the course of two years. A decade or more later, none of the many BGP security proposals'' have seen significant adoption due to a lack of market incentives and non-legitimate routes still regularly get announced and propagated by accident or otherwise. Overall, the Internet routing system still relies primarily on trust (or “routing by rumor” if you are more cynical).
We need to fix Internet infrastructure security, but we also need to be precise in our analysis of the problems.

UPDATE: Additional discussion and statistics on the incident are now available in a follow-up blog at /asert/2010/11/additional-discussion-of-the-april-china-bgp-hijack-incident.

====================
Hurricane Electric公司

http://he.net/

前綴起源（全部）：811
前綴起源（V4）：811
前綴起源（V6）：0

前綴公佈（全部）：811
前綴公佈（V4）：811
前綴公佈（V6）：0

觀察BGP對等（全部）：12
BGP對等觀察（V4）：12
BGP對等觀察（V6）：0

起源IP地址（V4）：3731712
AS路徑觀察（V4）：406
AS路徑觀察（V6）：0

平均AS路徑長度（全部）：4.374
平均AS路徑長度（V4）：4.374
平均AS路徑長度（V6）：0.000

ASN	名字
AS4134	中國電信骨幹網
AS37958	北京藍IT科技有限公司。

Internet Backbone and Colocation Provider

Hurricane Electric

Hurricane Electric IP Transit Our Global Internet Backbone provides IP Transit with low latency, access to thousands of networks, and dual-stack native IPv6+IPv4. Global IPv6 & IPv4 Internet Transit	Free IPv6 Certifications! This tool will allow you to certify your ability to configure IPv6. http://ipv6.he.net/certification

Tunnel Broker "Our free tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6 enabled host or router to one of our IPv6 routers. Try it now!" http://tunnelbroker.net	Colocation

Hurricane Electric
760 Mission Court
Fremont, CA 94539

Voice +1 510.580.4100
Fax +1 510.580.4151
Comments? info@he.net

=========================
http://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/

Chinese ISP hijacks the Internet

Posted by Andree Toonk - April 8, 2010 - Hijack - 25 Comments

his morning many BGPmon.net users received an alert regarding a possible prefix hijack by a Chinese network. AS23724 is one of the Data Centers operated by China Telecom, China's largest ISP. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation only originates about 40 prefixes, however today for about 15 minutes they originated about ~37,000 unique prefixes that are not assigned to them. This is what we typically call a prefix hijack.
This incident follows another concerning incident from China 2 weeks ago.
Although it seems they have leaked a whole table, only about 10% of these prefixes propagated outside of the Chinese network. These include prefixes for popular websites such as dell.com, cnn.com, www.amazon.de, www.rapidshare.com and www.geocities.jp.
A large number of networks impacted this morning were actually Chinese networks. These include some popular Chinese website such as
www.joy.cn , www.pconline.com.cn , www.huanqiu.com, www.tianya.cn and www.chinaz.com
A list of all prefixes that were announced/hijacked can be found here
The event has been detected globally by peers in The Netherland, UK, Rusia, Italy, Sweded USA, Japan and Brazil. However not all individual prefix 'hijacks' were detected globally, many only by a few peers, in one or 2 countries, but some by more.
Some details
All announcement had part of the AS path in common. The common part in the ASpath is (note the prepend).
4134 23724 23724
Which are:
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
ASns peering with AS4134 seem to have picked this up and propagated that to their customers.
Some of these ASns include:
AS9002 RETN-AS ReTN.net Autonomous System
AS12956 TELEFONICA Telefonica Backbone Autonomous System
AS209 ASN-QWEST – Qwest Communications Company, LLC
AS3320 DTAG Deutsche Telekom AG
AS3356 LEVEL3 Level 3 Communications
AS7018 ATT-INTERNET4 – AT&T WorldNet Services
All RIS peers that detected this where behind (transit/peer) one of those ANS's.
AS2914 NTT-COMMUNICATIONS-2914 – NTT America, Inc. customers
Looking at more routing information it seems that AS2914 saw more then just the 10% mentioned above. So the impact for NTT America customers might have been bigger.
Impact
28% of the RIS collectors used by BGPmon.net have detected these events. This means that quite a number of networks were impacted by this. The first announcement was detected at 2010-04-08 17:54:31 (UTC), the last 'hijack' announcement was at 2010-04-08 18:10:14.
Most 'alerts' have now been cleared, they typically lasted a few minutes.
Probably more then the 51 peers mention above would have detected the prefix, but not have chosen this as the best path. Most likely due to the ASpath length or other policies. I believe it's fair to assume that the impact in China and probably Asia was far bigger then the rest of the world.
Possible Cause
I have not spoken with engineers from AS23724, so I can only speculate. Given the large number of prefixes and short interval I don't believe this is an intentional hijack.
Most likely it's because of configuration issue, ie fat fingers. But again, this is just speculation.
Prefix distribution
Most prefixes impacted by this were prefixes from the US and China. Below you'll find the top countries impacted:

Country => number of prefixes hijacked by AS23724
US => 10547
CN => 10298
KR => 2857
AU => 1650
MX => 885
IN => 719
JP => 604
BR => 592
FR => 508
RU => 471
CA => 425
TH => 372
ID => 369
IT => 338
CO => 328
GB => 322
CL => 302
SE => 281
HK => 276
EC => 272
DE => 227
Example alert message


 ==================================================================== 
 Possible Prefix Hijack (Code: 10) 
 ==================================================================== 
 Your prefix: 203.190.56.0/21: 
 Prefix Description: www.infoseek.co.jp 
 Update time: 2010-04-08 16:09 (UTC) 
 Detected by #peers: 4 
 Detected prefix: 203.190.56.0/21 
 Announced by: AS23724 (CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation) 
 Upstream AS: AS4134 (CHINANET-BACKBONE No.31,Jin-rong Street) 
 ASpath: 8331 9002 9002 4134 23724 23724 
 Alert details: http://bgpmon.net/alerts.php?details&alert_id=6617721 
 Mark as false alert: http://bgpmon.net/fp.php?aid=6617721

=========================

Is China testing cyber-nukes?

Posted on May 31st, 2010 in Vpn

China has been in the cross hairs of Google and the US State Department recently thanks to the discovery that hackers had used extremely clever espionage techniques to get access to Google's networks (and at least 30 other major corporations.) Infiltrating target networks is one thing. What about bringing out the big guns? BGP route announcements.
While resilient, the Internet suffers from a glaring vulnerability: the impact of spurious BGP route announcements. Anyone can issue instructions to the basic building blocks of the Internet, the backbone routers, that, if accepted, will seriously disrupt the function of the Internet. This was dramatically demonstrated in the mid-90's when a neophyte engineer at an ISP in Florida entered a new route in his routers that was picked up by his upstream provider and shared with the rest of Internet. For most of a day anyone who attempted to go to AOL.com was routed to his network. This pretty much shut down the Internet in the South East US.
Similarly, Pakistan took YouTube off the Internet in early 2008, which led to Pakistan being taken off the Internet as well. Now we discover that in March one of China's ISPs leaked routes to it's one of the top level domain name server that is maintained within their borders. This had the globally minor, but real, impact of imposing China's censorship of Twitter, FaceBook, etc. on those affected. (Inside China, people are redirected to other sites if they attempt to use these services.) For a complete description of this incident see the excellent report from the network watchdogs at Renesys.
The malicious announcement of BGP routes could temporarily completely disrupt Internet traffic for any network and could have spillover effects that could take an entire country offline, as happened in the Pakistan-YouTube incident. Using BGP route announcements to cause damage is the most powerful cyber-weapon available. ( In a blatant attempt to get Wired Magazine to froth at the mouth let's call it a cyber-nuke attack.)
Yesterday, the folks at BGPMon, who monitor such things, discovered that IDC-China Telecom had leaked spurious route announcements for such popular sites as dell.com, cnn.com, www.amazon.de, www.rapidshare.com causing them to be unreachable for some users.
Thousands of network routes where essentially hijacked yesterday by Chinese ISPs. Was this intentional? BGPMon speculates that it was an accident, which is reasonable since there are no documented cases of anyone ever issuing malicious route announcements. They are always user-errors. But if one were to contemplate developing offensive cyber weapons wouldn't you test them occasionally to see if they worked?

========================

1981年9月
 RFC 792



目的地不可達消息

     0 1 2 3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  - +  -  +  -  +  -  +  -  +  -  +  -  +  -  +
    |類型|碼|校驗|
    +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  - +  -  +  -  +  -  +  -  +  -  +  -  +  -  +
    |未使用|
    +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  - +  -  +  -  +  -  +  -  +  -  +  -  +  -  +
    |原始數據數據報的互聯網頭+ 64位|
    +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  -  +  - +  -  +  -  +  -  +  -  +  -  +  -  +  -  +

    IP字段：

   目標地址

      從原始數據報的數據源網絡和地址。

    ICMP字段：

   類型

       3

   代碼

       0 =淨利潤可達;

       1 =主機不可達;

       2 =網絡不可達;

       3 =端口不可達;

       4 =碎片需要和DF設置;

       5 =源路由失敗。

   校驗

      該校驗和是一個人的的16位的人的補
      補充ICMP消息首先是ICMP類型的總和。
      對於計算校驗，校驗碼域應該為零。
      該校驗和可以被取代的未來。

   互聯網頭+ 64位數據的數據報

      互聯網頭加上前64位原

================================================
http://research.dyn.com/2014/11/use-protection-if-peering-promiscuously/
Dyn Research

November 12, 2014Economics , Engineering Doug Madory
Share on Google+

Use Protection if Peering Promiscuously

Last week, I wrote a blog post discussing the dangers of BGP routing leaks between peers, illustrating the problem using examples of recent snafus between China Telecom and Russia's Vimpelcom. This follow-up blog post provides three additional examples of misbehaving peers and further demonstrates the impact unmonitored routes can have on Internet performance and security. Without monitoring, you are essentially trusting everyone on the Internet to route your traffic appropriately.
In the first two cases, an ISP globally announced routes from one of its peers, effectively inserting itself into the path of the peer's international communications (ie, becoming a transit provider rather than remaining a peer) for days on end . The third example looks back at the China Telecom routing leak of April 2010 to see how a US academic backbone network prioritized bogus routes from one of its peers, China Telecom, to (briefly) redirect traffic from many US universities through China.
Recap: How this works
To recap the explanation from the previous blog (and to reuse the neat animations our graphics folks made), we first note that ISPs form settlement-free direct connections ( peering ) in order to save on the cost of sending traffic through a transit provider. Suppose that ISP A and ISP B establish such a private link between their networks. At the BGP routing level, ISP A will then send routes from its customers to its peer ISP B, who will in turn send these routes on to its customers. As a result, the customers of ISP B will send traffic destined for ISP A through the newly established peering link, saving ISP B from having to pay its transit providers to carry the traffic. This flow of routes and traffic is illustrated below.

The first way this can go wrong is for ISP B to announce the routes received from ISP A out to the global Internet (through its transit providers) or to ISP B's other peers . By doing this, ISP B inserts itself onto the path of incoming traffic to ISP A from outside ISP B's own network , something ISP A certainly didn't expect when it took on ISP B as a peer.

ISP B can also mess up by sending routes learned either from its transit providers or peers to ISP A. If these routes are accepted by ISP A (and they typically will be), such errors put ISP B onto the path of outgoing traffic from ISP A to the networks erroneously announced along this peering link.

These two scenarios can happen independently. As shown in our last blog , China Telecom leaked routes to and from Vimpelcom numerous times throughout the year. Most of these incidents involved China Telecom leaking routes it learned from Vimpelcom out to the global Internet (scenario 1); however, on a few occasions, China Telecom also passed a full or partial routing table to Vimpelcom (scenario 2), altering how traffic flowed out of Vimpelcom.
Additional recent examples of peering leaks
Beltelecom-Yandex

Yandex is essentially the Russian version of Google. It is the dominant Russian-language search engine and, like Google, Yandex has established a lot of peering links — although, for obvious reasons, with a greater emphasis on the Russian-speaking world. Beltelecom is the incumbent telecom of Belarus and has become a recurring character in this blog (either for globally routing RFC6598 address space'' or MITM hijacks ). Beltelecom and Yandex have a peering relationship, as it makes a lot of sense for eyeball networks (Beltelecom) and content providers (Yandex) to try to save on transit costs by interconnecting. However, for twelve days this year, Beltelecom announced routes it learned from Yandex to its transit provider Telecom Italia (ie, leak scenario 1 from above).
The AS paths of the impacted routes took the following form:
… 6762 6697 13238 …
This AS path shows that routes from Yandex (AS13238) shared with its peer Beltelecom (AS6697) who leaked them to Telecom Italia (AS6762), a global Tier 1 provider'' . Normally no provider outside of Belarus would use Beltelecom to reach Yandex.
The result was that traffic destined for Yandex from customers around the world in Telecom Italia's downstream cone was misdirected first to Beltelecom. For Yandex's networks in Russia (which shares a border with Belarus), the impact on latency was minor. However, Yandex has networks outside of Russia (including some in the Netherlands and the United States) and, for those networks, the latency and paths were dramatically altered. For those receiving Yandex routes via Telecom Italia, Beltelecom inserted itself into Yandex-destined traffic from 22 May through 3 June of this year.
Consider the following example traceroute from Brazil to Yandex's presence in Palo Alto, California before Beltelecom started leaking Yandex routes. The trace illustrates a typical traffic path, namely from Brazil to Miami and then on to New York and finally California.

trace from João Pessoa, Brazil to Yandex-Palo Alto at 05:46 May 20, 2014 
 1  * 
 2  187.45.183.254 (HostDime.com.br Data Center, João Pessoa, Brazil) 0.259ms 
 3  179.124.137.14 (SITECNET INFORMÁTICA LTDA, João Pessoa, Brazil)   8.122ms 
 4  189.125.24.13  13.24.125.189.static.impsat.net.br                54.263ms 
 5  67.16.139.18   po3-20G.ar2.MIA2.gblx.net (Miami, US)            165.525ms 
 6  213.200.84.37  xe-0-3-0.mia10.ip4.tinet.net                     119.060ms 
 7  141.136.110.241 (GTT, New York)                                 179.928ms 
 8  216.221.156.210 servicenow-gw.ip4.gtt.net (New York, US)        199.109ms 
 9  199.21.98.202   poker-vlan801.yndx.net (Las Vegas, US)          187.579ms 
 10 130.193.60.70   (Yandex, Palo Alto, US)                         179.933ms 
 11 199.21.99.96    spider-199-21-99-96.yandex.com (Palo Alto, US)  187.462ms

However, during the leak, traffic from the same server in Brazil to the same Yandex location in California was redirected to Beltelecom in Minsk, Belarus and then on to Yandex in Moscow, after which Yandex took the traffic to California on its internal backbone.

trace from João Pessoa, Brazil to Yandex-Palo Alto at 00:57 May 23, 2014 
 1  * 
 2  187.45.183.254 (HostDime.com.br Data Center, João Pessoa, Brazil) 0.249ms 
 3  179.124.137.14 (SITECNET INFORMÁTICA LTDA, João Pessoa, Brazil)  54.175ms 
 4  189.125.24.13   13.24.125.189.static.impsat.net.br               54.932ms 
 5  67.16.148.10    ae1-100G.ar4.GRU1.gblx.net (São Paulo, BR)       70.403ms 
 6  208.51.134.118  telecomitalia2.ar4.GRU1.gblx.net (São Paulo, BR) 54.192ms 
 7  195.22.214.85   xe-3-3-2.franco71.fra.seabone.net (Frankfurt)   220.925ms 
 8  89.221.34.253   beltelekom.franco71.fra.seabone.net (Frankfurt) 404.091ms 
 9  93.85.80.69     ie1.net.belpak.by (Minsk, BY)                   252.911ms 
 10 93.85.80.37     core1.net.belpak.by (Minsk, BY)                 254.373ms 
 11 93.85.80.178    100ge.core.belpak.by (Minsk, BY)                251.801ms 
 12 86.57.253.1     stat.byfly.by (Minsk, BY)                       295.233ms 
 13 87.250.239.0    ugr-p3-te0-3-0-18.yndx.net (Moscow, RU)         266.851ms 
 14 87.250.239.79   ugr-p1-be1.yndx.net (Moscow, RU)                266.571ms 
 15 87.250.239.154  dante-ae3.yndx.net (Moscow, RU)                 266.611ms 
 16 213.180.213.119 panas-xe-0-0-1-984.yndx.net (Moscow, RU)        276.847ms 
 17 213.180.213.122 (Yandex, Moscow, RU)                            309.937ms 
 18 87.250.239.55   gretchen-xe-1-1-0.yndx.net (Germany)            281.413ms 
 19 213.180.213.184 ash1-c1-xe-0-0-1-985.yndx.net (Asheville, US)   356.142ms 
 20 199.21.98.195   whist-vlan801.yndx.net (Las Vegas, US)          356.994ms 
 21 130.193.60.70   (Yandex, Palo Alto, US)                         346.466ms 
 22 199.21.99.96    spider-199-21-99-96.yandex.com (Palo Alto, US)  356.994ms

Did Yandex finally notice this after nearly two weeks of poor performance due to misdirected traffic? Did Beltelecom ultimately catch the error, after perhaps noticing a surge in traffic along its peering link with Yandex? We may never know the answers to these questions, but we easily quantified the impact to Yandex's Internet performance using our continuous global measurement and monitoring platform .
Rascom-Telma

Our next example of a peering relationship gone bad concerns Rascom's leak of Telma's routes this summer. Telma is the incumbent telecom of the African island-nation of Madagascar , and Rascom is a Russian fixed-line operator with a network that extends throughout Europe. While the previous example involved a very common type of peering relationship, between a content producer (Yandex) and a content consumer (Beltelecom), why on earth would a Russian ISP peer with an ISP from Madagascar? How much traffic could possibly be passing between these two networks? Could that traffic really justify a private connection to help to reduce transit costs? Probably not. The reason for this arrangement is likely due to the fact that both entities happen to be present at London Internet Exchange'' and decided to peer because … why not?
When a provider from a faraway place like Africa or the Middle East establishes a presence at one of the European IXes, it often will establish peering relationships with anyone and everyone. Once present at an IX, each additional connection carries little marginal cost, so you might as well connect with everybody there in the hopes of reducing your transit costs, if only slightly. But as we'll see in this example, each of your peers has the potential to screw up and alter the flow of your Internet traffic. In other words, every relationship, no matter how seemingly insignificant, carries real risks. There is no free lunch on the Internet.
Consider the following example of a normal traffic path from New York to Telma in Madagascar, the day before the routing leak. Level 3 carries the traffic to London, where Telma picks it up and takes it first to Paris and then Madagascar.


 trace from New York to Telma, Madagascar at 08:42 Aug 11, 2014 
 1  * 
 2  4.53.90.149      vlan725.car3.NewYork1.Level3.net             0.602ms 
 3  4.69.155.126     vlan70.csw2.NewYork1.Level3.net             69.191ms 
 4  4.69.134.69      ae-71-71.ebr1.NewYork1.Level3.net           69.274ms 
 5  4.69.137.65      ae-41-41.ebr2.London1.Level3.net            70.905ms 
 6  4.69.153.130     ae-56-221.csw2.London1.Level3.net           69.265ms 
 7  4.69.139.102     ae-25-52.car5.London1.Level3.net           181.282ms 
 8  212.113.0.18     TELMA.car5.London1.Level3.net               75.363ms 
 9  41.188.51.129    mx-480-lon-ae0-0-to-divinetwork.dts.mg      87.635ms 
 10 * 
 11 41.188.60.208    mx-480-par-ge-0-0-9-to-7710src12-th2.tgn.mg 93.228ms 
 12 41.188.9.41      mx-10-2-tul-so-1-2-3-to-mx-480-par.tgn.mg  280.859ms 
 13 41.188.60.133    p-galaxy-lag-10-to-mx-10-2-tul.tgn.mg      294.419ms 
 14 * 
 15 * 
 16 196.192.38.86    ademalinux.adema.mg (Madagascar)           296.248ms

This next trace illustrates the impact of the routing leak on the path and latency between New York and Madagascar. In this case, Tata takes the traffic to London and then Frankfurt before handing it off to Golden Telecom (Vimpelcom). Golden takes the traffic to Moscow and delivers it to Rascom, who takes it straight back to London (at LINX), handing it off to Telma so it can continue its journey to Madagascar. Wow!


 trace from New York to Telma, Madagascar at 12:30 Aug 12, 2014 
 1  * 
 2  209.58.26.53    ix-11-3-5-0.tcore1.NTO-New-York.as6453.net   0.791ms 
 3  63.243.128.38   (Tata Communications, London)               85.475ms 
 4  80.231.131.2    if-2-2.tcore1.L78-London.as6453.net         85.733ms 
 5  * 
 6  80.231.154.17   if-2-2.tcore1.PVU-Paris.as6453.net          85.654ms 
 7  80.231.153.54   if-3-2.tcore1.FR0-Frankfurt.as6453.net      85.369ms 
 8  195.219.50.2    if-7-2.tcore1.FNM-Frankfurt.as6453.net      85.666ms 
 9  195.219.156.130 if-2-2.thar1.F2C-Frankfurt.as6453.net       85.332ms 
 10 195.219.148.42  (Tata Communications, Frankfurt, DE)        85.792ms 
 11 79.104.225.14   cat08.Moscow.gldn.net                      130.005ms 
 12 62.231.1.139    HostLine2-gw.Moscow.gldn.net               131.454ms 
 13 80.64.102.205   (Rascom, Vyborg, RU)                       129.323ms 
 14 * 
 15 80.64.96.70     ams-equ-cr1-to-stk.rascom.as20764.net      128.012ms 
 16 195.66.226.21   (London Internet Exchange (LINX))          126.734ms 
 17 41.188.51.129   mx-480-lon-ae0-0-to-divinetwork.dts.mg     133.410ms 
 18 * 
 19 41.188.60.208   mx-480-par-ge-0-0-9-to-7710src12-th2.tgn.mg 153.67ms 
 20 41.188.9.41     mx-10-2-tul-so-1-2-3-to-mx-480-par.tgn.mg  356.605ms 
 21 41.188.60.133   p-galaxy-lag-10-to-mx-10-2-tul.tgn.mg      348.541ms 
 22 * 
 23 * 
 24 196.192.38.86   ademalinux.adema.mg (Madagascar)           350.924ms

We wouldn't be surprised if the network engineers at both Rascom and Telma were completely unaware of this circuitous routing. This level of monitoring is often overlooked.
China Telecom—National LambdaRail
Although our final example isn't recent, it is worth mentioning in this discussion. During the big China Telecom routing leak of April 2010 that caused an international stir , it is interesting to note where the bogus routes announced by China Telecom (AS23724) propagated the farthest. Before it ceased operations'' earlier this year, National LambdaRail'' (NLR) was a “high-speed national computer network owned and operated by the US research and education community.” NLR also had a peering relationship with China Telecom , the state telecom of China. When NLR received the bogus origination announcements from its Chinese peer, it accepted them and routed traffic to China that was intended for numerous other locations around the world.
This is what can be most pernicious about routes received across peering links. Routes from peers are typically prioritized over routes from providers to avoid transit costs. While many, but certainly not all, transit providers filter the routes they receive from their customers in some manner, it is far less common for peers to do any filtering on the routes they exchange, largely due to the difficulty of determining appropriate routing behavior for an independent entity. These prioritized and unfiltered peer routes have the potential to cause the performance and security problems we've outlined here.
In a 2012 paper entitled “A Case Study of the China Telecom Incident”, I assisted the authors by searching and analyzing traceroute data from the iPlane'' project for examples of traceroutes that were sucked into China Telecom during the routing leak. Since much of iPlane's data is generated using the networks of universities in the US and many universities had a connection to NLR, there were many US universities that had traffic redirected through China Telecom. As is standard practice, NLR had prioritized routes from its peers—including China Telecom. US universities may have also prioritized routes from NLR over commercial transit links because NLR might have been a subsidized and therefore cheaper option. This provided a vector for those bogus routes to briefly (the entire incident lasted only 18 minutes) redirect traffic through China.
Here is an example traceroute pulled from iPlane traceroute data that illustrated the impact of the routing leak. Starting in Norman, Oklahoma this trace goes out to to Internet2 and onto NLR's routers on the west coast of the US. There it hands the traffic off to China Telecom before returning it back to the US; it next appears in Cogent's network in Chicago (ord) before making its way over to Boston.


 0  129.15.78.1      (University of Oklahoma, Norman, US)        0.384ms 
 1  192.168.255.50   (RFC 1918)                                  0.287ms 
 2  192.168.255.233  (RFC 1918)                                158.051ms 
 3  164.58.10.97     (OneNet, Oklahoma City, US)                 0.364ms 
 4  164.58.10.82     (OneNet, Oklahoma City, US)                 0.875ms 
 5  164.58.10.86     (OneNet, Oklahoma City, US)                 3.025ms 
 6  164.58.10.173    (OneNet, Oklahoma City, US)                 3.057ms 
 7  164.58.10.194    (OneNet, Oklahoma City, US)                40.005ms 
 8  156.110.203.2    (Oklahoma Regents, Oklahoma City, US)      18.231ms 
 9  137.164.131.81   ae-3.210.chic0.tr-cps.internet2.edu        18.699ms 
 10 137.164.129.2    (National LambdaRail, Los Angeles, US)     71.529ms 
 11 137.164.129.34   (National LambdaRail, Los Angeles, US)     71.614ms 
 12 137.164.130.254  (National LambdaRail, Los Angeles, US)     71.606ms 
 13 * 
 14 202.97.51.241    (China Telecom, Guangzhou, CN)            280.357ms 
 15 * 
 16 154.54.12.133    te0-7-0-6.ccr21.ord03.atlas.cogentco.com  296.328ms 
 17 154.54.6.241     te0-0-0-30.ccr22.yyz02.atlas.cogentco.com 294.124ms 
 18 154.54.27.18     be2242.ccr22.jfk05.atlas.cogentco.com     298.383ms 
 19 154.54.24.21     te0-7-0-5.ccr22.atl01.atlas.cogentco.com  315.434ms 
 20 154.54.1.34      te0-2-0-3.ccr22.dca01.atlas.cogentco.com  328.007ms 
 21 66.28.4.81       te0-7-0-35.ccr21.atl01.atlas.cogentco.com 335.061ms 
 22 154.54.6.9       te0-1-0-4.ccr22.bos01.atlas.cogentco.com  340.852ms 
 23 66.28.5.38       vl3808.na01.0.bos01.atlas.cogentco.com    339.829ms 
 24 12.0.33.1        (TA ASSOCIATES, Boston, US)               341.378ms

Next we provide a few examples of AS-level traceroutes (also based on the iPlane data) from US universities impacted by the China Telecom routing leak, presented in a sequence-alignment style. In each sequence, there is a trace that was redirected through China Telecom (AS4134) by way of NLR (AS11164) on 8 April 2010. To illustrate the normal paths at that time, the errant one is sandwiched by AS-level traces seen on the previous and successive days.
Purdue University


 AS path for 128.10.19.53 (planetlab2.cs.purdue.edu) to 216.240.94.76 (Advertinet, US) 
 [04/07/10] 17 ----- ----- 209 12067 (19.18 ms) 
 [04/08/10] 17 11164  4134 209 12067 (106.47 ms) 
 [04/09/10] 17 ----- ----- 209 12067 (22.04 ms)

University of California, Santa Cruz


 AS path for 128.114.63.16 (planetslug3.cse.ucsc.edu) to 155.110.168.1 (Spartan Stores Inc., US) 
 [04/07/10] 5739 2152 11164  286 19151 26554 33372 (67.57 ms) 
 [04/08/10] 5739 2152 11164 4134  3356 26554 33372 (237.99 ms) 
 [04/09/10] 5739 2152 11164  286 19151 26554 33372 (66.35 ms)

University of Massachusetts


 AS path for 128.119.41.210 (planetlab1.cs.umass.edu) to 12.144.145.1 (SCOTTRADE, US) 
 [04/07/10] 1249 ----- -----  1239 3561 12221 (33.06 ms) 
 [04/08/10] 1249 22742 11164  4134 7018 12221 (247.83 ms) 
 [04/09/10] 1249 ----- -----  1239 3561 12221 (44.78 ms)

University of Florida


 AS path for 128.227.150.12 (planetlab2.acis.ufl.edu) to 72.175.8.1 (Bresnan Communications, LLC., US) 
 [04/07/10] 6356 ----- ----- 3356 7018 33588 (101.12 ms) 
 [04/08/10] 6356 11164  4134  174 7018 33588 (280.64 ms) 
 [04/09/10] 6356 ----- ----- 3356 7018 33588 (101.53 ms)

Oregon State

AS path for 128.193.33.8 (planetlab2.een.orst.edu) to 212.162.56.81 (Secure-Netz, DE) 
 [04/07/10 00:00:00]  4201 -----  3701  3356 25074 (222.03 ms) 
 [04/08/10 00:00:00]  4201 11164  4134  3320 25074 (287.73 ms) 
 [04/09/10 00:00:00]  4201 -----  3701  3356 25074 (170.01 ms)

Northwestern

AS path for 129.105.15.37 (planetlab2.eecs.northwestern.edu) to 201.218.212.1 (Copa Airlines, PA) 
 [04/07/10 00:00:00] 103 22335  3549 11556 26105 28031 (83.89 ms) 
 [04/08/10 00:00:00] 103 22335 11164  4134 26105 28031 (148.91 ms) 
 [04/09/10 00:00:00] 103 22335  3549 11556 26105 28031 (84.89 ms)

There were literally thousands more examples like these in the iPlane'' data.
Conclusion
In this blog post (and the last one ), we don't want to suggest we are somehow against peering. Peering is an essential feature of Internet connectivity and will continue to be in the future.
The main takeaway is that if your network is going to prioritize routes from a peer over a transit provider, then your network engineers should also take the time to set up appropriate filtering and monitoring of these links to ensure you don't accept and act on bogus routes. As far as the routes you share with your peers, you need to monitor the paths traffic is taking to reach your network to determine if a peer is leaking your routes. Additionally, if you don't exchange much traffic with another entity, it may not be worth peering with them just because you are both present at the same Internet exchange point'' . But if you must be promiscuous when peering, please use protection .

http://research.dyn.com/2014/11/use-protection-if-peering-promiscuously/

==========================================================