1 L0rd \/ Netizen Death Star
Jun 10, 2015
2 L0rd \/
Netizen Death Star: An Alternate Hypothesis for the Great China Internet Blackout of 2014
L0rd \/ [email protected]
3 L0rd \/
Presenter background:
• Some cyber and hosting operation’ing
• Some intel analyzing
• Some sys(eng)(admin)’ing
• Analyzing People's Republic of China (PRC) cyber activity for 10+ years
4 L0rd \/
Disclaimer:
• This presentation is not under the auspices of my employer or clients
• This presentation represents my own opinion(s) and does not reflect opinion(s) of my employer or clients
• This presentation is performed at my own expense
5 L0rd \/
This talk:
• Examine the Great China Blackout of 21 January
• They said this, others showed this
• Great Firewall (GFW) background
• Why this looks deliberate
• A usual target
• Plausible deniability
• Intelligence gaps
6 L0rd \/
The event: 21 January 2014
• Tuesday afternoon, all queries for Internet domains and website names in mainland China suddenly began resolving to a single IP address in Fremont, California.
• The redirection of nearly all Chinese netizen web traffic generated an unprecedented amount of traffic from the PRC to a data center near Silicon Valley.
• The problem did not completely clear until the next day, when all PRC ISPs had flushed their DNS server caches.
7 L0rd \/
What happened: according to official PRC-sanctioned sources
(Screenshots, via Google Translate, of statements from CNCERT, CNNIC, China Daily and Xinhua)
8 L0rd \/
What happened: according to GFW trackers and PRC dissidents
21 January 2014 Chinese Internet Outage (by GreatFire.org)

Time   Event
15:15  GFW DNS poisoning begins. First recorded instance.
15:17  Local DNS servers began to cache incorrect responses. Some large websites in China began to be affected, e.g. Sina Weibo.
       Incorrect DNS continues to spread through Chinese DNS servers. Major websites including Baidu and Sina affected.
15:39  DNS poisoning lifted by GFW. But local DNS resolvers cached incorrect responses. Users continued to experience the outage.
16:00  ISPs around China were manually flushing DNS caches and connections were gradually restored.
9 L0rd \/
What happened: according to PRC netizens whose Weibo posts were censored
10 L0rd \/
GFW background: and why this doesn’t look like an accident
11 L0rd \/
Golden Shield (金盾工程), AKA GFW (防火长城)
Established 2002: “mankind’s largest information censorship project”

Technical methods:
1. IP address blocking
2. Packet & URL filtering
3. Session resets
4. DNS poisoning

Organizations (diagram):
A. China Internet Network Information Center (CNNIC) – responsible for “Internet Affairs” (AKA ISP compliance with government), DNS security
B. Communications Security Bureau of the Ministry of Industry and Information Technology
12 L0rd \/
GFW DNS Poisoning: injection of false IP address(es)
• The GFW’s poisoned answer appears to be designed to beat the valid “true” answer to the requesting client: the injector sits on the path out of China, sees the outbound query, and sends a forged reply from much closer than the real authoritative server, so the forgery normally arrives first
• Caching (resolving) DNS servers inside the GFW accept the first reply whose transaction ID and question match, and will store that first (poisoned) answer for some time
• Q: What does the GFW answer with when it poisons a DNS query?
13 L0rd \/
GFW DNS Poisoning: answers
GFW DNS Poison Target IP Addresses 2010-2014

IP Address       ISP               Location             Notes
159.106.121.75   US DoD            (none)               No global route; outbound traffic would not leave PRC
243.185.187.39   N/A               (none)               No global route (240.0.0.0/4 is reserved); outbound traffic would not leave PRC
59.24.3.173      Korea Telecom     South Korea          Appears null-routed by target ISP
203.98.7.65      TelstraClear      Auckland, NZ         Appears null-routed by target ISP
8.7.198.45       Level 3           United States        Does not appear internally routed by ISP
78.16.49.15      BT Ireland        Dublin, Ireland      Appears null-routed by target ISP
46.82.174.68     Deutsche Telekom  Germany              Appears null-routed by target ISP
93.46.8.89       Fastweb SpA       Catania, Italy       Appears null-routed by target ISP
37.61.54.158     Baktelekom        Baku, Azerbaijan     Larger subnet appears null-routed by target ISP
14 L0rd \/
You try it! Practical
• Doesn’t work on hotel Wi-Fi (which “poisons the poison”: the captive portal intercepts and answers DNS itself)
• nslookup
• server dns1.chinatelecom.com.cn (an actual caching server)
• server 163.com, weibo.com, news.cn, etc. (not actual DNS servers; any address inside the GFW will do, because the injector answers the query in transit whether or not the destination runs DNS)
• Query for “www.facebook.com”, “dit-inc.us”, “twitter.com”
• Bonus: capture your packets
• Was there a DNS race to your system? Who won?
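The race described on the GFW DNS Poisoning slide and the packet-capture step of the exercise above, as an added example that is not part of the original deck: a standard-library Python script that builds a DNS query, parses the replies in arrival order, reports which answer a resolver would have cached (the first reply whose transaction ID and question match), flags a race (conflicting answers for one transaction ID), and checks the answers against the nine 2010-2014 poison targets and the single 21 January 2014 address from the slides. The packets are constructed inline so it runs offline; the 192.0.2.x addresses are documentation-range placeholders, not the genuine Facebook answer.

```python
"""Added example (not from the slides): minimal DNS wire-format builder/parser plus
the two checks a capture from the "You try it!" exercise needs: (1) did more than one
answer race in for the same transaction, and which one a resolver would have kept
(the first), and (2) do any answers point at the 2010-2014 GFW poison target set or
at the single 21 January 2014 address. All packets are constructed inline."""
import struct

# Poison targets from the 2010-2014 table (slide 13) and the 21 Jan 2014 answer (slide 16).
GFW_POISON_IPS = {
    "159.106.121.75", "243.185.187.39", "59.24.3.173", "203.98.7.65", "8.7.198.45",
    "78.16.49.15", "46.82.174.68", "93.46.8.89", "37.61.54.158",
}
EVENT_IP = "65.49.2.178"


def encode_name(name):
    # "www.example.com" -> b"\x03www\x07example\x03com\x00"
    labels = [label.encode() for label in name.strip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def decode_name(data, off):
    """Read a (possibly compressed) name; return (lowercased name, offset after it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels).lower(), (end if end is not None else off)


def build_query(txid, qname):
    """Standard A/IN query with RD set and one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1))


def build_response(txid, qname, ip, ttl):
    """Response (QR|RD|RA) echoing the question, one A record named via a 0xC00C pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
          + bytes(int(o) for o in ip.split(".")))
    return header + question + rr


def parse_packet(data):
    """Return txid, qname and the A-record answers [(ip, ttl), ...] of a query or response."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    off += 4                                        # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "qname": qname, "answers": answers}


def analyze(query, responses):
    """responses: raw reply packets in the order they reached the client.
    A stub or caching resolver keeps the first reply whose txid and question match the
    outstanding query and drops the rest, so the first match is what ends up cached."""
    q = parse_packet(query)
    matching = [r for r in map(parse_packet, responses)
                if r["txid"] == q["txid"] and r["qname"] == q["qname"]]
    if not matching:
        return {"winner": [], "replies": 0, "race": False, "poison_ip": False, "event_ip": False}
    answer_sets = [tuple(ip for ip, _ in r["answers"]) for r in matching]
    seen = {ip for s in answer_sets for ip in s}
    return {
        "winner": list(answer_sets[0]),
        "replies": len(matching),
        "race": len(set(answer_sets)) > 1,          # conflicting answers for one transaction
        "poison_ip": bool(seen & GFW_POISON_IPS),
        "event_ip": EVENT_IP in seen,
    }


def demo():
    """Constructed capture: the forged reply lands first, the genuine one second, plus noise."""
    qry = build_query(0x1234, "www.facebook.com")
    forged = build_response(0x1234, "www.facebook.com", "93.46.8.89", 300)
    genuine = build_response(0x1234, "www.facebook.com", "192.0.2.10", 60)   # placeholder address
    noise = build_response(0x9999, "example.com", "192.0.2.20", 60)          # wrong txid: ignored
    return analyze(qry, [forged, genuine, noise])


if __name__ == "__main__":
    print(demo())
```

On a real capture, feed analyze() the UDP payloads from the pcap in timestamp order; a second reply for the same transaction ID carrying a different answer is exactly the race the exercise asks about, and "winner" tells you which side of it your resolver believed.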
15 L0rd \/
Farsight Passive DNS database: shows history of GFW poisoning on a contributor inside the PRC
• (Spreadsheet screenshot)
• VirusTotal also has a passive DNS record contributor inside the GFW
16 L0rd \/
Which specific characteristics imply deliberate action rather than a blunder by a careless administrator?
• If all domain queries had been accidentally poisoned, the answers should have been drawn from the nine usual IP addresses (the 2010-2014 poison targets listed earlier)
• This time, the answer was a single IP address: 65.49.2.178
• What is the significance of 65.49.2.178?
17 L0rd \/
65.49.2.178: associated with the Freegate Proxy exit range
• Managed by Falun Gong-associated “Dynamic Internet Technologies”
• Freegate Proxy is a free product designed specifically to tunnel through the GFW and other nation-state firewalls
• “Five Poisons”: the groups of people the PRC considers the greatest danger to the stability of its authoritarian regime
  1. Tibetans
  2. Uighurs
  3. Democracy advocates
  4. Taiwanese
  5. Falun Gong
18 L0rd \/
Falun Gong: spiritual movement banned in the PRC
• Repeatedly targeted via cyber attacks by presumed PRC government elements
• Cyber troop “exercise” as featured on PRC state television
  Target: personal website of a Chinese grad student and Falun Gong practitioner, hosted on a US university server
19 L0rd \/
Falun Gong: websites attacked via DDoS
• Falun Gong-allied media organization Epoch Times reported that its websites experienced large-scale denial of service attacks on March 29 and April 1, 2012
• “Elements in Chinese Communist regime suspected”
20 L0rd \/
But wait…: why would the PRC government do that to itself?
• Good question
• Consider that the PRC regime considers the Internet a threat
• Controlling/severing Internet access to its populace has probably always been part of its playbook to maintain regime stability
• Still, an outage like this would have had to be planned, right?
21 L0rd \/
Evidence of information manipulation: official foreshadowing by CNNIC
22 L0rd \/
Evidence of information manipulation: official foreshadowing by CNNIC (continued)
23 L0rd \/
Evidence of information manipulation: official foreshadowing by CNNIC (continued)
24 L0rd \/
Evidence of information manipulation: official foreshadowing by CNNIC (the papers…)
25 L0rd \/
Evidence of information manipulation: official foreshadowing by CNNIC (the papers…)
2012 and 2013 DNS security in China compared: “still not so good… danger, danger!”, eight days before the “attack”
26 L0rd \/
Assessment summary: GFW steady-state DNS poisoning (GeoIP)
27 L0rd \/
Assessment summary: 21 January event
28 L0rd \/
Assessment summary: 21 January event (GeoIP)
29 L0rd \/
What Lord \/ suspects as the purpose behind the PRC’s Netizen Death Star
• This was a test of a “contingency option” cyber weapon by the PRC government
• Contingency option: financial industry term for an option that doesn’t cost the bearer anything until actually exercised
• The Netizen Death Star option has been available since 2002, so why not test it
• Growing more powerful all the time
• Liken it to going to a schoolyard fight with one rock in your back pocket
  – Don’t have to use it
  – Can use it only once (no reloading)
  – But it could do some serious (short-term) damage if aimed right
30 L0rd \/
Intelligence gaps: what were they thinking?
• If the 21 January event was in fact an offensive cyber capability exercise, was it deemed a success by the PRC government?
• Were all networks in the PRC poisoned? How about “VIP” networks?
• Why did the GFW engineers choose those nine steady-state IP addresses over some other IP addresses?
• The ISP behind the 65.49.2.178 IP address is Hurricane Electric. What kind of impact did the traffic generated by the 21 January 2014 DNS poisoning of netizen traffic by the GFW have on the Hurricane Electric backbone?
• Was it really 3400Gbps, as suggested by the “target” net owner, Bill Xia?
• Alternate hypothesis to my alternate hypothesis: the PRC used the event as an analysis “stimulus” on the FreeGate proxy network and its user base within China, whose tunneled traffic would not have been poisoned by the GFW.
• What do you think?