
Archive for the 'GFW' Category

CNN hacker tech?

Monday, April 21st, 2008

Not sure where Narus.com gets their info, but they seem to have the scoop on the details of the CNN DDOS attack last week.

Multiple sites of CNN (www.cnn.com, www4.cnn.com, edition.cnn.com) were the target of these attacks. NarusInsight Secure Suite (NSS) reported 2 different kinds of attacks going towards CNN - ICMP flood attacks and TCP SYN flood attacks. Interestingly the attacks had very similar signatures, e.g. an instance of a SYN flood involved the attacker distributing his packets across multiple source ports while sending exactly the same number of packets per source port. This can be expected given that the hacker group had made it easy for the novice who could download a script to launch the attack. The highest bandwidth attack seen by NSS was an 80 Mbps SYN flood attack, while the others were much less than that.

They seem to think that the DDOS attack was not successful, saying, “Fortunately, there were no large scale attacks and CNN.com was very much up and running.”

However, there was widespread news of flakiness for a whole day, with China and US users finding timeouts and unreachable servers.

Wikipedia and Blogspot available in China

Wednesday, April 2nd, 2008

Not known for their sense of humor, the Chinese authorities chose April Fools’ Day to unblock Wikipedia and Blogspot, and netizens in the PRC are rejoicing. Danwei, Kaiser Kuo and CNET had the scoop. This past month saw both YouTube and BBC News unblocked as well. Ironic, considering the recent unrest in T%bet.

The downside is that Chinese Wikipedia (zh.wikipedia.org) is still blocked, through the filtering of its “host header.” For the tech inclined, here are examples of the block in action showing how de: (German Wikipedia) works fine, but zh: does not:

SUCCESS

$ wget --header "Host: de.wikipedia.org" http://203.212.189.253
--2008-04-03 01:22:54--  http://203.212.189.253/
Connecting to 203.212.189.253:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://de.wikipedia.org/wiki/Hauptseite [following]
--2008-04-03 01:22:55--  http://de.wikipedia.org/wiki/Hauptseite
Resolving de.wikipedia.org... 203.212.189.253
Reusing existing connection to 203.212.189.253:80.
HTTP request sent, awaiting response... 200 OK
Length: 34452 (34K) [text/html]
Saving to: `Hauptseite'

100%[=======================================>] 34,452      38.0K/s   in 0.9s

2008-04-03 01:22:57 (38.0 KB/s) - `Hauptseite' saved [34452/34452]

FAILURE

$ wget --header "Host: zh.wikipedia.org" http://203.212.189.253
--2008-04-03 01:23:02--  http://203.212.189.253/
Connecting to 203.212.189.253:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
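To make the Host-header check above reproducible without touching a live network, here is an added Python example (not from the original post): a local stand-in for a filter that reads the HTTP Host header and resets connections naming one hostname, plus a probe that sends the same kind of request wget does and reports whether it got a status line, a reset, or a silent close. The blocked hostname, the loopback listener and all the HTTP content are constructed for the demo; nothing here contacts 203.212.189.253.

```python
import socket
import struct
import threading

# Constructed block list for the demo: only the Chinese Wikipedia hostname is
# "blocked", mirroring what the wget transcript shows.
BLOCKED_HOSTS = {"zh.wikipedia.org"}


def parse_host_header(request: bytes) -> str:
    """Return the Host header value from a raw HTTP/1.x request (empty if absent)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return ""


def _handle(conn: socket.socket) -> None:
    """Serve one connection: reset it if the Host header is on the block list."""
    with conn:
        request = conn.recv(4096)
        if parse_host_header(request) in BLOCKED_HOSTS:
            # SO_LINGER with a zero timeout makes close() emit RST instead of FIN,
            # which the client reports as "Connection reset by peer".
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            return
        body = b"hello\n"
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: " + str(len(body)).encode()
                     + b"\r\nConnection: close\r\n\r\n" + body)


def start_filter() -> int:
    """Start the filtering server on 127.0.0.1 and return the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def probe(ip: str, port: int, host_header: str, timeout: float = 3.0) -> str:
    """Send one GET with an explicit Host header and classify what comes back.

    Returns the HTTP status line on a normal reply, or "reset" / "closed" /
    "timeout" when no reply arrives. Running this for a few Host values against
    one IP is the same check the wget transcript performs by hand.
    """
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode())
        try:
            data = s.recv(4096)
        except ConnectionResetError:
            return "reset"
        except socket.timeout:
            return "timeout"
    if not data:
        return "closed"
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    port = start_filter()
    for host in ("de.wikipedia.org", "zh.wikipedia.org"):
        print(f"{host:20s} -> {probe('127.0.0.1', port, host)}")
```

The distinction the probe draws matters for diagnosis: a status line means the far end answered, a reset or silent close before any bytes arrive means something between you and it stopped the request after reading the headers, which is exactly the signature of Host-header filtering rather than an unreachable server.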

GFW in The Atlantic

Friday, February 8th, 2008

James Fallows has a new piece in The Atlantic about the Great Firewall, and is largely on target. I particularly like the analysis in the kicker:

It would be wrong to portray China as a tightly buttoned mind-control state. It is too wide-open in too many ways for that. “Most people in China feel freer than any Chinese people have been in the country’s history, ever,” a Chinese software engineer who earned a doctorate in the United States told me. “There has never been a space for any kind of discussion before, and the government is clever about continuing to expand space for anything that doesn’t threaten its survival.” But it would also be wrong to ignore the cumulative effect of topics people are not allowed to discuss.

It’s pretty tough to relate all the tech details in a literary magazine, and I spent some time with Fallows in a Beijing Starbucks going over the nitty-gritty. Hope to post the entire details sometime soon.

YouTube unblocked in China

Wednesday, October 31st, 2007

There are many independent reports coming in that as of last night, YouTube is accessible again in China via the big providers China Netcom and China Telecom. I can confirm Beijing China Netcom can access it.

It may be that blocks are unwinding after the CPC 17th National Congress, or it could be a hiccup. Thomas Crampton, who has been unable to do video blogs from Beijing, will be happy to hear the good news.

Chinese Wikipedia at 150,000

Friday, October 26th, 2007

Congratulations to the Chinese Wikipedia, which just hit 150,000 articles, despite being blocked in China.

The latest stats showed that Hong Kong and Taiwan contributors make up over 50% of the contributors. Dedicated PRC users who can get to zh.wikipedia.org by proxy and overseas Chinese make up the rest. A quick spot check also shows lots of the activity in zh: relates to pop culture and current events, such as Harry Potter (哈利波特-死神的聖物), Rain Man (雨人), Heart of Greed (溏心风暴), GiGi Lai (黎姿). This does not seem so different from English Wikipedia, and may well be what gets folks introduced to Wikipedia first.

Comcast does a GFW

Wednesday, October 24th, 2007

Welcome Comcast USA users to the club of Internet blocking. You now share a bond with millions of Internet users in China! It may seem annoying, but with the right tools and some perseverance, you too can keep downloading without any hiccups.

The story

It seems the US Internet service provider has been using Great Firewall-style tactics to prevent customers from running P2P protocols like BitTorrent. Some sleuthing by the EFF found that TCP reset (RST) packets are sent to kill connections related to P2P file transfers by Comcast customers. This clandestine connection sniping is pretty hard to diagnose without geeky tools like Wireshark or Ethereal, but the shutdown technique is used by more and more ISPs. It’s what the Great Firewall here in China depends on for blocks triggered by keywords.
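One way a customer with a packet capture can confirm this kind of connection sniping is a TTL consistency check, shown here as an added Python example that is not part of the original post. The idea: every packet a peer really sends arrives with the same IP TTL for the life of a flow, while a RST injected by a device somewhere in the path comes from a different hop count and, unless the device spoofs the TTL as well, carries a value the peer never used. The packet records below are constructed summaries of the fields Wireshark would show; all addresses, ports and TTL values are made up.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One record per packet: (time, src, dst, tcp_flags, ip_ttl). Constructed data.
Packet = Tuple[float, str, str, str, int]

CAPTURE: List[Packet] = [
    # flow A: the peer closes normally; its RST carries the same TTL as its data
    (0.00, "10.0.0.5:51234", "198.51.100.7:6881", "S", 64),
    (0.09, "198.51.100.7:6881", "10.0.0.5:51234", "SA", 52),
    (0.09, "10.0.0.5:51234", "198.51.100.7:6881", "A", 64),
    (0.30, "198.51.100.7:6881", "10.0.0.5:51234", "PA", 52),
    (0.31, "10.0.0.5:51234", "198.51.100.7:6881", "A", 64),
    (2.10, "198.51.100.7:6881", "10.0.0.5:51234", "R", 52),
    # flow B: a RST "from" the peer shows up with a TTL the peer never used
    (5.00, "10.0.0.5:51235", "203.0.113.9:37412", "S", 64),
    (5.12, "203.0.113.9:37412", "10.0.0.5:51235", "SA", 47),
    (5.12, "10.0.0.5:51235", "203.0.113.9:37412", "A", 64),
    (5.40, "203.0.113.9:37412", "10.0.0.5:51235", "PA", 47),
    (5.41, "203.0.113.9:37412", "10.0.0.5:51235", "PA", 47),
    (5.55, "203.0.113.9:37412", "10.0.0.5:51235", "R", 61),
]


def baseline_ttls(packets: List[Packet]) -> Dict[Tuple[str, str], Set[int]]:
    """Collect the TTL values seen on non-RST packets for each (src, dst) direction."""
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for _, src, dst, flags, ttl in packets:
        if "R" not in flags:
            seen[(src, dst)].add(ttl)
    return seen


def suspicious_resets(packets: List[Packet]) -> List[Packet]:
    """Return RST packets whose TTL never appeared on that sender's other packets.

    Heuristic only: a RST for which the sender has no baseline is left alone,
    and an injector that copies the peer's TTL would not be caught this way.
    """
    base = baseline_ttls(packets)
    flagged = []
    for pkt in packets:
        _, src, dst, flags, ttl = pkt
        if "R" in flags and base.get((src, dst)) and ttl not in base[(src, dst)]:
            flagged.append(pkt)
    return flagged


if __name__ == "__main__":
    for t, src, dst, flags, ttl in suspicious_resets(CAPTURE):
        print(f"t={t:.2f} RST {src} -> {dst} ttl={ttl}: TTL mismatch, likely injected")
```

Run over the constructed capture, flow A's reset passes (TTL 52 matches the peer's SYN-ACK and data) and flow B's reset is flagged (TTL 61 against a baseline of 47). On a real capture you would apply the same test per flow and then look at whether the "reset" connection was still exchanging data right up to the RST, which is the other tell-tale of a third party cutting in.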

This revelation comes at a particularly bad time for ISPs in the US, when the network neutrality debate had died down. But this will re-energize the Internet purists, as it directly hurts the credibility of ISPs who say the US does not need regulation of “neutrality.” If Comcast had given fair notice to customers via service agreements about proper and improper use of their connections, that would be one thing. But users had their IP connections shut down mysteriously for unstated reasons. That’s something that usually happens in other places. Like China.

There is a solution

While there is widespread piracy over P2P networks, there are absolutely legitimate uses for them. Comcast seems to have classified any BT P2P file transfers as something that should be shuttered for copyright infringement. That would be a bad assumption.

The other day I downloaded NeoOffice (open source) for the Mac at 140 Mbytes using BitTorrent because it’s much faster than FTP. I was able to get 120 kilobytes/second on P2P versus 15 kilobytes/second via straight download. Many folks download Linux distributions and operating system patches via BT for exactly this reason.

Is there a solution for customers? Well EFF is considering a legal challenge, as this seems ripe for a class action lawsuit. In the meantime, there are ways to circumvent RST-based tactics of firms like Comcast.

Here, China Netcom also frowns on P2P by slamming shut transfers and tracker communication. A combination of techniques, like using BT clients supporting encrypted connections, can solve the problem. The following is what works for me, and it should work for nearly anyone who has to deal with a firewall/filtering system while using BT.

BACKGROUND: There are two different “channels” that BitTorrent uses — tracker communication and peer communication. Tracker communication is basically what the BT client needs to connect to a tracker server, which has the particulars of the transfer: what file is being transferred, which peers have it, and the progress of the client. It’s basically the coordination center for the entire session and is the only real vulnerable hub of a P2P system, becoming a single point of failure/blocking. The other part is peer communication. This is what takes place between your computer and the multitude of other computers on the Internet. This makes up the big bulk of traffic on P2P, when your computer is perhaps chatting with 100+ other clients to transfer little chunks of the file you want.

So the tactic of ISPs is to block either or both of these types of communication. In days of old, when BitTorrent was new (or ISPs didn’t care or notice), all peer communication happened on port 6881 and tracker communication happened on 6969. For a long time this worked fine. But since these port numbers are well known, to block BT the ISP could simply block all packets to those ports. Game over for the client.

So people started changing port numbers to high, randomly chosen values (37412, for example) for peer communication and to less well-known port numbers for tracker communication. That worked for a while. But in this escalating game of cat and mouse, ISPs started putting in systems to actually inspect packets across all ports to see if they had telltale BitTorrent “headers,” and shutting down those connections. Thus high-numbered, randomly selected ports were no longer good enough. The power swung back to the ISPs.
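The stages of that cat-and-mouse game can be laid side by side. The following is an added Python example, not code from the post or from any BitTorrent client: a port-based filter, a payload filter that looks for the plaintext handshake prefix on any port, and a byte-entropy measure, each run over a handful of constructed flows. The handshake prefix is the real one from the BitTorrent wire protocol; the "encrypted" payloads are made-up bytes standing in for ciphertext, and the port numbers are the ones the post names plus one arbitrary value.

```python
import math
from typing import Dict

BT_WELL_KNOWN_PORTS = {6881, 6969}          # the defaults the post mentions
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # real plaintext handshake prefix

# Constructed flows: (destination port, first bytes of payload). The "encrypted"
# payloads are made-up bytes standing in for ciphertext; the last flow is there
# to show that encrypted BitTorrent and any other encrypted stream look alike.
FLOWS = {
    "plaintext handshake, port 6881":
        (6881, BT_HANDSHAKE + b"\x00" * 8 + b"I" * 20 + b"P" * 20),
    "plaintext handshake, port 37412":
        (37412, BT_HANDSHAKE + b"\x00" * 8 + b"I" * 20 + b"P" * 20),
    "encrypted handshake, port 37412":
        (37412, bytes.fromhex("9f3e0a7c5512ee48b0d1c39a6e77f2048a15bdc0e3f921674fa8d26b0cb49d33")),
    "other encrypted stream, port 40011":
        (40011, bytes.fromhex("c84a1f6d92e00b73a5fe3c41d79b0e5216f8a38d6c21b4e97a05cd3f48e61b97")),
}


def port_filter(dst_port: int, payload: bytes) -> bool:
    """Generation one: decide by destination port alone."""
    return dst_port in BT_WELL_KNOWN_PORTS


def header_filter(dst_port: int, payload: bytes) -> bool:
    """Generation two: inspect the payload on any port for the plaintext handshake."""
    return payload.startswith(BT_HANDSHAKE)


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy in bits per byte. Protocol chatter with repeated fields
    scores low; ciphertext scores at the ceiling the sample length allows."""
    if not payload:
        return 0.0
    counts: Dict[int, int] = {}
    for b in payload:
        counts[b] = counts.get(b, 0) + 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(flows) -> Dict[str, Dict[str, object]]:
    """Run all three checks over every flow so the escalation can be read off."""
    return {
        name: {
            "port": port_filter(port, payload),
            "header": header_filter(port, payload),
            "entropy": round(byte_entropy(payload), 2),
        }
        for name, (port, payload) in flows.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(FLOWS).items():
        print(f"{name:36s} {verdict}")
```

Reading the output top to bottom: moving off port 6881 defeats the port filter but not the header filter; encrypting the handshake defeats both. The entropy column shows why a third generation of filtering based on "this looks like random bytes" does not recover the lost ground, since the encrypted BitTorrent flow and the unrelated encrypted stream score identically.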

SOLUTION. What’s fascinating is the furious software arms race the P2P open source community engaged in to solve this problem. Programmers have upped the ante by using encryption and de-centralizing the tracker function to the point where BT is now nearly unblockable. But it’s not for the average user, since you do need some special configuration with the right clients.

The basic solution is to use encrypted peer communication, and a proxy server for the tracker communication.

Newer clients like uTorrent (Windows) and Azureus (nearly every platform) now support encrypting all traffic between peers using RC4 encryption, and setting an arbitrary port number. The only thing ISPs see then are IP packets with encrypted gibberish going from one random port number to another computer’s random port number. They cannot tell whether it is VoIP traffic, a file transfer, VPN, MMORPG data, or anything else. It is completely opaque to them, and filtering cannot work on the packets. Because the two peers do a handshake to establish a unique session key that no one else knows, the ISP is out of luck.

The RC4 encryption used by clients, while not the state of the art, is hard enough to crack that it isn’t practical to inspect those packets without major horsepower (like supercomputer horsepower). Comcast, China Netcom, or any other intermediary ISP has no real option but to pass it along as an ordinary IP packet.

Tracker communication needs a different treatment. It’s much easier for ISPs to block this, because there are only a few dozen popular BitTorrent trackers in the world. By simply blocking all traffic to them, or watching each packet, they can just shut down those connections. The simplest way to circumvent this is to use a proxy. Azureus supports the use of a SOCKS proxy server. As a China Internet user, I always have an SSH tunnel open and in use for my proxy communication. It’s just a normal part of my day to get to blocked sites like BBC, Blogger, YouTube, etc.

However, SSH is not something everyone has. I happen to have it as part of a hosting plan, but it’s fairly easy to get one as part of a $5.95/month plan like on BlueHost. There are also sites that give free SSH accounts, like silenceisdefeat.org. In the Azureus options, you can simply instruct the client to use a proxy for tracker communication. That way, the ISP you are using cannot even tell any P2P is happening since your proxy server is doing all the tracker communication on your behalf, and it’s encrypted in the SSH tunnel. (There is a full tutorial about this technique for Windows here and here).

With this whole thing set up — high-numbered random ports, encrypted peer communication and proxied tracker communication — your local ISP is none the wiser to what’s going on, even when employing basic surveillance techniques like packet inspection. I’ve been able to max out my connection speed using this arrangement for torrents that have lots of peers. There are some small caveats — not all clients support RC4 encryption, so not all the seeds/leechers listed will be available to you. Also, if your SSH connection breaks off for some reason, it will likely stall your transfer. (I use a command line tool like “autossh” to keep a persistent SSH connection.)

As I warned though, this is not for the average person. The most exotic part of the solution is an SSH tunnel, which only real hard-core Internet users would have.

The final tally

What this arms race means in the long run is more interesting. If the US government will not regulate the maintenance of “neutrality” into the operation of ISPs, users can demand it in part by encrypting everything and preventing operators from discriminating against (or currying favor towards) certain types of traffic.

This has always been the problem with the perennial hope of ISP-supported Quality of Service (QoS), because it depends on the operator being a relatively fair or accommodating intermediary. This assumes there is a telco/ISP acting purely as a “common carrier” whose job is to relay traffic expeditiously for the benefit of the customer. The problem is that one side of the connection is the ISP’s customer; the other end usually is not. Also, more and more ISPs have a vested interest in pushing their own VoD, VoIP or walled-garden products over the exact same lines that Google, Facebook and Joost are using for their multibillion-dollar ambitions.

It is natural, though problematic, for a “common carrier” to mix its own product’s fortunes into its relaying policy. And that’s where the heart of the debate is.

Barcamp Beijing 2007

Monday, September 3rd, 2007

This past Sunday marked the first-ever Barcamp held in Beijing, which turned out to be an upbeat gathering showcasing the potential of a grassroots tech community here.

Some of the themes discussed at the “unconference” included business planning, startup advice, translation, Web 2.0 applications (like twitter), China’s economic position, Wikipedia (yours truly), the Great Firewall, T-shirts 2.0, gaming industry in China and Creative Commons in China.

What exactly is Barcamp? Even those attending may not know the origins, so here’s the 30 second summary. Publisher Tim O’Reilly has an exclusive “Foo Camp” for Friends Of O’Reilly in Northern California each year, where he invites a select techno elite to meet and create a conference agenda on the spot and hang out. He calls it the “wiki of conferences.” After the second year of FOO Camp, some tech folks were annoyed that it was so closed a group. Even invitees from one year were not always invited to the next year’s event, which caused some angst. So geeks in the San Francisco area decided to have an alternative “Barcamp” at the same time (see [[Foobar]] in Wikipedia for the techie cultural significance of this) where anyone could come and have an unconference of their own. The idea became viral, and now there are Barcamps around the world, as ad hoc gatherings of techies with the common interest of sharing knowhow and ideas.

Typically how Barcamp works is folks arrive ready to discuss, present or demonstrate something. You write your idea on a yellow PostIt note, and stick it on the board. After all interested folks have put up their proposals, they are either voted on or just organized by the conveners into 30 minute time slots throughout the day. At Barcamp Beijing there were slightly fewer proposals than slots, so each one got a slot.

In reality, many presentations are really just an excuse to get conversation going as the most useful learning happens in the hallways and side discussions.

In China, Shanghai has always been the more progressive city for business and technology, so last year they hosted the first Barcamp in China. This year marked the first one in Beijing, and there was an average of 60 or so people at any one time, with a total attendance of around 100 in all. Held at the slick facility of Orange Labs/France Telecom in Haidian, northwest Beijing, it’s right in the heart of the university and technology park district. This is where you’ll find Tsinghua, Peking, Renmin and other universities and the offices of Microsoft, Google and other tech companies.

Hopefully this marks the advent of more ad hoc gatherings in the tech community here.

The grassroots, unpredictable nature of these plan-on-the-spot unconferences makes them uncomfortable for the authorities here, but perhaps they’ll see these do much more good than harm. The free flow of ideas and contacts is absolutely necessary if China wants to be competitive in the software world with Bangalore, if not Silicon Valley. Otherwise, the PRC will continue to be stuck at the bottom of the value chain, simply being a cheap source for hardware manufacturing and assembly.

Great job by Kris Krug, Robert Scales, Orange Labs and the rest of the folks who helped out. I hope this can be replicated more.

I’ll post shortly with some session summaries and reflections, but in the meantime you can find some good summaries with MeMedia and Jodi Xu.

Tor Anonymity Issues

Sunday, February 25th, 2007

A report from the University of Colorado describes a weakness in Tor, a popular anonymity system and tool for getting around the Great Firewall. While it does take a fair amount of resources to compromise the anonymity, it is a cause for concern because it is significantly more feasible than previously thought. From their paper:

We show that an attacker can infiltrate the Tor network and can fully compromise the anonymity of a large percentage of users…

In our experiments conducted on our isolated Tor deployment consisting of 60 nodes, our attack was able to correlate over 46% of circuit-building requests through the entire network. This is a significant increase over the 0.70% analytical expectation assumed by many anonymity systems analysts… our attack performed far above expectations.

Here’s a summary and link to the Slashdot posting that brought attention to this.

Tor Open To Attack

“A group of researchers have written a paper that lays out an attack against Tor (PDF) in enough detail to cause Roger Dingledine a fair amount of heartburn. The essential avenue of attack is that Tor doesn’t verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network.”

UPDATE (Feb 26 08:03:36 UTC): After just talking to the folks at the Tor project, it seems the threat is not as large as the paper has declared. Roger Dingledine and Shava Nerad of the project are incredibly sharp folks and promise to come out with an official response soon.

I was also concerned the paper was only a CS department report from the U of Colorado, and not an accepted conference or journal paper, meaning that no fellow researchers or folks in the field have endorsed their analysis. Some of the comments on Slashdot also agree that these are not brand new issues.
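The mechanism the Slashdot summary describes, unverified bandwidth claims drawing a disproportionate share of circuits onto attacker relays, can be sized with a small model. The following is an added Python example, not the paper's analysis or the Tor project's code: it compares the fraction of circuits whose entry and exit both land on attacker relays when every relay is weighted equally against the fraction when attacker relays over-advertise and are believed. The 60-relay network size matches the paper's test deployment as quoted above; the count of attacker relays, the ten-fold inflation factor and the simplification to two weighted hops with no guard logic are assumptions made for the illustration.

```python
import random
from typing import List, Set


def compromise_fraction(advertised: List[float], malicious: Set[int]) -> float:
    """Closed-form estimate: entry and exit both on attacker relays when each hop
    is drawn in proportion to advertised bandwidth. Hops are treated as independent
    draws, so this slightly overstates the exact figure for distinct relays."""
    total = sum(advertised)
    bad = sum(w for i, w in enumerate(advertised) if i in malicious)
    return (bad / total) ** 2


def simulate(advertised: List[float], malicious: Set[int],
             circuits: int = 20000, seed: int = 7) -> float:
    """Monte Carlo check: build circuits choosing entry and exit by weight, never
    reusing the entry as exit, and return the fraction with both ends malicious."""
    rng = random.Random(seed)
    nodes = list(range(len(advertised)))
    hits = 0
    for _ in range(circuits):
        entry = rng.choices(nodes, weights=advertised, k=1)[0]
        rest = [n for n in nodes if n != entry]
        exit_ = rng.choices(rest, weights=[advertised[n] for n in rest], k=1)[0]
        if entry in malicious and exit_ in malicious:
            hits += 1
    return hits / circuits


# Constructed scenario: 60 relays, as in the paper's isolated deployment, with 6
# of them run by the attacker (assumed). Honest case: every relay advertises the
# same bandwidth. Inflated case: attacker relays claim ten times as much and the
# claim is accepted as-is, which is the point the Slashdot summary makes.
N, ATTACKER = 60, set(range(6))
HONEST = [1.0] * N
INFLATED = [10.0 if i in ATTACKER else 1.0 for i in range(N)]

if __name__ == "__main__":
    for label, adv in (("honest", HONEST), ("inflated", INFLATED)):
        print(f"{label:9s} closed-form {compromise_fraction(adv, ATTACKER):.3f}"
              f"  simulated {simulate(adv, ATTACKER):.3f}")
```

With equal weights, 10% of the relays being malicious gives roughly a 1% chance that a circuit is bracketed at both ends; once those same relays are believed to carry ten times the bandwidth, the same six machines sit at both ends of about a quarter of all circuits. That quadratic jump, from an unchanged number of attacker relays, is why verifying advertised capacity matters for a system whose path selection trusts it.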

Great Firewall Site

Thursday, February 15th, 2007

A new site called GreatFirewallofChina.net tries to bring attention to Internet blocking in the PRC by allowing folks to check sites for reachability within China. While there are a number of flaws to their methodology (a single test cannot give the full picture) it will be interesting to see what their results are.

Happy Chinese New Year, all.

Internet Restoration with Flickr Hiccups

Tuesday, January 30th, 2007

Day two of the Internet restoration in China, and connections remain very fast. Seems most everyone in the PRC is getting good speeds to sites outside the country.

Just two weeks ago, roundtrip times to Google.com and other California-based ISPs were around 600 milliseconds with significant packet loss. A test yesterday showed that those times are now much lower, at around 250 milliseconds. Downloads of podcast audio files have been very fast. Where last week some podcasts would not even start downloading, today 25 Mbyte audio files were downloaded in about 10-15 minutes.

There is, however, some weirdness with some sites. Flickr.com now fails to load correctly, with some of the visual Web 2.0 components breaking. Seems that Flickr images being supplied from “yimg.com” are not making it through.

UPDATE: Flickr.com seems to have started working OK again on Tuesday.