A short note for users of Cloudflare's public DNS resolver: traffic to the service was (possibly) hijacked by a Chinese network. Here is what is known so far.
DNS service, what do I need it for?
A DNS service is contacted for almost every action on the Internet (e.g. opening a web page in the browser). The DNS service resolves a host name such as www.borncity.com into an IP address. Only with this IP address can the browser, the e-mail client, etc. contact the relevant server on the Internet.
The DNS service is the address book of the Internet: given a name, it supplies the address (comparable to street and city). Whoever controls the DNS service, or can intercept the traffic to it, decides where Internet requests end up.
There are various DNS services in use
As an ordinary user you don't normally care about DNS services. DSL routers, Windows systems and mobile devices come pre-configured with a DNS server, and Internet requests are resolved via that server.
In most cases this is the DNS service of the Internet provider. But whenever that service is too slow, fails, or cannot be used because of censorship, some users configure an alternative DNS service in the router or operating system. Google, for example, offers a public DNS service at the IP address 8.8.8.8.
Cloudflare DNS service 1.1.1.1
Cloudflare also offers a DNS service, at the IP address 1.1.1.1 (see my blog post Cloudflare launches DNS Service with IP 1.1.1.1). The arguments for the offer were speed and, above all, privacy: Cloudflare promised to delete the query logs within 24 hours.
(Cloudflare DNS address)
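To make the "name in, IP address out" step concrete, here is an added example (not code from the original post or from Cloudflare) that builds a DNS A-record query, parses the answer, and can send the query over UDP to any resolver you choose, so you can compare what 1.1.1.1 and 8.8.8.8 return. The sample reply is constructed by hand and uses the documentation address 192.0.2.10, which is not the real address of www.borncity.com.

```python
import socket
import struct

# Added example: builds a DNS query for an A record, parses the reply, and can
# send the query to a resolver of your choice (1.1.1.1, 8.8.8.8, ...) over UDP.
# SAMPLE_RESPONSE below is constructed by hand; 192.0.2.10 is a documentation
# address (RFC 5737), not the real address of www.borncity.com.


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Return a DNS query packet (RFC 1035) asking for the A record of `name`."""
    # flags 0x0100: standard query, recursion desired; one question, no other records
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name starting at `offset`.

    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes):
    """Return (rcode, [(name, ipv4, ttl), ...]) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode, offset = flags & 0x000F, 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return rcode, answers


def resolve_via(resolver_ip: str, name: str, timeout: float = 3.0):
    """Send the query to resolver_ip:53 over UDP and return the parsed answer.
    Needs network access; run it against 1.1.1.1 and 8.8.8.8 to compare answers."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return parse_a_records(reply)


# Constructed reply to build_query("www.borncity.com"): flags 0x8180 (response,
# recursion available, NOERROR), one question, one answer whose name is a
# compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x08borncity\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))
    # print(resolve_via("1.1.1.1", "www.borncity.com"))  # needs network access
```

The transaction-ID check in `resolve_via` is the only thing tying a reply to the query; plain UDP DNS has no authentication, which is why whoever sits on the path to the resolver can answer in its place.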
DNS service hijacked?
I don't have a lot of information. Jake Williams (@MalwareJake) posted the following tweet (since deleted, because it wasn't Shanghai Telecom).
CloudFlare's new DNS service at 1.1.1.1 was hijacked by (drum roll please)
I wish I could say I'm surprised. I'm not. While this might be anecdotal bias, I'm not surprised that it's Shanghai Telecom either. https://t.co/okPZdjITeh
— Jake Williams (@MalwareJake) 29 May 2018
There was probably a BGP hijack of the prefix that holds Cloudflare's DNS service 1.1.1.1. Here is the BGPMon alert:
Possible BGP hijack
Beginning at 2018-05-29 08:09:45 UTC, we detected a possible BGP hijack.
Prefix 1.1.1.0/24 is normally announced by AS13335 Cloudflare Inc.
But beginning at 2018-05-29 08:09:45, the same prefix (1.1.1.0/24) was also announced by ASN 58879.
This was detected by 14 BGPMon peers.
Start time: 2018-05-29 08:09:45 UTC
Expected prefix: 1.1.1.0/24
Expected ASN: 13335 (Cloudflare Inc)
Detected advertisement: 1.1.1.0/24
Detected Origin ASN 58879 (Shanghai Anchang Network Security Technology Co.,Ltd.)
Detected AS Path 32764 11017 6939 58879
Detected by number of BGPMon peers: 14
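The alert above is the output of a simple check: every monitoring peer reports which AS path it sees for a prefix, and the last ASN in that path (the origin) is compared with the origin that is authorized for the prefix. Here is an added example of that check (not BGPMon's code, and not from the original post). It also flags more-specific announcements of a covered prefix, a case the alert above does not show. Only the mapping 1.1.1.0/24 to AS13335 and the AS path 32764 11017 6939 58879 are taken from the alert; the peer observations are constructed, and AS64496 to AS64511 are documentation AS numbers.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Added example of the origin check behind a "possible BGP hijack" alert.
# Only 1.1.1.0/24 -> AS13335 and one AS path are taken from the BGPMon alert on
# the page; the peer observations are constructed, not real BGPMon data, and
# AS64496-AS64511 are documentation AS numbers (RFC 5398).
EXPECTED_ORIGINS = {"1.1.1.0/24": {13335}}   # prefix -> set of legitimate origin ASNs


@dataclass(frozen=True)
class RouteUpdate:
    peer: str          # monitoring peer that saw the announcement
    prefix: str        # announced prefix
    as_path: tuple     # AS path as seen by the peer; the last ASN is the origin


SAMPLE_UPDATES = [
    RouteUpdate("peer-1", "1.1.1.0/24", (3356, 13335)),                 # legitimate origin
    RouteUpdate("peer-2", "1.1.1.0/24", (32764, 11017, 6939, 58879)),   # path from the alert
    RouteUpdate("peer-3", "1.1.1.0/24", (6939, 58879)),
    RouteUpdate("peer-4", "1.1.1.0/24", (174, 13335)),                  # legitimate origin
    RouteUpdate("peer-5", "1.1.1.0/24", (3257, 6939, 58879)),
    RouteUpdate("peer-6", "1.1.1.0/24", (6939, 58879, 58879)),          # prepended origin
    RouteUpdate("peer-7", "1.1.1.0/25", (64496, 64500)),                # more-specific hijack
    RouteUpdate("peer-8", "203.0.113.0/24", (64497,)),                  # prefix not monitored
]


def covering_expected(prefix: str, expected=EXPECTED_ORIGINS):
    """Return (covering_prefix, origin_set) for the most specific monitored prefix
    that contains `prefix`, or None if the prefix is not monitored at all."""
    net = ipaddress.ip_network(prefix)
    best = None
    for known, origins in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version or not net.subnet_of(known_net):
            continue
        if best is None or known_net.prefixlen > best[0].prefixlen:
            best = (known_net, origins)
    return best


def detect_hijacks(updates, expected=EXPECTED_ORIGINS, min_peers=1):
    """Group announcements by (prefix, origin ASN), flag every origin that is not
    authorized for the prefix (exact or covering), and count the peers that saw it."""
    peers_seen = defaultdict(set)
    first_path = {}
    for u in updates:
        if not u.as_path:
            continue
        key = (u.prefix, u.as_path[-1])
        peers_seen[key].add(u.peer)
        first_path.setdefault(key, u.as_path)
    alerts = []
    for (prefix, origin), peers in sorted(peers_seen.items()):
        match = covering_expected(prefix, expected)
        if match is None or origin in match[1] or len(peers) < min_peers:
            continue
        alerts.append({
            "prefix": prefix,
            "detected_origin": origin,
            "expected_prefix": str(match[0]),
            "expected_origins": sorted(match[1]),
            "peer_count": len(peers),
            "as_path": first_path[(prefix, origin)],
        })
    return alerts


def format_alert(a):
    """Render one alert in the style of the BGPMon message."""
    kind = "Possible BGP hijack" if a["prefix"] == a["expected_prefix"] \
        else "Possible more-specific BGP hijack"
    expected = ",".join(f"AS{n}" for n in a["expected_origins"])
    path = " ".join(map(str, a["as_path"]))
    return (f"{kind}: {a['prefix']} announced by AS{a['detected_origin']} "
            f"(expected {expected} for {a['expected_prefix']}), AS path {path}, "
            f"seen by {a['peer_count']} peer(s)")


if __name__ == "__main__":
    for alert in detect_hijacks(SAMPLE_UPDATES):
        print(format_alert(alert))
```

The `min_peers` threshold is what separates a single misconfigured peer from an event like the one above, where 14 peers saw the bogus origin; the peer count in the alert is the same figure this function reports.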
The timeline animation on bgpstream.com shows how, for a short time, traffic for the prefix was routed to another network (AS58879, a Chinese operator) by those networks that accepted the bogus announcement.
CloudFlare DNS hijack
The whole thing shows once again that the devil is in the details. It's good that Cloudflare offers a DNS service with stronger privacy promises. But if a Chinese network manages to divert traffic to that service, those promises are worth nothing for as long as the hijack lasts: a BGP hijack does not break into Cloudflare's servers, it makes part of the Internet send packets for 1.1.1.0/24 to the wrong origin, where they can be answered, logged or simply dropped. At least such experiments get noticed. I don't know what's behind it. Maybe this was another Chinese test to prepare for certain cyber attacks in a crisis.