View Full Version : WikiLeaks: Moving Target

tangent4ronpaul
12-09-2010, 03:03 AM
http://www.renesys.com/blog/2010/12/wikileaks-moving-target.shtml

This has been an exciting month for those of us who study the Internet's infrastructure and think about ways to keep it running (and growing). Did I say exciting? Maybe "exhausting" would be more accurate. From China, to Iran, to the US Congress, everyone seems to be wondering how best to control the Internet and bring it in line with local law.

And then came the latest iteration of the WikiLeaks drama.

Love them or hate them, you have to admit that these folks are effective at creating and sustaining an audience for their content. Their glacially slow release of secret information, a few tastes each day, is calculated to feed a media storm that could easily last for months.

If nothing else, the massive amounts of traffic they are attracting, and the efforts of actors unknown to shut them down, have created a unique laboratory for studying Internet resilience.

Consider their primary website: wikileaks.org. They lost their Web hosting, their payment services, and ultimately the use of the domain name itself, all while coming under withering DDoS attacks and intermittent nation-level blacklisting. And yet, WikiLeaks stays up, taunting their adversaries with their jaunty hourglass and hourly tweets of coming attractions.

How are they staying on the Internet? Why haven't their adversaries shut them down already?

I guess the short answer is that the harder you hit them, the bigger they get.

For the long answer, you need to examine their DNS and BGP configurations: the mapping from domain names (like wikileaks.ch) to IP addresses (like 178.21.20.8), and from IP addresses to the providers who host them. These are the protocols that make the Internet survivable, and after a somewhat shaky start, it's clear that WikiLeaks is exploiting them very effectively to stay alive.
Termination of Service

In recent months, wikileaks.org's content had lived happily in just a few IP address blocks, hosted by Bahnhof and PRQ (two Swedish ISPs with ... let's say ... liberal policies for the content they host), and French provider Cursys. Then, when the cables were first released at the end of November, WikiLeaks added additional hosting in Amazon's EC2 cloud (presumably to cope with the tremendous volumes of traffic being generated in the first days of the release).

It was not to last — Amazon evicted them on December 1st for terms of service violations. In response, they diversified by hosting the wikileaks.org domain in two different IP blocks: one in France, hosted by OVH, and another in Sweden, hosted by Bahnhof.

A couple days later, on December 3rd, EveryDNS (their DNS provider) shut them off, refusing to supply a valid IP address to queries for wikileaks.org. Today, if you ask the .org root for the authoritative DNS servers for wikileaks.org, you still get back the same four EveryDNS servers ... but they won't answer.

Why didn't WikiLeaks just change DNS providers for the .org site? That's a bit of a mystery — we'd note only that the sponsoring registrar is a California company, Dynadot, who apparently doesn't know what to do with the hot potato.

Thus endeth the first phase of WikiLeaks' "rustication."

Respawning Globally

Remember, when EveryDNS made their call to turn off DNS for the wikileaks.org domain on December 3rd, the WikiLeaks IP address space was still routed and their servers were still alive (though intermittently unavailable due to tremendous inbound DDoS attacks). When the wikileaks.org domain stopped resolving, WikiLeaks simply diversified into alternative ccTLDs (country code top level domains) and pointed those names towards existing IP addresses, or added new hosting.

The country-level domain for Germany (wikileaks.de) has Swedish hosting from PRQ in Sweden and 1&1 in Germany; the European Union (wikileaks.eu), Finland (wikileaks.fi), the Netherlands (wikileaks.nl), Poland (wikileaks.pl), Sweden (wikileaks.se), and Tonga (wikileaks.to) have been pointed at the existing 88.80.0.0/19 block, hosted by Bahnhof in Sweden. But just to make good and sure, additional country-level domains for Austria (wikileaks.at), the Cocos Islands (wikileaks.cc), and Switzerland (wikileaks.ch, held by the Swiss Pirate Party) came up on Bahnhof's 88.80.0.0/19 block over the weekend. Norwegian wikileaks.no has hosting from French OVH and Swedish Bahnhof, and Luxembourg (wikileaks.lu) marches to its own drum, getting hosting from local provider Root SA. (There are probably some I'm missing, and the set continues to mutate daily, adding additional hosting in different countries to continuously reduce vulnerability to takedown.)

To prevent a repeat performance of the EveryDNS experience, the Swiss site seems to have been selected for heavy reinforcement through DNS diversification. If you ask for the authoritative servers for wikileaks.ch today, you'll find no fewer than 14 different authoritative nameservers, spread across eleven different autonomous systems, in eight different countries, from Switzerland to Canada to Malaysia. And if you ask any of those 14 servers where to find wikileaks.ch, they'll point you to one of three differently routed IP blocks, containing web server IP addresses with diverse geolocation: 78.21.16.0/21 (originated by Serverius, in the Netherlands), 46.59.0.0/17 (originated by Bahnhof, in Sweden), and 213.251.128.0/18 (originated by OVH in France).

Are you getting the picture yet?

Taking away WikiLeaks' hosting, their DNS service, even their primary domain name, has had the net effect of increasing WikiLeaks' effective use of Internet diversity to stay connected. And it just keeps going. As long as you can still reach any one copy of WikiLeaks, you can read their mirror page, which lists over 1,000 additional volunteer sites (including several dozen on the alternative IPv6 Internet). None of those is going to be as hardened as wikileaks.ch against DNS takedown or local court order — but they don't need to be.

Within a couple days' time, the WikiLeaks web content has been spread across enough independent parts of the Internet's DNS and routing space that they are, for all intents and purposes, now immune to takedown by any single legal authority. If pressure were applied, one imagines that the geographic diversity would simply double, and double again.

And we're only considering the website itself, not the torrented data files, which ensure that cryptographically signed copies of the website and its backing data are dispersed beyond all attempts to recall or suppress the information they contain. That's an Internet infrastructure subject for another day.

Diversification: Not Without Its Problems

If you think for a moment, you'll realize that this rapid growth does create some potential problems with trust — when you click through to one of the myriad wikileak-look-alike sites out there, which ones are "real?" They all look pretty familiar, and share the same content at first glance. But there's no mechanism in place to allow you to know that you're looking at an unaltered, reasonably real-time mirroring of the official wikileaks.org website (which is, of course, no longer available for comparison). Is that incredible cable about the existence of alien bodies in New Mexico real, or is it a joke?

The torrents don't suffer from this problem, because they are signed, and the WikiLeaks public key was distributed long ago. But when I visit, to pick a random example from the WikiLeaks mirror page, http://nepaliwikileaks.org/, am I really reading the Real Deal? For that matter, which of the dozens of official WikiLeaks sites are the Real Deal?

We can already see that enterprising souls who care more about ad revenue than Internet freedom have 'parked' other WikiLeaks ccTLD domains. I'm looking at you, Belgium, Chile, Colombia, India, Spain, Japan, Russia, Slovakia, and Niue (.nu). The Wikia Inc folks are hanging onto wikileaks.us, wikileaks.com, and wikileaks.net.

My favorite example here would be wikileaks.ru, which looks like this:

http://www.renesys.com/blog/assets_c/2010/12/wikileaks_ru-thumb-600x555-177.jpg

Summary

This is a volatile conflict, with people who feel strongly about freedom on both sides, and who aren't hesitant to talk about this as a cyberwar. I'm not going to go there. From a more dispassionate infrastructure standpoint, though, we can make a few observations.

First, even without considering the possibility of alternatives to the current DNS infrastructure, it's evident that the country-level distribution of authority inherent in the ccTLD system has provided enough political cover to keep an extremely controversial site running. Everyone has laws that make certain kinds of content illegal, but there is no global agreement across jurisdictions about the definition of illegal content.

Second, it's apparent that search and social infrastructure (Google and Twitter) now play a key role in re-spawning content that gets blocked in any one place, and drawing even more attention to the surviving copies. If suppressed content automatically goes viral, the Internet's construction basically guarantees that that content will have a home for the rest of time. If you attack DNS support, people will tweet raw IP addresses. If you take down the BGP routes to web content, people will put up more mirrors, or switch to overlay networks to distribute the data. You can't burn down the Library of Alexandria any more — it will respawn in someone's basement in Stockholm, or Denver, or Beijing.

Finally, we can predict that in the future, enforcement of local laws will take place almost exclusively at the consumer edge of the Internet. Providers of content can change jurisdictions, but consumers generally cannot — and this asymmetry drives the creation of national domain blacklists and monitoring of access to illegal content within access networks. The day isn't far off, if it isn't here already, when your ISP will be set to work making lists of the naughty and nice. Get your proxies ready!

Update: An earlier version of this blog incorrectly identified the owners of the wikileaks.us, wikileaks.com, and wikileaks.net domains. We regret the error.

7 Comments
Christopher Kunz | December 8, 2010 3:26 AM | Reply

I'll take a wild guess here and suspect that wikileaks.org has not yet changed DNS providers because they don't have a way to receive the Authinfo. All contacts point to privacy(at)dynadot and I presume those guys are keeping a hold of the Authinfo.

That's the problem if you let your registrar handle contact anonymization for you...
dondilly | December 8, 2010 10:00 AM | Reply

One additional part of the wikileaks resilience you failed to mention is that they are simultaneously releasing the cables via Bittorrent with the torrent files posted on the master of network resilience, Piratebay.

There is also the insurance file available from wikileaks and bittorrent that is being hosted by thousands of supporters, and if anything happens to wikileaks or its staff, they go nuclear and release the encryption key.
Tolan Blundell | December 8, 2010 11:47 AM | Reply

Given that all their content is static I'm surprised they haven't simply written a script to PGP/GPG sign each page's body content and wrap it in the PGP header/footer then published their public key. They can then push the content to un-trusted third parties and everyone can verify there have been no modifications or additions.
Wesley Schwengle | December 8, 2010 12:00 PM | Reply

FYI, the machines in the Netherlands are maintained by the Dutch Pirate Party.
Adrian | December 8, 2010 2:32 PM | Reply

"Get your proxies ready"

Encrypted browsing FTW! How about an explanation of how to? My oh my, State institution dinosaurs vs. a loose collective of god-knows-how many young techies...

Oh the lulz to be had.
Pascal Gloor | December 8, 2010 4:45 PM | Reply

Nice report. I have just noticed one little mistake: Where the hell did you find "78.21.16.0/21". oh, I got it, probably a copy/paste issue, it's 178.21.... and that's what Wesley (above) said.

I'd like to comment on the everyDNS disconnection of service. They justified it due to "heavy dDoS attacks". Since Friday, after the everyDNS disconnection, we have not noticed ANY attack on our DNS servers, interesting!?
Mark Jeftovic replied to comment from Christopher Kunz | December 8, 2010 7:54 PM | Reply

Indeed, I have always said "whois masking" adds more risk and doesn't add more privacy.

http://www.circleid.com/posts/20081120_whois_masking_considered_harmful/
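Added example, not from the Renesys post or any of its commenters: a small Python audit of the DNS/routing diversity the article measures for wikileaks.ch (how many authoritative servers, how many differently routed IP blocks, how many originating providers). It runs over constructed answers; the nameserver names and host IPs are made up, while the routed blocks and provider names are the ones the article gives (using 178.21.16.0/21 as corrected in Pascal Gloor's comment).

```python
import ipaddress
from collections import defaultdict

# Routed blocks and originating providers as named in the article.
# Constructed lookup table standing in for a BGP origin lookup.
ROUTED_BLOCKS = {
    "178.21.16.0/21": "Serverius (NL)",
    "46.59.0.0/17": "Bahnhof (SE)",
    "213.251.128.0/18": "OVH (FR)",
    "88.80.0.0/19": "Bahnhof (SE)",
}

# Constructed sample: A records each authoritative nameserver returned.
# Nameserver names and host addresses are made up for illustration.
SAMPLE_ANSWERS = {
    "wikileaks.ch": {
        "ns1.example-ch.test": ["178.21.16.10", "46.59.1.20"],
        "ns2.example-ca.test": ["213.251.130.5"],
        "ns3.example-my.test": ["46.59.1.20", "213.251.130.5"],
    },
    "single-block.test": {
        "ns1.example.test": ["88.80.1.1"],
        "ns2.example.test": ["88.80.1.2"],
    },
}

def origin_of(ip):
    """Longest-prefix match of an address against the routed-block table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, origin in ROUTED_BLOCKS.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return (str(best[0]), best[1]) if best else (None, "unknown")

def diversity_report(answers):
    """Group every advertised web-server IP by routed prefix and origin."""
    by_prefix = defaultdict(set)
    for ns, ips in answers.items():
        for ip in ips:
            prefix, origin = origin_of(ip)
            by_prefix[(prefix, origin)].add(ip)
    return {
        "nameservers": len(answers),
        "prefixes": len(by_prefix),
        "origins": len({o for _, o in by_prefix}),
        "single_point_of_failure": len(by_prefix) <= 1,
    }
```

A site whose every answer falls into one routed block, like the second sample, is one BGP withdrawal or one hosting termination away from disappearing, which is the situation the article describes for wikileaks.org before it diversified.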

pcosmar
12-09-2010, 08:41 AM
:D
From the comments

Encrypted browsing FTW! How about an explanation of how to? My oh my, State institution dinosaurs vs. a loose collective of god-knows-how many young techies...

Oh the lulz to be had.

Gave me a chuckle. (as an old Phart)