NANOG,
Looking for anyone from XO or Legacy Concentric web hosting services (now VDMS). I have a mutual customer that is getting caught at some form of Web App firewall coming from a specific IP range.
Thank you!
James W. Breeden
Managing Partner
Arenal Group: Arenal Consulting Group | Atheral | Ceteris Coin | Acilis Telecom | Pines Events and Media | BlueNinja
Corporate: PO Box 1063 | Smithville, TX 78957
Email: james(a)arenalgroup.co | office 512.360.0000 | www.arenalgroup.co
In fact, Great Cannon (GC) [55] is such an in-path system. But it
is known for intercepting a subset of traffic (based on protocol
type) only. What’s more, GC has been activated only twice in
history (the last one in 2015 [55]).
-----------------------------------
AT&T security says otherwise:
https://cybersecurity.att.com/blogs/labs-research/the-great-cannon-has-been…
"The Great Cannon is a distributed denial of service tool (“DDoS”)
that operates by injecting malicious Javascript into pages served
from behind the Great Firewall."
"The Great Cannon was the subject of intense research after it was
used to disrupt access to the website Github.com in 2015. Little
has been seen of the Great Cannon since 2015. However, we’ve
recently observed new attacks..."
"On August 31, 2019, the Great Cannon initiated an attack
against a website (lihkg.com) used by members of the Hong
Kong democracy movement to plan protests."
scott
In fact, the three large carriers provide 98.5% of China’s total
transnational bandwidth. We observe this across all the three large
carriers, as well as one smaller carrier, CERNET (China Education and
Research Network).
Best,
Pengxiong Zhu
Department of Computer Science and Engineering
University of California, Riverside
On Mon, Mar 2, 2020 at 12:12 PM Ben Cannon <ben(a)6by7.net> wrote:
>
> On Mar 2, 2020, at 11:38 AM, Pengxiong Zhu <pzhu011(a)ucr.edu> wrote:
>
> Those are good insights. Our first guess is censorship too, and we
> discussed the possibilities of censorship side effects in Section 5.1
> *Censorship*.
>
> It’s the Government doing mandatory content filtering at the border.
>> Their hardware is either deliberately or accidentally poor-performing.
>>
>
> However, GFW operates as an on-path system [72], which only processes
> copies of existing packets without the ability to discard existing packets.
> Evidently, prior work has shown that GFW fails to inject RST packets during
> busy hours while the packets containing sensitive keywords are still
> delivered successfully [34]. However, we are unable to rule out the
> possibility that GFW has evolved to acquire the capability to discard
> packets.
>
> Maybe... I dunno.... get rid of the Great Firewall of China?
>
>
> We designed a small experiment to locate the hops with GFW presence, and
> then try to match them with the bottleneck hops. We found only in 34.45% of
> the cases, the GFW hops match the bottleneck hops.
>
> My guess is that it’s all the DDoS traffic coming from China saturating
>> the links.
>>
>
> In fact, Great Cannon (GC) [55] is such an in-path system. But it is known
> for intercepting a subset of traffic (based on protocol type) only. What’s
> more, GC has been activated only twice in history (the last one in 2015
> [55]). However, it might be the case that the in-path capability is
> re-purposed to perform general traffic throttling. If that is the case,
> they have done a good job because the throttling resembles natural
> congestion from the loss rate and latency point of view.
>
>
> I believe this is what’s happening, and I believe they are rate-limiting
> and causing actual congestion, as opposed to simulating it. The losses
> would be real, actual saturation, on simply rate-limited flows. Unclear if
> this is being done on a per-flow basis or per-source or what. You might be
> able to find out. I’m curious if you see this across all carriers or only
> the larger ones?
>
> -Ben.
>
> The asymmetric performance between downstream and upstream traffic can be
> explained by the natural imbalance of transnational traffic (where the
> upstream traffic from China to outside is not significant enough to
> throttle).
>
>
> Best,
> Pengxiong Zhu
> Department of Computer Science and Engineering
> University of California, Riverside
>
>
> On Mon, Mar 2, 2020 at 8:11 AM Compton, Rich A <Rich.Compton(a)charter.com>
> wrote:
>
>> My guess is that it’s all the DDoS traffic coming from China saturating
>> the links.
>>
>>
>>
>> *From: *NANOG Email List <nanog-bounces(a)nanog.org> on behalf of
>> Pengxiong Zhu <pzhu011(a)ucr.edu>
>> *Date: *Monday, March 2, 2020 at 8:58 AM
>> *To: *NANOG list <nanog(a)nanog.org>
>> *Cc: *Zhiyun Qian <zhiyunq(a)cs.ucr.edu>
>> *Subject: *China’s Slow Transnational Network
>>
>>
>>
>> Hi all,
>>
>>
>>
>> We are a group of researchers at University of California, Riverside who
>> have been working on measuring the transnational network performance (and
>> have previously asked questions on the mailing list). Our work has now led
>> to a publication in Sigmetrics 2020 and we are eager to share some
>> interesting findings.
>>
>>
>>
>> We find China's transnational networks have extremely poor performance
>> when accessing foreign sites, where the throughput is often persistently
>> low (e.g., for the majority of the daytime). Compared to other countries
>> we measured including both developed and developing, China's transnational
>> network performance is among the worst (comparable and even worse than some
>> African countries).
>>
>>
>>
>> Measuring from more than 400 pairs of mainland China and foreign nodes
>> over more than 53 days, our results show that when data is transferred from
>> foreign nodes to China, 79% of measured connections have throughput lower
>> than 1Mbps, and sometimes it is even much lower. The slow speed occurs only
>> during certain times and forms a diurnal pattern that resembles congestion
>> (irrespective of network protocol and content); please see the following
>> figure. The diurnal pattern is fairly stable: 80% to 95% of the
>> transnational connections have a less than 3 hours standard deviation of
>> the slowdown hours each day over the entire duration. However, the speed
>> rises up from 1Mbps to 4Mbps in about half an hour.
>>
>>
>>
>> [image]
>>
>>
>>
>> We are able to confirm that high packet loss rates and delays are
>> incurred in the foreign-to-China direction only. Moreover, the end-to-end
>> loss rate could rise up to 40% during the slow period, with ~15% on average.
>>
>>
>>
>> There are a few things noteworthy regarding the phenomenon. First of all,
>> all traffic types are treated equally, HTTP(S), VPN, etc., which means it
>> is discriminating or differentiating any specific kinds of traffic. Second,
>> we found for 71% of connections, the bottleneck is located inside China
>> (the second hop after entering China or further), which means that it is
>> mostly unrelated to the transnational link itself (e.g., submarine cable).
>> Yet we never observed any such domestic traffic slowdowns within China.
>>
>> Assuming this is due to congestion, it is unclear why the infrastructure
>> within China that handles transnational traffic is not even capable of
>> handling the capacity of transnational links, e.g., submarine cable, which
>> may be the most expensive investment themselves.
>>
>>
>>
>> Here is the link to our paper:
>>
>> https://www.cs.ucr.edu/~zhiyunq/pub/sigmetrics20_slowdown.pdf
>>
>>
>> We appreciate any comments or feedback.
>>
>> --
>>
>>
>> Best,
>> Pengxiong Zhu
>> Department of Computer Science and Engineering
>> University of California, Riverside
>>
>
>
Those are good insights. Our first guess is censorship too, and we
discussed the possibilities of censorship side effects in Section 5.1
*Censorship*.
> My guess is that it’s all the DDoS traffic coming from China saturating the
> links.
>
In fact, Great Cannon (GC) [55] is such an in-path system. But it is known
for intercepting a subset of traffic (based on protocol type) only. What’s
more, GC has been activated only twice in history (the last one in 2015
[55]). However, it might be the case that the in-path capability is
re-purposed to perform general traffic throttling. If that is the case,
they have done a good job because the throttling resembles natural
congestion from the loss rate and latency point of view. The asymmetric
performance between downstream and upstream traffic can be explained by the
natural imbalance of transnational traffic (where the upstream traffic from
China to outside is not significant enough to throttle).
> Maybe... I dunno.... get rid of the Great Firewall of China?
>
What do you mean? Do you mean the slow traffic is to bypass the GFW or the
slow traffic is caused by GFW?
Best,
Pengxiong Zhu
Department of Computer Science and Engineering
University of California, Riverside