EEVblog Electronics Community Forum

General => General Technical Chat => Topic started by: SeanB on December 26, 2015, 05:07:10 pm

Title: Bit flipping for profit
Post by: SeanB on December 26, 2015, 05:07:10 pm
A rather interesting (to say the least) discussion on how single bit errors in memory can have a very strange effect, and this is a pretty nasty bug that is really hard to fix by the end user.

https://www.youtube.com/watch?v=4b5disac9g4

Title: Re: Bit flipping for profit
Post by: rollatorwieltje on December 27, 2015, 12:37:07 pm
I find it really hard to believe this is caused purely by incidental bit flipping. He even said that many of the flipped DNS requests had multiple errors in the following HTTP requests as well. How are those machines even running properly if their memory is so screwed? I smell malware-infected machines, or maybe some "broken" man-in-the-middle device (considering a large portion of traffic originated from China).
Title: Re: Bit flipping for profit
Post by: T3sl4co1l on December 27, 2015, 12:47:41 pm
Ya know...

With all that traffic originating in China, it could be a side effect of their Great Firewall.  All that extra packet inspection is bound to flip more bits, perhaps as many chances for flips as the originating systems.

I wouldn't think malware would be a viable explanation, since if it's willy-nilly flipping bits in various systems, the whole OS would crash and burn.

Another thought, is there any way to tell if it's related to row hammer, overclocking, etc.?  Row hammer leads to multiple flips, as I recall.

All the likely cheap and antiquated hardware over there is probably a sufficient explanation.  As for where the errors occur, if they're in main RAM or the CPU, the whole thing should pretty much crash and burn (again) -- but maybe it's in the NIC or routers or infrastructure (which maybe they have pressure to keep cheap, especially the firewall parts which have to filter so much sheer volume?).

Tim
Title: Re: Bit flipping for profit
Post by: rollatorwieltje on December 27, 2015, 01:21:48 pm

I wouldn't think malware would be a viable explanation, since if it's willy-nilly flipping bits in various systems, the whole OS would crash and burn.

That's exactly why I think malware is a possible explanation. Something is specifically modifying network traffic. As you said, random bitflipping memory usually results in complete disaster.
Title: Re: Bit flipping for profit
Post by: Hypernova on December 27, 2015, 01:56:35 pm

I wouldn't think malware would be a viable explanation, since if it's willy-nilly flipping bits in various systems, the whole OS would crash and burn.

That's exactly why I think malware is a possible explanation. Something is specifically modifying network traffic. As you said, random bitflipping memory usually results in complete disaster.

Then why modify traffic to point to his server? If his is just a part of the mass modifications to hide the real servers surely this would cause the user's web performance to degrade sufficiently to get noticed.

Considering the degree of counterfeiting and general poor quality of hardware there, I wouldn't jump to any malware-based conclusions.
Title: Re: Bit flipping for profit
Post by: SeanB on December 27, 2015, 02:15:28 pm
Random bit flipping will have very little effect on most internet data; you do not notice a small error in an image, a video or any audio file other than a brief spike or click. In things like programs it might only affect data structures or even built-in constants, which is a subtle effect you might notice only in a specific circumstance. That is why most download sites also include an MD5 or other hash, as this is quite good at detecting a single bit flip or even multiple ones. It will be an incredibly rare single bit error that will result in a hash collision. Memory that is not ECC will invariably have the odd bit flip, especially memory that is rarely read, or where rowhammer can flip a rarely read bit, or where the timing is just on the edge of working until you get the right conditions of access timing, data pattern and voltage spikes. That is why you run Memtest for a day on any new machine, or after moving or adding extra memory.

As to the need for a server, this was just to collect data of where the flipping was occurring. Note there were a few larger DNS resolvers doing this, along with a few other routers. Most were machines, though. Note as well just how many of these bit flips were already registered; you know that the ones doing that are not being altruistic and probably are serving a nice JavaScript exploit as a return block, followed by a redirect (silent and not noticed) to complete the action. A truly silent way to infect a machine, especially if you can redirect a login while doing so to grab a popular or important site's (like a bank's) credentials.
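
Added example, not part of any post in this thread: a resolver-log check that flags lookups for names exactly one bit away from a domain you operate, the kind of flipped DNS request the thread discusses. The domain `example.com`, the log format and the log lines are constructed assumptions.

```python
import string

# Characters legal in a hostname label (DNS names are case-insensitive).
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

def bitflip_variants(domain):
    """Every syntactically valid hostname exactly one bit away from `domain`."""
    domain = domain.lower().rstrip(".")
    variants = set()
    for i, ch in enumerate(domain):
        if ch == ".":
            continue  # leave the label structure alone
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit)).lower()
            # Skip flips that only change case or yield an illegal character.
            if flipped == ch or flipped not in LABEL_CHARS:
                continue
            candidate = domain[:i] + flipped + domain[i + 1:]
            # A label may not start or end with a hyphen ('m' ^ 0x40 == '-').
            if all(l[0] != "-" and l[-1] != "-" for l in candidate.split(".")):
                variants.add(candidate)
    return variants

def flag_queries(protected, log_lines):
    """Return (client, qname, protected_domain) for one-bit-off lookups."""
    protected = {d.lower() for d in protected}
    lookup = {v: d for d in protected
              for v in bitflip_variants(d) if v not in protected}
    hits = []
    for line in log_lines:
        client, qname, _qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        # Match the queried name itself or any parent domain of it.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in lookup:
                hits.append((client, ".".join(labels), lookup[suffix]))
                break
    return hits

# Constructed sample resolver log: "<client> <qname> <qtype>".
SAMPLE_LOG = [
    "192.0.2.10 www.example.com. A",
    "192.0.2.11 www.excmple.com. A",   # 'a' (0x61) -> 'c' (0x63): one bit
    "198.51.100.7 exam0le.com AAAA",   # 'p' (0x70) -> '0' (0x30): one bit
    "198.51.100.8 exbmple.com A",      # 'a' -> 'b' differs in two bits
]

if __name__ == "__main__":
    for hit in flag_queries(["example.com"], SAMPLE_LOG):
        print(hit)
```

Clients that show up repeatedly in the hits are candidates for a memory test or a look at the network path between them and the resolver.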