Great Firewall of China blasts DDoS attacks at random IP addresses An upgrade to China's Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes. One site owner in North Carolina, Craig Hockenberry, has written up how, after he looked into why his mail server was down, he found 52Mbps of search traffic piling into his …
What weak spot of the DNS system are we talking about here?
Most DNS lookups are simple UDP packets without even so much as a serial number. So a client asks the question, and accepts the answer with no way to know whether or not the response is trustworthy. Thus a bad actor can send incorrect responses and subvert the DNS system. To make matters worse, it can flood out such responses even before the question is asked...
There are ways to improve on this - but they are very far from widespread.
Vic.
Not sure that is true and I don't think they really want to be completely isolated. If they did they could just pull the plug, end of. Of course this would severely damage the rest of the world's ability to buy stuff from China, which would presumably be seen as a bad thing. Really they want their cake and eat it with an internet that only does things they agree with.
Wired/Wireless internet is to easy for governments to control. Quick someone invent zero width wormhole private networks! ZW-WPN or WPN for short. All the power needed could be siphoned off stars in other solar systems. Data centers could be moved anywhere. Users could connect to any other node/gateway on the internet without fear of censorship or filtering.
Kidding.
Ahh, the venerable MRTG graph. That pattern will look familiar to a lot of readers. Next step was usually to look up the switch port to find out what colo box was converted into a warez site overnight. Or, for the more seasoned among us, what pattern do we need to add to the news server to drop the binaries groups.
I am a bit surprised, because I've been inside the GFW many times, and that was not how I saw them deal with forbidden connections.
Last time I had fun with it, a bit less than one year ago, they did this: when a forbidden domain name appeared inside an HTTP connection to a specific IP address, they would send a reset to *any* connection to that IP address, lasting for a few minutes. The DNS would keep working and resolving to the right IP.
Connecting using HTTPS, by hiding any mention of the domain, would not trigger the resets.
Connecting to the same IP address, but using a different domain name, would not trigger the resets either.
Of course, this was to a personal server, that had both a forbidden DynDns and a fixed domain name, but I don't remember seeing government tinkering with Internet big names using DNS either.
This may be a silly thing to say, but I am struck by the coincidence between a sudden onset of DNS-based problems in the Great Firewall of China, and the emergence of a buffer overflow that can best be exploited via gethostbyname().
Might this problem not actually be anything to do with the GFoC admins or (in)competence thereof, but might it be related to some person or group inside China trying to break the firewall in some way, and succeeding in merely crippling its functionality in strange and annoying ways?
I've finally got round to writing up my experience of the same issue and my methods used to mitigate it.
http://defendagainstddos.wordpress.com/2015/02/06/preventing-a-ddos-from-china-a-great-firewall-of-china-gone-rogue/
For those that cant be bothered reading and need a quick fix, just run this:
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /announce.php" --algo bm --to 65535 -j DROP
Though this article is a few weeks old, the issue is still ongoing.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
