Great Firewall of China blasts DDoS attacks at random IP addresses

An upgrade to China's Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes. One site owner in North Carolina, Craig Hockenberry, has written up how, after he looked into why his mail server was down, he found 52Mbps of search traffic piling into his …

  1. Anonymous Coward

    Article upvote.

    What weak spot of the DNS system are we talking about here? Enquiring minds want to know.

    1. Anonymous Coward

      Ability of web browser manufacturers to pay people to enable stuff like oculus rift 3d games in JavaScript, but seemingly unable to implement DNSSEC resolvers?

    2. Vic

      What weak spot of the DNS system are we talking about here?

      Most DNS lookups are simple UDP packets without even so much as a serial number. So a client asks the question, and accepts the answer with no way to know whether or not the response is trustworthy. Thus a bad actor can send incorrect responses and subvert the DNS system. To make matters worse, it can flood out such responses even before the question is asked...

      There are ways to improve on this - but they are very far from widespread.

      Vic.
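The checks a stub resolver applies before trusting a UDP reply, as an added example that is not part of Vic's post: a DNS message carries a 16-bit transaction ID, and a resolver also keys a reply on the UDP port it sent the query from and on the echoed question section. All packets here are constructed in the script (no network I/O); the names, ports and addresses are placeholder values. The last function shows what "accepts the answer" means in practice: whichever arriving packet first passes the checks is the one that wins, which is why the checks, and ultimately DNSSEC, matter.

```python
import struct

# All packets below are constructed for this example; no network I/O is performed.

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def parse_name(data, offset):
    """Decode an uncompressed label sequence at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed names are not expected in the question section")
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length

def build_query(txid, name, qtype=1):
    """Minimal recursive query for an A record (constructed example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_answer(txid, name, ip, qtype=1, ttl=300):
    """Minimal response with one A record; the RR name is a pointer back to the question (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + rr

def validate_response(query, query_port, response, response_port):
    """Checks a resolver makes before trusting a UDP reply. Returns (accepted, reason)."""
    if response_port != query_port:
        return False, "reply did not arrive on the port the query was sent from"
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, r_flags = struct.unpack("!HH", response[:4])
    if r_id != q_id:
        return False, "transaction id does not match"
    if not r_flags & 0x8000:
        return False, "QR bit not set: this is not a response"
    q_name, off = parse_name(query, 12)
    q_qtype, q_qclass = struct.unpack("!HH", query[off:off + 4])
    r_name, off = parse_name(response, 12)
    r_qtype, r_qclass = struct.unpack("!HH", response[off:off + 4])
    if (q_name.lower(), q_qtype, q_qclass) != (r_name.lower(), r_qtype, r_qclass):
        return False, "question section does not echo our question"
    return True, "ok"

def answer_ip(response):
    """Extract the first A record's address from a response built by build_answer."""
    _, off = parse_name(response, 12)
    off += 4 + 2  # skip qtype/qclass, then the 2-byte compression pointer that names the RR
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    if (rtype, rclass) != (1, 1):
        raise ValueError("first RR is not an IN A record")
    rdata = response[off + 10:off + 10 + rdlen]
    return ".".join(str(b) for b in rdata)

def resolve_from_candidates(query, query_port, candidates):
    """Return the address from the first reply (in arrival order) that passes validation, or None.
    candidates is a list of (udp_dst_port, packet); a forged reply that arrives first and
    passes every check would win, which is exactly the weakness being discussed."""
    for port, packet in candidates:
        ok, _ = validate_response(query, query_port, packet, port)
        if ok:
            return answer_ip(packet)
    return None

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.net")
    genuine = build_answer(0x1234, "www.example.net", "192.0.2.10")
    spoofed = build_answer(0x9999, "www.example.net", "198.51.100.66")  # wrong transaction id
    print("spoofed:", validate_response(q, 40000, spoofed, 40000))
    print("genuine:", validate_response(q, 40000, genuine, 40000))
    print("accepted:", resolve_from_candidates(q, 40000, [(40000, spoofed), (40000, genuine)]))
```

Source port randomisation and the transaction ID together give a forger only about 32 bits to guess per query, and none of these checks prove the data is genuine; only DNSSEC validation of the answer does that.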

  2. Anonymous Coward

    Simple Solution

    Ban all IP traffic to / from China.

    I can see many pluses and just a few minuses.

    Only (half) joking.

    1. Mark 85

      Re: Simple Solution

      You do that and it's a 2-for-1 win as the NORKS would probably be blocked also since their feed is through China.

      1. Allan George Dyer
        Joke

        Re: Simple Solution

        3-for-1 win, Apple won't be able to contact their factories = no more iPhones.

    2. adrian727

      Re: Simple Solution

      Yeah, I guess the Chinese government wants exactly that; that's a win-win situation.

    3. Anonymous Coward

      Re: Simple Solution

      "Short version: he blocked all of China's IP blocks."

      I have been doing that for a few years on my mail server - and Taiwan, Korean etc. Why would I expect an e-mail from someone out there?

      1. Anonymous Coward

        Re: Simple Solution

        I don't know, maybe you're not a multinational company?

    4. Just Enough

      Re: Simple Solution

      One minus would be that this would be exactly what the Chinese government would want. It would suit them down to the ground if the rest of the internet built their firewall for them, and cut off their citizens from the rest of the world.

      1. Joe Harrison

        Re: Simple Solution

        Not sure that is true and I don't think they really want to be completely isolated. If they did they could just pull the plug, end of. Of course this would severely damage the rest of the world's ability to buy stuff from China, which would presumably be seen as a bad thing. Really they want their cake and eat it with an internet that only does things they agree with.

    5. 404

      Re: Simple Solution

      heh - did that once for spam control, made life much easier since it cut back about 85%. Management made me unblock though, out of 9000 users, 1 needed to email China. Mind you, this was back in the late 90's at a small ISP.

  3. Anonymous Coward

    Wired/wireless internet is too easy for governments to control. Quick, someone invent zero-width wormhole private networks! ZW-WPN, or WPN for short. All the power needed could be siphoned off stars in other solar systems. Data centers could be moved anywhere. Users could connect to any other node/gateway on the internet without fear of censorship or filtering.

    Kidding.

  4. Anonymous Coward

    Best IDS tool out there

    Ahh, the venerable MRTG graph. That pattern will look familiar to a lot of readers. Next step was usually to look up the switch port to find out what colo box was converted into a warez site overnight. Or, for the more seasoned among us, what pattern do we need to add to the news server to drop the binaries groups.

    1. Anonymous Coward

      Re: Best IDS tool out there

      ... or figure out who plugged something in that created a loop between ports that is now busily forwarding a broadcast storm....

  5. akeane
    WTF?

    Is that why...

    ... me Demon Web hosted servers went "funny" over the weekend?

  6. Anonymous Coward

    Simple solution.

    If you get hit by this, set up a static webpage on your server at the URLs being targeted and fill it full of pictures of the Tiananmen square massacre. Watch how quickly they'll fix the GFW to send the traffic somewhere else instead when you do that!

  7. JakeMS
    Joke

    Compensation?

    So do businesses affected by these attacks in the rest of the world get financial compensation for any money lost during the outage directly caused by the Chinese government? Or at least an apology?

    Thought not!

  8. Anonymous Coward

    To Kieren McCarthy: Have you *personally* checked the technical details?

    I am a bit surprised, because I've been inside the GFW many times, and that was not how I saw them deal with forbidden connections.

    Last time I had fun with it, a bit less than one year ago, they did this: when a forbidden domain name appeared inside an HTTP connection to a specific IP address, they would send a reset to *any* connection to that IP address, lasting for a few minutes. The DNS would keep working and resolving to the right IP.

    Connecting using HTTPS, by hiding any mention of the domain, would not trigger the resets.

    Connecting to the same IP address, but using a different domain name, would not trigger the resets either.

    Of course, this was to a personal server, that had both a forbidden DynDns and a fixed domain name, but I don't remember seeing government tinkering with Internet big names using DNS either.

    1. Anonymous Coward

      To AC: Have you *personally* read the linked articles?

      What's so hard to believe about the suggestion that they're trying something new with the GFW? Check the linked articles, there are plenty of technical details there.

  9. Anonymous Coward

    Umm

    That picture indicates that he is sending out at 52Mb/s, not receiving it. Chances are, he has an outdated NTP or DNS server, and he is participating in an amplification attack. Not news.

  10. Anonymous Coward

    BT and FB indicate open relay

    So Chinese users flocked to his site looking for bit torrent and Facebook? That's classic "escaping the wall" behavior. He probably had an open relay, or was hacked to relay. Not so random after all.

  11. Dr Dan Holdsworth

    Oh look, a glibc bug that can be exploited through gethostbyname()

    This may be a silly thing to say, but I am struck by the coincidence between a sudden onset of DNS-based problems in the Great Firewall of China, and the emergence of a buffer overflow that can best be exploited via gethostbyname().

    Might this problem not actually be anything to do with the GFoC admins or (in)competence thereof, but might it be related to some person or group inside China trying to break the firewall in some way, and succeeding in merely crippling its functionality in strange and annoying ways?

  12. Anonymous Coward

    Blocking China - My experience of the same issue

    I've finally got round to writing up my experience of the same issue and my methods used to mitigate it.

    http://defendagainstddos.wordpress.com/2015/02/06/preventing-a-ddos-from-china-a-great-firewall-of-china-gone-rogue/

    For those that can't be bothered reading and need a quick fix, just run this:

    sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /announce.php" --algo bm --to 65535 -j DROP

    Though this article is a few weeks old, the issue is still ongoing.
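Before dropping traffic on a string match it helps to see what is actually arriving. As an added example, not part of the comment above or of the linked write-up, here is a small log review in Python that flags requests a server should never receive: tracker-style `/announce.php` hits and requests whose Host header names a site the server does not serve (the pattern described elsewhere in this thread, where clients were looking for BitTorrent and Facebook). The log lines are constructed, the log format (combined format with `%{Host}i` appended) and the server's own hostnames are assumptions, and the output is a count per reason and per client /24, which is the view you want before deciding whether a blanket block is proportionate.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines: combined log format with the Host header appended
# (an Apache LogFormat ending in "%{Host}i" is assumed). Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2015:10:01:02 +0000] "GET /announce.php?info_hash=00aa HTTP/1.1" 404 210 "tracker.example.invalid"
203.0.113.9 - - [06/Feb/2015:10:01:03 +0000] "GET / HTTP/1.1" 404 210 "www.facebook.com"
198.51.100.4 - - [06/Feb/2015:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "www.example.net"
203.0.113.7 - - [06/Feb/2015:10:01:05 +0000] "GET /announce.php HTTP/1.0" 404 210 "-"
198.51.100.8 - - [06/Feb/2015:10:01:06 +0000] "GET /webmail/ HTTP/1.1" 200 5120 "mail.example.net"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# Hostnames this server legitimately answers for (hypothetical values).
OUR_HOSTS = {"www.example.net", "mail.example.net"}
# Request paths characteristic of the misdirected tracker traffic discussed in the thread.
SUSPECT_PATHS = {"/announce.php", "/announce"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(record):
    """Return a reason string if the request looks misdirected at this server, else None."""
    path = record["path"].split("?", 1)[0]     # ignore the query string
    host = record["host"].lower()
    if path in SUSPECT_PATHS:
        return "tracker-announce"
    if host != "-" and host not in OUR_HOSTS:  # HTTP/1.0 clients may send no Host header
        return "foreign-host"
    return None

def summarize(log_text):
    """Count flagged requests by reason and by client /24; returns (reasons, networks)."""
    reasons, networks = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            reasons["unparsed"] += 1
            continue
        reason = classify(record)
        if reason is None:
            continue
        reasons[reason] += 1
        try:
            networks[str(ip_network(record["ip"] + "/24", strict=False))] += 1
        except ValueError:            # a hostname in the client field, if HostnameLookups is on
            networks["unknown"] += 1
    return reasons, networks

if __name__ == "__main__":
    reasons, networks = summarize(SAMPLE_LOG)
    print("by reason:", dict(reasons))
    print("by client /24:", dict(networks))
```

A log review like this also shows the limit of the iptables rule quoted above: the string match runs per packet (the `--to 65535` argument only bounds how far into each packet it looks), so a request line that happens to straddle two segments will not match, and a `GET /announce.php` request for a site that really does host such a path will be dropped along with the rest. Reviewing the Host header and the status codes in the log tells you what the match is actually catching.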


Biting the hand that feeds IT © 1998–2022