Great Firewall of China blasts DDoS attacks at random IP addresses

An upgrade to China's Great Firewall is having knock-on effects all over the internet, with seemingly random sites experiencing massive traffic spikes. One site owner in North Carolina, Craig Hockenberry, has written up how, after he looked into why his mail server was down, he found 52Mbps of search traffic piling into his …

  1. Anonymous Coward
    Anonymous Coward

    Article upvote.

    What weak spot of the DNS system are we talking about here? Enquiring minds want to know.

    1. Anonymous Coward
      Anonymous Coward

      Ability of web browser manufacturers to pay people to enable stuff like oculus rift 3d games in JavaScript, but seemingly unable to implement DNSSEC resolvers?

    2. Vic

      What weak spot of the DNS system are we talking about here?

      Most DNS lookups are simple UDP packets without even so much as a serial number. So a client asks the question, and accepts the answer with no way to know whether or not the response is trustworthy. Thus a bad actor can send incorrect responses and subvert the DNS system. To make matters worse, it can flood out such responses even before the question is asked...

      There are ways to improve on this - but they are very far from widespread.

      Vic.
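The checks Vic is describing, as an added example that is not part of this thread: a stub resolver that accepts a UDP answer only when the source address, source and destination ports, 16-bit transaction id and echoed question all match the query it sent. The DNS messages are built and parsed with a minimal encoder written for this example; the names and addresses are constructed from reserved documentation ranges. Those checks make blind spoofing a guessing game rather than impossible; only DNSSEC validation (mentioned earlier in the thread) or an authenticated transport gives a cryptographic answer.

```python
import os
import struct

# Added example (not from the thread): a minimal DNS wire-format encoder/decoder and
# the checks a stub resolver applies before trusting a UDP answer. Names and
# addresses below are constructed from reserved documentation ranges.

def new_txid():
    """Unpredictable 16-bit transaction id; a resolver must not use a counter."""
    return struct.unpack("!H", os.urandom(2))[0]

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (fqdn, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return (".".join(labels) + "." + tail if labels else tail), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def build_query(txid, qname, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_answer(txid, qname, ip, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + rdata
    return header + question + answer

def parse_message(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}

def validate_response(pending, src_ip, src_port, dst_port, payload):
    """Checks a resolver applies to a UDP datagram before trusting it. Returns (ok, reason)."""
    if src_ip != pending["server"] or src_port != 53:
        return False, "source address/port does not match the queried server"
    if dst_port != pending["local_port"]:
        return False, "destination port does not match the query's source port"
    try:
        msg = parse_message(payload)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False, "malformed message"
    if not msg["flags"] & 0x8000:
        return False, "not a response (QR bit clear)"
    if msg["txid"] != pending["txid"]:
        return False, "transaction id mismatch"
    if msg["questions"] != [(pending["qname"], pending["qtype"], 1)]:
        return False, "question section does not echo our query"
    for name, _, _ in msg["answers"]:
        if name != pending["qname"]:
            return False, "answer for a name we did not ask about"
    return True, "accepted"

def demo():
    txid = 0x1A2B  # a real resolver uses new_txid(); fixed here so results are deterministic
    pending = {"txid": txid, "qname": "www.example.", "qtype": 1,
               "server": "198.51.100.53", "local_port": 40123}
    query = build_query(txid, pending["qname"])
    genuine = build_answer(txid, pending["qname"], "192.0.2.10")
    forged = build_answer(txid ^ 0x0001, pending["qname"], "192.0.2.66")  # wrong txid
    return {
        "query_len": len(query),
        "genuine": validate_response(pending, "198.51.100.53", 53, 40123, genuine),
        "wrong_txid": validate_response(pending, "198.51.100.53", 53, 40123, forged),
        "wrong_port": validate_response(pending, "198.51.100.53", 53, 40124, genuine),
        "wrong_source": validate_response(pending, "203.0.113.9", 53, 40123, genuine),
    }
```

The source-port check is why resolvers randomise the port of every outgoing query: with a fixed port, the transaction id is the only unpredictable value left, and 16 bits is not much.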

  2. Anonymous Coward
    Anonymous Coward

    Simple Solution

    Ban all IP traffic to / from China.

    I can see many pluses and just a few minuses.

    Only (half) joking.

    1. Mark 85

      Re: Simple Solution

      You do that and it's a 2-for-1 win as the NORKS would probably be blocked also since their feed is through China.

      1. Allan George Dyer
        Joke

        Re: Simple Solution

        3-for-1 win, Apple won't be able to contact their factories = no more iPhones.

    2. adrian727

      Re: Simple Solution

      Yeah, I guess the Chinese government want exactly that, that's a win-win situation

    3. Anonymous Coward
      Anonymous Coward

      Re: Simple Solution

      "Short version: he blocked all of China's IP blocks."

      I have been doing that for a few years on my mail server - and Taiwan, Korea, etc. Why would I expect an e-mail from someone out there?

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple Solution

        I don't know, maybe you're not a multinational company?

    4. Just Enough

      Re: Simple Solution

      One minus would be that this would be exactly what the Chinese government would want. It would suit them down to the ground if the rest of the internet built their firewall for them, and cut off their citizens from the rest of the world.

      1. Joe Harrison

        Re: Simple Solution

        Not sure that is true and I don't think they really want to be completely isolated. If they did they could just pull the plug, end of. Of course this would severely damage the rest of the world's ability to buy stuff from China, which would presumably be seen as a bad thing. Really they want their cake and eat it with an internet that only does things they agree with.

    5. 404

      Re: Simple Solution

      heh - did that once for spam control, made life much easier since it cut back about 85%. Management made me unblock though, out of 9000 users, 1 needed to email China. Mind you, this was back in the late 90's at a small ISP.

  3. Anonymous Coward
    Anonymous Coward

    Wired/Wireless internet is too easy for governments to control. Quick someone invent zero width wormhole private networks! ZW-WPN or WPN for short. All the power needed could be siphoned off stars in other solar systems. Data centers could be moved anywhere. Users could connect to any other node/gateway on the internet without fear of censorship or filtering.

    Kidding.

  4. Anonymous Coward
    Anonymous Coward

    Best IDS tool out there

    Ahh, the venerable MRTG graph. That pattern will look familiar to a lot of readers. Next step was usually to look up the switch port to find out what colo box was converted into a warez site overnight. Or, for the more seasoned among us, what pattern do we need to add to the news server to drop the binaries groups.

    1. Anonymous Coward
      Anonymous Coward

      Re: Best IDS tool out there

      ... or figure out who plugged something in that created a loop between ports that is now busily forwarding a broadcast storm....

  5. akeane
    WTF?

    Is that why...

    ... me Demon Web hosted servers went "funny" over the weekend?

  6. Anonymous Coward
    Anonymous Coward

    Simple solution.

    If you get hit by this, set up a static webpage on your server at the URLs being targeted and fill it full of pictures of the Tiananmen square massacre. Watch how quickly they'll fix the GFW to send the traffic somewhere else instead when you do that!

  7. JakeMS
    Joke

    Compensation?

    So do businesses affected by these attacks in the rest of the world get financial compensation for any money lost during the outage directly caused by the Chinese government? Or at least an apology?

    Thought not!

  8. Anonymous Coward
    Anonymous Coward

    To Kieren McCarthy: Have you *personally* checked the technical details?

    I am a bit surprised, because I've been inside the GFW many times, and that was not how I saw them deal with forbidden connections.

    Last time I had fun with it, a bit less than one year ago, they did this: when a forbidden domain name appeared inside an HTTP connection to a specific IP address, they would send a reset to *any* connection to that IP address, lasting for a few minutes. The DNS would keep working and resolving to the right IP.

    Connecting using HTTPS, by hiding any mention of the domain, would not trigger the resets.

    Connecting to the same IP address, but using a different domain name, would not trigger the resets either.

    Of course, this was to a personal server, that had both a forbidden DynDns and a fixed domain name, but I don't remember seeing government tinkering with Internet big names using DNS either.

    1. Anonymous Coward
      Anonymous Coward

      To AC: Have you *personally* read the linked articles?

      What's so hard to believe about the suggestion that they're trying something new with the GFW? Check the linked articles, there are plenty of technical details there.

  9. Anonymous Coward
    Anonymous Coward

    Umm

    That picture indicates that he is sending out at 52Mb/s, not receiving it. Chances are, he has an outdated NTP or DNS server, and he is participating in an amplification attack. Not news.
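The alternative explanation raised above (an outbound spike because the host is acting as a reflector) is easy to check from flow data. As an added example that is not from this thread, the script below reads constructed flow summaries in an invented collector export format, flags UDP flows on well-known reflector ports where the host sent far more than it received, and reports how much of the outbound volume those flows account for. The format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict

# Added example (not from the thread). Constructed flow summaries in a made-up
# export format: proto local_port remote_ip bytes_in bytes_out pkts_in pkts_out.
FLOW_RECORDS = """\
udp 123 203.0.113.5 90 43200 1 60
udp 123 203.0.113.6 90 43200 1 60
udp 53 198.51.100.7 64 3100 1 1
tcp 80 198.51.100.8 5200 41000 40 35
udp 123 192.0.2.20 90 90 1 1
udp 53 192.0.2.21 70 150 1 1
"""

# UDP services whose replies can be much larger than the request; a host answering
# them to spoofed sources is the unwitting reflector in an amplification attack.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, port, remote, b_in, b_out, p_in, p_out = line.split()
        flows.append({"proto": proto, "port": int(port), "remote": remote,
                      "bytes_in": int(b_in), "bytes_out": int(b_out),
                      "pkts_in": int(p_in), "pkts_out": int(p_out)})
    return flows

def find_reflection(flows, min_ratio=10.0, min_bytes_out=1000):
    """Flows where this host answers a reflector port with far more bytes than it
    received. The remote address is then probably a spoofed victim, not a client."""
    hits = []
    for f in flows:
        if f["proto"] != "udp" or f["port"] not in REFLECTOR_PORTS:
            continue
        if f["bytes_out"] < min_bytes_out or f["bytes_in"] == 0:
            continue
        ratio = f["bytes_out"] / f["bytes_in"]
        if ratio >= min_ratio:
            hits.append({"service": REFLECTOR_PORTS[f["port"]], "victim": f["remote"],
                         "ratio": round(ratio, 1), "bytes_out": f["bytes_out"]})
    return sorted(hits, key=lambda h: h["ratio"], reverse=True)

def outbound_share(flows, hits):
    """Fraction of all outbound bytes carried by the flagged flows: the number to
    compare against the spike on the bandwidth graph."""
    total = sum(f["bytes_out"] for f in flows)
    flagged = sum(h["bytes_out"] for h in hits)
    return flagged / total if total else 0.0

def per_service_volume(hits):
    """Outbound bytes per abused service, to decide which daemon to fix first."""
    volume = defaultdict(int)
    for h in hits:
        volume[h["service"]] += h["bytes_out"]
    return dict(volume)

if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    hits = find_reflection(flows)
    for h in hits:
        print(f'{h["service"]:8} -> {h["victim"]:15} x{h["ratio"]}')
    print(f"reflection share of outbound bytes: {outbound_share(flows, hits):.0%}")
    print(per_service_volume(hits))
```

If the flagged share matches the spike, the fix is on the host (disable NTP `monlist`-style queries, stop the resolver answering recursive queries from the world), not at the border; if it does not, the spike needs another explanation.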

  10. Anonymous Coward
    Anonymous Coward

    BT and FB indicate open relay

    So Chinese users flocked to his site looking for bit torrent and Facebook? That's classic "escaping the wall" behavior. He probably had an open relay, or was hacked to relay. Not so random after all.

  11. Dr Dan Holdsworth

    Oh look, a glibc bug that can be exploited through gethostbyname()

    This may be a silly thing to say, but I am struck by the coincidence between a sudden onset of DNS-based problems in the Great Firewall of China, and the emergence of a buffer overflow that can best be exploited via gethostbyname().

    Might this problem not actually be anything to do with the GFoC admins or (in)competence thereof, but might it be related to some person or group inside China trying to break the firewall in some way, and succeeding in merely crippling its functionality in strange and annoying ways?

  12. Anonymous Coward
    Anonymous Coward

    Blocking China - My experience of the same issue

    I've finally got round to writing up my experience of the same issue and my methods used to mitigate it.

    http://defendagainstddos.wordpress.com/2015/02/06/preventing-a-ddos-from-china-a-great-firewall-of-china-gone-rogue/

    For those that can't be bothered reading and need a quick fix, just run this:

    sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "GET /announce.php" --algo bm --to 65535 -j DROP

    Though this article is a few weeks old, the issue is still ongoing.
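Before dropping traffic with a rule like the one above, it helps to confirm from the web logs that the requests really are misdirected: clients asking this server for Facebook pages or BitTorrent tracker announces it has never hosted. As an added example, not part of this comment or the linked write-up, the script below parses constructed Apache vhost_combined-style access-log lines (the `%v:%p %h %l %u %t "%r" %>s %O` layout), separates requests whose Host header is not one of the server's own names, and summarises them by requested site, path and client /24 prefix. The log lines, the set of own hostnames and the regex are assumptions to adapt to the local log format.

```python
import re
from collections import Counter

# Added example (not from the thread). Constructed vhost_combined-style log lines;
# the sites, addresses and user agents are invented for the example.
LOG_LINES = """\
www.facebook.com:80 203.0.113.10 - - [06/Feb/2015:10:00:01 +0000] "GET / HTTP/1.1" 404 209 "-" "Mozilla/5.0"
tracker.example.net:80 203.0.113.11 - - [06/Feb/2015:10:00:02 +0000] "GET /announce.php?info_hash=%AB%CD HTTP/1.1" 404 209 "-" "Transmission/2.84"
mail.example.com:80 198.51.100.20 - - [06/Feb/2015:10:00:03 +0000] "GET /webmail/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
www.facebook.com:80 203.0.113.12 - - [06/Feb/2015:10:00:03 +0000] "GET / HTTP/1.1" 404 209 "-" "Mozilla/5.0"
tracker.example.net:80 203.0.113.13 - - [06/Feb/2015:10:00:04 +0000] "GET /announce.php?info_hash=%EF%01 HTTP/1.1" 404 209 "-" "uTorrent/3.4"
192.0.2.7:80 192.0.2.99 - - [06/Feb/2015:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/7.38"
"""

# Names this server legitimately serves (assumption for the example); anything else
# in the Host header means the client was steered here by a DNS answer we never gave.
OWN_HOSTS = {"mail.example.com", "192.0.2.7"}

LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) (?P<bytes>\S+)')

def parse_access_log(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = e["target"].split("?", 1)[0]  # drop the query string
            entries.append(e)
    return entries

def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"

def misdirected_summary(entries, own_hosts):
    """Split out requests for sites this server does not host and aggregate them."""
    mis = [e for e in entries if e["vhost"] not in own_hosts]
    return {
        "total": len(entries),
        "misdirected": len(mis),
        "by_vhost": Counter(e["vhost"] for e in mis),
        "by_path": Counter(e["path"] for e in mis),
        "by_prefix": Counter(slash24(e["client"]) for e in mis),
    }

if __name__ == "__main__":
    summary = misdirected_summary(parse_access_log(LOG_LINES), OWN_HOSTS)
    print(f'{summary["misdirected"]} of {summary["total"]} requests misdirected')
    for key in ("by_vhost", "by_path", "by_prefix"):
        print(key, summary[key].most_common(5))
```

The `by_path` counter shows how much a single string match such as `/announce.php` would catch; the `by_vhost` counter shows what it would miss (here, the Facebook-bound requests, which carry a plain `GET /`), and `by_prefix` is the evidence for whether a network-level block is proportionate.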
