Accidental DDoS? How China's Censorship Machine Can Cause Unintended Web Blackouts

On 20 January, Craig Hockenberry saw a graph that made him utter the words: Holy shit. The data he was looking at showed a massive spike in traffic hitting the email server of his software and graphic design company, Iconfactory. Because the data was coming in at such volume and at high speed, peaking at at 52 Mbps thanks tomillions of requests, the email server was rendered useless.

After the initial shock, an investigation revealed the massive influx was caused by a significant number of requests that were supposed to go to other sites, from Facebook to YouTube, but ended up being routed to Iconfactory. And those requests were all coming from China, home to the Great Firewall censorship machine that decides which pieces of the web the countrys citizens can visit.

Hockenberry wasnt the only one to have suffered as a result. Dynamic Internet Technology, a company that helps people view blocked content, was another victim (though the firms everyday operations might lead one to believe otherwise), the Wall Street Journalreported. According to aReddit post, in one case, Chinese mobile games were making requests for completely unrelated IP addresses, which are basically seeing a DDoS from Chinese mobile devices.

It would appear the Chinese governments use of the Domain Name System (DNS), which converts website nameslike Forbes.com to a numerical IP address so PCs and serverscan talk with one another, had gone awry. China carries out much of its censorship by tweaking DNS to stop people accessing non-approved websites. In security parlance, this is called DNS poisoning ashackers often use it to direct people to malicious sites. But throughout this month, something has gone wrong with Chinas own poisoning efforts. Instead of timing out users connections to banned sites, the DNS system took citizens to seemingly random websites, like those named above. Those online services that werent ready for what would amount to distributed denial of service (DDoS) attacks flatlined.

Heres whats concerning: if Chinas censorship machine either screws up, or is hacked, it could redirect hundreds of millions of connections to online services and subsequently wipe out bits of the web. Hockenberry said the national government could exploit this control over the DNS system to use every machine in China for a massive DDoS attack on innocent sites. As my colleague Sean quipped, They have weaponized their entire population.

But Roland Dobbins, senior analyst at anti-DDoS vendor Arbor Networks, told me it would be unwise to carry out such an attack. For starters, China would start to clog up some of its internet pipes out to the wider world. And such a brazen move would hardly bestealthy. Theres no deniability, Dobbins added. China has never admitted to carrying out any kind of online attack, despite claims it is one of the more active offensive players.

More worrisome, and possibly more likely, would be an attack following a compromise of Chinas censorship machine, Dobbins added. There were some indications this monthsblackouts were actually caused not by a glitch in the Great Firewall, but by an attack on the Domain Name System (DNS) in China, which converts URLs like Forbes.com to a numerical IP address so machines can talk with one another. DNSPod, a DNS provider, said it had suffered an attack, but little more has been forthcoming.

So opaque are Chinas technical efforts to block large chunks of the internet, its impossible to say how vulnerable the Great Firewall is, Dobbins noted. Sometimes the censorship systems themselves arent very secure. Is it possible that someone could find an exploit to do some DNS poisoning to use it as a botnet? We dont really know because those systems are not open to evaluation.

If the outages last week were caused by errors in updating the Great Firewall, it points to another possibility: human mistakes causing serious disruption to the internet. Any administrator of any large DNS service can make a mistake and it can cause significant collateral damage, Dobbins said. According to reports, the Firewall is currently getting a refresh to block VPNs, which offer a way around censorship by routing traffic through different servers and encrypting connections.

The power to cause epic attacks by using DNS poisoning is not unique to China, however. Any country or body with control over the DNS system could abuse their position to launch huge DDoS attacks. But they couldnt take advantage of as many connections as China, which invests vast sums on its web control mechanisms.

Go here to see the original:
Accidental DDoS? How China's Censorship Machine Can Cause Unintended Web Blackouts