China’s Great Firewall had a massive and unexpected effect on sites all over the Internet upon the completion of its most recent upgrade. Apparently random sites experienced huge traffic spikes, sending them scrambling to figure out why as much as 52 Mbps of search traffic was pouring into their system.
To make that figure more meaningful, consider that it represents about 13,000 requests per second, roughly a third of Google’s search traffic. All of that traffic came from China, and the vast majority of it appears to be trying to reach BitTorrent sites or Facebook.
How did this come about? And how can small sites and blogs deal with such a deluge of requests?
The Collateral Damage of Censorship
How did this apparent DDoS attack inflict such massive damage on so many different sites and blogs? Reports from system administrators across the web revealed that their sites’ IP addresses had suddenly become targets. Such targeting forces sysadmins to introduce blocking measures just to get back online.
Theories abound as to what was going on: foreign hackers, a focused DDoS attack, something else? But one theory that has generated increasing interest in the technical community is that China’s Great Firewall has a bug. The bug causing the problem seems to lie in how the firewall uses DNS cache poisoning to redirect users away from websites that the Chinese government censors.
China’s Great Firewall exploits a weakness of the DNS system: it intercepts requests going both in and out of the country. If it finds something the Chinese government wishes to censor (“twitter.com,” “facebook.com,” or “torrentz.com”), it redirects the request to a different IP address. In the past, those requests were sent to IP addresses that didn’t exist, which simply caused the request to time out. However, China has begun sending those requests to IP addresses used by real servers.
In effect, all these sites found themselves unluckily in the crosshairs of the machinery of the Chinese government’s censorship.
And this is how a server on the other side of the world can get hit with a full stream of millions upon millions of users requesting information the server simply doesn’t have. When millions of users suddenly and without warning start making requests, the server fails.
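As an added illustration (not from the original article), the following Python script shows how a site operator could recognise this collateral traffic in their own web server access logs: every stray request arrives with a Host header naming a site the server does not host. The log format, the IP addresses and the served hostnames are constructed assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines in a combined-log style extended with the
# Host header as the final quoted field, standing in for what a sysadmin
# would see during such a traffic spike.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0" "www.facebook.com"
203.0.113.11 - - [20/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=x HTTP/1.1" 404 162 "-" "uTorrent/3.4" "torrentz.com"
198.51.100.5 - - [20/Jan/2015:10:00:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "example-blog.net"
203.0.113.12 - - [20/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 404 162 "-" "Mozilla/5.0" "twitter.com"
203.0.113.10 - - [20/Jan/2015:10:00:03 +0000] "GET /login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0" "www.facebook.com"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Hostnames this server is actually configured to serve (assumption).
SERVED_HOSTS = {"example-blog.net", "www.example-blog.net"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_stray_traffic(log_text, served_hosts=SERVED_HOSTS):
    """Count requests whose Host header names a site this server does not host.

    Returns (requests per foreign hostname, requests per source IP,
    peak stray requests observed in any one second).
    """
    by_host, by_ip, per_second = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].lower().split(":")[0]  # drop any :port suffix
        if host in served_hosts:
            continue  # legitimate request for a site we really serve
        by_host[host] += 1
        by_ip[rec["ip"]] += 1
        per_second[rec["ts"]] += 1  # timestamp has second granularity
    peak = max(per_second.values(), default=0)
    return by_host, by_ip, peak


if __name__ == "__main__":
    hosts, ips, peak = find_stray_traffic(SAMPLE_LOG)
    print("stray hosts:", dict(hosts), "sources:", dict(ips), "peak/s:", peak)
```

The same Host-based distinction is what a default virtual host that refuses unknown names enforces at the web server, which is the cheapest way to drop this traffic before it reaches the application.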
The Bigger Problem in the Making
While this particular problem may be attributed to human error, an even bigger and more frightening question must be asked: what happens if someone gains a foothold in the DNS system? Such a tactical advantage would allow a hacker to use DNS poisoning to cause unprecedented attacks. And if a single hacker could cause such damage, imagine what a hostile country or intelligence agency could do.
Whether accidental or intentional, any individual, agency, or government can knock out vast numbers of websites. If those sites were for critical services such as utilities infrastructure, emergency services, government agencies, and the like, the fallout could be devastating.
Issues such as DNS poisoning or DDoS attacks are serious and, as we have seen, can happen on an extremely large scale, devastating your site and server. Luckily, you can prepare for and manage the risks of such an attack, and there are steps you can take to protect yourself today.
