How The Great Firewall Of China Caused A DDOS Attack In France

from the global-village dept

Many people outside China know about the country's Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag's blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service attacks (DDOS) caused directly by the Great Firewall's policies.

His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here's what seems to have happened:

> China is censoring its Internet, that's well known
>
> to do this, this country censors (among others) DNS [Domain Name System] queries in its network (and also censoring as a side effect, the rare Japanese, Korean or Taiwanese queries going through China)
>
> when it answers a DNS query to a censored website, it answers with "any incorrect IP address" instead.

That is, instead of letting Chinese Net users access "forbidden" content, the Great Firewall generally re-directs them to some random, presumably harmless, site. But that wasn't happening here:

> we see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue: http://furbo.org/2015/01/22/fear-china/
>
> So, the end story is that we just saw censored websites requests coming to La Quadrature du Net's IP address from China, due to how the Chinese Internet censorship is working!

Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying:

> Maybe one of the system administrators of the great firewall of China is gaining some small and quick money selling DDOS, selling Internet attacks to the highest bidder (in bitcoin? ;) ) and using that censorship system as a weapon
>
> Maybe China chose a precise list of targets to send censored traffic to, adding to this technical "useful" process (the censorship) a "nice" one (putting down foreign opponents' websites)... La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course).

Neither is good news for sites in the West. Whatever the real reason for this DDOS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China's increasingly harsh approach to online censorship.
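
Added example (not from Sonntag's post or this article): on the receiving server, poisoned DNS answers show up as HTTP requests whose Host header names a site the server does not host, and these can be counted from the access log. The log layout, `SERVED_HOSTS` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: the hostnames this server really serves (placeholders).
SERVED_HOSTS = {"www.example.org", "example.org"}

# Assumed log layout: Host header first, then common log format, e.g. Apache
# LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+$'
)

# Constructed sample: one legitimate hit, then requests for foreign hostnames.
SAMPLE_LOG = """\
www.example.org 192.0.2.10 - - [10/Feb/2015:07:50:01 +0000] "GET / HTTP/1.1" 200 5120
censored-a.example 198.51.100.7 - - [10/Feb/2015:07:51:02 +0000] "GET /feed HTTP/1.1" 404 210
censored-a.example 198.51.100.8 - - [10/Feb/2015:07:51:03 +0000] "GET /feed HTTP/1.1" 404 210
censored-b.example:80 198.51.100.9 - - [10/Feb/2015:07:51:40 +0000] "POST /api HTTP/1.1" 404 210
censored-a.example 203.0.113.5 - - [10/Feb/2015:07:52:10 +0000] "GET / HTTP/1.1" 404 210
""".splitlines()

def parse(line):
    """Return (host, minute) or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = re.sub(r":\d+$", "", m["host"].lower())  # drop an explicit port
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return host, ts.replace(second=0)

def misdirected(lines, served=SERVED_HOSTS):
    """Per-minute and per-hostname counts of requests whose Host is not ours."""
    per_minute, per_host = Counter(), Counter()
    for host, minute in filter(None, map(parse, lines)):
        if host in served or host == "-":  # "-" means no Host header was sent
            continue
        per_minute[minute] += 1
        per_host[host] += 1
    return per_minute, per_host

def spikes(per_minute, threshold):
    """Minutes in which misdirected requests reach the threshold."""
    return sorted(m for m, n in per_minute.items() if n >= threshold)

if __name__ == "__main__":
    per_minute, per_host = misdirected(SAMPLE_LOG)
    print(per_host.most_common(5), spikes(per_minute, threshold=3))
```

Serving unknown Host values from a catch-all virtual host with a small static response keeps this kind of traffic cheap to handle.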

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: china, ddos, france, great firewall
Companies: la quadrature du net


Reader Comments



  • Ninja, 10 Feb 2015 @ 7:51am

    > Another reason, perhaps, for those in the West to pay closer attention to China's increasingly harsh approach to online censorship.

    We are paying attention. We'd love to implement the same thing here. - Western Governments

    Either that or just be quiet, nobody has any high ground to criticize China.

  • Anonymous Coward, 10 Feb 2015 @ 9:28am

    I wonder if the French government has a bitcoin account

  • Anonymous Coward, 10 Feb 2015 @ 9:47am

    They should redirect all traffic to US Government websites and then claim it's just network congestion maintenance and load balancing.

  • hij, 10 Feb 2015 @ 9:49am

    Does Google know?

    As soon as the folks at Google ads find out that they may be paying for ads to people who are on a site by "accident" they will likely focus their considerable talents to fix this. By fix, they will probably just not pay for those ad impressions.

  • Anonymous Coward, 10 Feb 2015 @ 9:50am

    Set up a system to detect this traffic and redirect to TOR entry nodes...

  • Anonymous Coward, 10 Feb 2015 @ 9:50am

    'China's increasingly harsh approach to online censorship'

    It won't be alone for much longer. Most of the so-called 'Democratic Countries' that supposedly support free speech and privacy are not just catching up, they are overtaking China (and other countries!). In the race to stop 'the people' from finding out what governments and industries are up to, how they evade the law while making sure 'the people' don't, they are also preventing any action from being taken by the people by limiting the way people are able to communicate with each other and organise demonstrations.

  • Anonymous Coward, 10 Feb 2015 @ 10:28am

    France may be complicit...

    From a few articles below on the front page:
    "French Government Declares Independence From Free Speech: Broad Internet Take-Down Powers Now In Place"

    Seems to me this fits under French Internet Take-Down :)

  • Anonymous Coward, 10 Feb 2015 @ 12:11pm

    A vaguely similar story...

    About 2011 or so, my then employer got effectively DOSed due to the great firewall, by accident.

    We had a large number of internal web resources (wiki, bug tracking, test systems in the office space, etc. etc.) under one Apache server. The resources were accessible from the Internet, with the entire site being HTTPS, password protected by AuthBasic, public indexing discouraged by robots.txt, and requiring a localhost file entry to actually access any resources unless one used the internal-only DNS server.

    We then had a contractor come in to make extensive customizations to one resource. Over several weeks, he would regularly need tweaks to a resource config and Apache restarted, which I did for him. Unfortunately, both I and the other hands-on IT guy had to travel to a conference for a week before he was done and couldn't babysit him. Our supervisor said "OK, trust him" at the last minute, so we gave him sudo and strict written instructions to get permission from me if he needed to change anything outside of /[resource], which he acknowledged and I made him sign.

    Monday morning after the conference, I get an early AM call that the internal web was inaccessible, even internally, and the public Internet was dog slow at the office too. Drove in, examined the .conf and the logs, and discovered that:
    (1) idiot contractor had configured an open http proxy
    (2) within about 6 hours, a scanner had found it
    (3) within a day, a flood of Chinese-sourced IPs were using the proxy

    Closing the open proxy was easy and got things back to usability, though the net remained sluggish for a week or so. We saw a trickle of proxy attempts for months afterwards.

    It turns out that there is/was a popular browser add-on for evading the Great Firewall by dynamically using open proxies outside it. The flood had starved our little server for threads, and the traffic had nearly filled a T1. The idiot contractor was unapologetic, saying that config change was on his standard cheat-sheet and he didn't understand why it did that or why we were so upset. Fortunately he was nearly done by then and we saw the last of him within a week.

    • beltorak, 10 Feb 2015 @ 7:27pm

      Re: A vaguely similar story...

      > saying that config change was on his standard cheat-sheet and he didn't understand why it did that or why we were so upset.

      wow, not only is he clueless but he doesn't understand why you're upset that he's incompetent and taking your money.

  • John Fenderson, 10 Feb 2015 @ 1:58pm

    Interesting choice

    I find it fascinating that China chooses to reply to requests for blocked domains by returning falsified results. That alone should be ground to get their DNS servers banned from the system until they fix the problem.

    I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?

    • beltorak, 10 Feb 2015 @ 7:38pm

      Re: Interesting choice

      > I find it fascinating that China chooses to reply to requests for blocked domains by returning falsified results. That alone should be ground to get their DNS servers banned from the system until they fix the problem.

      Wouldn't that mean that anyone from the outside would not be able to resolve hostnames that are theirs to point to? It also wouldn't help the fact that everyone on the inside is likely using those DNS servers by default.

      > I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?

      That would be too straightforward; by sending requestors to a wrong page, they sow confusion among the enemy. "Hey, did you check out that site?" "Yeah, they were selling cute kitten doilies!" It might be a while before they communicate that something is wrong.

  • Anonymous, 10 Feb 2015 @ 4:33pm

    Redirect

    Just redirect that traffic to a 404 page not found and add
    "Chinese Censorship Sucks, Doesn't It?"

    • spodula, 11 Feb 2015 @ 1:48am

      Re: Redirect

      I have to admit I would be tempted to write me a quick Tiananmen Square massacre website. I imagine that would get me off their list pretty quick...

  • Anus Goldman, 10 Feb 2015 @ 7:09pm

    Just get yourself banned!

    The answer is simple. Just get your own website banned in China so they won't redirect traffic to you. To do that just detect if users are from China and then serve censored pictures and content!

  • Noah Vail, 10 Feb 2015 @ 7:20pm

    Maybe similar situation happened to NC ISP

    http://www.siliconrepublic.com/enterprise/item/40352-1-3-of-entire-internet-sear/

    26.01.2015 A small software firm in North Carolina, USA, found itself the focus of more than one-third of the internet’s search traffic – with almost 13,000 requests per second – after a supposed glitch in China’s networks.

    Further investigation into the bizarre error appeared to show that the culprit was the domain name system (DNS) for the whole of China which failed to look up the correct IP address when trying to connect to websites including Twitter, Facebook and YouTube.
