How The Great Firewall Of China Caused A DDOS Attack In France
from the global-village dept
Many people outside China know about the country’s Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag’s blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service attacks (DDOS) caused directly by the Great Firewall’s policies.
His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here’s what seems to have happened:
China is censoring its Internet, that’s well known
to do this, this country censors (among others) DNS [Domain Name System] queries in its network (and also censoring as a side effect, the rare Japanese, Korean or Taiwanese queries going through China)
when it answers a DNS query to a censored website, it answers with “any incorrect IP address” instead.
That is, instead of letting Chinese Net users access “forbidden” content, the Great Firewall generally re-directs them to some random, presumably harmless, site. But that wasn’t happening here:
we see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue : http://furbo.org/2015/01/22/fear-china/
So, the end story is that we just saw censored websites requests coming to La Quadrature du Net’s IP address from China, due to how the Chinese Internet censorship is working!
Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying:
Maybe one of the system administrator of the great firewall of China is gaining some small and quick money selling DDOS, selling Internet attacks to the highest bidder (in bitcoin? 😉 ) and using that censorship system as a weapon
Maybe China chose a precise list of targets to send censored traffic to, adding to this technical “useful” process (the censorship) a “nice” one (putting down foreign opponents’ websites)… La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course).
Neither is good news for sites in the West. Whatever the real reason for this DDOS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China’s increasingly harsh approach to online censorship.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: china, ddos, france, great firewall
Companies: la quadrature du net
Comments on “How The Great Firewall Of China Caused A DDOS Attack In France”
Another reason, perhaps, for those in the West to pay closer attention to China’s increasingly harsh approach to online censorship.
We are paying attention. We’d love to implement the same thing here. – Western Governments
Wither that or just be quiet, nobody has any high ground to criticize China.
Re: Re:
*Either that
I wonder if the french government has a bitcoin account
They should redirect all traffic to US Government websites and then claim it’s just network congestion maintenance and load balancing.
Does Google know?
As soon as the folks at google ads find out that they may be paying for ads to people who are on a site by “accident” they will likely focus their considerable talents to fix this. By fix, they will probably just not pay for those ad impressions.
Set up a system to detect this traffic and redirect to TOR entry nodes…
‘China’s increasingly harsh approach to online censorship’
it wont be alone for much longer. most of the so-called ‘Democratic Countries’ that supposedly support free speech and privacy are not just catching up, they are over taking China (and other countries!). in the race to stop ‘the people’ from finding out what governments and industries are up to, how they evade the law while making sure ‘the people’ dont, they are also preventing any action from being taken by the people by limiting the way people are able to communicate with each other and organise demonstrations.
France may be complicit...
From a few articles below on the front page:
“French Government Declares Independence From Free Speech: Broad Internet Take-Down Powers Now In Place”
Seems to me this fits under French Internet Take-Down 🙂
A vaguely similar story...
About 2011 or so, my then employer got effectively DOSed due to the great firewall, by accident.
We had a large number of internal web resources (wiki, bug tracking, test systems in the office space, etc. etc.) under one Apache server. The resources were accessible from the Internet, with the entire site being HTTPS, password protected by AuthBasic, public indexing discouraged by robots.txt, and requiring a localhost file entry to actually access any resources unless one used the internal-only DNS server.
We then had a contractor come in to make extensive customizations to one resource. Over several weeks, he would regularly need tweaks to a resource config and Apache restarted, which I did for him. Unfortunately, both I and the other hands-on IT guy had to travel to conference for a week before he was done and couldn’t baby sit him. Our supervisor said “OK, trust him” at the last minute, so we gave him sudo and strict written instructions to get permission from me if he needed to change anything outside of /[resource], which he acknowledged and I made him sign.
Monday morning after the conference, I get an early AM call that the internal web was inaccessible, even internally, and the public Internet was dog slow at the office too. Drove in, examined the .conf and the logs, and discovered that:
(1) idiot contractor had configured an open http proxy
(2) within about 6 hours, a scanner had found it
(3) within a day, a flood of Chinese-sourced IPs were using the proxy
Closing the open proxy was easy and got things back to usability, though the net remained sluggish for a week or so. We saw a trickle of proxy attempts for months afterwards.
It turns out that there is/was a popular browser add-on for evading the Great Firewall by dynamically using open proxies outside it. The flood had starved our little server for threads, and the traffic had nearly filled a T1. The idiot contractor was unapologetic, saying that config change was on his standard cheat-sheet and he didn’t understand why it did that or why we were so upset. Fortunately he was nearly done by then and we saw the last of him within a week.
Re: A vaguely similar story...
Interesting choice
I find it fascinating that China chooses to reply to requests for blocked domains by returning falsified results. That alone should be ground to get their DNS servers banned from the system until they fix the problem.
I wonder why they don’t reply to those requests in the correct way: by saying that they can’t resolve the domain name? Or why they don’t do it like the US does it: reply with the address to a server that displays a big ol’ “you’re breaking the law!” message?
Re: Interesting choice
Redirect
Just redirect that traffic to a 404 page not found and add
“Chinese Censorship Sucks, Doesn’t It?”
Re: Redirect
I have to admit i would be tempted to write me a quick Tienanmen square massacre website. I imagine that would get me off their list pretty quick…
Just get yourself banned!
The answer is simple. Just get your own website banned in China so they won’t redirect traffic to you. To do that just detect if users are from China and then serve censored pictures and content!
Maybe similar situation happened to NC ISP
http://www.siliconrepublic.com/enterprise/item/40352-1-3-of-entire-internet-sear/