How The Great Firewall Of China Caused A DDOS Attack In France
from the global-village dept
Many people outside China know about the country's Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag's blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service attacks (DDOS) caused directly by the Great Firewall's policies.
His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here's what seems to have happened:
China is censoring its Internet, that's well known
That is, instead of letting Chinese Net users access "forbidden" content, the Great Firewall generally re-directs them to some random, presumably harmless, site. But that wasn't happening here:
to do this, this country censors (among others) DNS [Domain Name System] queries in its network (and also censoring as a side effect, the rare Japanese, Korean or Taiwanese queries going through China)
when it answers a DNS query to a censored website, it answers with "any incorrect IP address" instead.we see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue : http://furbo.org/2015/01/22/fear-china/
Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying:
So, the end story is that we just saw censored websites requests coming to La Quadrature du Net's IP address from China, due to how the Chinese Internet censorship is working!Maybe one of the system administrator of the great firewall of China is gaining some small and quick money selling DDOS, selling Internet attacks to the highest bidder (in bitcoin? ;) ) and using that censorship system as a weapon
Neither is good news for sites in the West. Whatever the real reason for this DDOS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China's increasingly harsh approach to online censorship.
Maybe China chose a precise list of targets to send censored traffic to, adding to this technical "useful" process (the censorship) a "nice" one (putting down foreign opponents' websites)... La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course).
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: china, ddos, france, great firewall
Companies: la quadrature du net
Reader Comments
Subscribe: RSS
View by: Time | Thread
We are paying attention. We'd love to implement the same thing here. - Western Governments
Wither that or just be quiet, nobody has any high ground to criticize China.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Does Google know?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
it wont be alone for much longer. most of the so-called 'Democratic Countries' that supposedly support free speech and privacy are not just catching up, they are over taking China (and other countries!). in the race to stop 'the people' from finding out what governments and industries are up to, how they evade the law while making sure 'the people' dont, they are also preventing any action from being taken by the people by limiting the way people are able to communicate with each other and organise demonstrations.
[ link to this | view in chronology ]
France may be complicit...
"French Government Declares Independence From Free Speech: Broad Internet Take-Down Powers Now In Place"
Seems to me this fits under French Internet Take-Down :)
[ link to this | view in chronology ]
A vaguely similar story...
We had a large number of internal web resources (wiki, bug tracking, test systems in the office space, etc. etc.) under one Apache server. The resources were accessible from the Internet, with the entire site being HTTPS, password protected by AuthBasic, public indexing discouraged by robots.txt, and requiring a localhost file entry to actually access any resources unless one used the internal-only DNS server.
We then had a contractor come in to make extensive customizations to one resource. Over several weeks, he would regularly need tweaks to a resource config and Apache restarted, which I did for him. Unfortunately, both I and the other hands-on IT guy had to travel to conference for a week before he was done and couldn't baby sit him. Our supervisor said "OK, trust him" at the last minute, so we gave him sudo and strict written instructions to get permission from me if he needed to change anything outside of /[resource], which he acknowledged and I made him sign.
Monday morning after the conference, I get an early AM call that the internal web was inaccessible, even internally, and the public Internet was dog slow at the office too. Drove in, examined the .conf and the logs, and discovered that:
(1) idiot contractor had configured an open http proxy
(2) within about 6 hours, a scanner had found it
(3) within a day, a flood of Chinese-sourced IPs were using the proxy
Closing the open proxy was easy and got things back to usability, though the net remained sluggish for a week or so. We saw a trickle of proxy attempts for months afterwards.
It turns out that there is/was a popular browser add-on for evading the Great Firewall by dynamically using open proxies outside it. The flood had starved our little server for threads, and the traffic had nearly filled a T1. The idiot contractor was unapologetic, saying that config change was on his standard cheat-sheet and he didn't understand why it did that or why we were so upset. Fortunately he was nearly done by then and we saw the last of him within a week.
[ link to this | view in chronology ]
Re: A vaguely similar story...
wow, not only is he clueless but he doesn't understand why you're upset that he's incompetent and taking your money.
[ link to this | view in chronology ]
Interesting choice
I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?
[ link to this | view in chronology ]
Re: Interesting choice
Wouldn't that mean that anyone from the outside would not be able to resolve hostnames that are theirs to point to? It also wouldn't help the fact that everyone on the inside is likely using those DNS servers by default.
> I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?
That would be too straight forward; by sending requestors to a wrong page, they sow confusion among the enemy. "Hey, did you check out that site?" "Yeah, they were selling cute kitten doilies!" It might be a while before they communicate that something is wrong.
[ link to this | view in chronology ]
Redirect
"Chinese Censorship Sucks, Doesn't It?"
[ link to this | view in chronology ]
Re: Redirect
[ link to this | view in chronology ]
Just get yourself banned!
[ link to this | view in chronology ]
Maybe similar situation happened to NC ISP
[ link to this | view in chronology ]