How The Great Firewall Of China Caused A DDOS Attack In France

from the global-village dept

Tue, Feb 10th 2015 9:15am — Glyn Moody

Many people outside China know about the country's Great Firewall, but probably assume it will have little, if any, impact on their own online activities. However, a fascinating post on Benjamin Sonntag's blog explains how one of the servers of La Quadrature du Net, the Paris-based digital freedom association he co-founded, and for which his company provides free hosting, was hit by distributed denial of service attacks (DDOS) caused directly by the Great Firewall's policies.

His blog post provides all the technical details: it turned out that the vast majority of the attacks were coming from Chinese IP addresses. Here's what seems to have happened:

China is censoring its Internet, that's well known

to do this, this country censors (among others) DNS [Domain Name System] queries in its network (and also censoring as a side effect, the rare Japanese, Korean or Taiwanese queries going through China)

when it answers a DNS query to a censored website, it answers with "any incorrect IP address" instead.

That is, instead of letting Chinese Net users access "forbidden" content, the Great Firewall generally re-directs them to some random, presumably harmless, site. But that wasn't happening here: we see spikes of requests to websites censored in China coming to IP addresses such as those of La Quadrature du Net. Other people had this same issue : http://furbo.org/2015/01/22/fear-china/

So, the end story is that we just saw censored websites requests coming to La Quadrature du Net's IP address from China, due to how the Chinese Internet censorship is working!
Rather than pushing limited traffic to lots of sites, the Great Firewall was sending lots of traffic to just a few. Among the possible explanations for this new behavior, Sonntag offers two that are equally worrying: Maybe one of the system administrator of the great firewall of China is gaining some small and quick money selling DDOS, selling Internet attacks to the highest bidder (in bitcoin? ;) ) and using that censorship system as a weapon

Maybe China chose a precise list of targets to send censored traffic to, adding to this technical "useful" process (the censorship) a "nice" one (putting down foreign opponents' websites)... La Quadrature du Net, as a digital freedom association, seems to be too nice a target (among others of course).
Neither is good news for sites in the West. Whatever the real reason for this DDOS attack on La Quadrature, it certainly shows that the operation of the Great Firewall of China can have very direct effects outside that country. Another reason, perhaps, for those in the West to pay closer attention to China's increasingly harsh approach to online censorship.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: china, ddos, france, great firewall
Companies: la quadrature du net

16 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Ninja (profile), 10 Feb 2015 @ 7:51am

Another reason, perhaps, for those in the West to pay closer attention to China's increasingly harsh approach to online censorship.

We are paying attention. We'd love to implement the same thing here. - Western Governments

Wither that or just be quiet, nobody has any high ground to criticize China.
[ link to this | view in chronology ]
- Ninja (profile), 10 Feb 2015 @ 7:51am
  
  Re:
  *Either that
  [ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2015 @ 9:28am

I wonder if the french government has a bitcoin account
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2015 @ 9:47am

They should redirect all traffic to US Government websites and then claim it's just network congestion maintenance and load balancing.
[ link to this | view in chronology ]
hij (profile), 10 Feb 2015 @ 9:49am

Does Google know?
As soon as the folks at google ads find out that they may be paying for ads to people who are on a site by "accident" they will likely focus their considerable talents to fix this. By fix, they will probably just not pay for those ad impressions.
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2015 @ 9:50am

Set up a system to detect this traffic and redirect to TOR entry nodes...
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2015 @ 9:50am

'China's increasingly harsh approach to online censorship'

it wont be alone for much longer. most of the so-called 'Democratic Countries' that supposedly support free speech and privacy are not just catching up, they are over taking China (and other countries!). in the race to stop 'the people' from finding out what governments and industries are up to, how they evade the law while making sure 'the people' dont, they are also preventing any action from being taken by the people by limiting the way people are able to communicate with each other and organise demonstrations.
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2015 @ 10:28am

France may be complicit...
From a few articles below on the front page:
"French Government Declares Independence From Free Speech: Broad Internet Take-Down Powers Now In Place"

Seems to me this fits under French Internet Take-Down :)
[ link to this | view in chronology ]
Anonymous Coward, 10 Feb 2015 @ 12:11pm

A vaguely similar story...
About 2011 or so, my then employer got effectively DOSed due to the great firewall, by accident.

We had a large number of internal web resources (wiki, bug tracking, test systems in the office space, etc. etc.) under one Apache server. The resources were accessible from the Internet, with the entire site being HTTPS, password protected by AuthBasic, public indexing discouraged by robots.txt, and requiring a localhost file entry to actually access any resources unless one used the internal-only DNS server.

We then had a contractor come in to make extensive customizations to one resource. Over several weeks, he would regularly need tweaks to a resource config and Apache restarted, which I did for him. Unfortunately, both I and the other hands-on IT guy had to travel to conference for a week before he was done and couldn't baby sit him. Our supervisor said "OK, trust him" at the last minute, so we gave him sudo and strict written instructions to get permission from me if he needed to change anything outside of /[resource], which he acknowledged and I made him sign.

Monday morning after the conference, I get an early AM call that the internal web was inaccessible, even internally, and the public Internet was dog slow at the office too. Drove in, examined the .conf and the logs, and discovered that:
(1) idiot contractor had configured an open http proxy
(2) within about 6 hours, a scanner had found it
(3) within a day, a flood of Chinese-sourced IPs were using the proxy

Closing the open proxy was easy and got things back to usability, though the net remained sluggish for a week or so. We saw a trickle of proxy attempts for months afterwards.

It turns out that there is/was a popular browser add-on for evading the Great Firewall by dynamically using open proxies outside it. The flood had starved our little server for threads, and the traffic had nearly filled a T1. The idiot contractor was unapologetic, saying that config change was on his standard cheat-sheet and he didn't understand why it did that or why we were so upset. Fortunately he was nearly done by then and we saw the last of him within a week.
[ link to this | view in chronology ]
- beltorak (profile), 10 Feb 2015 @ 7:27pm
  
  Re: A vaguely similar story...
  > saying that config change was on his standard cheat-sheet and he didn't understand why it did that or why we were so upset.
  
  wow, not only is he clueless but he doesn't understand why you're upset that he's incompetent and taking your money.
  [ link to this | view in chronology ]
John Fenderson (profile), 10 Feb 2015 @ 1:58pm

Interesting choice
I find it fascinating that China chooses to reply to requests for blocked domains by returning falsified results. That alone should be ground to get their DNS servers banned from the system until they fix the problem.

I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?
[ link to this | view in chronology ]
- beltorak (profile), 10 Feb 2015 @ 7:38pm
  
  Re: Interesting choice
  > I find it fascinating that China chooses to reply to requests for blocked domains by returning falsified results. That alone should be ground to get their DNS servers banned from the system until they fix the problem.
  
  Wouldn't that mean that anyone from the outside would not be able to resolve hostnames that are theirs to point to? It also wouldn't help the fact that everyone on the inside is likely using those DNS servers by default.
  
  > I wonder why they don't reply to those requests in the correct way: by saying that they can't resolve the domain name? Or why they don't do it like the US does it: reply with the address to a server that displays a big ol' "you're breaking the law!" message?
  
  That would be too straight forward; by sending requestors to a wrong page, they sow confusion among the enemy. "Hey, did you check out that site?" "Yeah, they were selling cute kitten doilies!" It might be a while before they communicate that something is wrong.
  [ link to this | view in chronology ]
Anonymous, 10 Feb 2015 @ 4:33pm

Redirect
Just redirect that traffic to a 404 page not found and add
"Chinese Censorship Sucks, Doesn't It?"
[ link to this | view in chronology ]
- spodula, 11 Feb 2015 @ 1:48am
  
  Re: Redirect
  I have to admit i would be tempted to write me a quick Tienanmen square massacre website. I imagine that would get me off their list pretty quick...
  [ link to this | view in chronology ]
Anus Goldman, 10 Feb 2015 @ 7:09pm

Just get yourself banned!
The answer is simple. Just get your own website banned in China so they won't redirect traffic to you. To do that just detect if users are from China and then serve censored pictures and content!
[ link to this | view in chronology ]
Noah Vail, 10 Feb 2015 @ 7:20pm

Maybe similar situation happened to NC ISP
http://www.siliconrepublic.com/enterprise/item/40352-1-3-of-entire-internet-sear/

26.01.2015 A small software firm in North Carolina, USA, found itself the focus of more than one-third of the internet’s search traffic – with almost 13,000 requests per second – after a supposed glitch in China’s networks.

Further investigation into the bizarre error appeared to show that the culprit was the domain name system (DNS) for the whole of China which failed to look up the correct IP address when trying to connect to websites including Twitter Facebook and YouTube.
[ link to this | view in chronology ]