The Great Firewall of China is the nickname given to the government-controlled internet serving the people of China, but when one part of the world wide web is walled off for a whole swathe of people, it starts creating problems for the rest of the internet. What first looked like a simple DDoS attack orchestrated by the comedy group Lizard Squad turns out to be a deeper issue that many sysadmins are facing, one that involves China's DNS, abandoned parts of the internet, and bad traffic signals.
Initial reports from internet super-sleuths pointed to this graph, provided by a DDoS tracking service, showing a Distributed Denial of Service attack coming from China:
It looks pretty obvious that China was going full War Games on US servers, with most of the bad traffic (telnet requests) coming from that country. China is not an uncommon source of bad internet traffic; ask any beleaguered sysadmin and he will tell you that most of his malicious traffic comes from Chinese and Russian IPs. But this is one case where the obvious answer is not the correct answer, and pirates are responsible.
In early January, Johannes Ullrich, CTO of the SANS Internet Storm Center, posted that he had been looking into Pirate Bay tracker traffic flooding a web server with bad requests. He reported:
David's web server was hit with a sufficient number of requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all of which appear to be located in China. A quick Google search revealed that he wasn't alone, but other web servers experienced similar attacks.
The tracker that those requests were aimed at was abandoned back in 2009:
Today marks the end of an era, as The Pirate Bay team announces that the world's largest BitTorrent tracker is shutting down for good. Although the site will remain operational for now, millions of BitTorrent users will lose the use of its tracker and will instead have to rely on DHT and alternative trackers.
So how is a dead torrent tracker coming back to haunt us? The answer lies in the configuration of the Great Firewall's DNS. When a query for the torrent tracker comes in, the Chinese firewall's DNS resolves it to thousands of different sites, some that are blocked by the firewall and some that are not, and the clients send their requests there. The effort to censor the country's internet is backfiring by directing bad GET requests (sometimes thousands per second) at servers that have nothing to do with the tracker, essentially mimicking a DDoS for the rest of us (mostly the US, it seems, according to the graph I posted at the beginning of the article).
At first it seemed to be only the zombified Pirate Bay tracker, but as more reports flooded in, request logs showed that other sites were also the origin of this strange phenomenon.
Many sysadmins report getting bad GET requests for sites that are known to be blocked in mainland China (Facebook, Akamai, The Pirate Bay, Tumblr, Instagram, etc.) due to some funny DNS routing. What appeared to be a DDoS at first glance is actually the result of goings-on in China that sysadmins have been dealing with for weeks.
These bad requests mimic a DDoS in that they plague the server with connections asking for content it does not have, tying up its memory saying "no" repeatedly to every request for Facebook, Instagram, or gay porn. If you look past the fact that you're getting assaulted from China and at how they're assaulting you, you'll see that it's not your average DDoS but rather a DNS routing issue.
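One way to tell the two apart from the logs, as an added example that is not from the original post: it assumes an nginx combined log with the Host header appended as a final quoted field, the example.org vhosts as our own, and constructed sample lines rather than real traffic.

```python
import re
from collections import Counter

# Assumption: the hostnames this server actually serves (not from the post).
OUR_HOSTS = {"example.org", "www.example.org"}
# Hostnames the post reports in stray requests (sites blocked in China).
BLOCKED_IN_CHINA = {"facebook.com", "www.facebook.com", "instagram.com",
                    "tumblr.com", "www.tumblr.com", "tracker.thepiratebay.org"}
# Combined log format with "$host" appended as a final quoted field (nginx).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$')
# Constructed sample lines, not captured traffic (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=x HTTP/1.1" 404 162 "-" "Transmission/2.84" "tracker.thepiratebay.org"
203.0.113.9 - - [10/Jan/2015:10:00:01 +0000] "GET /ajax/typeahead.php HTTP/1.1" 404 162 "-" "Mozilla/5.0" "www.facebook.com"
198.51.100.3 - - [10/Jan/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "www.example.org"
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "GET /announce?info_hash=y HTTP/1.1" 404 162 "-" "uTorrent/3.4" "tracker.thepiratebay.org"
198.51.100.8 - - [10/Jan/2015:10:00:03 +0000] "GET /p/abc/ HTTP/1.1" 404 162 "-" "Instagram 6.0" "instagram.com"
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """'own': a host we serve; 'gfw-collateral': a request meant for a site
    blocked in China that landed on us instead; 'stray': any other Host value."""
    host = entry["host"].lower()
    if host in OUR_HOSTS:
        return "own"
    if host in BLOCKED_IN_CHINA:
        return "gfw-collateral"
    return "stray"

def summarize(log_text):
    """Count requests per class plus the foreign hosts and source IPs behind them."""
    classes, foreign_hosts, sources = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        classes[kind] += 1
        if kind != "own":
            foreign_hosts[entry["host"].lower()] += 1
            sources[entry["ip"]] += 1
    return {"classes": dict(classes), "foreign_hosts": dict(foreign_hosts),
            "sources": dict(sources)}
```

A real DDoS asks for hosts you actually serve, so a flood of 404s whose Host headers you never configured is the tell; on nginx the same check can be enforced at the edge with a catch-all default_server that answers `return 444;`, so the stray requests never reach the application.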
Why is China's Firewall doing this? Does China really hate everyone? Probably.
The answer? Blocking all requests from China seems to fix the temporary DDoS that many sysadmins have been facing, but the problem remains for those of us who have to allow traffic from around the world. China's censorship is hurting more than its own people; it is now putting a load on the internet's infrastructure, and until they figure out their DNS issues, we'll be seeing a lot of DDoSes originating from the People's Republic.
Edit: Facebook came out today (after I wrote this) saying that it was a server misconfiguration, but I think I'll keep the clickbait title, because I think this is a strange problem that warrants more attention.