The Great Firewall of China is a nickname given to the government controlled internet for the people of China, but when one part of the world wide web is being blocked off for a whole swathe of people, it has begun to create problems for the rest of the internet. What first looked like a simple DDoS attack being orchestrated by comedy group Lizard Squad, reveals a deeper issue that many sysadmins are facing that involve China’s DNS, abandoned parts of the internet, and bad traffic signals.
Initial reports of internet super sleuths came up with this graph showing a Distributed Denial of Service Attack coming from China provided by a DDoS Tracking Service
It looks pretty obvious that China was going all war games on US Servers, with most of the bad traffic (telnet requests) coming from that country. China is not an uncommon source for bad internet traffic, ask any belagured sysadmin and he will tell you that he gets most of his malicious traffic from Chinese and Russian IPs, but this is one case where the obvious answer is not the correct answer, and pirates are responsible.
In early January, Johannes Ullrich, CTO of SANS Internet Storm Center posted that he had been having problems with piratebay traffic flooding his server with bad requests. He reported:
David’s web server was hit with a sufficient number of requests like the one above to cause a denial of service. The requests originated from thousands of different IP addresses, all appear to be located in China. A quick Google search revealed that he wasn’t alone, but other web servers experienced similar attacks.
The tracker that he reports getting requests from (a.tracker.thepriatebay.org) was abandoned back in 2009:
Today marks the end of an era, as The Pirate Bay team announces that the world’s largest BitTorrent tracker is shutting down for good. Although the site will remain operational for now, millions of BitTorrent users will lose the use of its tracker and will instead have to rely on DHT and alternative trackers
So how is a dead torrent tracker coming back to haunt us? The answer lies in the configuration of the Great Firewall’s DNS. When a query comes in to the torrent tracker, the Chinese firewall sends it out to thousands of sites, some that are blocked by the firewall, and some that are not. The effort to censor the country’s internet is backfiring by sending bad GET requests (sometimes thousands per second) to erroneous servers and essentially mimicking a DDoS for the rest of us (mostly the US, it seems, according to that graph I posted at the beginning of the article).
At first it seemed as if it was only the zombified piratebay tracker, but as more reports began flooding in, request logs showed that more sites were the origins of this strange phenomena.
ManySysadminsreportgetting bad GET requests from sites that are known to be blocked in Mainland China (Facebook, Akamai, ThePirateBay, Tumblr, Instagram etc) due to some funny DNS routing and what appeared to be a DDoS at first glance, is actually a result of some going ons in China that sysadmins have been dealing with for weeks.
These bad requests mimic a DDoS in the effect that it plagues the server with connections asking for content that it does not have, tying up it’s memory in saying “No” repeatedly to every request for a facebook, an instagram, or gay porn. If you’re not looking past the fact that you’re getting assaulted from China, and see how they’re assaulting you, you’ll see that it’s not your average DDoS, but rather DNS routing issues.
Why is China’s Firewall doing this? Does China really hate everyone? Probably.
The answer? Blocking all requests from China seem to fix the temporary DDoS that many sysadmins have been facing, but the problem still remains for many of us who have to allow traffic around the world. China’s censorship is hurting more than their people, it is now putting a load on the internet’s infrastructure, and until they figure their DNS issues out, we’ll be seeing a lot of “DDoSes” originating from the people’s repbulic.
Edit: Facebook came out today (after I wrote this) saying that it was a server misconfiguration, but I think I’ll keep the clickbait title because I think this is a strange problem that warrants more attention.