China’s Golden Shield Project, also known as the Great Firewall of China (GFW), is a government-controlled network firewall that monitors every bit of internet traffic generated inside China. The political and ideological background of the Golden Shield Project is considered to be one of Deng Xiaoping’s favorite sayings in the early 1980s: “If you open the window for fresh air, you have to expect some flies to blow in.” So what does any of this have to do with DDoS?
A few weeks ago, according to the Chinese government, the GFW went through an upgrade that introduced some bugs into it. As a result, it basically acted as a reflector that attacked IPs at random. A Reddit post explains that Chinese mobile devices were participating in random DDoS attacks, albeit unwillingly, while users were attempting to play games on their phones. Basically, the population of China, whilst trying to use the internet, was being redirected to places it was not trying to get to. When you have millions of these web requests being sent out and redirected to specific IPs, you get DDoS. Except in this case, it may not be intentional.
The method used by the Great Firewall to control the traffic to unapproved websites is known as DNS poisoning. DNS poisoning operates by taking an incoming DNS request and answering it with a different IP address than the one the requested name should resolve to. So in layman’s terms, if you were to enter the URL to go to Facebook, your network would make a request for that page and might instead land on a random webpage if DNS requests for Facebook had been poisoned. All of the traffic intended for the blocked site then lands on whatever address the poisoned answer pointed to; at scale, that misdirected traffic is, for all intents and purposes, a DDoS attack on that site.
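The tell-tale signature of this kind of misdirection, from the victim’s side, is a surge of HTTP requests arriving at your server with Host headers for domains you do not own, spread across a very large number of client addresses. The following Python script is an added example written for this post (it is not code from the original article or from Staminus): it parses a web server access log whose assumed log format puts the requested hostname first, counts requests per minute that carry a foreign Host header, and flags minutes that cross a threshold. The log lines, the hostnames `example.com`/`www.example.com` and the threshold are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Hostnames this server legitimately answers for (assumption for the example).
OUR_HOSTS = {"example.com", "www.example.com"}

# Constructed sample access log. The assumed nginx log_format is:
#   '$host $remote_addr [$time_local] "$request" $status'
# so the Host header the client sent is the first field of every line.
SAMPLE_LOG = """\
example.com 203.0.113.5 [02/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200
www.facebook.com 198.51.100.7 [02/Jan/2015:10:00:02 +0000] "GET / HTTP/1.1" 200
www.facebook.com 198.51.100.8 [02/Jan/2015:10:00:02 +0000] "GET /login.php HTTP/1.1" 200
www.facebook.com 198.51.100.9 [02/Jan/2015:10:00:03 +0000] "GET / HTTP/1.1" 200
www.facebook.com 198.51.100.10 [02/Jan/2015:10:00:04 +0000] "GET / HTTP/1.1" 200
www.facebook.com 198.51.100.11 [02/Jan/2015:10:00:05 +0000] "GET / HTTP/1.1" 200
twitter.com 198.51.100.12 [02/Jan/2015:10:00:05 +0000] "GET / HTTP/1.1" 200
twitter.com 198.51.100.13 [02/Jan/2015:10:00:06 +0000] "GET / HTTP/1.1" 200
example.com 203.0.113.6 [02/Jan/2015:10:01:01 +0000] "GET /about HTTP/1.1" 200
www.example.com 203.0.113.7 [02/Jan/2015:10:01:02 +0000] "GET / HTTP/1.1" 200
twitter.com 198.51.100.14 [02/Jan/2015:10:01:03 +0000] "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def minute_bucket(time_local):
    """'02/Jan/2015:10:00:02 +0000' -> '02/Jan/2015:10:00' (truncate the seconds and zone)."""
    return time_local[:17]


def misdirected_requests(lines, our_hosts=OUR_HOSTS):
    """Per minute, count requests whose Host header is not ours, keyed by the foreign hostname."""
    per_minute = defaultdict(Counter)
    for rec in parse(lines):
        host = rec["host"].lower().split(":")[0]  # drop an explicit :port if present
        if host not in our_hosts:
            per_minute[minute_bucket(rec["time"])][host] += 1
    return per_minute


def distinct_sources(lines, our_hosts=OUR_HOSTS):
    """Number of distinct client IPs that sent at least one misdirected request.

    A high count with few requests per address is the signature of many
    ordinary users being redirected, as opposed to one noisy scanner."""
    ips = set()
    for rec in parse(lines):
        host = rec["host"].lower().split(":")[0]
        if host not in our_hosts:
            ips.add(rec["ip"])
    return len(ips)


def flag_minutes(per_minute, threshold):
    """Return (minute, total, top_foreign_host, top_count) for minutes at or above threshold.

    Minutes are sorted lexically, which is correct within a single day for this format."""
    flagged = []
    for minute in sorted(per_minute):
        total = sum(per_minute[minute].values())
        if total >= threshold:
            top_host, top_n = per_minute[minute].most_common(1)[0]
            flagged.append((minute, total, top_host, top_n))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_minute = misdirected_requests(lines)
    for minute, total, host, n in flag_minutes(per_minute, threshold=5):
        print(f"{minute}: {total} misdirected requests, mostly for {host} ({n})")
    print(f"{distinct_sources(lines)} distinct source addresses sent misdirected requests")
```

In production you would feed the script a tail of the live log and alert on the flagged minutes; the threshold depends on your normal baseline of stray Host headers, which is never quite zero on a public address.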
So what does this mean? China could essentially turn its censorship system into a very large DDoS tool. This isn’t to say that the Chinese government would intentionally use the system to DDoS web presences, but if the system were somehow compromised, we could potentially see massive DDoS attacks originating from China. The other issue is that, if we are to believe what the Chinese government says, these issues were due to a bug in its system. This means there is a chance that any future configuration change or upgrade could result in similar incidents.
The Usual Workaround
China’s censorship system has been circumvented for a long time by companies selling VPN services to the general population. A VPN allows a Chinese citizen to reach websites that would otherwise be restricted by funneling their traffic into another country’s network and then using that connection to reach the sites that were blocked before. The VPN endpoints are not subject to the GFW because they are not located in China. It’s a very quick and simple solution for users and quite lucrative for the companies that sell it, a service that everyone in the most populated country in the world would want to use. The update that caused the DNS glitches in the system was at least partially intended to block VPN services.
What This Means Going Forward
DDoS attacks utilizing DNS reflection are not uncommon. They’re actually among the most common volumetric DDoS attacks because they are relatively easy to generate. The danger specific to China’s GFW is the sheer magnitude of users behind it. Anyone who figures out how to take control of or exploit the system can force hundreds of millions of connections toward anyone they want to target. The unintentional traffic spikes the firewall has already caused are an indicator of how massive that threat would be.
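One inexpensive thing a site operator can do at the web server against this specific pattern is to refuse to serve content for hostnames it does not own, so misdirected requests cost a few bytes rather than a full page render. The nginx configuration below is an added example written for this post, not a configuration from the original article or from Staminus; `example.com` and the document root are assumptions. The first block is the weak setting, the second pair is the corrected one.

```nginx
# Weak: with no default_server declared, this single block is the default
# for port 80, so nginx serves the full site to ANY Host header it receives,
# including requests that were meant for a blocked site somewhere else.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
}

# Hardened: an explicit catch-all default server closes connections whose
# Host header does not match a name we actually serve. 444 is nginx's
# non-standard "close the connection without a response" code.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example;
}
```

This only trims the application-layer cost of each stray request; the packets still arrive and still consume bandwidth, so at the scale the article describes it is a complement to upstream volumetric mitigation, not a replacement for it.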
DDoS attacks are very common. They come in all shapes and sizes. Some are simple, some are complex, and some are generated using very clever methods. With the reality of anything from configuration changes in an external network forcing traffic to your website, to deliberate abuse from a cyber criminal taking your network down, DDoS protection is extremely important in this day and age. With the proper mitigation in place, the threat of random attacks dissipates, as businesses have a means to stop the problem at any time. Staminus continues to help our clients with 24-hour support, 7 days a week. Whether or not the attack is random, we keep you connected.