Analytics // Security Monitoring
1/23/2014
09:45 AM
Connect Directly
RSS
E-Mail
50%
50%

China Blames Massive Internet Blackout On Hackers

Evidence about the 45-minute outage points to botched censorship operation, not hackers, security experts say.

Chinese officials Wednesday blamed a country-wide Internet outage on a hack attack. But security and networking experts suspect that the country's Internet infrastructure was compromised when Chinese government censors inadvertently blocked every website in the world.

What's Chinese for schadenfreude?

The official story from China didn't involve stifling freedom of expression. Instead, government officials blamed a domain name system (DNS) malfunction Tuesday for leaving the country's nearly 600 million Internet users without access to websites for 45 minutes. "We have tracked and analyzed the DNS and found that at least two of the 13 root name servers around the world were affected," said Dong Fang, an Internet engineer at Chinese security product vendor Qihoo 360, according to the Xinhua News Agency, which is the Chinese government's official press agency.

DNS converts website names into IP addresses. Thus, during the supposed DNS outage, anyone who typed in the IP address for a website -- provided it wasn't being blocked by Chinese censors operating the so-called Great Firewall of China -- should have still been able to reach their desired site.

[Hacktivists have new tools in their arsenal. See Politically Motivated Cyberattackers Adopt New Tactics.]

Xinhua spun the apparent hack attack and resulting outage as a reason why China could no longer trust other countries to handle the DNS infrastructure. "All the root name servers are located in the United States, Japan, and European countries. A problem with them would affect all the domain name processes and website visits in China," Fang said. "Building root domain name servers in China should be completed as soon as possible."

But researchers at GreatFire.org, an anticensorship organization, disputed that version of events, saying in a blog post that the outage appeared to be caused by a government-initiated DNS poisoning attempt that went wrong. DNS poisoning refers to rerouting requests for certain websites to a different website, and is actively used by Chinese censors.

"We have conclusive evidence that this outage was caused by the Great Firewall," the researchers said. During the outage, notably, "we see that a lookup to 8.8.8.8, a public DNS operated by Google, returned bogus results if the lookup was done from China." Since that DNS wasn't one of the root name servers that was supposedly hacked, it should have resolved to the actual address.

Instead, even lookups to the Google-operated DNS resolved -- along with every other DNS attempt from inside China -- to 65.49.2.178, which is owned by Dynamic Internet Technology, which makes a censorship-circumvention tool called FreeGate. The site also contains a mirror of a news portal for practitioners of Falun Gong, which is banned in China.

"One hypothesis is that [the Great Firewall] might have intended to block the IP but accidentally used that IP to poison all domains," the GreatFire.org researchers said. According to the Pew Research Center, China has more Internet users than nearly all other countries -- baring India -- have people.

(Source: Pew Research.)
(Source: Pew Research.)

The result of the apparent DNS poisoning gone wrong was that the Dynamic Internet Technology site suffered the equivalent of a denial-of-service attack, as the site was flooded with access requests by every one of China's 591 million Internet users who attempted to access a website during the 45-minute Great Firewall meltdown.

That blip underscores the Chinese government's longstanding campaign to block access to any sites that it deems to be subversive, as well as sometimes even hacking into the systems of journalists to track their activities. Last year, for example, the Chinese government was cited as the culprit behind hacks into the email accounts of journalists at The New York Times and The Wall Street Journal who were covering China.

When it comes to blocking websites, Chinese censors typically only restrict access to Chinese-language sites, or else individual articles on foreign news sites. But this week, the government's censors took the unusual step of blocking access to some foreign news sites in their entirety, including the International Consortium of Investigative Journalists in Washington, D.C., and Britain's Guardian -- as well as a handful of sites in France, Germany, and Spain -- after they published a report into offshore tax havens created by the wealthy relatives of some of China's top leaders, including the brother-in-law of Chinese president Xi Jinping. Some of those news sites posted Chinese-language versions of their stories.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Perimeter defense isn't rocket science, which may be the reason security pros often take it for granted. Without thoughtful and robust perimeter security measures, higher-level systems such as online security and application intelligence will be rendered almost worthless. This Dark Reading report, Building And Maintaining Effective Firewall Configurations report, recommends best practices for rooting out perimeter security issues and for configuring firewalls effectively in the first place. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
1/23/2014 | 10:04:18 AM
UK
What's scary, is that the British Prime Minister, David Cameron, praises Chinese filter companies and wants to enact similar censorship here. It's already started with some ISPs, but they're so bad at it that they've been blocking sex education websites along with the pornography. 


Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
1/23/2014 | 10:27:49 AM
Burned
I guess if you build a Great Firewall, sometimes you're going to get burned.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/23/2014 | 10:31:18 AM
Re: Burned
Nice. Very nice.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/23/2014 | 10:40:19 AM
Re: Burned
I'll be here all week. Remember to tip your waitress.
RobPreston
100%
0%
RobPreston,
User Rank: Apprentice
1/23/2014 | 11:34:58 AM
Re: Burned
Mat, this line's a keeper: What's Chinese for schadenfreude?
HCHENG085
50%
50%
HCHENG085,
User Rank: Apprentice
1/23/2014 | 10:10:17 PM
Why DIT
All messages have been redirected back to DIT. That indicated that incidence was caused by the overthrowing-censorship tool by DIT. Perhaps, some freedom fighters were using DIT tools but failed to achieve its goal. 
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/24/2014 | 6:11:00 AM
Re: Why DIT
HCHENG085, Do you mean that DIT may have hacked the Great Firewall? That's also a possibility, but technically speaking probably would have been much more challenging. "User error" seems more likely.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.