[dns-operations] The Sichuan pepper attack: turning a DNS censorship system into a dDoS vector

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Feb 1 19:33:52 UTC 2015


We all know that the chinese network intercepts DNS requests and
returns fake answers <http://cs.nyu.edu/~pcw216/work/nds/final.pdf>
<http://research.dyn.com/2010/03/fouling-the-global-nest/>
<https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005340.html>
<http://arstechnica.com/tech-policy/2010/03/china-censorship-leaks-outside-great-firewall-via-root-server/>.
Until recently, the addresses returned were non existing or even non
routable (class E addresses...) so there was little harm outside of
China even if, in a few cases, censorship leaked outside.

Now, it seems there is a change since many sites report being hit by
HTTP traffic coming from China and carrying Host: for censored sites
like www.facebook.com, turning every chinese citizen who wants to see
Facebook (sometimes indirectly, e.g. through a Like button) into an
involuntary accomplice of the dDoS attack.

Seen from the victim:

http://furbo.org/2015/01/22/fear-china/
https://benjamin.sonntag.fr/DDOS-on-La-Quadrature-du-Net-analysis
http://blog.sucuri.net/2015/01/ddos-from-china-facebook-wordpress-and-twitter-users-receiving-sucuri-error-pages.html

Seen from China:

https://en.greatfire.org/blog/2015/jan/gfw-upgrade-fail-visitors-blocked-sites-redirected-porn

PassiveDNS.cn (search by rdata) confirms that the IP address of the
small Web site appeared in the right-hand side of facebook.com,
youtube.com, and many others. A lot of HTTP traffic, 99 % coming from
China, was the result, with URL paths clearly intended for Facebook.




More information about the dns-operations mailing list