[dns-operations] The Sichuan pepper attack: turning a DNS censorship system into a dDoS vector

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Feb 1 19:33:52 UTC 2015

We all know that the Chinese network intercepts DNS requests and
returns fake answers <http://cs.nyu.edu/~pcw216/work/nds/final.pdf>.
Until recently, the addresses returned were nonexistent or even
non-routable (class E addresses...) so there was little harm outside of
China even if, in a few cases, censorship leaked outside.

Now, it seems there is a change since many sites report being hit by
HTTP traffic coming from China and carrying Host: for censored sites
like www.facebook.com, turning every Chinese citizen who wants to see
Facebook (sometimes indirectly, e.g. through a Like button) into an
involuntary accomplice of the dDoS attack.

Seen from the victim:


Seen from China:


PassiveDNS.cn (search by rdata) confirms that the IP address of the
small Web site appeared in the right-hand side of facebook.com,
youtube.com, and many others. A lot of HTTP traffic, 99 % coming from
China, was the result, with URL paths clearly intended for Facebook.
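
A defender-side check for the symptom described in the message above, as an added example that is not part of the original post: it summarises web-server log lines whose Host header names a site the server does not serve. The log layout (a combined-style line ending in the quoted Host value), the `OWN_HOSTS` set and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: names this server really serves; replace with your own vhosts.
OWN_HOSTS = {"example.org", "www.example.org"}

# Assumed log layout (not from the post): combined-style line ending in "<Host header>".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<host>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Feb/2015:19:01:02 +0000] "GET /plugins/like.php?href=a HTTP/1.1" 404 162 "www.facebook.com"
192.0.2.11 - - [01/Feb/2015:19:01:02 +0000] "GET /plugins/like.php?href=a HTTP/1.1" 404 162 "WWW.Facebook.com:80"
198.51.100.7 - - [01/Feb/2015:19:01:03 +0000] "GET / HTTP/1.1" 200 5120 "www.example.org"
192.0.2.10 - - [01/Feb/2015:19:01:04 +0000] "GET /connect/ping HTTP/1.1" 404 162 "www.facebook.com"
203.0.113.5 - - [01/Feb/2015:19:01:05 +0000] "GET /watch?v=x HTTP/1.1" 404 162 "www.youtube.com"
this line does not match the layout and is skipped
"""

def normalize_host(raw):
    """Lower-case a Host header value and drop any :port and trailing dot."""
    host = raw.strip().lower()
    if host.startswith("["):              # IPv6 literal such as [2001:db8::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")

def foreign_host_report(log_text, own_hosts=OWN_HOSTS):
    """Map each Host value we do not serve to request, client and path stats."""
    hits, clients, paths = Counter(), defaultdict(set), defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the assumed layout
        host = normalize_host(m["host"])
        if not host or host in own_hosts:
            continue                      # legitimate traffic for this server
        hits[host] += 1
        clients[host].add(m["ip"])
        paths[host][m["path"]] += 1
    # Ordered by request count, busiest foreign Host first.
    return {h: {"requests": n, "clients": len(clients[h]),
                "top_path": paths[h].most_common(1)[0][0]}
            for h, n in hits.most_common()}

if __name__ == "__main__":
    for host, stats in foreign_host_report(SAMPLE_LOG).items():
        print(host, stats)
```

A sudden rise in requests for Host values outside `OWN_HOSTS`, spread over many clients, matches the pattern the message describes; the source-country share would need a GeoIP lookup, which this example does not include.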
