China has reported what appears to be one of the largest DDoS attacks in history, aimed at the DNS servers that serve every .cn domain name. The CNNIC (China Internet Network Information Centre), the government body responsible for Chinese domain names, published only sketchy details of the distributed denial-of-service attack this weekend.
The attack was well coordinated and managed to slow down or disrupt user access to millions of websites, some of them major properties such as the Bank of China's website, Weibo (the social networking site) and Amazon.cn.
According to information supplied by the CNNIC, the attack began at 2 AM on Sunday and targeted China's .cn servers. Two phases were distinguished: a milder first wave, and a far more aggressive second wave that struck about two hours after the initial attack. Service has been gradually restored since then.
Many internet users are waiting for official details so they can understand what actually happened and whether there is a risk of it happening again, possibly on a much larger scale; for now, official details are very scarce.
Matthew Prince, Chief Executive Officer of CloudFlare, told the WSJ that the company noticed a massive drop in traffic from China: compared to the regular average, traffic suddenly decreased by 32%.
Prince said that on Sunday the 25th, around 12 AM, China experienced a denial-of-service attack which began at 2 AM and disrupted the ability to connect to .cn domains for everyone in the country. It was, he said, without a doubt the biggest attack of its kind in history, and although the attack intensified at 4 AM, service was gradually restored after that.
As a result of this attack, China's MIIT (Ministry of Industry and Information Technology) has taken steps intended to ensure that something like this does not happen again. By launching specific contingency plans for the security of domain names, it hopes that such attacks will be deterred in the future and that people will not have to go through a similar experience any time soon.
Soon after the attack ended, the CNNIC condemned it and apologized to its users, promising to keep working with the sector to improve its service capabilities.
At the current time the origin of the attack is not known, but various sources believe it came from inside the country. Although China has more internet users than any other country in the world, much of its internet infrastructure is weak.
According to Matthew Prince, the fact that someone managed to carry out such an attack does not necessarily imply an extreme level of planning, resources and sophistication behind it; it may very well be the work of a single individual.
Understanding DDoS attacks
As previously mentioned, DDoS stands for distributed denial of service: a type of denial-of-service attack in which many compromised systems, typically infected with a Trojan or other malware, are used to target a single system. The result for the target is a DoS, a denial of service.
The victims of a DDoS attack therefore include both the end target and the systems the attacker has maliciously taken control of and used to mount the distributed attack.
In a DDoS attack the incoming traffic that floods the target originates from many sources: dozens, hundreds, thousands, or more.
These attacks are effective because they cannot be stopped by blocking a single IP address, and because distinguishing legitimate user traffic from attack traffic is very hard when the attack is spread across so many points of origin.
In a typical distributed denial of service attack, the attacker begins by exploiting a vulnerability in one machine and turning it into the DDoS master.
The botmaster or attack master then identifies other vulnerable systems and uses malware to infect them. Lastly, the attacker takes control of the infected machines and directs them to launch a DDoS attack against any target of the attacker's choosing.
More on the subject:
- GlobalDots’ Knowledge Base on DDoS:
- Cloudflare DDoS info page:
Broadly, there are two types of distributed denial of service attack: application-layer attacks, which overload a database or service with application requests (each of which may be cheap to send but expensive to serve), and network-centric attacks, which use up bandwidth to overload a service.
In both cases the target is flooded, with packets or with requests, until it runs out of bandwidth, connections or processing capacity and fails.
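The two points above, that a flood from many sources defeats single-address blocking and that application-layer requests cost the server far more than they cost the attacker, are easier to see on data. The following Python script is an added example and is not code from the original article or from CloudFlare or the CNNIC. It builds a constructed access log (three legitimate clients plus a few hundred bot addresses drawn from the RFC 5737 documentation ranges), buckets requests into one-second windows, and compares what a per-IP rate limit sees with the aggregate rate and a weighted back-end load. The log format, the per-endpoint cost table and the capacity numbers are assumptions chosen for illustration.

```python
"""Added example: why per-source blocking fails against a distributed flood.

Parses constructed access-log lines of the form '<unix_ts> <src_ip> <method> <path>',
then compares the per-source request rate (what a single-IP block list keys on)
with the aggregate rate and a weighted back-end load (what actually exhausts the target).
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")

# Assumed relative back-end cost per endpoint: a search that hits the database
# is far more expensive to serve than the static front page.
ENDPOINT_COST = {"/search": 20}


def parse_line(line):
    """Parse one log line; return (ts, ip, method, path) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path = m.groups()
    return int(ts), ip, method, path


def endpoint_cost(path):
    """Cost of serving a path, ignoring the query string; unknown paths cost 1."""
    return ENDPOINT_COST.get(path.split("?", 1)[0], 1)


def build_sample_log(start_ts=1377388800, bots=300, seconds=10):
    """Constructed sample log, not a real capture.

    Three legitimate clients fetch two cheap pages every second.  Each bot sends
    one cheap request and three expensive search requests spread over four
    distinct seconds of the window, so no bot ever exceeds 1 request/second.
    """
    lines = []
    legit = ("198.51.100.1", "198.51.100.2", "198.51.100.3")
    for t in range(seconds):
        for ip in legit:
            lines.append(f"{start_ts + t} {ip} GET /")
            lines.append(f"{start_ts + t} {ip} GET /about")
    for b in range(bots):
        # RFC 5737 documentation ranges, enough for a few hundred fake sources.
        ip = f"203.0.113.{b}" if b < 256 else f"192.0.2.{b - 256}"
        for k in range(4):
            t = (b + 3 * k) % seconds          # 0, 3, 6, 9 offsets: four distinct seconds
            path = "/" if k == 0 else f"/search?q={b}"
            lines.append(f"{start_ts + t} {ip} GET {path}")
    return lines


def analyze(lines, per_ip_limit=10, capacity_rps=100):
    """Bucket requests into one-second windows and report on the busiest one.

    per_ip_limit: requests/second above which a naive per-source limiter blocks.
    capacity_rps: assumed aggregate rate the target can sustain.
    """
    by_window = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                           # skip malformed lines instead of crashing mid-incident
        ts, ip, _method, path = rec
        by_window[ts].append((ip, path))
    if not by_window:
        return None
    peak_ts = max(by_window, key=lambda t: len(by_window[t]))
    reqs = by_window[peak_ts]
    per_ip = Counter(ip for ip, _ in reqs)
    return {
        "window": peak_ts,
        "aggregate_rps": len(reqs),
        "distinct_sources": len(per_ip),
        "weighted_load": sum(endpoint_cost(p) for _, p in reqs),
        "over_capacity": len(reqs) > capacity_rps,
        "busiest_source_rps": max(per_ip.values()),
        # Sources a per-IP limiter would block: expected to be empty for a flood.
        "per_ip_flagged": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
    }


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

Run as written, the busiest window holds 126 requests from 123 distinct addresses, well over the assumed 100 req/s capacity, yet the busiest single source (a legitimate client) sends only 2 req/s and nothing is flagged for blocking. The weighted load makes the application-layer point: the bots' search requests are less than three quarters of the traffic by count but account for almost all of the assumed server work.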
Although media coverage generally treats the target of a distributed denial of service attack as the single victim, there are many other victims: the targeted machine, and also the machines already under the botmaster's control.
The owners of those controlled machines are usually unaware of their involvement in the DDoS attack, and their machines will also eventually suffer degraded performance.
A machine under an intruder's control is known as a bot or zombie, and a group of them as a zombie army or botnet.
Denial of service attacks are cheap and, without the right tools, very hard to counter. As a result they are popular, especially with people who have little technical knowledge; some websites even offer DoS-for-hire services at rates starting as low as 50 dollars.
After the recent attack that disrupted access to most of China's .cn domains, the country will have to rethink its infrastructure and take concrete steps to improve its security.
The potential losses from this weekend's attack may well amount to millions of dollars, so it is in the country's interest to do everything it can to ensure such attacks do not happen again.