There have been a number of reports in the last week or two of websites that are apparently being DDoSed from IP addresses in the PRC. This has caused a certain amount of confusion and pain to those affected, because there seemed to be no reason for the attack; however, the cause has now become clear. As Sucuri explain on their blog, the cause appears to be the so-called "Great Firewall of China":
It seemed as if the Great Chinese Firewall was mis-configured: instead of blocking the requests to certain sites, it was redirecting them, to us at that.
So if a specific site was blocked, the requests to graph.facebook.com also got blocked and redirected to us. Same for Twitter, Zendesk or media.tumblr.com.
This explains why most of the requests were actually for CDN, images or API files.
The sites that are impacted, like Sucuri, are in fact just collateral damage, but that damage can be significant. Even generating a 404 error page, or starting an SSL session before aborting it, can require a few kilobytes of traffic.
Replying to a short request with 10x or more data is a classic amplification symptom of a DDoS, and if millions of Chinese users are redirected to a site then the aggregate traffic volume and server load can easily make the servers unavailable to legitimate traffic. Even if the web servers do survive the influx, the upstream service provider is very likely to bill the server owner for bandwidth overage, because millions of multi-kilobyte responses add up to gigabytes of data transferred.
Of course, if the servers were behind a firewall protected by ThreatSTOP, the effects could be significantly reduced by adding China to the block policy. All of these connection attempts would then be dropped at the first TCP SYN packet, with no reply sent, so instead of kilobytes of data being sent, only a couple of hundred bytes would be received (assuming 3x 64-byte SYN packets per attempt). This would drastically reduce the bandwidth requirements and, because the packets are dropped at the firewall, there would be no impact at all on the servers.
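The misdirection described above leaves a clear trace in a web server's own logs: requests arrive carrying a Host header for a domain the server does not serve (graph.facebook.com, media.tumblr.com and so on). The following Python script is an added example written for this post; it is not ThreatSTOP's or Sucuri's code. It parses a handful of constructed access-log lines in a virtual-host combined style, flags requests whose Host header is not one of the hostnames we serve (the hostnames in OUR_HOSTS and the sample log are assumptions for the example), counts them per source address and per requested host, and compares the bytes actually served in reply with the roughly 3 x 64 bytes a dropped-at-SYN attempt would consume, as the post assumes. The amplification figure uses an assumed 100-byte request size.

```python
"""Added example (not ThreatSTOP's or Sucuri's code): find misdirected
requests in a web server access log and estimate what answering them
costs compared with dropping them at the first TCP SYN.
"""
import re
from collections import defaultdict

# Hostnames this server legitimately serves (assumption for the example).
OUR_HOSTS = {"www.example.com", "example.com"}

# Constructed sample log lines in a vhost-combined style:
# host client - - [time] "request" status response_bytes
SAMPLE_LOG = """\
www.example.com 203.0.113.5 - - [10/Mar/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
graph.facebook.com 198.51.100.7 - - [10/Mar/2015:10:00:02 +0000] "GET /v2.2/me HTTP/1.1" 404 3210
media.tumblr.com 198.51.100.8 - - [10/Mar/2015:10:00:02 +0000] "GET /avatar_128.png HTTP/1.1" 404 3210
graph.facebook.com 198.51.100.7 - - [10/Mar/2015:10:00:03 +0000] "GET /v2.2/me HTTP/1.1" 404 3210
www.example.com 203.0.113.9 - - [10/Mar/2015:10:00:04 +0000] "GET /about HTTP/1.1" 200 8000
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# The post's assumption for a connection dropped at the firewall:
# the client retries the SYN three times, 64 bytes each, and gets nothing back.
SYN_BYTES_PER_ATTEMPT = 3 * 64


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_misdirected(log_text, our_hosts=OUR_HOSTS):
    """Return the records whose Host header names a site we do not serve."""
    misdirected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"] not in our_hosts:
            misdirected.append(rec)
    return misdirected


def summarise(misdirected, request_bytes=100):
    """Per-source and per-host counts, plus bytes served versus bytes that
    the same attempts would cost if dropped at the first SYN.

    request_bytes is an assumed size of the client's short request, used
    only to express the replies as an amplification factor. The served
    figure counts logged response bodies, so it understates the real cost
    (TLS handshakes and headers are not in the log).
    """
    per_client = defaultdict(int)
    per_host = defaultdict(int)
    served = 0
    for rec in misdirected:
        per_client[rec["client"]] += 1
        per_host[rec["host"]] += 1
        served += rec["bytes"]
    attempts = len(misdirected)
    return {
        "attempts": attempts,
        "per_client": dict(per_client),
        "per_host": dict(per_host),
        "bytes_served": served,
        "bytes_if_dropped_at_syn": attempts * SYN_BYTES_PER_ATTEMPT,
        "amplification": served / (attempts * request_bytes) if attempts else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarise(find_misdirected(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Running the script on the sample log reports three misdirected attempts from two client addresses, 9630 bytes served in 404 replies versus 576 bytes had the SYNs been dropped, and an amplification factor of about 32. On a real server the same per-host tally is the quickest way to confirm that a traffic spike is this kind of collateral redirect rather than a deliberate attack on the site itself.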