China capable of massive DDoS attacks

China, being the world’s most populous country has a lot of potential when it comes to DDoS attacks. Craig Hockenberry, author of furbo.org was a recent victim of such an onslaught. When he found out that both of their mail servers were down, he naturally looked at the server traffic. This was his reaction:

There was only one thing I could say: “Holy shit.”

This was his network graph. Usually the megabits/sec for requests is really low compared to the responses, but in this case, the peak of the request graph hit 52 Mbps which is insanely high and definitely not normal network activity.

Let’s put that number in perspective: Daring Fireball is notorious for taking down sites by sending them about 500 Kbps of traffic. What we had just experienced was roughly the equivalent of 100 fireballs.

What is a DDoS attack?

Distributed Denial-of-Service or DDoS is a term which refers to an attack which generally consists of efforts to temporarily or indefinitely interrupt or suspend the services provided by a host over the internet.

The most common type of Denial-of-Service attack involves flooding the target resource with external communication requests. This overload prevents the resource/server from responding to legitimate traffic, or slows its response so significantly that it is rendered effectively unavailable.

China and DDoS

On closer inspection it appeared that most of the traffic was coming from China, more specifically from Chinese BitTorrent clients who apparently thought that this particular server was a tracker. In this case, the only solution was blocking out ip addresses from china using a firewall.

China has been a major source of DDoS attacks in the past, one of the notable ones being the massive attack on Blizzard servers in North America.

More details on this incident can be found here.

Have a nice (DDoS free) day!

 

  • There are some interesting characteristics in traffic patters:

    – list of affected IP addresses seem to be static
    – the traffic only comes in certain hours to the affected IPs
    – the affected IPs are typically hostings (i.e. no ADSL or otherwise home addresses)
    – different IPs get different shares of traffic
    – etc.

    I’m a security researcher writing an extended article about this.

    I’d be interested to speak with people who are affected by this kind of “bittorrent DDoS”. The magazine I’m writing the article for is willing to cover some of the costs related to this DDoS (your hosting cost, compensate for your time) if you help us track this attack – please contact me at tchm at virtall dot com for details.