Internet anomalies in mainland China in 2014

From Wikipedia the free encyclopedia

In the afternoon of January 21, 2014, the Chinese internet suffered a major failure. The country's DNS infrastructure, which is responsible for translating domain names into IP addresses, started directing unrelated domains from various TLDs to the completely unresponsive IP address 65.49.2.178 at 15:10 (UTC+8). As a result, two-thirds of all domestic websites became non-functional,[1] including such high-traffic sites as Baidu and Sina.[2]

It is debated what caused this incident. Chinese officials point to the fact that the IP address is owned by Dynamic Internet Technology, an American Falun Gong-affiliated corporation most known for developing the Great Firewall circumvention tool Freegate, and argue that it was caused by external hacking.[3] Independent researchers, however, argue that the incident is more likely caused by a misconfiguration in Great Firewall's DNS poisoning mechanism.[2]

Incident timeline[edit]

At 09:00 on January 21, many of Tencent's online services failed.[4][5] Tencent later clarified that this failure had nothing to do with the subsequent nationwide incident.[6]

At 15:15,[2] China's DNS servers started malfunctioning. Many sites ending in .com, .org, and .net were resolved to a wrong IP address, 65.49.2.178, affecting about two-thirds of the country's websites, while the .cn top level domain was not affected.[6][7] GreatFire reports that the malfunctioning stopped by 15:39, and by 16:00 the various internet service providers have started manual flushes of the DNS cache to remove the poisoned entries.[2] By 16:50, most sites were back to normal, although it could take up to 12 hours for the DNS cache to completely flush.[8]

n.baidu.com, a sub-domain under Baidu, was found to show "catch me if you can" when visited via a browser, although it's unclear whether this was connected to the incident.[7] The source code on the front page of DNS service provider DNSPod's official website was found to include snide content, but DNSPod said via the official Weibo that it was an Easter Egg.[9]

Theories[edit]

The IP address 65.49.2.178 is owned by DIT, as aforementioned in the lead. WooYun, a now-defunct internet security platform, claimed on Weibo to have evidence of the said address sending out spam and carrying out other politically motivated hacking operations.[6] Researchers of Kingsoft Antivirus similarly believe that the IP has carried out attacks.[10] Bill Xia of DIT denied any allegations of hacking.[11][12]

The hacking theory is widely questioned. Dong Fang of Qihoo (China),[13] Ye Xuhui of Hong Kong ISP Association,[14] and two other Chinese experts[15] point out that any attack to cause a simultaneous dysfunction must be enormous in scale, as it needs to cover all the high-level DNS servers in China. Such an attack would be beyond the ability of most hackers. The power, however, is available to the ISPs, and a misconfiguration could have caused this issue.[14]

Reuters and Bloomberg report that the attack was caused by a misconfiguration of the Great Firewall.[3] Prof Xiao Qiang of UC Berkeley concurs.[3] GreatFire.org, which specializes in monitoring the Great Firewall, shows "decisive evidence" that the incident was caused by the said firewall. GF.org argues that if such a problem was truly caused by an upstream DNS error, a non-Chinese DNS should return the correct IP address. However, during the incident, queries to Google's 8.8.8.8 DNS service are similarly incorrect, indicating a GFW involvement.[2]

See also[edit]

References[edit]

  1. ^ Leyden, John. "DNS poisoning slams web traffic from millions in China into the wrong hole". www.theregister.com.
  2. ^ a b c d e "Internet outage in China on Jan 21". GreatFire.org. Retrieved 22 Jan 2014.
  3. ^ a b c Paul Carsten, Pete Sweeney (2014-01-22). "Massive Internet mishap sparks Great Firewall scrutiny in China". Reuters. Archived from the original on 2014-02-26. Retrieved 2014-01-23.
  4. ^ "腾讯QQ邮箱等出现故障 网友调侃年终奖发少了". 光明网. 2014-01-21. Archived from the original on 2014-01-28. Retrieved 2014-01-23.
  5. ^ 腾讯客服团队 (2014-01-21). "关于网络故障造成部分业务无法正常使用的通知". 腾讯. Archived from the original on 2016-03-05. Retrieved 2014-01-23.
  6. ^ a b c "域名解析故障 全国网站挂了大半". 新京报. 2014-01-22. Archived from the original on 2014-02-01. Retrieved 2014-01-23.
  7. ^ a b "国内顶级域名根服务器故障". 南方都市报. 2014-01-22. Archived from the original on 2014-02-01. Retrieved 2014-01-23.
  8. ^ "中国顶级域名根服务器故障 大部分网站受影响". 新浪科技. 2014-01-21. Archived from the original on 2014-01-27. Retrieved 2014-01-21.
  9. ^ "@DNSPod" (page archive backup, stored in the Internet Archive)". Weibo. Retrieved 21 Jan 2014.
  10. ^ "全国大面积网络"瘫痪"". 羊城晚报. 2014-01-22. Archived from the original on 2014-01-23. Retrieved 2014-01-23.
  11. ^ Matthew Hilburn (2014-01-22). "More Questions than Answers About China Internet Outage". Voice of America. Archived from the original on 2016-08-02. Retrieved 2014-01-23.
  12. ^ "中國網路癱瘓 疑內部作業失誤". 自由時報. 2014-01-23. Archived from the original on 2014-01-23. Retrieved 2014-01-23.
  13. ^ "全国多数网页出现登录故障 专家:黑客攻击嫌疑最大". 央广网. 2014-01-22. Archived from the original on 2014-08-07. Retrieved 2014-01-23.
  14. ^ a b Chen, Lulu Yilun. ""Chinese Internet Outage May Be the Result of Censorship Changes"". Bloomberg News. Retrieved 23 Jan 2014.
  15. ^ "惊魂一小时:全国域名解析首遭大规模污染". 新浪科技. 2014-01-22. Archived from the original on 2020-02-11. Retrieved 2014-01-23.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Internet_anomalies_in_mainland_China_in_2014&oldid=1175611475"