Long fingered as the source of denial-of-service attacks and other hacks against foreign interests, China’s .cn domain was targeted on Sunday and approximately one-third of the sites registered to that domain were kept offline for a period of time. A statement from the China Internet Network Information Center blamed the outage on the largest ever denial of service attack the country has faced.
Service was reportedly returned to normal Sunday hours after the attack began. The CINIC apologized to its users for slow and interrupted access to the Internet and said that DNS security specific contingency plans were under way. The center also condemned the attack, which began at 4 a.m. UTC and intensified two hours later, though the source of the attack was not identified.
Security services company Cloudflare was quoted in a Wall Street Journal article that the attack targeted a registry for the .cn top-level domain. The company said during the peak of the attack that traffic to thousands of domains dropped more than 30 percent compared to the previous 24 hours.
Initially, Cloudflare CEO Matthew Prince blamed the outage on a technical error.
“What could have happened is that an attacker likely found a bottleneck in the registry infrastructure overwhelmed it with traffic to make it unavailable,” Prince told Threatpost.
Prince said the attacks lasted upwards of four hours before they were mitigated.
“The DNS system has a series of caches with a time-to-live on them, so any recursive DNS provider upstream, if they had the entry cached and it didn’t expire during that four-hour window, it wouldn’t be a problem,” Prince said. “Otherwise, the DNS lookup would have failed. So it’s not that one-third of the domains were not available, it’s that one-third of the visitors to the .cn domain were not able to access those sites.”
Arbor Networks director of research Dan Holden said his company’s ATLAS research team also monitored the attacks and witnessed approximately a 4x increase over average traffic.
“The number of attacks more than doubled and ATLAS traffic statistics show a significant increase in attack size, indicating a serious attack was carried out,” Holden said in an email.
Banks and other financial institutions in the United States have been targeted by large distributed denial of service attacks since September. Unprecedented levels of traffic have been pointed at high profile organizations such as Bank of America, PNC, JP Morgan and others, keeping online banking services unavailable for periods of time and forcing banks to spend significant money on mitigation.
While a hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for at least three phases of these attacks in numerous Pastebin posts, the size and funding of the attacks left some in the security and political communities skeptical as to the source. Some blamed the Iranian government while others pointed toward China. Whoever was behind the banking DDoS attacks set a high bar using automated toolkits, including Brobot, to carry out high-volume attacks of upwards of 70-100 GBps against simultaneous targets. The bank attackers also used compromised web servers to fire off these requests, using first simple Google searches to find vulnerable servers that were easily exploitable.
“DDoS attacks are the equivalent of a caveman with a club,” Prince said. “These often don’t take masterminds to execute. All that’s necessary is ability to generate more traffic than some part of the infrastructure they’re attacking can withstand.
“What is unknown is how much infrastructure .cn had backing it up,” Prince said. “Some TLD with liminted resources could be vulnerable to attack like that. What this demonstrates is this race to have cute domain names shows you have to verify whether the domain you’re registering for has the infrastructure to withstand attacks.”