Software designer Craig Hockenberry noticed something very strange was happening to his small corporate website The Iconfactory one morning last month: traffic had suddenly spiked to extremely high levels—equivalent to more than double the amount of data transmitted when Kim Kardashian’s naked photos were published last year.
The reason, he quickly discovered, was that China’s Great Firewall—the elaborate machinery that China’s government uses to censor the internet—was redirecting enormous amounts of bogus traffic to his site, which designs online icons, quickly swamping his servers.
“When I looked at the server traffic, there was only one thing I could say,” he wrote on his blog. “Holy shit.”
Hockenberry was only the latest unfortunate site administrator to experience an ugly side effect of the Great Firewall, known as DNS poisoning. A brief explainer: When you type a URL into your web browser, its domain name is converted into a numeric IP address by a Domain Name System (DNS) server. Often these are run by internet service providers or companies like Google, but in China they are run by the government—specifically the Ministry of State Security, which is responsible for operating the Great Firewall (often referred to as the GFW).
When a Chinese internet user attempts to visit a banned site such as Facebook, Google, or Twitter, the GFW reroutes the request. For a long time it sent users to non-existent IP addresses, but lately, for reasons unknown, it has been sending them to seemingly random sites like Iconfactory, which are quickly debilitated by the massive inflow of data.
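A site on the receiving end of this rerouting can spot it in its own web server logs: a browser that was handed the wrong IP address for a banned domain still sends that domain in the HTTP Host header, so the flood shows up as requests for domains the server has never hosted. The script below is an added illustration, not code from Hockenberry, Iconfactory or Greatfire. It assumes an Apache-style "vhost_combined" log layout (Host header first, then client IP) and uses constructed sample lines; the domain list, thresholds and function names are the example's own.

```python
import re
from collections import Counter

# Domains this server legitimately serves (assumption for the example).
OWN_HOSTS = {"iconfactory.com", "www.iconfactory.com"}

# Constructed sample log lines in an assumed Apache "vhost_combined"-style layout:
# "<Host header> <client IP> - - [time] "<request>" <status> <bytes>"
# The foreign Host values mimic what a DNS-poisoned client would send.
SAMPLE_LOG = """\
www.iconfactory.com 198.51.100.7 - - [20/Jan/2015:08:01:02 +0000] "GET /software HTTP/1.1" 200 5120
www.facebook.com 203.0.113.10 - - [20/Jan/2015:08:01:03 +0000] "GET / HTTP/1.1" 404 312
www.facebook.com 203.0.113.11 - - [20/Jan/2015:08:01:03 +0000] "GET / HTTP/1.1" 404 312
twitter.com 203.0.113.12 - - [20/Jan/2015:08:01:04 +0000] "GET /home HTTP/1.1" 404 312
www.google.com 203.0.113.13 - - [20/Jan/2015:08:01:04 +0000] "GET /search?q=x HTTP/1.1" 404 312
iconfactory.com 198.51.100.8 - - [20/Jan/2015:08:01:05 +0000] "GET /blog HTTP/1.1" 200 8800
www.facebook.com 203.0.113.14 - - [20/Jan/2015:08:01:05 +0000] "GET / HTTP/1.1" 404 312
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, own_hosts=OWN_HOSTS):
    """Count requests whose Host header names a domain this server does not own.

    Returns total request count, the foreign request count, a Counter of
    foreign Host values, and the set of client IPs that sent them.
    """
    total = 0
    foreign_hosts = Counter()
    foreign_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than guess
        total += 1
        # Normalise case and drop an explicit port ("example.com:8080").
        host = rec["host"].lower().split(":")[0]
        if host not in own_hosts:
            foreign_hosts[host] += 1
            foreign_ips.add(rec["ip"])
    return {
        "total": total,
        "foreign": sum(foreign_hosts.values()),
        "foreign_hosts": foreign_hosts,
        "foreign_ips": foreign_ips,
    }


def is_poisoning_flood(summary, min_share=0.5, min_requests=5):
    """Flag a window as a DNS-poisoning flood when foreign-Host requests
    dominate it. Thresholds are illustrative, not tuned figures."""
    if summary["total"] == 0 or summary["foreign"] < min_requests:
        return False
    return summary["foreign"] / summary["total"] >= min_share


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['foreign']} of {s['total']} requests carried a foreign Host header")
    for host, n in s["foreign_hosts"].most_common():
        print(f"  {host}: {n}")
    print("flood suspected:", is_poisoning_flood(s))
```

Because the poisoned clients are ordinary browsers spread across many source addresses, blocking IPs one by one does little; the more useful response on the server side is a default virtual host that refuses any request whose Host header is not one of the site's own names (in nginx, a catch-all `server` block with `return 444;` drops such connections without sending a response), which keeps the misdirected traffic from ever reaching the application.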
The surge to Hockenberry’s site on Jan. 20 preceded a major internet disruption in China on Jan. 21 that was conclusively caused by GFW DNS poisoning, according to Greatfire.org, a group that fights Chinese internet censorship. Much of the internet was inaccessible to Chinese users for several hours as most of the country’s web requests—equivalent to hundreds of thousands per second—were redirected to a single IP address, used by Dynamic Internet Technology, a small US company that helps users circumvent the GFW. The company’s president speculated that the DNS rerouting was not an intentional attack on his company, but rather the result of human error.
Other website administrators have reported similar incidents in the past. According to Greatfire, Chinese users attempting to access banned sites have been redirected to foreign porn sites, random sites in Russia, and to a site owned by the South Korean government. “In essence, GFW is sending Chinese users to DDOS the Korea government’s website,” the group wrote. DDOS stands for distributed denial of service, and is a common type of attack by hackers trying to take down a website by flooding it with traffic from virus-infested computers under their control.
Hockenberry concluded: “Every machine in China has the potential to be a part of a massive DDOS attack on innocent sites. As my colleague Sean quipped, ‘They have weaponized their entire population.’”