Sucuri systems received thousands of requests per second

Jan 29, 2015 08:51 GMT

Requests to certain online services that are blocked by the Great Firewall of China were redirected over the past weeks to servers belonging to a website security company.

With thousands of requests per second hitting its infrastructure, the company initially suspected a distributed denial-of-service (DDoS) attack.

All requests were legitimate

Daniel Cid, co-founder of Sucuri, says the requests were for domains belonging to, among others, Facebook, Twitter, WordPress, Zendesk, Tumblr, 4Shared and Flickr, none of which Sucuri hosts, and he observed that all of them originated from China.

Upon realizing this, the first thought that crossed Cid’s mind was that the company’s servers were targeted by a new type of DDoS attack that relied on random domain names to escape detection.

“However, the request headers looked very legitimate. Even via passive fingerprinting, we were able to properly tie the operating system, to the browser and the user agent. It also didn’t look like a DDoS botnet that we could identify. To our surprise, it seemed like real browser requests from valid users,” Cid says in a blog post.

A wave of redirects this large would cripple many services

Although the cause of the incident is still unclear, the consensus among the security practitioners who analyzed the logs is that the Great Firewall of China may have been misconfigured and sent requests destined for blocked websites to Sucuri's systems instead.

As a result, users in China trying to reach the restricted services would have seen an error page from Sucuri, because their browsers were talking to a server that does not host the domain named in the request.

Cid says that most of the requests were for CDN (content delivery network) assets, images and API endpoints, which fits this explanation: the kind of background resources a page loads automatically rather than pages a user types in.
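The triage described above, as an added example that is not Sucuri's code: it parses access log lines that carry the Host header as a trailing quoted field (an assumed log format), then answers the questions Cid raised. How many distinct clients are there, how many requests name hosts this edge does not serve, what kind of resources they ask for, and whether the user agents look like real browsers. The served host list, the log lines and the verdict thresholds are all constructed for the example.

```python
"""Triage a flood of requests addressed to domains this edge does not serve.

Added example, not Sucuri's code. Log format (assumed): Apache combined format
with the Host header appended as one more quoted field at the end of the line.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the hostnames this edge is actually configured to serve.
SERVED_HOSTS = {"example-customer.com", "www.example-customer.com"}

# Constructed sample log lines (TEST-NET addresses, invented paths); not real data.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jan/2015:10:02:01 +0000] "GET /rsrc.php/v2/yA/r/abc.png HTTP/1.1" 403 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" "static.xx.fbcdn.net"
203.0.113.11 - - [27/Jan/2015:10:02:01 +0000] "GET /profile_images/1/avatar.jpg HTTP/1.1" 403 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5" "pbs.twimg.com"
203.0.113.12 - - [27/Jan/2015:10:02:02 +0000] "GET /api/v2/tickets.json HTTP/1.1" 403 512 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0" "support.example.zendesk.com"
203.0.113.13 - - [27/Jan/2015:10:02:02 +0000] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 403 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36" "s0.wp.com"
203.0.113.14 - - [27/Jan/2015:10:02:03 +0000] "GET /image/12345 HTTP/1.1" 403 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4" "media.tumblr.com"
203.0.113.15 - - [27/Jan/2015:10:02:03 +0000] "GET /services/rest/?method=flickr.photos.getInfo HTTP/1.1" 403 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" "api.flickr.com"
198.51.100.7 - - [27/Jan/2015:10:02:04 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0" "www.example-customer.com"
198.51.100.8 - - [27/Jan/2015:10:02:04 +0000] "GET /api/status HTTP/1.1" 200 64 "-" "curl/7.38.0" "www.example-customer.com"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_path(path: str) -> str:
    """Rough bucket for what a request asks for: api, image, cdn_asset or other."""
    p = path.split("?", 1)[0].lower()
    if p.startswith(("/api", "/services/rest")) or "/api/" in p or p.endswith(".json"):
        return "api"
    if p.endswith((".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")) or "/image" in p:
        return "image"
    if p.endswith((".css", ".js", ".woff", ".woff2")):
        return "cdn_asset"
    return "other"


def looks_like_browser(ua: str) -> bool:
    """Cheap heuristic: every mainstream browser UA starts with Mozilla/5.0."""
    return ua.startswith("Mozilla/")


@dataclass
class Triage:
    total: int
    distinct_ips: int
    distinct_hosts: int
    foreign_requests: int          # requests whose Host we do not serve
    foreign_fraction: float
    foreign_browser_fraction: float  # share of foreign requests with browser UAs
    top_foreign_hosts: list
    path_classes: dict             # what the foreign requests asked for
    verdict: str


def triage(records: list[dict], served_hosts: set = SERVED_HOSTS) -> Triage:
    """Summarize a request sample and label it with a rule-of-thumb verdict."""
    foreign = [r for r in records if r["host"].lower() not in served_hosts]
    total = len(records)
    foreign_fraction = len(foreign) / total if total else 0.0
    browser = sum(looks_like_browser(r["ua"]) for r in foreign)
    foreign_browser_fraction = browser / len(foreign) if foreign else 0.0

    # Thresholds are assumptions for the example, not tuned figures.
    if foreign_fraction >= 0.5 and foreign_browser_fraction >= 0.8:
        # Real browsers asking us for someone else's CDN/images/API: suspect an
        # upstream DNS or redirect error, not a botnet.
        verdict = "misdirected-legitimate-clients"
    elif foreign_fraction >= 0.5:
        verdict = "host-mismatch-flood"
    else:
        verdict = "served-traffic-surge"

    return Triage(
        total=total,
        distinct_ips=len({r["ip"] for r in records}),
        distinct_hosts=len({r["host"].lower() for r in records}),
        foreign_requests=len(foreign),
        foreign_fraction=foreign_fraction,
        foreign_browser_fraction=foreign_browser_fraction,
        top_foreign_hosts=Counter(r["host"] for r in foreign).most_common(5),
        path_classes=dict(Counter(classify_path(r["path"]) for r in foreign)),
        verdict=verdict,
    )


if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

Run it against a few minutes of real edge logs (after adding the Host header to the log format) and the split between served and foreign hosts, plus the user-agent mix of the foreign share, is usually enough to tell an upstream misdirection from a botnet before any mitigation is pulled in. Source-country concentration, which Cid also relied on, needs a GeoIP lookup and is left out here so the example runs offline.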

As for why the Great Firewall of China was doing this, there is no answer at the moment; the researcher speculates that a bug was at fault.

Because the clients were asking for content from some of the most popular online platforms, the volume of requests was unusually large, and it came from thousands of IP addresses in China. Cid says that a wave of this magnitude would be enough to bring down most servers unless DDoS mitigation is in place, such as spreading the traffic across many machines so that no single host absorbs it all.