Internet anomalies in mainland China in 2014 explained

In the afternoon of January 21, 2014, the Chinese internet suffered a major failure. The country's DNS infrastructure, which is responsible for translating domain names into IP addresses, started directing unrelated domains from various TLDs to the completely unresponsive IP address 65.49.2.178 at 15:10 (UTC+8). As a result, two-thirds of all domestic websites became non-functional,^[1] including such high-traffic sites as Baidu and Sina.

It is debated what caused this incident. Chinese officials point to the fact that the IP address is owned by Dynamic Internet Technology, an American Falun Gong-affiliated corporation most known for developing the Great Firewall circumvention tool Freegate, and argue that it was caused by external hacking. Independent researchers, however, argue that the incident is more likely caused by a misconfiguration in Great Firewall's DNS poisoning mechanism.

Incident timeline

At 09:00 on January 21, many of Tencent's online services failed.^{[2] [3]} Tencent later clarified that this failure had nothing to do with the subsequent nationwide incident.^[4]

At 15:15, China's DNS servers started malfunctioning. Many sites ending in .com, .org, and .net were resolved to a wrong IP address, 65.49.2.178, affecting about two-thirds of the country's websites, while the .cn top level domain was not affected.^[5] GreatFire reports that the malfunctioning stopped by 15:39, and by 16:00 the various internet service providers have started manual flushes of the DNS cache to remove the poisoned entries. By 16:50, most sites were back to normal, although it could take up to 12 hours for the DNS cache to completely flush.^[6]

n.baidu.com, a sub-domain under Baidu, was found to show "catch me if you can" when visited via a browser, although it's unclear whether this was connected to the incident. The source code on the front page of DNS service provider DNSPod's official website was found to include snide content, but DNSPod said via the official Weibo that it was an Easter Egg.^[7]

Theories

The IP address 65.49.2.178 is owned by DIT, as aforementioned in the lead. WooYun, a now-defunct internet security platform, claimed on Weibo to have evidence of the said address sending out spam and carrying out other politically motivated hacking operations. Researchers of Kingsoft Antivirus similarly believe that the IP has carried out attacks.^[8] Bill Xia of DIT denied any allegations of hacking.^{[9] [10]}

The hacking theory is widely questioned. Dong Fang of Qihoo (China),^[11] Ye Xuhui of Hong Kong ISP Association,^[12] and two other Chinese experts^[13] point out that any attack to cause a simultaneous dysfunction must be enormous in scale, as it needs to cover all the high-level DNS servers in China. Such an attack would be beyond the ability of most hackers. The power, however, is available to the ISPs, and a misconfiguration could have caused this issue.^[12]

Reuters and Bloomberg report that the attack was caused by a misconfiguration of the Great Firewall.^[14] Prof Xiao Qiang of UC Berkeley concurs.^[14] GreatFire.org, which specializes in monitoring the Great Firewall, shows "decisive evidence" that the incident was caused by the said firewall. GF.org argues that if such a problem was truly caused by an upstream DNS error, a non-Chinese DNS should return the correct IP address. However, during the incident, queries to Google's 8.8.8.8 DNS service are similarly incorrect, indicating a GFW involvement.^[15]

See also

• High availability
• Network behavior anomaly detection
• Routing
• China Telecom
• Telecommunications in China

Notes and References

1. Web site: Leyden . John . DNS poisoning slams web traffic from millions in China into the wrong hole . www.theregister.com . en.
2. News: 腾讯QQ邮箱等出现故障 网友调侃年终奖发少了 . 2014-01-21 . 2014-01-23 . . 2014-01-28 . https://web.archive.org/web/20140128012105/http://tech.gmw.cn/2014-01/21/content_10181433.htm . live .
3. Web site: 关于网络故障造成部分业务无法正常使用的通知 . 腾讯客服团队 . 腾讯 . 2014-01-21 . 2014-01-23 . 2016-03-05 . https://web.archive.org/web/20160305210711/http://kf.qq.com//announce/x_49.html . live .
4. News: 域名解析故障 全国网站挂了大半 . . 2014-01-22 . 2014-01-23 . 2014-02-01 . https://web.archive.org/web/20140201185509/http://epaper.bjnews.com.cn/html/2014-01/22/content_491659.htm?div=-1 . live .
5. News: 国内顶级域名根服务器故障. 南方都市报. 2014-01-22. 2014-01-23. dead. https://web.archive.org/web/20140201203914/http://epaper.oeeee.com/A/html/2014-01/22/content_2013428.htm. 2014-02-01.
6. News: 中国顶级域名根服务器故障 大部分网站受影响 . 新浪科技 . 2014-01-21 . 2014-01-21 . 2014-01-27 . https://web.archive.org/web/20140127074835/http://tech.sina.com.cn/i/2014-01-21/16169115784.shtml . live .
7. Web site: @DNSPod" (page archive backup, stored in the Internet Archive). 21 Jan 2014. Weibo.
8. News: 全国大面积网络“瘫痪”. 羊城晚报. 2014-01-22. 2014-01-23. dead. https://archive.today/20140123093345/http://www.ycwb.com/EPAPER/YCWB/html/2014-01/22/content_353945.htm?div=-1. 2014-01-23.
9. News: More Questions than Answers About China Internet Outage . Voice of America . 2014-01-22 . 2014-01-23 . Matthew Hilburn . en . 2016-08-02 . https://web.archive.org/web/20160802014726/http://www.voanews.com/content/more-questions-than-answers-about-china-internet-outage/1835525.html . live .
10. News: 中國網路癱瘓 疑內部作業失誤. 自由時報. 2014-01-23. 2014-01-23. dead. https://web.archive.org/web/20140123064733/http://www.libertytimes.com.tw/2014/new/jan/23/today-int1.htm. 2014-01-23.
11. News: 全国多数网页出现登录故障 专家：黑客攻击嫌疑最大 . 央广网 . 2014-01-22 . 2014-01-23 . 2014-08-07 . https://web.archive.org/web/20140807062620/http://china.cnr.cn/yaowen/201401/t20140122_514711333.shtml . live .
12. Web site: Chen. Lulu Yilun. "Chinese Internet Outage May Be the Result of Censorship Changes". 23 Jan 2014. Bloomberg News.
13. News: 惊魂一小时：全国域名解析首遭大规模污染 . 新浪科技 . 2014-01-22 . 2014-01-23 . 2020-02-11 . https://web.archive.org/web/20200211130217/http://tech.sina.com.cn/i/2014-01-22/02059116964.shtml . live .
14. News: Massive Internet mishap sparks Great Firewall scrutiny in China . Paul Carsten, Pete Sweeney . Reuters . 2014-01-22 . 2014-01-23 . en . 2014-02-26 . https://web.archive.org/web/20140226212103/http://uk.reuters.com/article/2014/01/22/us-china-internet-idUKBREA0K04T20140122 . live .
15. Web site: Internet outage in China on Jan 21. 22 Jan 2014. GreatFire.org.