On May 19th, 6 coastal and northern provinces in China went dark when millions of everyday Internet users inadvertently flooded the network infrastructure with packets of DNS queries...
Depending on who was asking, who was being asked, and when - counted in days, not minutes or hours after the incident - the answer was as much a moving target as the elusive parties responsible for the melee that ensued.
As it turns out, there was no virus, but there were two DDoS (Distributed Denial of Service) attacks. The first occurred when rival gamers DDoS'd the Chinese ISP "DnsPod" in a gaming war with each other. But that was intentional.
Once the name servers at the Chinese ISP became unavailable to queries as a result of being flooded, the Internet literally crashed throughout China as the popular online streaming service, Baofeng, created so much recursion in the Chinese DNS that milliseconds turned into minutes throughout the Jiangsu, Anhui, Guangxi, Henan, Gansu, and Zhejiang provinces.
Complete catastrophic failure of the DNS occurred in five of those provinces, and the news coming from China was conflicting and rumour-filled for several days following the incident. Initial reports stated it was a virus, or the video streaming service, but in the end there is always a culprit.
This time four people were tracked down and arrested for the original packet flood attack against DnsPod's name servers that escalated into an outage the size of Colorado, New Mexico, Arizona, Nevada, and Texas combined.
Only two surnames have been released since the apprehension of suspects in the 29 May 2009 arrest, which has led many to speculate that the calamity was sparked by adolescent script kiddies, some of whom are minors.
China only has 300 million Internet subscribers, so it's no wonder that when a portion of those people got home and wanted to use the Baofeng video streaming service while their provider's nameservers were overwhelmed with traffic, it simply piled right on up the DNS ladder until over 20 Chinese provinces in all were affected.
Once those DNS Servers were sidelined and useless, DnsPod had no choice but to terminate access to the servers since there really is no way to filter packets on a scale such as the one perpetrated by the four script kiddies currently in custody.
China's Ministry of Industry and Information Technology released an initial statement which read, "Carriers and related firms should do more back-up to avoid similar incidents." We recommend redundancy.
The larger the distributed network is, and the greater the number of competing DNS networks available offering more redundancy in the name space, the more difficult it is for a Distributed Denial of Service attack to succeed, and the greater the network stability. Such an attack would be limited to the scope of that particular root system.
The real culprit here is the lack of DNS infrastructure due to a monolithic network architecture, providing a central point of failure at the Chinese Internet Root.
On the other hand, because the Chinese Root System is yet another competing root system network in the global scheme of things, network administrators could choose to view the outage as an anomaly limited to users of that particular root system, while preserving subscriber service using other root server networks (RSNs).
If this were to occur in a world where there was only a single, unique root system providing DNS Service to everyone on the planet (meaning, if there were no Chinese RSN), this isolated incident might have manifested itself as a global catastrophe.
The health of the Internet name space is dependent upon redundancy, and that includes the root itself. When several competing RSNs coexist simultaneously, and there is catastrophic failure of the DNS in one of them, traffic will continue to flow in all of the others.
When there is, however, only one root system, the potential for global failure is prominent. For this reason the TLDA advocates multiple independent, distributed RSNs carrying all known, operational TLDs.
The TLDA maintains that the most important factor in an inherently unreliable network is redundancy, which extends from the single machine in a datacenter with redundant disk arrays all the way up to and including the root.
Multiple paths and redundant networks are the original military and institutional model for the ARPAnet (Internet), enabling network functionality and communications to continue in the remaining portions of the network in the event of catastrophic failure at one or even several locales throughout the global infrastructure.
Dr. Milton Mueller, Professor of Telecommunications and Network Management for Syracuse University, in a position paper published in October of 2001, concluded that "...competition among DNS roots should be permitted and is a healthy outlet for inefficiency or abuses of power by the dominant root administrator."
Had the Chinese operated in observance of Internet RFC 2826 (IAB Technical Comment on the Unique DNS Root), this outage might have extended itself onto several other continental regions of the world.