China attacks Marxists.org!

http://www.marxists.org/incidents.htm

Attack Log

January 10 - 13: Sporadic reports come in from volunteers in
Australia and Asia that the MIA is not accessible for a few hours, and
then comes back.

First attack

January 15: MIA detects a series of DoS (Denial of Service) SYN
floods from various Chinese networks. Unlike the attacks of the
previous few days, these are constant. These attacks cause our server
to have a kernel panic and crash. Just as soon as the server reboots,
the SYN floods [CVE-1999-0116] cause another crash, and this
continues constantly.

First, we write a crude script that blocks every SYN flood attempt,
every minute. This is successful only for a short period, as the
sheer number of Chinese IPs sending the SYN floods is too large to
overcome. Next, we figure out that the SYN floods are exploiting a
vulnerability in the Linux kernel (version 2.4.23), and we rebuild
the Linux kernel to version 2.4.34, which overcomes these attacks.
Meanwhile, the nature and origin of the attack, our previous history
with the Chinese government (censorship, etc.), and the experience of
others suggest that this may be politically motivated and directed by
the Chinese government.
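As an added illustration of the kind of per-minute blocking script described above (example code written for this page, not the MIA script): it counts half-open SYN_RECV sockets per remote address in `netstat -nt`-style output and renders the block rules such a script would apply. The addresses in the sample are constructed, and the netstat format is an assumption about what the script parsed.

```python
"""Count half-open (SYN_RECV) TCP sockets per remote address and decide
which sources to block.  Example code, not the MIA script; it assumes
the input is text in the layout of `netstat -nt` output."""
from collections import Counter

# Constructed sample of `netstat -nt` lines: made-up addresses, with
# two sources simulating a flood of half-open connections.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:41122      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:41123      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:41124      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:52000       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:52001       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:33001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:33002        SYN_RECV
"""

def half_open_by_source(netstat_text):
    """Return {remote_ip: number of SYN_RECV sockets} from netstat -nt text."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have 6 columns: proto, recv-q, send-q, local, foreign, state.
        if len(fields) != 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        remote_ip = fields[4].rsplit(":", 1)[0]  # drop the remote port
        counts[remote_ip] += 1
    return dict(counts)

def sources_to_block(netstat_text, threshold=3):
    """IPs holding at least `threshold` half-open sockets, busiest first.
    The threshold is a tunable: one legitimate client rarely holds many
    SYN_RECV entries at once, but a busy NAT gateway might."""
    counts = half_open_by_source(netstat_text)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))

def block_rules(ips):
    """Render the iptables rules a blocking script would run (returned as
    strings here, not executed): drop further SYNs from each source."""
    return ["iptables -I INPUT -s %s -p tcp --syn -j DROP" % ip for ip in ips]

if __name__ == "__main__":
    for rule in block_rules(sources_to_block(SAMPLE_NETSTAT)):
        print(rule)
```

Blocking by source address only helps while the set of sources is small, which is exactly why the log says the approach stopped working once the number of attacking IPs grew.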

————————————————————————

1 hour sample of attacking IP origins

222.35.30.105 - China Railway Telecom, Beijing
60.16.220.61 - CNC Group, Liaoning Province Network, Liaoning
121.34.136.245 - China Net, Guangdong Province Network, Guangzhou
222.240.83.89 - China Net, Changsha Node Network
122.4.213.41 - China Net, Shandong Province Network, Jinan
203.192.13.2 - Xinhua News Agency
221.216.207.194 - CNC Group, Beijing Province Network, Beijing
221.6.37.60 - Nanjing Medical University, Nanjing Jiangsu Province Network, Nanjing
221.226.2.213 - China Net, Jiangsu Province Network, Jiangsu
61.233.167.159 - China Railway Telecom Center, unknown city


At this point, however, our 4-year-old server heaves under the
strain. The string of constant reboots has taken its toll: the server
reports a Machine Check Exception for a CPU context corruption,
causing further crashes. Each crash further bludgeons the damaged
server, and subsequent boots cause a failure in the RAID, forcing a
rebuild of the array. During further crashes, one of the disks fails,
leaving any further rebuild of the array quite hopeless.

Ironically, MIA had planned to purchase a new server in 2007, since
our server was 4 years old and had nearly reached the life expectancy
we had set for it. This attack forced us to hurry that plan along, but
another disaster would soon strike.

January 16: In order to buy a new server, we needed to speak to our
hosting provider and ISP, CCCP. We had been trying to contact CCCP
for several months, to no avail, but after an urgent appeal, we
finally received a response: CCCP is shutting down on February 1st.
This, at least, explained our difficulties in contacting them!

To recount events to date: first, we are attacked by China; second,
our server hardware fails; third, our hosting provider is shutting
down in two weeks.

Late in the day, after reviewing several options, we resolve on the
kind of server to buy to meet our needs.

January 17: After a long search consisting of about 12 different
options for colocation, we find one that suits our high bandwidth
needs at a reasonable, low cost.

January 18: After three days of debate, MIA votes 14 to 4 to include
a notice indicating that the source of the attacks was likely the
Chinese government.

January 20: Marxists.org is redirected to our mirror servers. On the
following day, round robin DNS is set up between three MIA mirrors.

Second attack

January 21-24: Mirror sites see a change in tactics: a cruder
denial-of-service attack is launched, in which Chinese sources
download material from the Chinese section en masse. The German
mirror combats this by limiting the number of connections to the
server. Nevertheless, server load remains extremely high.
