<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

<title>Doug Henwood Talks  &raquo; Blog Archive   &raquo;  China attacks Marxists.org!</title>

<meta name="generator" content="WordPress 2.2.2" /> <!-- leave this for stats -->

<link rel="stylesheet" href="http://henwood.blogspace.com/wp-content/themes/plain/style.css" type="text/css" media="screen" />
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://henwood.blogspace.com/?feed=rss2" />
<link rel="alternate" type="text/xml" title="RSS .92" href="http://henwood.blogspace.com/?feed=rss" />
<link rel="alternate" type="application/atom+xml" title="Atom 0.3" href="http://henwood.blogspace.com/?feed=atom" />
<link rel="pingback" href="http://henwood.blogspace.com/xmlrpc.php" />


	<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://henwood.blogspace.com/xmlrpc.php?rsd" />
</head>
<body>

<div id="page">


<div id="header">
	<div id="headerimg">
		<h1><a href="http://henwood.blogspace.com">Doug Henwood Talks</a></h1>
<!--		<div class="description">Just another WordPress weblog</div>-->
	</div>
</div>
<hr noshade size="3" />

	<div id="content" class="widecolumn">
				
  	
	
		<div class="post" id="post-5020">
			<h2><a href="http://henwood.blogspace.com/?p=5020" rel="bookmark" title="Permanent Link: China attacks Marxists.org!">China attacks Marxists.org!</a></h2>
	
			<div class="entrytext">
				<p><a href="http://www.marxists.org/incidents.htm">http://www.marxists.org/incidents.htm</a></p>

<p>Attack Log</p>

<p>January 10 - 13: Sporadic reports come in from volunteers in<br />
Australia and Asia that the MIA is not accessible for a few hours, and<br />
then comes back.</p>

<p>First attack</p>

<p>January 15: MIA detects a series of DoS (Denial of Service) SYN<br />
floods from various Chinese networks. Unlike the attacks of the<br />
previous few days, these are constant. These attacks cause our server<br />
to have a kernel panic and crash. Just as soon as the server reboots,<br />
the SYN floods [CVE-1999-0116] cause another crash, and this<br />
continues constantly.</p>

<p>First, we write a crude script that blocks every SYN flood attempt,<br />
every minute. This is successful only for a short period, as the<br />
sheer number of Chinese IPs sending the SYN floods is too large to<br />
overcome. Next, we figure out that the SYN floods are exploiting a<br />
vulnerability in the Linux kernel (version 2.4.23), and we rebuild<br />
the Linux kernel to version 2.4.34, which overcomes these attacks.<br />
Meanwhile, the nature and origin of the attack, our previous history<br />
with the Chinese government (censorship, etc.), and the experience of<br />
others suggest that this may be politically motivated and directed by<br />
the Chinese government.</p>
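
<p>An added example, not part of the MIA log or its script: one polling pass of the kind of per-source blocking described above, run over constructed <code>netstat -ant</code> output, showing why it stops helping once the flood is spread over many addresses. The function names, the thresholds and the sample addresses (documentation ranges) are assumptions made for the illustration.</p>

```python
"""Count half-open (SYN_RECV) connections per source from `netstat -ant` text."""
from collections import Counter
import ipaddress

# Constructed sample, not captured traffic: documentation-range addresses only.
# One noisy source (30 half-open sockets) plus 200 sources with one socket each.
SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address   Foreign Address   State"]
    + [f"tcp 0 0 192.0.2.10:80 198.51.100.7:{40000 + i} SYN_RECV" for i in range(30)]
    + [f"tcp 0 0 192.0.2.10:80 203.0.113.{i}:51000 SYN_RECV" for i in range(1, 201)]
    + ["tcp 0 0 192.0.2.10:80 198.51.100.99:50222 ESTABLISHED",
       "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"]
)


def half_open_sources(netstat_text):
    """Return a Counter of source IPs that hold SYN_RECV sockets."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue  # header, other states, other protocols
        host = fields[4].rsplit(":", 1)[0]
        try:
            counts[str(ipaddress.ip_address(host))] += 1
        except ValueError:
            continue  # never pass a malformed address on to a blocklist
    return counts


def assess(netstat_text, per_ip_limit=20, backlog_alarm=128):
    """Summarise one pass; both thresholds are illustrative assumptions."""
    counts = half_open_sources(netstat_text)
    total = sum(counts.values())
    blocked = sorted(ip for ip, n in counts.items() if n >= per_ip_limit)
    remaining = total - sum(counts[ip] for ip in blocked)
    return {
        "half_open_total": total,
        "distinct_sources": len(counts),
        "block_candidates": blocked,
        "half_open_after_block": remaining,
        "still_flooded": remaining >= backlog_alarm,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

<p>When the block candidates account for only a small share of the half-open total, as in this sample, per-source blocking cannot keep up; kernel-side handling such as Linux SYN cookies (<code>net.ipv4.tcp_syncookies</code>) deals with the backlog regardless of how many sources there are.</p>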

<hr />

<p>1 hour sample of attacking IP origins</p>

<p>222.35.30.105 &nbsp; China Railway Telecom, Beijing<br />
60.16.220.61 &nbsp; CNC Group, Liaoning Province Network, Liaoning<br />
121.34.136.245 &nbsp; China Net, Guangdong Province Network, Guanzhou<br />
222.240.83.89 &nbsp; China Net, Changsha Node Network<br />
122.4.213.41 &nbsp; China Net, Shandong Province Network, Jinan<br />
203.192.13.2 &nbsp; Xinhua News Agency<br />
221.216.207.194 &nbsp; CNC Group, Beijing Province Network, Beijing<br />
221.6.37.60 &nbsp; Nanjing Medical University, Nanjing Jiangsu Province Network, Nanjing<br />
221.226.2.213 &nbsp; China Net, Jiangsu Province Network, Jiangsu<br />
61.233.167.159 &nbsp; China Railway Telecom Center, unknown city</p>

<hr />

<p>At this point, however, our 4-year-old server heaves under the<br />
strain. The string of constant reboots has taken its toll: the server<br />
reports a Machine Check Exception of a CPU context corruption,<br />
causing further crashes. This process further bludgeons the damaged<br />
server, and subsequent boots cause a failure in the RAID, forcing a<br />
rebuild of the array. During further crashes, one of the disks fails,<br />
causing future rebuilds of the array to be quite hopeless.</p>

<p>Ironically, MIA had planned to purchase a new server in 2007, since<br />
our server was 4 years old, and our life expectancy for the server<br />
had nearly arrived. This attack forced this process to double, but<br />
another disaster would soon strike.</p>

<p>January 16: In order to buy a new server, we needed to speak to our<br />
hosting provider and ISP, CCCP. We had been trying to contact CCCP<br />
for several months, to no avail, but after an urgent appeal, we<br />
finally received a response: CCCP is shutting down on February 1st.<br />
This, at least, explained our difficulties in contacting them!</p>

<p>To recount events to date: first, we are attacked by China; second,<br />
our server hardware fails; third, our hosting provider is shutting<br />
down in two weeks.</p>

<p>Late in the day, after reviewing several options, we resolve on the<br />
kind of server to buy to meet our needs.</p>

<p>January 17: After a long search consisting of about 12 different<br />
options for colocation, we find one that suits our high bandwidth<br />
needs at a reasonable, low cost.</p>

<p>January 18: After three days of debate, MIA votes 14 to 4 to include<br />
notice indicating that the source of the attacks was likely the<br />
Chinese government.</p>

<p>January 20: Marxists.org is redirected to our mirror servers. On the<br />
following day, a round-robin DNS is set up between three MIA mirrors.</p>

<p>Second attack</p>

<p>January 21-24: Mirror sites find a change in tactics: a cruder<br />
Denial of Service attack is now launched, in which Chinese sources download<br />
material en masse from the Chinese section. The German mirror combats<br />
this by limiting the number of connections to the server.<br />
Nevertheless, server load remains extremely high.</p>
	
					
				<p class="postmetadata alt">
					<small>
						This entry was posted
						 
						on Thursday, February 1st, 2007 at 2:52 pm						and is filed under <a href="http://henwood.blogspace.com/?cat=1" title="View all posts in Uncategorized" rel="category">Uncategorized</a>.
					</small>
				</p>
	
			</div>
		</div>
		
	


	
		
	</div>


</div>

<!-- Gorgeous design by Michael Heilemann - http://binarybonsai.com/kubrick/ -->

		
</body>
</html>