China DDoS attack shows not all TLD servers equally secure

The distributed denial of service (DDoS) attack that took down a portion of China's Internet over the weekend demonstrates that the strength of the global network varies greatly across domains.

Servers running China's ".cn" top level domain (TLD) came under attack Sunday starting at about 2 a.m. Eastern time. The China Internet Network Information Center, which runs the TLD servers, confirmed the attack and apologized to affected users.

The organization said it was working to "enhance the service capabilities" of the system, but did not provide any more details.

CloudFlare, which provides security and performance services to more than 1 million websites, found that .cn suffered a limited outage that lasted between two and four hours. A drop in server performance by as much as 32 percent compared to 24 hours earlier caused the down time.

CloudFlare's Chief Executive, Matthew Prince, said on Monday that the CINIC would likely have to make its infrastructure "substantially beefier."

"Obviously, an attacker has shown that there is some bottleneck," he said.

Arbor Networks, which also protects websites against DDoS attacks, said the .cn servers had to contend with traffic that was four times higher than average. The attack also appeared to go on into Sunday afternoon.

"A serious attack was carried out," said Dan Holden, director of security research at Arbor.

During the bombardment, not everyone heading to a website using the .cn domain would have been shut out. That's because the DNS resolvers at Internet service providers temporarily cache website addresses, so they don't have to query a TLD server every time a site is looked up.


However, if the attack had gone on for 24 hours, then more websites would have been affected gradually, since caches are routinely purged after a number of hours.

"Had it gone on longer than 24 hours, then literally no .cn domain would likely have been able to be reached," Prince said.
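The caching effect described above, as an added illustration that is not part of the article: a minimal recursive-resolver model in which each domain's cached delegation is good until its TTL runs out, so the share of failing lookups grows the longer the TLD servers stay unreachable. The TTL values, domain names and evenly spread cache ages are constructed for the example.

```python
"""Model of how recursive-resolver caches delay the impact of a TLD-server outage."""
from dataclasses import dataclass


@dataclass
class Delegation:
    """A cached referral for one domain (the answer the TLD servers gave)."""
    expires_at: float  # hours since the outage began


class Resolver:
    """Minimal recursive resolver: answers from cache while the entry is fresh,
    otherwise asks the TLD servers, which fail while the outage lasts."""

    def __init__(self, ttl_hours: float) -> None:
        self.ttl = ttl_hours
        self.cache: dict[str, Delegation] = {}

    def resolve(self, name: str, now: float, tld_reachable: bool) -> bool:
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return True  # fresh in cache: no query to the TLD needed
        if not tld_reachable:
            return False  # cache miss or expired entry while TLD is down: lookup fails
        self.cache[name] = Delegation(expires_at=now + self.ttl)
        return True


def warm_cache(resolver: Resolver, domains: list[str]) -> None:
    """Constructed steady state: remaining cache lifetimes are spread evenly
    across (0, TTL], as for domains that were last queried at random times."""
    n = len(domains)
    for i, name in enumerate(domains, start=1):
        resolver.cache[name] = Delegation(expires_at=resolver.ttl * i / n)


def failure_fraction(ttl_hours: float, outage_hours: float, n_domains: int = 1000) -> float:
    """Fraction of distinct domains that can no longer be resolved after
    `outage_hours` of TLD unreachability, given a cache TTL of `ttl_hours`."""
    domains = [f"site{i}.example" for i in range(n_domains)]  # constructed names
    resolver = Resolver(ttl_hours)
    warm_cache(resolver, domains)
    failed = sum(not resolver.resolve(d, outage_hours, tld_reachable=False) for d in domains)
    return failed / n_domains


if __name__ == "__main__":
    for hours in (2, 4, 12, 24):
        print(f"after {hours:>2}h of outage: {failure_fraction(24, hours):.0%} of domains unreachable")
```

With a 24-hour TTL the model reaches 100 percent unreachable only once the outage has lasted a full TTL, which is the point Prince makes about a 24-hour attack.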

The fact that China's TLD servers would take a hit in a DDoS attack is surprising, given the overall sophistication of the country's Internet capabilities. The country has one of the most sophisticated Internet filtering systems in the world, and is credited with mounting some of the most advanced cyberespionage campaigns to steal corporate and government secrets from other countries.

If the CINIC stumbled against an attack, how would the many smaller TLDs expected to launch soon across the Internet stand up?

In 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) ended most restrictions on generic top-level domains, such as .com, .net and .biz. As a result, companies and organizations will eventually be able to choose their own gTLDs.

The first batch of ICANN-approved generic domains is expected to be operational by next month. Experts expect as many as 1,000 new gTLDs over time, with most of them reflecting names of companies, products and cities. There will also be more generic names, such as ".bank" and ".sport."

The attack on .cn is a reminder that if a country code TLD can be crippled, then users of generic TLDs should make it a point to check the infrastructure of the organizations running the domain name registry underneath.

"The more obscure the TLD, the more likely they have less infrastructure to protect themselves," CloudFlare's Prince said.


Stories by Antone Gonsalves