Denial of Service Attack Targets Epoch Times - Elements in Chinese Communist regime suspected
By Matthew Robertson
Epoch Times Staff
Created: April 2, 2012
Last Updated: April 2, 2012
The Epoch Times was hit with a series of cyber attacks beginning on March 29, with an unsuccessful distributed denial of service attack first targeting epochtimes.com, before follow-up sorties on connected servers on the morning of April 1. The English website, theepochtimes.com, was also targeted in the second round of attacks, suffering what appeared to be a denial of service attack.
The first attack on the evening of March 29 targeted the front end of epochtimes.com, the Chinese-language website, but was soon repelled, according to Jan Jekielek, website chief editor of TheEpochTimes.com.
Then on the morning of April 1, from approximately 8 a.m. until 11 a.m. EDT, attackers went after epochtimes.com’s Domain Name System, or DNS, server. DNS is a way of translating a website’s domain name, as written in English like “epochtimes.com,” into an Internet protocol address, like “18.104.22.168.” The attackers used what is called a “DNS query flood” to disrupt the server hosting that system, which would have caused the page to fail to load for users attempting to visit epochtimes.com.
The attacking IP addresses, numbering over 10, were added to a blacklist, stopping the attack. The IP addresses used may have been compromised computer systems, or they may have been spoofed by the attackers, according to Jekielek.
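As an added illustration, not taken from the article or from The Epoch Times' systems, the following defender-side sketch shows how a DNS query flood appears in a query log and how per-source counts produce candidates for a blacklist. The log format, the window, the threshold and the addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed sliding window
THRESHOLD = 20                  # assumed max queries per source per window


def parse_line(line):
    """Parse 'timestamp source_ip qname qtype' (constructed log format)."""
    ts, src, qname, qtype = line.split()
    return datetime.fromisoformat(ts), src, qname.lower(), qtype


def find_flood_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: peak queries in any window} for sources over threshold.

    Expects time-ordered lines. Source addresses on UDP DNS queries can be
    spoofed, so the result is a list of candidates to review before blocking.
    """
    recent = defaultdict(deque)  # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        try:
            ts, src, _qname, _qtype = parse_line(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample: two flooding sources and one ordinary client."""
    base = datetime(2012, 4, 1, 8, 0, 0)
    lines = []
    for i in range(150):  # 5 queries per second for 30 seconds
        t = (base + timedelta(milliseconds=200 * i)).isoformat(timespec="milliseconds")
        for src in ("198.51.100.7", "203.0.113.42"):
            lines.append(f"{t} {src} epochtimes.com A")
    for i in range(6):  # ordinary client: one query every 5 seconds
        t = (base + timedelta(seconds=5 * i)).isoformat(timespec="milliseconds")
        lines.append(f"{t} 192.0.2.10 epochtimes.com A")
    lines.append("truncated-line")  # malformed entry, ignored by the scan
    return sorted(lines)


if __name__ == "__main__":
    for ip, peak in sorted(find_flood_sources(build_sample_log()).items()):
        print(f"{ip}: peak {peak} queries per {WINDOW.seconds}s window")
```

Only the two high-rate sources are reported; the ordinary client never holds more than three queries in the window and is left alone.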
A concurrent attack on April 1 was aimed at theepochtimes.com, the English-language website, which resides on a different server. “Basically our server was saturated,” Jekielek said. That took place between 8:40 a.m. and 10 a.m. EDT. “It was consistent with what a DOS attack looks like. Your ports are flooded,” he said.
In such an attack, huge numbers of queries are made to multiple ports on the server, which prevents the server from functioning properly. “They’re taking up the whole pipe, but they’re not reading. The server is being hit repeatedly for information from a whole ton of the same computers,” Jekielek said. “Our pipe was maxed out.” The server did not crash during the attack.
The Epoch Times email, content management, voice, and text chat servers were also targeted.
Jekielek said that the attacks were still being analyzed.
Traffic to epochtimes.com from mainland China has increased dramatically in recent months. “Right after Wang Lijun escaped on Feb 6, unique view counts on The Epoch Times increased by 3.4 times,” said Changlei Xiong, a member of the technical staff.
After March 15, when the removal of former Chongqing Party chief Bo Xilai was announced, Xiong said that the unique view counts on epochtimes.com again tripled from the February increase, making the traffic to the website far outstrip that to other overseas Chinese media outlets, according to statistics compiled by Alexa, an Internet traffic measurement company.
From the technical information that could be gathered on the attacks, it is not possible to tell where they ultimately originated, or whether they were the work of a state or non-state actor.
The attack on the Epoch Times website occurs within the context of a power struggle in Beijing on which The Epoch Times has reported extensively. Analysts say that one side, the faction headed by Party chief Hu Jintao and Premier Wen Jiabao, wants at least some information about human rights abuses to flow more freely, while the faction headed by former regime leader Jiang Zemin wants to keep information restricted.
Beginning around March 21, searches on the Chinese Internet for sensitive terms that had previously been blocked were possible. Analysts said that searches for terms such as “June 4,” referring to the Tiananmen Square Massacre, or “live harvest,” referring to the atrocity of forced, live organ harvesting, put the Jiang Zemin faction at a disadvantage. Jiang is closely tied to the Tiananmen Square massacre and his faction, in particular Bo Xilai and domestic security czar Zhou Yongkang, are believed to be heavily implicated in forced, live organ harvesting. The Epoch Times has long reported on Zhou’s connection to human rights violations in China.
Analysts believe a crackdown on the use of popular microblogging platforms in China on March 31 was inspired by Zhou Yongkang, who was thought to be fighting back against Hu and Wen.
According to a WikiLeaks cable from May 18, 2009, Zhou Yongkang was involved in the oversight of Chinese hacking against Google. Google cited the persistent hacking campaign, by actors thought to be associated with the Chinese Communist Party, as one of the reasons it would wind back its operations in China.
The recent attack on The Epoch Times servers was clearly coordinated and required a certain degree of technical expertise and computer and human resources, Jekielek said. The attackers were also determined to cause a disruption in access to the site, as they mounted another attack after the first failed, he said, also pointing out that there is no obvious economic incentive for rogue actors to perform such an attack.
“Who else,” asked Jekielek rhetorically, “but the Chinese Communist Party, would have an interest in mounting an attack of this sort? And who in the Chinese Communist Party is more interested in silencing the Epoch Times’ reporting on the situation in China than Zhou Yongkang?”