

Chinese Activists under DDoS - infinitnet
http://anti-ddos-protection.com/chinese-activists-under-ddos-attack/

======
Caelish
I actually sent an email offering to help (I have a lot of experience
mitigating DDoS attacks) but never received a reply. I imagine they must
already have something in the works to resolve this.

~~~
KhalilK
Just curious, how are DDoS attacks mitigated?

~~~
Caelish
Depends on the attack and how sophisticated it is. For most layer 7 attacks
like this one, you can filter e.g. specific user agents or protocols. One
thing that often works (but has some false positives with simpler search
engines) is dropping all HTTP/1.0 traffic, because any remotely modern browser
uses HTTP/1.1. Essentially you block anything that's unusual, like specific
user agents (reflected attacks from user agents containing 'Wordpress' and
'PHP' come to mind a lot especially), HTTP headers, and so forth. Ideally as
far upstream as possible, but it can be done on the server level as long as
you have enough horsepower to throw at iptables or the web server, and your
connection doesn't get saturated. The right IP blacklists can help a lot as
well.
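
The heuristics described in the comment above (drop HTTP/1.0, flag user agents containing 'WordPress' or 'PHP', block anything unusual) as a small request classifier run over sample access-log lines. This is an added example, not code from the thread or from the site under discussion; the log lines are constructed, and the user-agent substrings, the crawler allowlist that limits the HTTP/1.0 false positives the comment warns about, and the empty-user-agent rule are assumptions.

```python
"""Layer-7 filter heuristics from the comment above, applied to log lines.

Added example (not code from the thread). Parses constructed lines in the
Apache/nginx "combined" log format and returns, per request, the reason it
would be dropped: a user agent containing 'WordPress' or 'PHP' (reflected
pingback traffic), HTTP/1.0 from anything that is not an allowlisted crawler,
or an empty user agent. Substrings and allowlist are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2015:12:00:01 +0000] "GET /news HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
198.51.100.7 - - [10/Mar/2015:12:00:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/4.1; http://example.org"
198.51.100.8 - - [10/Mar/2015:12:00:02 +0000] "POST /wp-login.php HTTP/1.0" 200 1024 "-" "PHP/5.4.4"
198.51.100.9 - - [10/Mar/2015:12:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "curl/7.35.0"
192.0.2.44 - - [10/Mar/2015:12:00:02 +0000] "GET /robots.txt HTTP/1.0" 200 64 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.11 - - [10/Mar/2015:12:00:03 +0000] "GET /news HTTP/1.1" 200 5120 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent substrings typical of reflected pingback traffic (assumption).
SUSPICIOUS_UA = ("WordPress", "PHP")
# Crawlers still allowed to use HTTP/1.0, to limit false positives (assumption).
CRAWLER_ALLOWLIST = ("Googlebot", "bingbot")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None when it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(req: Dict[str, str]) -> Optional[str]:
    """Return the reason a request would be dropped, or None to let it through."""
    ua = req["ua"]
    if any(tag in ua for tag in SUSPICIOUS_UA):
        return "suspicious-ua"
    if req["proto"] == "HTTP/1.0" and not any(c in ua for c in CRAWLER_ALLOWLIST):
        return "http-1.0"
    if ua in ("", "-"):
        return "empty-ua"
    return None


def filter_log(text: str) -> Dict[str, List[str]]:
    """Split log lines into accepted client IPs and dropped 'ip reason' entries."""
    result: Dict[str, List[str]] = {"accepted": [], "dropped": []}
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue  # unparseable line: neither counted nor acted on
        reason = classify(req)
        if reason:
            result["dropped"].append(f'{req["ip"]} {reason}')
        else:
            result["accepted"].append(req["ip"])
    return result


def drop_counts(text: str) -> Counter:
    """Count drop reasons: the summary to review before turning a rule on."""
    return Counter(entry.split()[1] for entry in filter_log(text)["dropped"])


if __name__ == "__main__":
    for bucket, entries in filter_log(SAMPLE_LOG).items():
        print(bucket, entries)
    print(drop_counts(SAMPLE_LOG))
```

Running it on the sample lines lets through the Firefox request and the allowlisted Googlebot HTTP/1.0 request, and drops the two pingback-style user agents, the non-crawler HTTP/1.0 client, and the empty user agent; reviewing `drop_counts` on real traffic before enforcing is how the search-engine false positives the comment mentions get caught.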

~~~
est
It does not work in this case; rogue states like China are using the national
backbone internet as a DDoS tool.

You can find research papers back in 2001 about the GFW. The DNS spoofing
"service" can easily be used as a 3x amplification tool by anyone.

~~~
Caelish
The implication in the article seems to be it's a GET/POST flood though, not
DNS-based. Granted, for DNS amplification, having big enough pipes starts to
matter a lot more, which is where providers like OVH shine because of how much
network capacity they have, but it's not like DNS traffic can't be filtered. I
haven't read the research papers you're referring to though, so I may be
overlooking something obvious.

------
mg1982
Shouldn't it be just anti-ddos or ddos-protection? I read anti-ddos-protection
to mean that they're against the things that protect against ddos. Which
they're not.

~~~
infinitnet
Probably they're going to bash DDoS protection providers there in the future,
who knows. ;-)

------
dang
[https://news.ycombinator.com/item?id=9233491](https://news.ycombinator.com/item?id=9233491)

------
cbz1995
Could you give a report of the statistics of the IP addresses in the DDoS
attack? Maybe you can block all the IP addresses from China. As I know, in
China people have to use a VPN to access some sensitive websites (such as 8964,
falungong, dajiyuan).

~~~
est
That's their dilemma.

On one hand they are abusing CDN or cloud platforms for their broken
"collateral freedom" project.

On the other hand, every effective DDoS protection outside China has been
blocked by China already, like Google Project Shield, Cloudflare, etc.

~~~
infinitnet
I assume we can then count the days until they simply block AWS as well? But
that explains why they don't use one of these to keep the bad traffic away
from their hosting infrastructure and instead let AWS eat all of it.

~~~
est
AWS does not work in China. Tons of EC2 are blocked. The rest are just too slow
to connect to (like >400ms pings).

Very few S3 CDN IP addresses are left with port 443 open, so greatfire.org
carefully picked those and is hosting content mirrors there.

Although what they operate is totally free speech, legal and reasonable, it's
like your bad neighbor on a VPS who eats all your co-hosted CPU, bandwidth and
disk IO. You have no choice but to move somewhere else.

------
cbz1995
BTW: you can put the contents of Greatfire.org on GitHub, it is free.

------
nerdy
China operating under an unprecedented level of transparency!

