According to the state-run China Central TV, two-thirds of China’s Internet went offline on Jan. 21. The outage, which lasted about two hours, included Weibo, one of the country’s most popular websites with over 500 million users. All traffic had been routed to Dynamic Internet Technology (DIT), a nonprofit site that has free tools used to circumvent China’s Internet censorship.
While no Chinese media mentioned a relationship between Falun Gong (also known as Falun Dafa, a spiritual practice banned in China since 1999) and DIT, many media outlets outside of China said that Falun Gong is affiliated with DIT. The main newspaper of the Chinese Communist Party, Global Times, said the incident was a “sudden mysterious attack” that originated from an IP (Internet protocol) address belonging to a “circumvention software company.” The report was widely reproduced by Chinese media, including by the main newspaper of the Chinese government, Xinhua.
However, a source in the Chinese government’s web management operations, who wished to remain anonymous, told Reuters that a “hacking attack was not to blame for the malfunction.”
Today the China Internet Network Information Center, the administrative agency responsible for Internet affairs under the Ministry of Information Industry, provided the official version for the outage. The cause was said to be a server malfunction, according to Voice of America.
Bill Xia, president of Dynamic Internet Technology, said he and his team were caught by surprise when their networks suddenly got hit by hundreds of thousands of visits per second.
Xia said the incoming traffic threatened to bring his services offline, and he and his team dropped the incoming traffic. “We thought it was an attack,” he said. “From our perspective, we observed excessive, abnormal traffic to one of our IPs.”
Freegate is free software that people can use to break through Internet censorship, and has a sister product called Ultrasurf. Xia created Freegate to help Chinese people break through the Great Firewall, but it is also used by people throughout the world, including in Iran, Egypt, and Burma, to break through the censorship of repressive regimes.
Many of China’s Internet users, however, as well as overseas analysts, believe it was caused by an error in China’s system for censoring the country’s Internet.
Despite the claim by Chinese authorities that the Internet shutdown was an attack launched from a Freegate IP address, the majority of Chinese netizens on Weibo didn’t buy the claim—and often accompanied their posts with insults toward China’s state-run media.
One netizen, @sonicblue_nju, posted on Weibo, “It might be the firewall that wants to block the IP address but made a mistake. Otherwise, how could it be so powerful like that?”
Another netizen, @Pangpangde Kafeiji, mentioned on Weibo that he uses Freegate, which he described as “very excellent.” About the Global Times claims, he said, “The article blames the Free Gate, but I estimate that the ‘404’ Firewall was upgraded specifically for dealing with the Free Gate, however, it had errors that led all the wrong links to that one place.”
The general opinion of China’s netizens was that the Internet shutdown resulted from an error in China’s Great Firewall, which is the system used by Chinese authorities to block and censor parts of the Internet.
These beliefs were confirmed by several sources outside China.
“We have conclusive evidence that this outage was caused by the Great Firewall (GFW),” stated an online post from GreatFire.org, a nonprofit organization for Internet freedom in China, which analyzed the incident.
It said the incident was caused by DNS poisoning, which is a technique “used extensively by the GFW.”
DNS works like an Internet phone book that connects a website’s domain name to its IP address. When you type in a domain name (like “theepochtimes.com”), the request goes to a DNS server, which finds the domain’s IP address and sends you to the website.
By changing the IP address returned for a website’s domain name, Chinese authorities are able to block traffic to the target website by sending visitors somewhere else. This is an example of DNS poisoning commonly used by China’s Internet censors when blocking websites.
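As an added example (not from the article or from GreatFire.org), here is a resolver-log check for the symptom this incident produced: many unrelated domain names suddenly resolving to one address. The log format, the window and threshold values, and every name and address in the sample are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <query name> <A record answer>".
# Names use reserved example domains; addresses come from documentation ranges.
SAMPLE_LOG = """\
1390289700 www.shop.example 203.0.113.10
1390289701 mail.shop.example 203.0.113.11
1390289705 news.example.cn 198.51.100.7
1390289760 www.shop.example 192.0.2.66
1390289761 video.example.net 192.0.2.66
1390289762 blog.example.org 192.0.2.66
1390289763 search.example.com 192.0.2.66
1390289764 news.example.cn 198.51.100.7
1390289765 cdn.video.example.net 192.0.2.66
"""

def parse(log):
    """Yield (timestamp, qname, answer_ip) from whitespace-separated lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield int(parts[0]), parts[1].lower().rstrip("."), parts[2]

def base_domain(qname):
    # Simplification (assumption): the last two labels stand in for the
    # registered domain; a production check would use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])

def collapsed_answers(records, window=300, min_domains=3):
    """Return {ip: sorted base domains} for every IP that answered for at
    least min_domains unrelated base domains inside one time window."""
    seen = defaultdict(lambda: defaultdict(set))  # window -> ip -> domains
    for ts, qname, ip in records:
        seen[ts // window][ip].add(base_domain(qname))
    flagged = defaultdict(set)
    for per_ip in seen.values():
        for ip, domains in per_ip.items():
            if len(domains) >= min_domains:
                flagged[ip] |= domains
    return {ip: sorted(d) for ip, d in flagged.items()}

if __name__ == "__main__":
    for ip, domains in collapsed_answers(parse(SAMPLE_LOG)).items():
        print(f"{ip} answered for {len(domains)} unrelated domains: {domains}")
```

Shared hosting and CDN addresses legitimately serve many domains, so a flagged address is a lead to compare against answers from a resolver on another network, not proof of poisoning.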
Xia said in a memo that the size of the attack would require immense resources. He said, “No hacker can possibly control resources to manipulate 3,400Gbps [gigabits per second] of traffic accurately only to target the DNS related communications.”
He also addressed the fact that one of the few domains not affected was China’s “.cn” domain. This lends credence to his theory, since, he notes, .cn domains are resolved inside China and the specific censorship program used by Chinese authorities “will not hit the DNS hijacking engine located near an international gateway.”
Internet Service Providers (ISPs) failed to give descriptions of the outage. This is because, Xia said, “The Chinese government never acknowledges the existence of its Great Firewall, not to mention the DNS hijacking engine. No ISP dares to confirm the existence of this DNS hijacking engine.”
He said, for Chinese authorities, launching an attack like this “doesn’t make sense for them, so I assume it was a mistake in their operation.”
“Maybe they meant to fill in another IP,” he said. “Maybe our IP is just on their minds.”