Hong Kong-based citizen media platform inmediahk.net [zh] was hit by a DDoS attack last week, coming mainly from China. On April 19 at approximately 4pm, the website was taken offline by Rackspace, the website's cloud host, due to malicious traffic. Inmedia, a volunteer citizen media network, has been blocked in mainland China since 2007. Inmedia members believe that recent coverage of controversial issues, including a dock workers’ strike in Hong Kong and the construction of a military pier in the city's center, may have triggered the attack.
DDoS Attacks from China
Administrators explained that the attack resulted in heavy packet loss caused by a deluge of automated data requests that left the site's servers overloaded. A further explanation from Rackspace to inmediahk.net said the DDoS attacks came mainly from China:
The attack was specifically targeting the domain name www.inmediahk.net. When we changed IP's in DNS, the attack followed. As far as the source IP's, it was a large group of addresses from various different countries, mostly from China, which is typical of a DDOS from a botnet of compromised hosts. The attack switched from a SYN flood to a TCP fragmentation attack after we enabled a measure which provides for SYN flood protection at the expense of site performance.
In order to restore the website, inmediahk.net has begun using Cloud Flare, a DDoS mitigation service, to pre-filter malicious traffic coming from sources such as a botnet zombie [a computer with a DDoS attack program] and web spammers [computer bots that send spam or post spam-like comments] before they reach the site's system. In 24 hours, Cloud Flare recorded 608 unique threats to the site. A threat control report confirmed that while the attacks are coming from different countries, nearly half of the attackers are from China, including Hong Kong.
Baidu Reported as Webspammer
The report also showed a large number of IP addresses (between 220.127.116.11-18.104.22.168) that registered as web spammers. According to Domain Tools’ IP information, this set of IPs comes from Baidu, China's largest search engine, which is listed on the US stock market.
Because inmediahk.net is blocked in China, all visits from China must come through a VPN (Virtual Private Network) or a proxy server — visitors’ IP addresses thus appear to come from overseas rather than from mainland China. In fact, Baidu's search engine does not show any results linking to inmediahk.net. When one searches the headline of a recent inmediahk.net article “香港獨立媒體網被中國黑客攻擊” [Hong Kong Independent Media's Website Attacked by Hackers from China], Baidu offers no result leading to inmediahk.net [zh]; an identical search on Google brings up inmediahk.net's article as the top result [zh].
Global Voices Advocacy asked Baidu for comment on the attack, but the company had not yet replied as of publication time.
According to inmediahk.net's report about the hacking incident [zh], the website has been paralyzed by hackers in the past. Despite having shifted to a cloud hosting service in 2010, it has continued to suffer from occasional DDoS attacks around sensitive periods, such as the annual June 4 Candlelight Vigil to commemorate the 1989 protests at Tienanmen Square. These have typically resulted in a rapid increase in computational cycles that slow down the website. But the scale of the recent attack is much greater than previous ones.
Members of inmediahk.net believe the attack was triggered by recent content on the site. Over the past two weeks, the network has been covering an ongoing strike by dock workers for Hong Kong International Terminals (HIT), the company that runs Hong Kong's docks and is owned by local business tycoon Li Ka-Shing. Articles on the site expose how workers have been exploited through HIT's subcontracting system — subcontracted workers currently earn lower wages than they did in 1995. Another polemical series focuses on the construction of the People's Liberation Army (PLA) Navy Pier [zh] at Central, the city center of Hong Kong. It accuses the Hong Kong government of violating city planning protocols in the construction of PLA pier and criticizes authorities for converting a large piece of city land from a public recreational space into one for military use.
Global Voices Advocacy will continue to cover this story as it unfolds.
GVA note: Oiwan Lam is a volunteer editor for inmediahk.net.