Bad Program Logic Amplifies Baofeng Attack

A distributed denial-of-service (DDOS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week.

Baofeng is a widely popular media player in China, with a total of 200 million users and several million users online simultaneously. The player starts when Windows boots and connects to Baofeng’s online server; then it’s designed to send DNS queries to DNS servers to get the IP addresses of different online servers until it gets an answer. Because of its massive number of online users, it would be a powerful DDOS attack tool if all online Baofeng programs were to send continuous DNS queries at the same time, especially if the authoritative DNS server could not answer the queries.

Several DNS servers of DNSPod (a Chinese domain service provider and registrar) were hit by a DDOS attack on the night of May 18. These DNS servers became inaccessible. The assault was meant to be a targeted attack against one company, but one of the customers of DNSPod is Baofeng.com, whose authoritative DNS server was the server under attack. Because of a design flaw in Baofeng’s media player, all online Baofeng programs started continuously sending DNS queries after the DNS responses previously cached by other servers timed out on May 19. The massive number of DNS queries flooded the network of China Telecom (one of the biggest ISPs in China). As a result, users in parts of China were unable to access websites.

The initial DDOS attack that targeted a specific domain registrar now transformed into a DDOS attack on almost all DNS servers in China, so we can see how a bad design in a program “helped” the attacker(s) amplify the attack.