Baidu is China's largest search site. Security researchers are pointing to an attack on its DNS registrar as the source of yesterday's outage. See The New York Times: ‘Iranian Cyber Army’ Strikes Chinese Site:
Less than a month after a group calling itself the “Iranian Cyber Army” attacked Twitter, users of China’s most popular search engine, Baidu, were redirected on Tuesday morning to a Web page displaying a message claiming that the same group had blocked access to that site as well.
China’s official news agency, Xinhua, reported:
Internet users attempting to open the site were greeted with a graphic stating that the site had been attacked by the Iranian Cyber Army. According to a report on the People’s Daily website, hackers changed Baidu’s DNS records, redirecting traffic to another site. As the BBC explained, “DNS records are like a telephone book, converting Web site names like baidu.com into a sequence of numbers understandable by the Internet.”
The security firm Praetorian Prefect details the DNS attack on its site:
A group called the Iranian Cyber Army has, fresh off the heels of their DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.
Baidu is a big company, and this attack appears to have been accomplished through vulnerabilities in the United States. I can't quantify the financial or disruptive impact on Baidu or those who depend on it for search, but it is not trivial.
This attack highlights the continuing worldwide vulnerability to DNS attacks. No matter how secure or reliable a web site, email system or VoIP system may be, it still depends on the DNS to direct you to the proper site. If the DNS directs you to another site, you presently have no way of knowing that the site is fake unless DNSSEC is in place to authenticate the answer.
In this case the perpetrators wanted you to know the site was fake, but imagine if they took you to a fake search engine site that further directed you to sites that downloaded malware or logged your passwords or other credentials. This is called Cache Poisoning. It happens all the time and is the basis for a thriving crime business.
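The two preceding paragraphs describe what a resolver has to trust and what a site operator cannot see once the DNS answer has been altered. The following Python script is an added example, not code from the original post or from any of the sources it quotes. It builds and parses DNS messages in wire format and applies two defensive checks: a resolver-side check that a reply really answers the query that was sent (response bit, transaction ID and question must match), and a monitoring-side check that compares the A records in an answer against an allowlist the operator maintains, which is how an operator would notice records being redirected the way Baidu's were. Every name, transaction ID and address is constructed for the example; the addresses come from the RFC 5737 documentation ranges and are not Baidu's real ones, and the script makes no network calls.

```python
import socket
import struct

# All names, transaction IDs and addresses below are constructed for this
# example; 192.0.2.x and 198.51.100.x are documentation ranges (RFC 5737),
# not Baidu's real addresses.


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (name, offset of the first byte after the name in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:                                 # root label ends the name
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query: header, then one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, name: str, ips, ttl: int = 300) -> bytes:
    """Constructed response carrying one A record per address (sample data only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to offset 12, where the question name sits
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


def parse_message(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = read_name(msg, offset)
        rtype, _rclass, rttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((rname, rtype, rttl, value))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_response(query: bytes, response: bytes) -> bool:
    """Resolver-side check: a reply counts only if it is a response (QR bit set),
    echoes the transaction ID and repeats the question that was actually asked."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["flags"] & 0x8000) and r["id"] == q["id"] and r["questions"] == q["questions"]


def drifted_addresses(response: bytes, expected_ips) -> list:
    """Monitoring-side check: A records that are not on the operator's allowlist."""
    seen = {v for (_, t, _, v) in parse_message(response)["answers"] if t == 1}
    return sorted(seen - set(expected_ips))


def assess(query: bytes, response: bytes, expected_ips) -> str:
    """Combine both checks into one verdict for a query/response pair."""
    if not accept_response(query, response):
        return "rejected"
    drift = drifted_addresses(response, expected_ips)
    return "ok" if not drift else "alert: unexpected " + ",".join(drift)


def demo() -> dict:
    """Three constructed cases: the expected answer, a redirected answer, and a
    reply whose transaction ID does not match the query (hypothetical values)."""
    expected = {"192.0.2.10", "192.0.2.11"}            # placeholder allowlist
    query = build_query(0x1234, "baidu.com")
    return {
        "legit":    assess(query, build_response(0x1234, "baidu.com", ["192.0.2.10"]), expected),
        "hijacked": assess(query, build_response(0x1234, "baidu.com", ["198.51.100.7"]), expected),
        "mismatch": assess(query, build_response(0x9999, "baidu.com", ["198.51.100.7"]), expected),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9} {verdict}")
```

The first check is what a resolver does before caching anything; the second is what the site operator should run continuously from several vantage points, because DNSSEC validation covers the signed zone data while a change made at the registrar to the delegation itself (nameservers and DS records) is outside what a validating resolver can catch. Independent monitoring of the records that the public actually receives is therefore the practical complement to DNSSEC for an incident like this one.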