Internet anomalies in mainland China in 2014

In the afternoon of January 21, 2014, the Chinese internet suffered a major failure. The country's DNS infrastructure, which is responsible for translating domain names into IP addresses, started directing unrelated domains from various TLDs to the completely unresponsive IP address 65.49.2.178 at 15:10 (UTC+8). As a result, two-thirds of all domestic websites became non-functional, including such high-traffic sites as Baidu and Sina.

It is debated what caused this incident. Chinese officials point to the fact that the IP address is owned by Dynamic Internet Technology, an American Falun Gong-affiliated corporation most known for developing the Great Firewall circumvention tool Freegate, and argue that it was caused by external hacking. Independent researchers, however, argue that the incident is more likely caused by a misconfiguration in Great Firewall's DNS poisoning mechanism.

Incident timeline
At 09:00 on January 21, many of Tencent's online services failed. Tencent later clarified that this failure had nothing to do with the subsequent nationwide incident.

At 15:15, China's DNS servers started malfunctioning. Many sites ending in .com, .org, and .net were resolved to a wrong IP address, 65.49.2.178, affecting about two-thirds of the country's websites, while the .cn top level domain was not affected. GreatFire reports that the malfunctioning stopped by 15:39, and by 16:00 the various internet service providers have started manual flushes of the DNS cache to remove the poisoned entries. By 16:50, most sites were back to normal, although it could take up to 12 hours for the DNS cache to completely flush.

n.baidu.com, a sub-domain under Baidu, was found to show "catch me if you can" when visited via a browser, although it's unclear whether this was connected to the incident. The source code on the front page of DNS service provider DNSPod's official website was found to include snide content, but DNSPod said via the official Weibo that it was an Easter Egg.

Theories
The IP address 65.49.2.178 is owned by DIT, as aforementioned in the lead. WooYun, a now-defunct internet security platform, claimed on Weibo to have evidence of the said address sending out spam and carrying out other politically motivated hacking operations. Researchers of Kingsoft Antivirus similarly believe that the IP has carried out attacks. Bill Xia of DIT denied any allegations of hacking.

The hacking theory is widely questioned. Dong Fang of Qihoo (China), Ye Xuhui of Hong Kong ISP Association, and two other Chinese experts point out that any attack to cause a simultaneous dysfunction must be enormous in scale, as it needs to cover all the high-level DNS servers in China. Such an attack would be beyond the ability of most hackers. The power, however, is available to the ISPs, and a misconfiguration could have caused this issue.

Reuters and Bloomberg report that the attack was caused by a misconfiguration of the Great Firewall. Prof Xiao Qiang of UC Berkeley concurs. GreatFire.org, which specializes in monitoring the Great Firewall, shows "decisive evidence" that the incident was caused by the said firewall. GF.org argues that if such a problem was truly caused by an upstream DNS error, a non-Chinese DNS should return the correct IP address. However, during the incident, queries to Google's 8.8.8.8 DNS service are similarly incorrect, indicating a GFW involvement.