China DDoS Attack

Normally, June is a quiet month when it comes to cybersecurity news. Or, in fact, any kind of news. This June, though, we have a bonanza of cybersecurity stories from hackings to DDoS attacks.

The China DDoS Attack – Why, What, and How?

The U.S. government recently confirmed that a database full of traveler photos had been hacked. In addition, news came out that another hacker group has been probing the US power grid for weaknesses.

Next, there was arguably the most important story of the month, the DDoS attack on Telegram Messenger by the Chinese government. For several days, the encrypted messaging service was flooded with terabytes of data. This significantly affected users in Hong Kong, China, and the US. 

Although this attack is not the first of its kind, it does show that China is becoming more flagrant when it comes to blocking encrypted messaging services. It also illustrates the worrying amount of power that China can command when it comes to cyber attacks.

DDoS attack on Telegram Messenger

Image Source: MessengerPeople

1. China and Cybersecurity

The attack we’re about to describe reveals some worrying signs in China’s attitude towards internet privacy and security. Currently, Hong Kong does not face the strict internet censorship that exists in mainland China. Many activists have expressed concern about increased pressure from Beijing on the region.

More broadly, many countries are worried about the power that China has over IT infrastructure. The news that Huawei has been banned from the 5G network in Australia made headlines. Additionally, there are some less well-known but equally worrying trends out there.

According to this study of the top 20 free VPNs listed in the Google Play and Apple Store, the majority are either registered as a Chinese company or were created by Chinese developers. It’s no secret we would all prefer to use a cost-free VPN rather than pay. However, some cyber security professionals recommend following these trusted third-party reviews of free VPNs that don’t only include Chinese products.

2. Why the China DDoS Attack?

You don’t have to look far to find a motivation for the attack. There have been mass protests in Hong Kong for the past few weeks. These protests were originally against a specific bill that would allow criminal suspects in Hong Kong to be extradited to China. Since, the issue has escalated into huge protests against corruption and the extent of Hong Kong’s special administrative status.

Last Wednesday, protesters massed outside government headquarters. This show of force, like many of the protests, have been coordinated largely through encrypted messaging services, such as WhatsApp, Signal, and Telegram.

Chinese protesters against DDoS attacks

The Chinese government is aware of this, and has taken direct measures to undermine the security of these communications. For instance, and as reported by the South China Morning Post, one of the administrators of a Telegram group was recently arrested. Being charged with ‘conspiracy to commit public nuisance’, this case is to be intended as a warning to anyone using the app.

3. What Happened During the Attack?

The attack was first reported on June 12, by Telegram themselves. Initially, the company was reticent to identify the origin of the attack. Although, we have reason to assume that they knew it was coming from China from the earliest stages.

A DDoS attack like this can take many forms, but most commonly this type of attack is realized by sending a target server million upon millions of service requests every second. The idea is to flood the server with so many illegitimate requests that it is not able to respond to those of genuine users.

Telegram actually described the DDoS attack in a simplistic way. They invited their users to: 

“Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper. The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can’t even see you to try and take your order.”

After this tweet, the attack has come to be known as the ‘whopper’ DDoS attack.

Whopper DDoS attack

It was only after a few more days had passed that Telegram were willing to identify the culprit. Telegram’s founder Pavel Durov took to Twitter to suggest that the Chinese government had launched the attack. His conclusion was based on the sheer scale of the attack, and the fact that most of the IP addresses associated with it were in mainland China. He was pretty upfront about this, calling the attack a “state actor-sized DDoS,” and noting that the attack coincided with the ongoing protests in Hong Kong.

4. How Did the Attack Happen?

We are unlikely to ever know the precise mechanism through which the attack was carried out. DDoS attacks like this are often associated with botnets, but the resources that are available to the Chinese government means that they don’t have to rely on these, necessarily, to carry them out. 

Looking at this from a different perspective, it’s worth thinking about what Telegram could have done to protect users against a DDoS attack. In many ways, the service performed admirably given the scale of the attack.

Stable Icon

Telegram appeared to have stabilized after a few hours

Safe User Data Icon

They assured users that their data is safe


So, in a sense, Telegram did the job that encrypted messaging services are supposed to. It allowed protesters (and everyone else) to exchange encrypted information, even if this was not possible for a few hours while the attack was in progress. This, presumably, is a source of great frustration to the Chinese government. It is also the reason why, as Bloomberg reported, encrypted messaging apps like Telegram are trending in Hong Kong.

Sadly, there is not much individual users can do to protect themselves against DDoS attacks on services like Telegram. If you own a business, it is certainly worth taking measures to prevent DNS attacks, because these are some of the most common cyberattacks against small businesses. But if your messaging provider itself is the victim, there’s little you can do to help.

The Bottom Line: China DDoS Attack

Until the last few years, passive surveillance of this type was the most worrying element of Chinese cyber policy. With the recent DDoS attack, however, we are witnessing a shift in the way that China approaches these issues. Rather than ‘merely’ spying on users, it now feels secure enough to directly attack the services they use. For this reason, it is essential for online businesses to have advanced DNS and DDoS protection.


Sam Bocetta

Sam Bocetta

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. Currently working as part-time cybersecurity coordinator at