Compliance Management, Network Security, Network Security, Privacy

Telegram blames China for DDoS disruptions during Hong Kong unrest

Telegram pointed the finger at Chinese state-sanctioned actors yesterday after a distributed denial of service (DDoS) attack overwhelmed its servers as protests were taking place in Hong Kong.

"We're currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues," the encrypted messaging service said in a tweet sent on June 12 at 4:20 a.m. ET. Almost an hour later, at 5:15 a.m. Telegram issued an update on Twitter saying that the situation had stabilized, at least for the moment.

After a Twitter user asked if Telegram could identify the source of the fake DDoS traffic, Telegram CEO Pavel Durov replied via his own personal Twitter account that the offending IP addresses were based primarily in China.

An autonomous territory of China, Hong Kong has experienced civil unrest following the introduction last March of proposed legislation that would make it easier to extradite suspected criminals from Hong Kong to mainland China and other Chinese territories. Citizens of the city see the law as a way for China's authoritarian government to exert control over the region.

Protesters are often known to use services like Telegram to organize their efforts in a manner free from government oversight, but a crippling DDoS attack would deny them access to such tools.

"Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception," tweeted Durov.

To describe how DDoS attacks like this work, Telegram in a series of tweets employed a rather odd analogy involving fast food and rodents.

"Imagine that an army of lemmings just jumped the queue at McDonald's in front of you – and each is ordering a whopper." (Editor's note: Whoppers are actually found at Burger King, not McDonald's. But just go with it.)

Pictured: a dramatic recreation of yesterday's DDoS attack against Telegram... metaphorically speaking.

"The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can’t even see you to try and take your order," the tweets continue.

"To generate these garbage requests, bad guys use 'botnets' made up of computers of unsuspecting users which were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa."

But, "There’s a bright side: All of these lemmings are there just to overload the servers with extra work – they can’t take away your BigMac and coke. Your data is safe."

“Telegram CEO Pavel Durov isn't crazy for suspecting the Chinese government is targeting Telegram," said Paul Bischoff, privacy advocate at, in emailed comments. "It wouldn't be the first time that China has weaponized botnets... to target websites with DDoS attacks," he added, referring to a wave of attacks against GitHub in 2015 that experts say targeted pages containing content or links to content that was banned in China.

Bischoff said Telegram users who are unable to access the service should "try using a VPN to connect to a few different countries so that your connection to Telegram goes through a server that's not under attack. Some VPNs even enable you to use Telegram from within mainland China, where it is normally censored."

"This type of attack is government censorship using cyber tools to block internet traffic," said Mark Skilton, professor of practice at Warwick Business School. "This was not a specific technology, but a distributed network attack on the internet ISP and NSP network providers. The strong encryption inside the Telegram app had no defense against the traffic level protocols and volume of traffic.

"To stop this type of attack would need new technology to block adversaries' traffic before the network, something that is not possible if the Chinese government control and have access to that network currently. What typically happens is alternative telecoms networks might be used. But I suspect those too would be targeted for a full-scale attack," continued Skilton, who researches and consults on cybersecurity. "However, we don't know if it was a full wide-scale internet attack or if it was a complete network-wide attack. It seems some sophistication was used to target the Telegram app and user service. This may be a symptom of a more advanced distributed 'denial of service' acting as a swarm of attacks against specific targets."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.