Attack on Anti-censorship Group Snares Baidu, GitHub

On Friday, Jesse Newland posted on the blog of the code-sharing site GitHub:

We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com’s history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content. [Source]

The specific content targeted was a pair of GitHub pages run by the censorship monitoring project GreatFire.org: its own page, and another for a mirror of the Chinese-language New York Times site. In late 2013, GreatFire began to create mirrored copies of blocked websites such as Reuters Chinese and its own FreeWeibo.com using Google and Amazon web services. This approach, dubbed “collateral freedom,” effectively dares Chinese authorities to block the entire platforms on which the mirrors are hosted. Although Google services were comprehensively blocked ahead of last year’s 25th anniversary of the 1989 June 4th crackdown, the project has diversified and expanded to provide access to ten blocked websites including CDT, with another nine covered by media freedom organization Reporters Without Borders.

The GitHub attackers hijacked tracking code from Chinese search giant Baidu, embedded in hundreds of thousands of Chinese sites, to recruit any visitors from outside China as unwitting accomplices. As long as these visitors remained on an affected site, their browsers would direct a stream of requests in the background to the two GitHub pages:

The Washington Post’s Andrea Peterson put the attack in context:

GitHub was briefly blocked inside China in 2013, but reinstated after an outcry from programmers. Because GitHub uses encryption to hide specific parts of the site, the Chinese government cannot selectively block only some of GitHub’s content. But blocking the site wholesale could be damaging to China’s economy because it is so widely used by the tech industry.

Forcing GitHub site to take down GreatFire’s pages, as Newland suggested is the attackers’ goal, would solve this dilemma. Peterson also addressed the question of attribution:

While determining the entities behind these types of attacks is difficult, the Chinese government would be an obvious culprit, said James A. Lewis, a senior fellow at the Center for Strategic and International Studies. “The only people who would really benefit from it would be China,” he said. Using such a bold tactic to attack content it dislikes seems to be either a way for the government to send a message or test out new capabilities, he said. [Source]

Security expert Mikko Hypponen similarly told Motherboard that “I have no proof it’s the Chinese government. But who else would have the motive? Who else would have the capability to hijack traffic like this?” On Twitter, he added:

The Amazon Web Services attack Hypponen refers to took place soon after the publication of a Wall Street Journal article on the project earlier this month. Buoyed by a flood of up to 2.6 billion server requests per hour, GreatFire’s bandwidth costs rose to $30,000 per day, which the group dryly noted could “put a significant squeeze on our operations.” It was already on China’s radar before the WSJ article appeared: in January, as Chinese authorities stepped up efforts to block censorship circumvention, the Cyberspace Administration of China labeled GreatFire.org “an anti-China website set up by an anti-China overseas organization, which has for a long time carried out unprovoked attacks on the Chinese government.”

After falling victim to an apparently random DDoS from China in January, Iconfactory’s Craig Hockenberry commented that “at the end of the day, every machine in China has the potential be a part of a massive DDOS attack on innocent sites. As my colleague Sean quipped, ‘They have weaponized their entire population.’” Observing the GitHub attack on Friday, Insight Labs’ [email protected] wrote that “even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech.”

The attack, meanwhile, continues: