DDoS Protection , Security Operations

GitHub DDoS Attack Traces to China

Disruption Appears to Target Anti-Censorship Tools
GitHub DDoS Attack Traces to China

The popular code-sharing website GitHub, based in San Francisco, has been battling a massive distributed denial-of-service attack campaign that began late March 25. Security experts say the attack appears to have originated from China and targets anti-censorship tools hosted on GitHub.

See Also: DNS and the Threat of DDoS

"We are currently experiencing the largest DDoS attack in github.com's history," the site said in a March 27 service update. "Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content." The DDoS attack techniques "include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the Web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic."

The attacks - and related disruptions - remained ongoing through March 30. "The DDoS attack has evolved and we are working to mitigate," reads a March 30 GitHub status update. But by later in the day, GitHub reported that its mitigations appeared to be working, and said access to the site remained stable.

"DDoS attacks are a quick and effective way for people who don't agree with what a group, political party, person or company is saying to shut down the platform on which they are promoting their message," says security researcher Igal Zeifman at DDoS defense firm Incapsula. "We've seen countless examples of this, mainly targeting government sites, but also recently with the takedown of the feminist site Femsplain on International Women's Day."

Baidu Analytics Code

Multiple information security experts say that the DDoS attack against GitHub appeared to involve - at least in part - hijacking HTTP queries related to Chinese search giant Baidu. In particular, attackers appear to have injected JavaScript into Baidu's user-tracking software. This software, which is widely used both inside and outside of China, is similar to the Google Analytics code that many businesses embed in their websites, both for analytics purposes as well as to serve targeted advertisements.

For the GitHub DDoS attack, this otherwise legitimate Baidu user-tracking software was modified to load two URLs - "https://github.com/greatfire/" and "https://github.com/cn-nytimes/" - every two seconds, reports InsightLabs.org researcher "Anthr@x," who claims to be Chinese, but based outside of China. The first targeted GitHub website address links to tools from Greatfire.org that are designed to help Chinese users evade government censorship, while the second links to a Mandarin version of The New York Times. Access to both of those links is reportedly banned from inside China. And by routing such a large number of fake requests to those URLs, the DDoS attack was at times disrupting the entire GitHub website.

But Baidu says the attack didn't appear to involve any of its systems. "After a thorough investigation by our security team, we found no security breaches in Baidu and no evidence that we had been hacked. We've notified other security organizations and are working together to get to the bottom of this," a spokesman tells Information Security Media Group.

Anthr@x says that the JavaScript DDoS code only appears to have been getting added to HTTP requests to Baidu that originated either from outside China or via a proxy server. "What is happening here is pretty clear now: A certain device at the border of China's inner network and the Internet has hijacked the HTTP connections [as they] went into China, replaced some JavaScript files from Baidu with malicious ones that would load [the two URLs] every two seconds," Anthr@x says.

The attack appeared to be quite effective for a number of reasons, says Ofer Gayer, an Incapsula security researcher. For example, it relied on real users - running real browsers - coming from a variety of locations and changing IP addresses, as well as from a legitimate source country, all of which would make it difficult to block outright.

"The reason we don't see this [type of attack] more often is because in order to execute such an attack, the perpetrator has to create a persistent [cross-site-scripting] DDoS scenario on a very popular website, or ... have control over a very high-traffic proxy - in this case ... the Chinese government's network equipment," Gayer says.

Mitigating Attack

After the DDoS attack began, however, attempting to access either of the links that were being targeted often resolved to an error message - "alert ('WARNING: malicious javascript detected on this domain')" - which Anthr@x says is likely a "very clever" defense on the part of either GitHub or Greatfire. That's because instead of simply allowing the Web page to be called, the error message will "block code execution to prevent it being called in a loop."

"This is a very clever and potentially effective mitigation approach," Gayer says. "The alerts halt the request loop iteration and consequently limit each visitor to one request per page, and possibly [also] notify the 'unwilling' GitHub visitors of their participation in the DDoS campaign."

In response to the InsightLabs.org report, Chinese Foreign Ministry spokeswoman Hua Chunying told Reuters - as the Chinese government has regularly claimed before - that China is a victim from, rather than instigator of, hack attacks.

Follows Greatfire DDoS Attack

The DDoS campaign against GitHub follows an attack - which has since ceased - against the Greatfire.org website itself, which pummeled the site with more than 700,000 HTTP requests per second. "The attack started on March 17 and we are receiving up to 2.6 billion requests per hour which is about 2,500 times more than normal levels," Greatfire.org said in a March 19 blog post. The anti-censorship site warned that the attack was costing it $30,000 per day in Amazon hosting fees. The organization said the attack began after The Wall Street Journal highlighted the group's anti-censorship activities.

Such activities are designed to help people in China circumvent the government's censorship of certain types of websites and content. That's enforced, in part, via the government-run "great firewall" of China, which restricts access to some types of content, backed by an army of censors who appear to especially target anything that might incite Chinese people into taking some types of collective action.

But it's not clear if these recent DDoS attacks are the work of Chinese government agencies. Security experts warn that such attacks could also be the work of independent political activists or even mercenaries.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.