Massive denial-of-service attack on GitHub tied to Chinese government

The massive denial-of-service attacks that have intermittently shut down GitHub for more than five days is the work of hackers with control over China's Internet backbone, according to two technical reports published Tuesday that build a strong case that government authorities are at least indirectly responsible.

GitHub officials have said the torrent of junk data pummeling their servers is the biggest they have ever seen. As previously reported, the two GitHub pages are constantly loaded and reloaded by millions of computer users inside and outside of China, an endless loop that left unmitigated outages not just on the two targeted pages but throughout GitHub's entire network. Exhibit A in the case in which China is involved are the two specific GitHub pages targeted: one hosts anti-censorship service GreatFire.org while the other hosts a mirror site of The New York Times' Chinese edition. The targets suggest the attackers are sympathetic to the vast censorship apparatus known as the Great Firewall of China.

Now researchers have unearthed additional evidence implicating China that goes beyond motive. Specifically, the computers hammering GitHub servers are all running a piece of malicious code that surreptitiously makes them soldiers in a massive DDoS army. The JavaScript gets silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics. About one percent of people visiting such sites don't receive the true Baidu analytics JavaScript but instead get code that forces their browser to constantly reload the two targeted GitHub pages.

A time to live

Researchers at Sweden-based Netresec analyzed the technical fingerprints of the malicious JavaScript and found they are different from the remainder of the non-malicious traffic received by the one percent of computers conscripted into the DDoS army. For instance, the time to live limits placed on how long packets should be accepted by end-user computers are vastly different for the malicious content—from 30 to 229 compared with 42 for legitimate analytics code. The Netresec researchers also tried blocking one of the malicious packets so that a request would be made to the originating server for the packets to be resent. The requests were ignored. Both observations are consistent with the DDoS code being inserted by someone other than the websites using the Baidu analytics service.

"This attack demonstrates how the vast passive and active network filtering infrastructure in China, known as the Great Firewall of China or 'GFW,' can be used in order to perform powerful DDoS attacks," the Netresec researchers wrote in a report published Tuesday. "Hence, the GFW cannot be considered just a technology for inspecting and censoring the Internet traffic of Chinese citizens, but also a platform for conducting DDoS attacks against targets world wide with help of innocent users visiting Chinese websites."

The report included the following data, which was taken using the tshark packet sniffer. It shows that the TTL of a legitimate SYN+ACK packet is 42, while three packets with a malicious payload have TTL values of 227, 228, and 229. The results suggest that the SYN+ACK packets are coming from the actual Baidu server, while the packets carrying the malicious payload are injected somewhere else:

tshark -r baidu-high-ttl.pcap -T fields -e ip.src -e ip.dst -e tcp.flags -e ip.ttl
192.168.70.160 61.135.185.140 0x0002 64 <- SYN (client)
61.135.185.140 192.168.70.160 0x0012 42 <- SYN+ACK (server)
192.168.70.160 61.135.185.140 0x0010 64 <- ACK (client)
192.168.70.160 61.135.185.140 0x0018 64 <- HTTP GET (client)
61.135.185.140 192.168.70.160 0x0018 227 <- Injected packet 1 (injector)
192.168.70.160 61.135.185.140 0x0010 64
61.135.185.140 192.168.70.160 0x0018 228 <- Injected packet 2 (injector)
61.135.185.140 192.168.70.160 0x0019 229 <- Injected packet 3 (injector)
192.168.70.160 61.135.185.140 0x0010 64
192.168.70.160 61.135.185.140 0x0011 64

Researchers from GreatFire have issued their own report that also lays out evidence the attacks could not have been carried out without the cooperation of Chinese authorities. In an accompanying blog post, they went on to name the Cyberspace Administration of China and its head Lu Wei. The GreatFire researchers wrote:

Inserting malicious code in this manner can only be done via the Chinese Internet backbone. Even if CAC did not launch the DDoS attack directly, they are responsible for managing the internet in China and it is not possible that they did not know what was happening. These attacks have occurred under CAC’s watch and would have needed the approval of Lu Wei.

Lu Wei and the Cyberspace Administration of China have clearly escalated the tactics that they use to control information. The Great Firewall has switched from being a passive, inbound filter to being an active and aggressive outbound one. This is a frightening development and the implications of this action extend beyond control of information on the internet. In one quick movement, the authorities have shifted from enforcing strict censorship in China to enforcing Chinese censorship on internet users worldwide. CAC can launch these attacks quickly and easily and they have the technical and financial resources behind them to continue to launch DDoS attacks against any website, anywhere in the world.

These attacks also illustrate the shortsighted nature of the Chinese authorities. Weaponizing Chinese internet services stifles global confidence in Chinese entrepreneurs and contributes to the fragmentation of the global internet. The SEC has already asked Weibo to explain how the censorship apparatus works - Baidu, a publicly-listed company in the US, may be called in to do the same.

We correctly predicted last year that China would increase their use of MITM attacks in an effort to censor encrypted websites. We now sadly predict that the DDoS attacks against us and GitHub are likely to signal a ramping up of attacks against foreign internet properties. These kinds of attacks should draw scorn and criticism from government officials of all countries around the world.

So far, there are no reports of Chinese officials responding to the accusations. In fairness, readers should remember that assigning responsibility to Internet-based attacks is extremely difficult. Attackers often manipulate their hacks to give the appearance they originated somewhere else. Still, there's no doubt that Chinese authorities carefully police that country's Internet backbone. It's hard to imagine how malicious code could be inserted into so many different China-based websites for five days straight without a government authority actively participating, or at least looking the other way, while it happened.