
China ‘Carried Out GitHub DDoS Attack’

The Chinese government appears to have been responsible for the denial-of-service attack on web-based code repository GitHub carried out over the past several days, according to security researchers and those targeted.

The attack targeted GitHub’s mirrors of two websites blocked by China’s official Internet filtering system, according to researchers – those of activist organisation GreatFire and a Chinese edition of The New York Times.

Official involvement

“This attack was unusual in nature as we discovered that the Chinese authorities were steering millions of unsuspecting internet users worldwide to launch the attack,” GreatFire said in a statement.

Meanwhile, the attack, which consists of directing large amounts of traffic to two GitHub addresses, is ongoing but mitigation efforts have eliminated its effects as of Monday evening, according to GitHub.

“Mitigation remains effective and service is stable,” GitHub said via its status Twitter feed early on Tuesday morning, UK time.

The attack began on Thursday, and involved a “wide combination of attack vectors”, GitHub said at the time.

“These include every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic,” the service said in an advisory.

Attack filters

Security researchers determined that the Chinese government’s official filters, which monitor Internet traffic entering or leaving the country, were being used to direct malicious requests at GitHub.

“China is using their active and passive network infrastructure in order to perform a man-on-the-side attack against GitHub,” wrote Erik Hjelmvik, a researcher with Swedish security monitoring and forensics firm Netresec, in an advisory.

The technique targeted users from outside the country visiting Chinese websites, according to Hjelmvik and other researchers. Such websites commonly contain requests intended to retrieve a snippet of JavaScript code from Baidu, a Chinese search engine, that is used to analyse traffic.

In this case, the request was intercepted by government filtering infrastructure, which responded with its own JavaScript code – code that instructed the user’s web browser to send requests to two specific GitHub addresses every few seconds.

The substitution occurred in only about 1 percent of the Baidu JavaScript requests, according to Hjelmvik, but this still generated enough traffic to help overwhelm GitHub’s servers.
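Seen from the targeted server, the behaviour described above (browsers on unrelated sites requesting the same addresses every few seconds) leaves a recognisable pattern in access logs. The sketch below is an added example, not code from GitHub, Netresec or the original article; the host name, paths, log layout and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlparse

OWN_HOST = "code-host.example"  # assumption: hostname of the site under attack

def _hits(ip, path, times, referer):
    """Build constructed log lines: '<epoch-seconds> <ip> <path> <referer>'."""
    return [f"{t} {ip} {path} {referer}" for t in times]

# Constructed sample traffic (not real data).
SAMPLE_LOG = "\n".join(
    # Browser left open on an unrelated page, re-requesting two paths every 2 s.
    _hits("198.51.100.7", "/mirror-a/", range(1000, 1012, 2), "http://blog.example/post")
    + _hits("198.51.100.7", "/mirror-b/", range(1001, 1013, 2), "http://blog.example/post")
    # Ordinary visitor navigating within the site itself.
    + _hits("203.0.113.9", "/mirror-a/", [1000, 1040, 1300], "https://code-host.example/explore")
    # Cross-site visitor following links at irregular intervals.
    + _hits("192.0.2.44", "/mirror-a/", [1000, 1003, 1060, 1061, 1500], "http://forum.example/t/1")
)

def periodic_cross_site_clients(log, min_hits=5, max_gap=5, max_jitter=1):
    """Return {client_ip: {paths}} for clients that request a path repeatedly,
    at a steady interval of a few seconds, with a Referer from another site."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, path, referer = line.split()
        ref_host = urlparse(referer).hostname
        if ref_host and ref_host != OWN_HOST:  # keep cross-site requests only
            seen[(ip, path)].append(int(ts))
    flagged = defaultdict(set)
    for (ip, path), times in seen.items():
        if len(times) < max(min_hits, 2):  # need at least one gap to measure
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Script-driven reloads are short and regular; human clicks are neither.
        if median(gaps) <= max_gap and max(gaps) - min(gaps) <= max_jitter:
            flagged[ip].add(path)
    return dict(flagged)

if __name__ == "__main__":
    for ip, paths in periodic_cross_site_clients(SAMPLE_LOG).items():
        print(ip, sorted(paths))
```

Clients flagged this way are themselves unwitting participants, so the result is better suited to rate limiting or challenge pages than to blocklists.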

Multiple scripts

Other Baidu scripts seem to have been used in the attack, including those used for advertising and other services.

“These domains are all owned by Baidu, but technically any JavaScript from any site in China could have been exploited to perform this sort of Man-on-the-side attack,” Hjelmvik wrote. “The Great Firewall of China cannot be considered just a technology for inspecting and censoring the Internet traffic of Chinese citizens, but also a platform for conducting DDoS attacks against targets worldwide with help of innocent users visiting Chinese websites.”

The attack didn’t require any infiltration of Baidu’s systems, as the company confirmed to The Wall Street Journal. “After careful inspection by Baidu’s security engineers, we have ruled out the possibility of security problems or hacker attacks on our own products,” the company stated.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
