Massive DDoS Takes Out Anti-China GitHub Pages

Beijing is suspected of masterminding the largest DDoS attack in GitHub’s history – specifically targeted at two anti-censorship projects on the developer platform.

The attack began in the early hours of Thursday morning and involved a “wide combination of attack vectors,” GitHub said in a status note on Friday.

It added:

“These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.”

This content apparently includes one part of GitHub run by anti-censorship body Greatfire.org, and another linking to the New York Times’ Chinese language website, which is banned inside the Great Firewall.

Writing on security forum Insight-labs, Chinese security blogger Anthr@x claimed the attackers are hijacking HTTP connections going into China and replacing some JavaScript files used by search engine Baidu for advertising and tracking with malicious ones.

These load the two GitHub pages every two seconds, causing the DDoS.

“In other words, even people outside China are being weaponized to target things the Chinese government does not like; for example, freedom of speech,” said Anthr@x.

As of Monday morning (BST) GitHub was still under attack. Its latest tweet reads: “The DDoS attack has evolved and we are working to mitigate.”

The attack comes just days after Beijing was linked to a high-profile man-in-the-middle attack when one of its intermediate certificate authorities was caught by Google issuing rogue certificates, in contravention of all agreed industry rules.

It also comes over a week after Greatfire.org was itself hit with a massive DDoS, flooding its infrastructure with 2.6 billion requests an hour.

The anti-censorship body has been a vocal campaigner against China’s repressive subjugation of internet freedoms, mirroring many banned sites on its own cloud-based infrastructure in a project dubbed ‘collateral freedom’.

It seems the authorities are making a concerted bid to crush these attempts, with the main actor pegged as propaganda tsar Lu Wei, who is in charge of the Cyberspace Administration of China (CAC).

Dave Larson, CTO of Corero Network Security, explained that DDoS attacks are increasingly seen to evolve over one or two days, with attackers launching multiple waves to circumvent mitigation techniques.

“GitHub have done the right thing in keeping their users informed of the status of the attacks. But when the attackers are sufficiently motivated and have extensive resources, which is common when the perpetrators are powerful syndicates or state actors, as may be the case here, it is difficult to stay ahead of the attack if your response methodology relies on human analysts,” he added.

“With the growing power and sophistication of DDoS and other attacks aimed at service disruption, coupled with the increasing ease of launching attacks, every organization no matter how large or small can become a victim.”

Infosecurity has reached out to Greatfire.org and will update this story if we hear back.
