GitHub DDoS Attack Traces to ChinaDisruption Appears to Target Anti-Censorship Tools
The popular code-sharing website GitHub, based in San Francisco, has been battling a massive distributed denial-of-service attack campaign that began late March 25. Security experts say the attack appears to have originated from China and targets anti-censorship tools hosted on GitHub.
See Also: 2016 State of Threat Intelligence Study
"We are currently experiencing the largest DDoS attack in github.com's history," the site said in a March 27 service update. "Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content." The DDoS attack techniques "include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the Web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic."
The attacks - and related disruptions - remained ongoing through March 30. "The DDoS attack has evolved and we are working to mitigate," reads a March 30 GitHub status update. But by later in the day, GitHub reported that its mitigations appeared to be working, and said access to the site remained stable.
"DDoS attacks are a quick and effective way for people who don't agree with what a group, political party, person or company is saying to shut down the platform on which they are promoting their message," says security researcher Igal Zeifman at DDoS defense firm Incapsula. "We've seen countless examples of this, mainly targeting government sites, but also recently with the takedown of the feminist site Femsplain on International Women's Day."
Baidu Analytics Code
For the GitHub DDoS attack, this otherwise legitimate Baidu user-tracking software was modified to load two URLs - "https://github.com/greatfire/" and "https://github.com/cn-nytimes/" - every two seconds, reports InsightLabs.org researcher "Anthr@x," who claims to be Chinese, but based outside of China. The first targeted GitHub website address links to tools from Greatfire.org that are designed to help Chinese users evade government censorship, while the second links to a Mandarin version of The New York Times. Access to both of those links is reportedly banned from inside China. And by routing such a large number of fake requests to those URLs, the DDoS attack was at times disrupting the entire GitHub website.
After 113 hours of sustained DDoS attacks our defenses are holding. We will keep our status at yellow until the threat has subsided.ï¿½ GitHub Status (@githubstatus) March 30, 2015
But Baidu says the attack didn't appear to involve any of its systems. "After a thorough investigation by our security team, we found no security breaches in Baidu and no evidence that we had been hacked. We've notified other security organizations and are working together to get to the bottom of this," a spokesman tells Information Security Media Group.
The attack appeared to be quite effective for a number of reasons, says Ofer Gayer, an Incapsula security researcher. For example, it relied on real users - running real browsers - coming from a variety of locations and changing IP addresses, as well as from a legitimate source country, all of which would make it difficult to block outright.
"The reason we don't see this [type of attack] more often is because in order to execute such an attack, the perpetrator has to create a persistent [cross-site-scripting] DDoS scenario on a very popular website, or ... have control over a very high-traffic proxy - in this case ... the Chinese government's network equipment," Gayer says.
"This is a very clever and potentially effective mitigation approach," Gayer says. "The alerts halt the request loop iteration and consequently limit each visitor to one request per page, and possibly [also] notify the 'unwilling' GitHub visitors of their participation in the DDoS campaign."
In response to the InsightLabs.org report, Chinese Foreign Ministry spokeswoman Hua Chunying told Reuters - as the Chinese government has regularly claimed before - that China is a victim from, rather than instigator of, hack attacks.
Follows Greatfire DDoS Attack
The DDoS campaign against GitHub follows an attack - which has since ceased - against the Greatfire.org website itself, which pummeled the site with more than 700,000 HTTP requests per second. "The attack started on March 17 and we are receiving up to 2.6 billion requests per hour which is about 2,500 times more than normal levels," Greatfire.org said in a March 19 blog post. The anti-censorship site warned that the attack was costing it $30,000 per day in Amazon hosting fees. The organization said the attack began after The Wall Street Journal highlighted the group's anti-censorship activities.
Such activities are designed to help people in China circumvent the government's censorship of certain types of websites and content. That's enforced, in part, via the government-run "great firewall" of China, which restricts access to some types of content, backed by an army of censors who appear to especially target anything that might incite Chinese people into taking some types of collective action.
But it's not clear if these recent DDoS attacks are the work of Chinese government agencies. Security experts warn that such attacks could also be the work of independent political activists or even mercenaries.