GitHub attack - evidence points to China

China is being accused of pulling unwitting users into DDos attacks on the GitHub website to hit anti-censorship activists.

GitHub attack - evidence points to China
GitHub attack - evidence points to China

 China is accused of being the instigator of a prolonged DDoS attack on coding website GitHub.

The attack has used China's “Great Firewall” to send large volumes of traffic to GitHub in the hope of taking the site offline.

According to anti-censorship activists Greatfire.org, Chinese authorities were behind the denial-of-service attacks that have led to San-Francisco-based Github going offline intermittently.

“This attack was unusual in nature as we discovered that the Chinese authorities were steering millions of unsuspecting internet users worldwide to launch the attack,” the organisation said on its blog. “We believe this is a major cyber-security and economic threat for the people of China.”

The anti-censorship activists have hosted some of its content on GitHub repositories and this information was the focus of attacks.

GitHub first detected a massive attack on its infrastructure last Thursday.

“These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the Web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic,” GitHub said in a blog post. “Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.”

Security researchers said an analytics tool provided by Chinese search firm Baidu had been commandeered in China. JavaScripts has been surreptitiously planted onto websites that use Baidu's analytics service to track website visitors.

Only one per cent of users get this malicious code instead of the legitimate one from Baidu. The malicious code forces a user's browser to constantly reload two target Github pages; one for GreatFire.org while the other hosts a mirror site of The New York Times' Chinese edition. Both are banned by Chinese authorities.

“This attack demonstrates how the vast passive and active network filtering infrastructure in China, known as the Great Firewall of China or ‘GFW', can be used to perform powerful DDoS attacks,” said Erik Hjelmvik a security researcher at network forensics firm Netresec.

“Hence, the GFW cannot be considered just a technology for inspecting and censoring the Internet traffic of Chinese citizens, but also a platform for conducting DDoS attacks against targets world wide with help of innocent users visiting Chinese websites,” he added.

Chris Marrison, consulting solutions architect at Infoblox said that the attack on GitHub highlights that there is “no easy solution to securing DNS”.  He added that organisations that don't know their query load will never know when they're under attack.

“By using statistic support built into the DNS software BIND, administrators can help analyse their data for attack indicators. Whilst it may not always be clear what an attack looks like, anomalies will be more easily identifiable,” he told SCMagazineUK.com.

Catalin Cosoi, chief security strategist at Bitdefender said that another solution to prevent DDoS attacks happening would be to rely on cloud mitigation providers to scrub the traffic for you and only allow legitimate traffic to your resource (eg website, data centre, etc).

“Having a lot more available bandwidth than a company and more expertise in dealing with such attacks, they can sometimes minimise the damage caused by DDoS attacks,” he told SC.