
Chinese government linked to largest DDoS attack in GitHub history

GitHub was the victim of a DDoS attack for six days in March 2015. Here's a look at how the attack was orchestrated, and why GitHub might have been targeted by the Chinese government.


On March 26, 2015, a large and well-coordinated distributed denial of service (DDoS) attack was launched against GitHub, the heir apparent to the now-closing Google Code. GitHub characterized it as the largest DDoS attack in its history.

The Electronic Frontier Foundation (EFF) and the network security firm Netresec name the Chinese government as the culprit behind the attack, which lasted until March 31, 2015. Here's an overview of how the attack worked and why the cloud-based git repository host was targeted.

Deconstruction of the DDoS attack

The construction of this DDoS attack is involved, and it implies Chinese government involvement. It is a man-on-the-side attack: the attacker sits at a point where it can observe traffic and, rather than blocking the legitimate reply, races a forged reply to the client so that the forgery arrives first and the genuine answer is discarded as a duplicate. Users outside China who viewed Chinese-language websites that use the Baidu Analytics user tracking package (comparable to Google Analytics) would, in the course of a normal page view, request the JavaScript file that performs the tracking. The forged reply substituted a different, obfuscated JavaScript file that instructed the user's browser to reload two specific GitHub project pages over and over, turning each ordinary visitor into an unwitting participant in the DDoS.

The two project pages belong to GreatFire, an organization that uses US cloud providers to help users circumvent the Great Firewall of China, and to a Chinese-language edition of The New York Times hosted on GitHub. Mounting a man-on-the-side attack at this scale requires a vantage point deep in the network path of ordinary international traffic, a level of access the Chinese government clearly possesses and regularly exercises.
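The race described above leaves a fingerprint in a packet capture: for one request the client receives two replies claiming the same TCP sequence position but carrying different bytes, and the two usually arrive with very different IP TTLs because they were emitted by different hosts. The following detector for that pattern is an added example written for this page, not code from the article, GitHub, Netresec or the EFF; the addresses, TTLs and HTTP payloads in `SAMPLE` are constructed, and the `min_ttl_gap` threshold is an assumed heuristic rather than a measured value.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment, reduced to the fields the check uses.
    Every value placed in SAMPLE below is constructed for this example."""
    ts: float        # capture timestamp, seconds
    src: str         # server address
    dst: str         # client address
    sport: int
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    ttl: int         # IP TTL observed at the capture point
    payload: bytes   # HTTP bytes carried by this segment


def find_injection_races(segments, min_ttl_gap=4):
    """Flag positions in a flow where two segments claim the same sequence
    number but carry different bytes.  A genuine retransmission repeats the
    same bytes; a man-on-the-side injector forges its own segment and races
    it against the real server's, so the capture shows two different answers
    for one request and the client keeps whichever arrived first.  A large
    TTL gap between the pair corroborates that they came from different hosts
    (min_ttl_gap is an assumed threshold, tune it to the path being watched)."""
    by_position = defaultdict(list)
    for seg in sorted(segments, key=lambda s: s.ts):
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        by_position[(flow, seg.seq)].append(seg)

    findings = []
    for (flow, seq), segs in by_position.items():
        winner = segs[0]                     # the reply the client acted on
        for loser in segs[1:]:
            if loser.payload == winner.payload:
                continue                     # plain retransmission, benign
            gap = abs(winner.ttl - loser.ttl)
            findings.append({
                "flow": flow,
                "seq": seq,
                "winner_ttl": winner.ttl,
                "loser_ttl": loser.ttl,
                "ttl_gap": gap,
                "different_origin_likely": gap >= min_ttl_gap,
                "winner_payload": winner.payload,
                "loser_payload": loser.payload,
            })
    return findings


# Constructed addresses from the RFC 5737 documentation ranges.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"


def _seg(ts, dport, seq, ttl, payload):
    return Segment(ts, SERVER, CLIENT, 80, dport, seq, ttl, payload)


# Constructed stand-ins for the genuine analytics reply and the forged one.
LEGIT_JS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
            b"var _tracker = _tracker || [];\n")
FORGED_JS = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
             b"/* obfuscated replacement script */\n")

SAMPLE = [
    # connection 51234: forged reply lands 80 ms before the real one, at a
    # TTL that does not match the server's usual hop distance
    _seg(0.000, 51234, 1, 227, FORGED_JS),
    _seg(0.080, 51234, 1, 52, LEGIT_JS),
    # connection 51235: an ordinary retransmission repeats identical bytes
    _seg(1.000, 51235, 1, 52, LEGIT_JS),
    _seg(1.300, 51235, 1, 52, LEGIT_JS),
    # connection 51236: a single, uncontested reply
    _seg(2.000, 51236, 1, 52, LEGIT_JS),
]

if __name__ == "__main__":
    for hit in find_injection_races(SAMPLE):
        print(f"flow {hit['flow']} seq {hit['seq']}: first reply TTL "
              f"{hit['winner_ttl']} vs later reply TTL {hit['loser_ttl']}")
```

On a real capture the segments would come from a pcap parser rather than the constructed list; the check is deliberately indifferent to the payload contents, because the injected script can change at will while the duplicate-sequence-number race cannot be hidden from a capture taken at the client.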

GitHub was not the first target. A functionally identical DDoS attack was used against GreatFire from March 17, 2015; the organization's founder, Charlie Smith, indicates this was in response to a Wall Street Journal article about the project. GreatFire's deconstruction of that attack also names the Chinese government as the culprit. During a press conference, Chinese Foreign Ministry spokesperson Hua Chunying gave a deflecting response that does not deny the involvement of the Chinese government in the attacks:

"...it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks."

Separately, President Obama on April 1, 2015 signed an executive order authorizing sanctions against individuals and groups outside the US that launch cyberattacks threatening foreign policy, national security, or economic stability, a problem the order characterizes as a "national emergency."

Why this attack was possible

According to the EFF, the attack vector exists because the Baidu Analytics script is served over unencrypted HTTP by default, which lets a party on the network path swap the legitimate analytics script for the attack script. The EFF also notes that encryption is not a complete fix: an organization such as Baidu could be compelled by the Chinese government to hand over its private keys, allowing the same substitution against HTTPS traffic.
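Two properties of a page make it exposed to this substitution: the script is fetched over plain HTTP, and nothing on the client checks that the bytes it received are the bytes the page author expected. Subresource Integrity (SRI) addresses the second property by pinning a hash in the `<script>` tag, which the browser verifies before executing the file regardless of how it arrived. The audit helper and the browser-style check below are an added example written for this page, not code from the article, the EFF or Baidu; the script bodies, the `analytics.example` and `cdn.example` hosts and the sample page are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

_SRI_ALGOS = ("sha256", "sha384", "sha512")   # the digests SRI permits


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Value a page author pins in <script integrity="...">: '<algo>-<base64 digest>'."""
    if algo not in _SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def verify_subresource(body: bytes, integrity: str) -> bool:
    """Mimic the browser-side check: the fetched script runs only if it hashes
    to the pinned value, no matter how the bytes reached the client."""
    algo = integrity.split("-", 1)[0]
    if algo not in _SRI_ALGOS:
        return False                 # malformed or unknown pin: refuse to run
    return sri_hash(body, algo) == integrity


class _ExternalScripts(HTMLParser):
    """Collect the attributes of every <script src=...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.tags.append(attrs)


def audit_script_tags(html: str):
    """For each external script, report the two properties that made this
    attack possible: loaded over plain HTTP (an on-path party can rewrite it)
    and lacking an integrity pin (a rewritten copy still runs)."""
    parser = _ExternalScripts()
    parser.feed(html)
    report = []
    for attrs in parser.tags:
        src = attrs["src"].strip()
        lowered = src.lower()
        report.append({
            "src": src,
            # a scheme-relative "//host/..." URL inherits the page's scheme,
            # so on an HTTP page it is as exposed as an explicit http://
            "plain_http": lowered.startswith("http://") or lowered.startswith("//"),
            "pinned": bool(attrs.get("integrity")),
        })
    return report


# Constructed stand-ins: a harmless tracking snippet and a swapped-in replacement.
LEGIT_SCRIPT = b"var _tracker = _tracker || [];\n_tracker.push(['pageview']);\n"
SWAPPED_SCRIPT = b"/* something else entirely */\n"
PIN = sri_hash(LEGIT_SCRIPT)

# Constructed page: one unprotected analytics include, one pinned HTTPS include.
SAMPLE_HTML = f"""<html><head>
<script src="http://analytics.example/h.js"></script>
<script src="https://cdn.example/lib.js" integrity="{PIN}" crossorigin="anonymous"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print("legit passes:", verify_subresource(LEGIT_SCRIPT, PIN))
    print("swapped passes:", verify_subresource(SWAPPED_SCRIPT, PIN))
    for row in audit_script_tags(SAMPLE_HTML):
        print(row)
```

Two caveats matter in practice. The pin lives in the embedding page, so it only helps when that page itself reaches the browser intact (that is, over HTTPS); an on-path attacker who can rewrite an HTTP page can simply drop the `integrity` attribute. And a pinned third-party script breaks whenever its vendor ships a new version, which is why analytics vendors rarely encourage pinning. SRI also postdates this attack: mainstream browser support arrived later in 2015.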

Not GitHub's first time being a target of government censorship

The entire GitHub site was blocked by the Chinese government in January 2013. Kai-Fu Lee, the former head of Google in China, decried the measure as "unjustifiable", saying it "will only derail the nation's programmers from the world, while bringing about a loss in competitiveness and insight." As the largest git repository host, GitHub is where much of the world's open-source code is published, and access to that code is vital to learning and understanding the intricacies of programming.

Similarly, the Indian government blocked GitHub and other developer-centric websites, including Pastebin, in December 2014 for hosting terrorism-related content. The decision was promptly reversed once the negative impact on the IT industry became clear.

Is this the new normal?

With this attack on GitHub apparently the work of the Chinese government, and following attacks by other government actors, will cloud providers face pressure to limit the use of their services for circumventing website blocks? Will attacks on cloud services create liability for other cloud-connected companies caught in the crossfire? Share your thoughts in the comments section.


About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.
