Wednesday, April 1, 2015

GitHub DDOS

Why did the attack start?

Who did it?

What caused it to stop?

  • Large Scale DDoS Attack on github.com
    We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com's history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.
  • GitHub battles “largest DDoS” in site’s history, targeted at anti-censorship tools
    The attack started on Thursday morning (March 26), and has continued unabated since then, evolving several times to circumvent GitHub's defenses.
  • Massive denial-of-service attack on GitHub tied to Chinese government
    the two GitHub pages are constantly loaded and reloaded by millions of computer users inside and outside of China, an endless loop that left unmitigated outages not just on the two targeted pages but throughout GitHub's entire network. Exhibit A in the case in which China is involved are the two specific GitHub pages targeted: one hosts anti-censorship service GreatFire.org while the other hosts a mirror site of The New York Times' Chinese edition. The targets suggest the attackers are sympathetic to the vast censorship apparatus known as the Great Firewall of China.
  • China's Man-on-the-Side Attack on GitHub

    In short, this is how this Man-on-the-Side attack is carried out:

    1. An innocent user is browsing the internet from outside China.
    2. One website the user visits loads a javascript from a server in China, for example the Baidu Analytics script that is often used by web admins to track visitor statistics (much like Google Analytics).
    3. The web browser's request for the Baidu javascript is detected by the Chinese passive infrastructure.
    4. A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious javascript that tells the user's browser to continuously reload two specific pages on GitHub.com.

  • Chinese authorities compromise millions in cyberattacks
    On March 17th 2015, our websites and partner websites came under a DDoS attack. We had never been subjected to an attack of this magnitude before. This attack was unusual in nature as we discovered that the Chinese authorities were steering millions of unsuspecting internet users worldwide to launch the attack. We believe this is a major cyber-security and economic threat for the people of China.
  • Hackers Attack GreatFire.org, a Workaround for Websites Censored in China
    GreatFire.org’s mirroring services provide unrestricted access within China to a range of websites, including itself and the Chinese language version of The New York Times, which has been regularly blocked in China. Some of the others are Deutsche Welle, BBC News, China Digital Times, Google.com, and Boxun, a Chinese-language news website. GreatFire.org says it does not mirror The Wall Street Journal. GreatFire.org works directly with some, but not all, of the websites it mirrors.

    GreatFire.org is partly funded by Open Technology Fund, a United States government-financed initiative under Radio Free Asia. Last year it provided $114,000 in funding, according to its website. Mr. Smith declined to comment on any financial backing.

  • Evidence links China to GitHub cyber-attack
    "The upshot is that people from around the world... had their traffic redirected to swamp GitHub," Prof Alan Woodward of the University of Surrey told the BBC after verifying the research.
  • The Attack on GitHub Must Stop
    According to Insight Labs, Internet traffic within China is being manipulated, such that users are essentially attacking GitHub.
  • Baidu’s traffic hijacked to DDoS GitHub.com
    What is happening here is pretty clear now: A certain device at the border of China’s inner network and the Internet has hijacked the HTTP connections going into China, replaced some javascript files from Baidu with malicious ones that would load

    ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"]

    every two seconds.

  • Did China Just Launch a Cyber Attack on GitHub?
    Github’s whole site uses HTTPS encryption, so when a Chinese netizen visits content hosted on the site, Chinese censors can only see that the user is visiting github.com, but not the full URL address within GitHub. So China can't selectively block just some content on GitHub without blocking the entire site.
  • Man-on-the-side attack
    Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows him to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response he sends to the request of a victim arrives before the legitimate response.
  • Using Baidu to steer millions of computers to launch denial of service attacks
    The attackers have implemented a sneaky mechanism that allows them to manipulate a part of the “legitimate traffic” from inside and outside China to launch and steer Denial of Service attacks against Cloudfront and the Greatfire.org's anti-censorship project.
  • China's Great Firewall Turned Around: Why China Wants To Censor Global Internet
    Because the overall internet is too important to block, and because some sites are necessary (like Github) there are always holes in the system. Add in a useful dose of encryption (yay!) and the ability to control everything that's read in one particular country becomes increasingly difficult. You might hope the response would be to give up attempts to censor, but China isn't likely to give up just like that. So, instead, it's basically trying to censor the global internet, by launching a high powered attack on the site that is the problem, while basically saying "get rid of these projects and we'll stop the attack."
