China's Great Cannon

Citizen Lab has issued a report on China's "Great Cannon" attack tool, used in the recent DDoS attack against GitHub.

We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the "Great Cannon." The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.

The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of "bystander" systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA's QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.

It's kind of hard for the US to complain about this kind of thing, since we do it too.

More stories. Hacker News thread.
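The mechanism the report describes, an in-path device that rewrites a small fraction of unencrypted responses, is easiest to catch by fetching the same resource many times and comparing what comes back: a compromised server or a malvertising campaign serves the same altered file on every request, while a probabilistic injector shows up as a large majority of identical bodies plus a few outliers. The Python below is an added example, not code from the Citizen Lab report or from this post; the function names, the sample script bodies and the injected payload text are constructed for illustration and are not the real injected code.

```python
"""Detect probabilistic in-path injection by comparing repeated fetches of an
unencrypted resource.  Added example for this post, not code from the Citizen
Lab report; names and sample data are constructed."""
import hashlib
from collections import Counter


def body_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def classify_responses(bodies):
    """Return (baseline_hash, injection_rate, divergent_indices).

    The most common body is taken as genuine.  Assumption: the injector hits a
    minority of requests, so the majority is untouched; a device that rewrote
    every response would look like a consistently different file and needs a
    reference copy fetched over a trusted path instead."""
    if not bodies:
        raise ValueError("need at least one response body")
    hashes = [body_hash(b) for b in bodies]
    baseline = Counter(hashes).most_common(1)[0][0]
    divergent = [i for i, h in enumerate(hashes) if h != baseline]
    return baseline, len(divergent) / len(bodies), divergent


def describe_divergence(baseline_body: bytes, suspect: bytes) -> dict:
    """Separate appended or prepended payloads (genuine content still present)
    from wholesale replacement, and extract the foreign bytes when possible."""
    if suspect.startswith(baseline_body):
        return {"kind": "appended", "extra": suspect[len(baseline_body):]}
    if suspect.endswith(baseline_body):
        return {"kind": "prepended", "extra": suspect[:len(suspect) - len(baseline_body)]}
    return {"kind": "replaced", "extra": None}


# Constructed sample: 100 "fetches" of the same analytics script.  Two carry
# extra code appended by an in-path device.  The payload text is made up for
# this example and is not the real injected script.
GENUINE = b"(function(){var h=document.location.hostname;/* analytics */})();\n"
PAYLOAD = b"/* hypothetical injected loader */\n"
SAMPLE_FETCHES = [GENUINE] * 100
SAMPLE_FETCHES[17] = GENUINE + PAYLOAD
SAMPLE_FETCHES[63] = GENUINE + PAYLOAD


def run_sample():
    """Classify the sample and describe each divergent response."""
    baseline, rate, divergent = classify_responses(SAMPLE_FETCHES)
    baseline_body = next(b for b in SAMPLE_FETCHES if body_hash(b) == baseline)
    findings = [(i, describe_divergence(baseline_body, SAMPLE_FETCHES[i]))
                for i in divergent]
    return rate, findings


if __name__ == "__main__":
    rate, findings = run_sample()
    print(f"divergent responses: {rate:.1%}")
    for index, finding in findings:
        print(index, finding["kind"], finding["extra"])
```

Against live traffic the same loop would fetch the script over plain HTTP from several vantage points and pass the bodies to classify_responses; a non-zero rate on a resource that should be static, with findings of kind "appended" or "replaced", is the signature of a network-level injector rather than of a server that was simply compromised.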

Posted on April 13, 2015 at 9:12 AM • 42 Comments

Comments

Nicholas Weaver • April 13, 2015 9:53 AM

As one of the lead authors of the report, I'm happy to answer any questions.

Hugh the Hue • April 13, 2015 10:10 AM

Hard to apportion blame or single out actors nowadays. "China" you say, could be a defence contractor demoing their latest DDoS tool for all I know.

So... @Nicholas Weaver


I read section 4 on your attribution to China.

"China attempted to block Github, but the block was lifted within two days, following significant negative reaction from local programmers"

so the attack was
"possibly an attempt to compel GitHub to remove *said undesirables"


Compelling seems a little bit of a strange policy when everyone just blocks until the site surrenders to the authority of the country where the service is hosted. Two questions.

1) I mean, surely China would just tell Github to IP-block Chinese IPs at those pages or it's going on the firewall?

2) It doesn't seem like a decent want or need to me, so have github stated any existing communication with China over the issue?

Nicholas Weaver • April 13, 2015 10:21 AM

Blocking GitHub didn't damage GitHub, it damaged the Chinese tech industry: locking China out of the major hub for pretty much anything involving open source development. So it wasn't GitHub capitulating, but China capitulating.

I presume China asked GitHub to remove the two pages and GitHub simply ignored them: the two pages really are only relevant to Chinese visitors as a way of evading the Firewall itself.

As for "decent want for China" it actually is: github.com/greatfire is a huge gaping hole in the Great Firewall's information control.


As for attributing China, it's damn solid: The malicious scripts are injected by an IN-PATH network man-in-the-middle in multiple locations, we've identified two locations colocated with the Great Firewall in the network, and it apparently shares some library code with the Great Firewall. Yet at the same time, it's a separate tool with separate implementation capabilities and purpose.

Hugh the Hue • April 13, 2015 10:24 AM

error, not literally where ***service is hosted***, meant: service is accessed. (like twitter blocked in Turkey until x is true for Turkish visitors to twitter)

Also a bit of a disclaimer. I still don't believe N. Korea did the Sony hack.

Ziran • April 13, 2015 10:55 AM

@Nicholas Weaver: Thank you for publishing your research. Would a Tor connection (e.g. navigating to a Chinese website using the Tor browser) provide protection against this form of MITM?

Hugh the Hue • April 13, 2015 11:06 AM

Haven't been around to read up on all the drama. Just read Erik Hjelmvik's blog.

"As for attributing China, it's damn solid:"

Seems hard to believe but it's likely so. It highlights the probable existence of bigger and badder attack tools. Damn, massive scale.

Nicholas Weaver • April 13, 2015 11:17 AM

Ziran: Nope. Tor is blocked at the Chinese border, and there are no exit nodes in China that I know of. In fact, non-HTTPS over Tor is actually a bad thing, as exit nodes may be malicious.

HTTPS does work, but China is about as anti-encryption as the NSA is. I guess they can agree on something.

Clive Robinson • April 13, 2015 11:17 AM

It would be a help to stop this if people did three things...

1, Only use HTTPS,
2, Turn off JS for all sites,
3, Don't use sites that use JS.

JS is more than stale, it's got beyond the point of a rotting festering sore, it's gangrenous to the point of killing the host.

Most "user experience" things that can be done with JS can be done other ways a lot more safely for the end user. As long as people frequent sites that use it, it will just prolong the agony until its final demise.

I know some people will talk about NoScript etc, but they are missing the point. It's known how to get around HTTPS with phoney certificates so that's far from a reliable fix, and I suspect there is not a site out there that cannot be hacked, likewise a router node.

Thus the solution to the malignancy that is JS is to refuse to use it in any way, which will have a knock-on effect to make lazy developers do things without JS...

Lisa • April 13, 2015 11:43 AM

@Clive: I use HTTPS whenever possible, with NoScript and Certificate Patrol plugins with Firefox.

But there are simply too many websites that break their navigation when 3rd party JavaScript is blocked, forcing me to often grant temporary access in NoScript to 3rd party tracking junk like Google Analytics, Facebook like buttons, etc.

It is likely too late now, but if Firefox and Microsoft teamed up to default block all 3rd party JavaScript on all new browser versions, such that the only JavaScript one can get is from the exact same web site domain as the web page, web developers will be forced to develop and test against this. Eventually, this will significantly improve overall security and speed up web page loading.

Sure google, Facebook, and others won't be happy to lose being able to inject arbitrary JavaScript into everyone's web pages, but they can adjust, since static images and hyperlinks of 3rd party content can still be used in a less dangerous way to keep their business model of tracking users and directing traffic.

Nick P • April 13, 2015 12:14 PM

@ Clive

"JS is more than stale it's got beyond the point of a rotting festering sore, it's gangrenous to the point of killing the host. Most "user experience" things that can be done with JS can be done other ways a lot more safely for the end user."

I disagree almost 100%. All attempts to replace bad protocols, languages, and so on have failed. The market and user base dictated compatibility plus convenience above all. The only player to shake up the web was Macromedia's Flash, which provided a richer experience. Over time, CSS and JavaScript were updated to cover a lot of that along with bandwidth efficiencies (eg Ajax). This tech spread to all browsers without need for a plugin. Today, add HTML5 to the list to replace Flash.

So, JavaScript lets site designers do more, it's more efficient than pure HTML/HTTP, it exists on all platforms, and preserves compatibility. Further, Google's efforts to replace each component were largely a failure. Whereas Mozilla strengthened JavaScript to more efficiently run native code and that tech is seeing plenty of adoption. Many language designers also started compiling their better languages to JS. The Unreal game engine even runs in it. So, demand for and innovation supporting JavaScript capabilities is at an all time high while every effort to ditch it has failed miserably.

JavaScript is the smart bet for players in the market. For now. My idea for getting rid of it is to target a plugin/replacement for the enterprise market. It will have better performance, reliability, security, and so on. That underlying platform will support a very useful app at a good price point that works across all platforms. Once there's enough adoption, browser vendors might be convinced (and/or paid) to include support for it by default. At that point, third parties can transparently use it in place of HTTP/HTML/JavaScript. Then, we can start seeing adoption.

The closest thing I see in the market is REBOL and IOS. Same kind of scheme but with different tech. And better apps that also look better. You know them users love their eye candy. ;)

65535 • April 13, 2015 1:36 PM

I don’t quite understand the mechanics of this attack.

I somewhat understand the mechanism but not well:

1] Js is the script used.

“GreatFire.org fingered malicious Javascript returned by Baidu servers as the source of the attack.” –Citizenlab

https://citizenlab.org/2015/04/chinas-great-cannon/

2] Browsers are the DDos mechanism

“…Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system,4 affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS..” –Citizen lab

3] Baidu and its Content Delivery Network [CDN] are the source of the scripts

“That's correct. I work at a company in the US, and visitors to our website were giving the "Malicious Script" alert because we had Baidu analytics installed. Defending against this is much more nuanced than just blocking all traffic from China” -HN

https://news.ycombinator.com/item?id=9356185

"I'm curious what prompted installing Baidu analytics in the first place." -HN

"So block the Baidu analytics CDN and call it a day?" -HN

"That would work, assuming there isn't a workaround. If they were really serious about the attack, though, it's easy to imagine ways around that, especially if you add the possibility of browser caching and exploits in the injected script." -HN

https://news.ycombinator.com/item?id=9356569

[and]

https://news.ycombinator.com/item?id=9353785

3] Block Baidu CDN [all CDN IPs or domains?]

4] Browser fix to eliminate DDOS from individual browsers visiting Baidu and its CDN?

Does this affect USA CDNs?

5] Block actual routers distributing malicious JavaScript?

Browser caching? Other CDNs used in the DDOS Attack? What am I missing?

Skeptical • April 13, 2015 1:59 PM

I'm not sure I see this as a significant deviation in PRC policy. They've long sought to impose costs on companies and entities that they perceive as enabling the violation of their laws. It's a new tactic, perhaps, but the strategy is similar.

Given among other things the short duration of use, this also may be better explained by bureaucratic politics within the PRC than by an analysis of the PRC taken as a unitary actor. Someone put effort into building this, someone had to market it to leadership, and someone might want to show off its use.

The PRC knows that it can only use a tool like this for short-term actions, as anything of longer duration will provoke countermeasures by the USG, other governments, and various companies.

Indeed, if Amazon writes off GreatFire's bill, the Great Cannon may suffer from a recoil problem: the entire episode will have reduced the deterrent effect such a tactic might have by showing it to be ineffective. Moreover, groups with interests in openly opposing the PRC's censorship policies might even seek to be targeted by the Great Cannon, knowing that they can do so with impunity and seeking to reap the benefits of additional public attention to their cause.

Without any special insight into the PRC bureaucracies and personalities that would have led to this decision, the obvious sequence of moves here, which works to the PRC's strategic detriment, suggests to me that this was a decision very driven by some internal politics.

As to whether the US can complain... well of course it can. The US would say that its use of any similar capabilities is justified, while this is not. The problem isn't so much in the very use of the capability as it is in the ends to which that capability is being used.

But that said, I don't think this is something that necessarily requires escalation or much response from the US other than verbal condemnation - and I'd expect Amazon will waive the fees.

In fact, on the matter of US response, were there some particular technical capability of the US that the PRC were seeking to gauge, launching a high-profile, low-cost attack like this to provoke the US use of such capability in order to study it, then I could see a strategic rationale for this action that would make sense from the perspective of the PRC taken as a unitary actor. Recon by provocation.

65535 • April 13, 2015 2:07 PM

To clarify:

6] The “Great Cannon” or Js injector is sitting behind the Firewall that Cisco helped to build and cannot be blocked.

7] The “Great Cannon” or Js injector infects Baidu’s CDN which then could affect US CDNs which are in the chain to the individual browser.

8] Nobody wants to block Baidu’s CDN or another country’s CDN? [Deep packet inspection and blocking?]

Mike Amling • April 13, 2015 2:53 PM

@Nick P, Clive R

When Java came out it had certain features and specifications (e.g. bytecode verification, security manager) that could make it safe for a client to run bytecode even from a malicious source, provided the JVM and libraries were sufficiently carefully coded. While there have been many failures of sufficient carefulness in the intervening decades, there was at least the possibility of a safe client implementation.

I'm far less familiar with JavaScript and its history. Was there or is there a specification that allegedly allows a client to safely run JavaScript from a malicious source? If not, can it be done for (a subset of?) JavaScript?

Chris S • April 13, 2015 3:06 PM

I find myself torn - JS is indeed a gaping hole, rife with malicious possibilities.

However - it's also the lowest common denominator in executable content, and arguably a better option than native code in some cases, because it should be easier to sandbox.

There are now zero knowledge storage sites. I might choose to use such a site and I might choose to even run their native client. But if I want to send you a link to a large file stored there, "zero knowledge" at the storage end means that you need local execution to decrypt what you receive. And since I may be in the position of not knowing anything about your local native environment, a link that contains the password as a local parameter (I send the link, the site does not send the link) but that calls upon downloadable JS to complete the decryption, is going to be more portable than almost any other option.

It's stuff like this that makes security truly hard. People just want stuff to work, but in the background are these massive risk/trust/capability tradeoffs making it hard to establish one good way for everyone.

Nick P • April 13, 2015 4:16 PM

@ Mike Amling

There's prototypes such as ADsafe for that. There's also been work on sandboxed interpreters and capability-secure Javascript. Lots of interesting research avenues.

BoppingAround • April 13, 2015 4:40 PM

Lisa,
> But there are simply too many websites that break their navigation when 3rd party
> JavaScript is blocked. Forcing me to often temporarily grant temporary access in
> noscript to 3rd party tracking junk like google analytics, Facebook like buttons, etc.
Perhaps you can provide examples? I have never had any problems with GA, FB and other 'social' crap blocked. Unless you meant ajax.googleapis.com and not analytics.

Kyle • April 13, 2015 8:40 PM

@Nicholas Weaver:

Could the same attack mechanism be used via any HTTP resource, not just JavaScript?

If this clearly was a demonstration, who should take note, and what are next steps for them?

Nicholas Weaver • April 13, 2015 9:00 PM

kyle:

A: Yes, although it has to support SOME level of active content. Thus replacing an HTML page works, but an image doesn't.

B: We all should. Unless traffic is encrypted, it is now considered in-scope for attack. And it's not just China, but it's more "China has officially joined the club" of those willing to directly inject malicious content into target traffic.

Don • April 13, 2015 9:41 PM

DDoS attack against GitHub?

Isn't that kind of juvenile considering more damaging and sophisticated attacks by other nation states on their cyber enemies?

And, apparently the enemy is just about everyone with an electronic device anymore, even their own citizens and nominal allies.

The Cyber Arms War is definitely on, just as in the old days of bigger cannons, bigger warships, bigger guns, bigger bombs.

Which is better the Chinese tactic of openly interfering with communication and arresting alleged enemies of the state publicly, or the Five Eyes way of collecting everyone's data secretly just in case? Then if they find a need to surgically haul off certain actors to the gulag they do it based on the secret evidence, sanitized via parallel construction.

It's really unfortunate so few people even care about this stuff. I think the day will come when most everyone does care, but of course then it will be too late.

Buck • April 13, 2015 9:53 PM

@Nicholas Weaver

I've got a couple of random questions for you...

Firstly, what capabilities or causes deserve such branding as a 'big scary thing' when the amateur hour has already been wreaking plenty of havoc for far too long..?

Furthermore, how is the attribution made firmly, without a doubt -- are we really meant to believe that the 'great' wall of China is truly impenetrable to all outside parties!?

Clive Robinson • April 14, 2015 2:25 AM

@ Kyle,

The method allows any part of the page you wish to download to be augmented or replaced.

Thus any add-ins which have their own "bugs" that can be used as vulnerabilities can be used. This problem has existed since day one with the way HTML works.

Whilst running via HTTPS limits this potential it is not reliable as a protection mechanism. We know that false certificates signed by trusted --by your browser-- CAs can allow man in the middle attacks.

Thus the unencrypted HTML and the other content it brings with it needs to be armoured in some way. Traditionally this is with a Message Authentication Code (MAC) that is then itself protected in some way that can be trusted.

It's this last step of protecting the MAC we do not currently have a foolproof method for, due to the way we want to use browsers (it's the same problem as PubKey Certificates).

The problem is that there needs to be some method of exchanging a verification token from one end of the communication path to the other. In military and other secure communications this is done by a secure and trusted side channel such as a KeyMat Courier.

This secure and trusted side channel just does not exist for the web browsing model, nor with the likes of National Security Letters or their equivalent is it ever likely to happen.

However there is another issue to consider, and that is of routing protocols. To work, this "Great Cannon" attack like many others needs to get to some "upstream node" of your browser to place itself into your communications path with the site you are communicating with. Thus many would incorrectly consider themselves safe if they just used "in country" web sites. We know that Cisco routers have been hacked, we know that routers from other sources have been hacked, and if the Ed Snowden and other revelations are to be believed most state level attackers have methods to hack routers.

But even if no state could hack the code inside a router they could still put themselves in the communications path. As has been seen occasionally chunks of the Internet have mysteriously got re-routed through out of the way places. The usual cause of this has been an incorrect message going out advertising a route, the routers then automatically reconfigure themselves to use this route, and shortly thereafter you might discover US user to US site communications going through China... This has happened and continues to happen because the routers implicitly trust other routers. Like all technology of this sort it's agnostic to use, thus it can be used for good or bad depending on your view point. For instance it's been used in the past to reduce the effect of DDoS attacks thus keeping web sites open, and we now assume that some routing "oddities" might be a deliberate effort to reroute traffic through surveillance nodes. One simple way to do this is to make the surveillance node "attractive" by putting in high capacity trunks and making the use of the node not just preferable but cheaper than other routes (it's what some people believe of certain main European routing nodes).
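Subresource Integrity (SRI) is the browser mechanism closest to the armoured content Clive describes: the page embeds a hash of each script it loads in the tag's integrity attribute, and the browser refuses a body that does not match. The Python below is an added example, not code from this page or from any browser; it builds and checks SRI tokens in the real `algorithm-base64digest` format, and the sample script bodies and the "injected" text are constructed for illustration.

```python
"""Build and verify Subresource Integrity (SRI) tokens for a script body.
Added example for this thread, not code from the page or from any browser;
the sample bodies are constructed."""
import base64
import hashlib

# Algorithms SRI permits, with their relative strength; a browser checks only
# the tokens that use the strongest algorithm present in the attribute.
SRI_ALGORITHMS = {
    "sha256": (1, hashlib.sha256),
    "sha384": (2, hashlib.sha384),
    "sha512": (3, hashlib.sha512),
}


def sri_digest(body: bytes, algorithm: str = "sha384") -> str:
    """Return the token the page author puts in <script integrity="...">."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm {algorithm!r}")
    raw = SRI_ALGORITHMS[algorithm][1](body).digest()
    return f"{algorithm}-{base64.b64encode(raw).decode('ascii')}"


def sri_verify(body: bytes, integrity: str) -> bool:
    """Accept body if it matches a token of the strongest listed algorithm.

    Unknown algorithms are ignored, as the spec requires.  An attribute with
    no usable token fails closed here; a browser instead loads the resource
    unchecked, so an attacker who can edit the attribute can also disable it.
    The HTML must therefore itself travel over a path the injector cannot
    rewrite."""
    parsed = []
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            expected = rest.split("?", 1)[0]      # drop optional '?options'
            parsed.append((SRI_ALGORITHMS[algorithm][0], algorithm, expected))
    if not parsed:
        return False
    strongest = max(strength for strength, _, _ in parsed)
    return any(
        sri_digest(body, algorithm) == f"{algorithm}-{expected}"
        for strength, algorithm, expected in parsed
        if strength == strongest
    )


def script_tag(src: str, body: bytes) -> str:
    """The tag a site operator would emit for a third-party script it has vetted."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            'crossorigin="anonymous"></script>')


# Constructed sample: a vetted script body and the same body with code
# appended in transit.  The appended text is made up for this example.
GENUINE = b"(function(){/* analytics */})();\n"
TAMPERED = GENUINE + b"/* hypothetical injected code */\n"
INTEGRITY = sri_digest(GENUINE)

if __name__ == "__main__":
    print(script_tag("http://example.invalid/analytics.js", GENUINE))
    print("genuine accepted:", sri_verify(GENUINE, INTEGRITY))
    print("tampered accepted:", sri_verify(TAMPERED, INTEGRITY))
```

The check only helps if the HTML carrying the integrity attribute cannot itself be rewritten, which in practice means the page has to arrive over HTTPS; that is exactly the "protecting the MAC" gap in Clive's comment, since an injector that can edit the tag can simply drop the attribute. Serving the page with a Content-Security-Policy header of `script-src 'self'` closes the same hole from the other direction by refusing third-party script outright, which is the browser-side version of what Lisa does with NoScript.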

Grauhut • April 14, 2015 2:25 AM

@65535: "I don’t quite understand the mechanics of this attack."

Someone injects a .js invisible iframe loader or something similar.

This is one of the oldest web x.x DDoS and malware infection tech stuff I know of. This is widespread in areas like malware distribution, click fraud and DDoSing.

Often badly administered ad servers are hacked and used as .js frame cannons since ads are inserted with .js on websites.

If one looks for a state agency, it could be done by any agency with access to data streams. This would also be true for the NSA.

Attribution is not that easy in this case.

How did they rule out the usual ad server hacks and possible other attackers with network level access to data directed to and from baidu?

65535 • April 14, 2015 4:09 AM

@ Grauhut

“Someone injects a .js invisible iframe loader or something similar. This is one of the oldest web x.x DDoS and malware infection tech stuff I know of. This is widespread in areas like malware distribution, click fraud and DDoSing… If one looks for a state agency, it could be done by any agency with access to data streams. This would also be true for the NSA.”

“Attribution is not that easy in this case. How did they rule out the usual ad server hacks and possible other attackers with network level access to data directed to and from Baidu?”

Thanks!

Things are getting clear.

Yes, exactly how did they rule out ad server hacks to and from Baidu [I assume this includes the 5-eyes CDNs]?

“As has been seen occasionally chunks of the Internet have mysteriously got re-routed through out of the way places. The usual cause of this has been an incorrect message going out advertising a route, the routers then automatically reconfigure themselves to use this route, and shortly thereafter you might discover US user to US site communications going through China... This has happened and continues to happen because the routers implicitly trust other routers… For instance it's been used in the past to reduce the effect of DDoS attacks thus keeping web sites open, and we now assume that some routing "oddities" might be a deliberate effort to reroute traffic through surveillance nodes. One simple way to do this is to make the surveillance node "attractive" by putting in high capacity trunks and making the use of the node not just preferable but cheaper than other routes (it's what some people believe of certain main European routing nodes).” –Clive

That makes it clearer. Subsidizing or dropping the link cost regardless of the physical path is a trick I have heard about.

I assume this is done with the massive buying power of state actors, routing and DNS players and CDNs… Am I close?

Nicholas Weaver • April 14, 2015 7:26 AM

Buck:

Why are we concerned? Because it is trivial to change the operation from "recruit DOS participants" to "exploit computers by IP address". E.g. "this computer belongs to the US state department, exploit it".

As for attribution, please see the report. It's colocated with the firewall, it shares code and objectives, but the implementation is different: man-in-the-middle vs man-on-the-side.

Grauhut: See the report: We were able to isolate the links responsible for injecting the malicious content. We initially thought it might have been classic malvertising; it was only when we developed specific tests to trick the network device into injecting the content that we realized it was this separate malicious device in the network.

Grauhut • April 14, 2015 1:12 PM

@65535: "I assume this is done with the massive buying power of state actors, routing and DNS players and CDNs… Am I close?"

Nope, it is enough to have a decent ad server system hacked or abused. (An ad server network to serve Baidu needs to be decent:) It happened more than once that evil hax0rs became ad service customers and added malware to multimedia ads.

Every service strong enough to serve ads on Baidu would be strong enough to act as this proposed "great chinese cannon".

Since only Baidu users outside the GFoC were abused it could also have been any agency hanging on these lines. Smells a little like FOXACID.

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html

The GFoC guys are btw. incredibly fast, competent and efficient. Some years ago I contacted them by email in order to stop a port 53 UDP DNS flood from a hacked box at a Chinese university to one of the systems I administered. After 20 mins the UDP flood ended and after 30 mins I received a ticket close with the friendly question if anything would be all right now.

Boo • April 14, 2015 4:03 PM

"The key question I would raise with you is: how do we prepare for the fact that the scientific revolution in molecular biology and its derivative bio-technologies will be further and fearsomely applied to the conduct of war, and maybe especially to new “non-military forms of warfare” in shocking and mentally dislocating combinations, and which may be very productive of strategic paralysis and deep spiritual despair? What effects will a eugenics culture of genetic engineering have on the young? Moreover, in a potentially hostile strategic culture of science and technology, such as in China, we will find that the Chinese are already very advanced in the bio-sciences and in bio-technologies, and less restrained in their experimentations. How might the deft and deceptive Chinese apply bio-technology against us in the form of grand-strategic or strategic indirect warfare? Or, if we embarrassed them over Taiwan, how might the PLA use what some now call “no-limit” or “unrestricted warfare” for a finite and well-focused end, but with unscrupulous means?"
http://isme.tamu.edu/JSCOPE00/Hickson00.html

The Great Firewall strategy collapsed (don't tell anyone) and now they have a Great Waterfall strategy. We have Niagara Falls and cheap hydro power. They have fake Viagra.

Buck • April 14, 2015 5:00 PM

@Nicholas Weaver

Thank you for your reply! OK, I can see how it could be a big deal, but I'm still not 100% sure about attribution. Reusing bits of attack code created by others is a well known M.O. employed by a variety of different groups...

Nicholas Weaver • April 14, 2015 5:38 PM

Buck: Who else could insert a man-in-the-middle into multiple locations on the Chinese internet. This isn't compromised servers, but a MitM device, and we have the pcaps that show this.

Buck • April 14, 2015 8:30 PM

@Nicholas Weaver

That's a very difficult question for me to answer without more details about the GFW infrastructure's physical & supply-chain protection measures and the people who have intimate knowledge of the software... I don't know, but I won't discount the possibility!

Grauhut • April 15, 2015 2:10 AM

@ Nicholas Weaver: "Who else could insert a man-in-the-middle into multiple locations on the Chinese internet."

Where is the evidence that shows us that it was a MitM and that the MitM could only have happened on the Chinese side of international cables? Only international Baidu users were abused for this scheme.

How exactly do we know it wasn't a FOXACID PR attack?

65535 • April 15, 2015 12:24 PM

@ Grauhut

“Since only Baidu users outside the GFoC were abused it could also have been any agency hanging on these lines. Smells a little like FOXACID… it is enough to have a decent ad server system hacked or abused. (An ad server network to serve Baidu needs to be decent:) It happened more than once that evil hax0rs became ad service customers and added malware to multimedia ads.”

Wow, so any box serving http could be a DDoS victim in the chain of the target of infection [http is now wide open for abuse and its useful life is running short – just consider the number of not-https sites in use]. That is worse than I thought!

…”it is trivial to change the operation from "recruit DOS participants" to "exploit computers by IP address". E.g. "this computer belongs to the US state department, exploit it".”-Nicholas Weaver

[and]

“Unless traffic is encrypted, it is now considered in-scope for attack. And its not just China, but its more "China has officially joined the club" of those willing to directly inject malicious content into target traffic.”- Nicholas Weaver

“The GFoC guys are btw. incredible fast, competent and efficient. Some years ago i contacted them by email in order to stop a port 53 udp dns flood from a hacked box at a chinese university to one of the systems i administred. After 20mins the udp flood ended…” –Grauhut

That is fast. No court orders necessary in China… and none for their offensive military actions.

Clive noted: “The usual cause of this has been an incorrect message going out advertising a route, the routers then automaticaly reconfigure themselves to use this route, and shortly there after you might discover US user to US site communications going through China...” – Clive

I am assuming that the advertised route is a lower cost which may or may not be subsidized by an unknown major actor. This would allow placing the “China” link in the communication path of the target. This may improve the accuracy of the .js injector whether by the Chinese version of Foxacid/Quantum injectors or the US version of Foxacid/Quantum injectors – but who knows.

In short, China has joined the internet “nuclear weapons club” for better or for worse [If I am correctly getting the point of the overall danger the Citizen lab is highlighting].

[Please excuse all of the grammar and other errors]

Grauhut • April 15, 2015 3:08 PM

@65535: "Wow, so any box serving http could be a DDoS victim in the chain of the target of infection [http is now wide open for abuse and its useful life is running short – just consider the number of not-https sites in use]. That is worse than I thought!"

It has never been different in web biz. People like me have fought such incidents for decades now! I had my 20 years full time internet ant jubilee last year. :)

My personal best guess about the so called "chinese cannon" is:

This was a malware distribution attempt that went wrong. Maybe a Chinese group that attacked only Baidu readers outside China in order to avoid being caught by the Chinese police if the GFoC team recognizes them.

Malware has often been illegally hosted on Github.

"EK exploit kit surfaced; the malware was distributed via sites hosted on the project hosting services SourceForge and GitHub that claimed to offer "fake nude pics" of celebrities."
http://en.wikipedia.org/wiki/Ransomware#Non-encrypting_ransomware

This means Github must have strengthened security.


What may happen to a possible inline malware scanner at Github if too much malware is loaded from their site at a time? Log or quarantine to death! :)

This could easily have been a case of self-DoS by incompetently installed security systems.

Boo • April 15, 2015 3:21 PM

The Gettysburg Gyrocopter is the threat of the day.

"He's not a suicide bomber, he's a patriot," said Shanahan, 65, of Apollo Beach

Richard Burns, 27, who said he works for a marijuana lobby group in Washington, stood in wonder and solidarity.

"I don't know whatever it was he was doing but I support him."
http://www.tampabay.com/news/politics/elections/ruskin-mailman-tries-flying-to-capitol-in-gyrocopter-to-deliver-campaign/2225584

It's good knowing the new marijuana lobby is in solidarity. Go back to your regularly scheduled NSA paranoia. The eagle has landed.

65535 • April 15, 2015 11:20 PM

@Grauhut

“My personal best guess about the so-called "Chinese cannon" is: This was a malware distribution attempt that went wrong. Maybe a Chinese group that attacked only Baidu readers outside China in order to avoid being caught by the Chinese police… [Or] This could easily have been a case of self-DoS by incompetently installed security systems.”

Interesting comments. You could be right.

“It has never been different in web biz. People like me have been fighting such incidents for decades now! I had my 20-year full-time internet ant jubilee last year. :)”

I hear you.

I have a client with a well-known email server and firewall, and at 15,000 attempts to break in I stopped counting.

We upped the pass-phrase length and changed the name of the Admin account. I suspect new attacks are filling the security logs, which, once full, are deleted to make room for new security logs – I have no idea of the actual number of individual attempts to gain access – but it is very high.

Congrats on your 20-year jubilee. May your next 20 years be just as fun ;)

Grauhut • April 16, 2015 1:40 AM

@65535: "I have a client with a well-known email server and firewall, and at 15,000 attempts to break in I stopped counting. We upped the pass-phrase length and changed the name of the Admin account"

On *nix systems fail2ban and portknocking are your best friends in such cases. ;)

Tor user • April 20, 2015 7:56 AM

Grauhut, are you a sock puppet of the CPR?

It's amazing how people just keep on blabbing and ignoring the Citizen Lab report and its authors' reactions.

They did Time To Live (TTL) probes to measure exactly when/where the MitM malicious JavaScript code was injected IN THE PATH to Baidu. Increasing the TTL each round to identify the hop where the stuff got injected; they have included full packet logs for you to review.

They have discovered multiple Chinese ISPs' routes into China co-located with the Great Firewall IP location, where the Great Cannon is deployed even inside the infrastructure of one Chinese ISP.

Reading the Citizen Lab report has made it very clear to me that the Chinese government is behind the attacks on GitHub and GreatFire.

After Snowden's revelations it seems that the gloves are coming off.

Network World War III has started on the Internet, as all governments now believe they can just hack and hose each other's networks, despite these being criminal acts according to local law.

No computer that downloads unencrypted, unverified content can be trusted anymore, that includes this PC I'm using, as I want to play games, so I'm pwnd by default.

Turn off your computer now, it's no longer safe to use the Internet.

grumpy • April 20, 2015 9:43 AM

@Tor user

"Grauhut, are you a sock puppet of the CPR?"

I hear you, man. While I don't think the sockpuppetry accusation is warranted, I too can say that the level of discourse on this site has dropped significantly lately and that many regular commenters frequently tend to go on their favorite tangent without even reading the article.

Tor user • April 20, 2015 10:04 AM

It triggered a sock puppet alert in my head when I saw him not reacting multiple times to Nicholas Weaver's answers in the topic here, and just keeping on going with misinformation.
Not reading the Citizen Lab piece is one thing; not reacting to what is said here is curious. Of course SP can be hard to attribute, then again maybe people were in a hurry to answer.

It's not only Citizen Lab that has done traceroutes to verify the GC (Great Cannon) location; other articles and sources have done the same.

http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub

It's interesting how the Chinese forgot to make the GC react only if a proper minimum-length TTL was in the requesting GET packet for the script.
I guess the way they implemented it, by only fetching the first packet for inspection to decide if the connection should be rerouted for attack, and the IP flow cache structure etc., made it hard for them to block the TTL probes.
The next attack from the GC might be smarter and only react if the packet can reach Baidu or a new victim's server.

But since we now know that they have this tech parked on the border, we can assume that the next massive DDoS where similar script injection is involved is from the GC, even if TTLs are better masked in traceroutes.

Brace for impact.
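As an added illustration of the TTL probing the two comments above describe (this is not code from the thread or from the Citizen Lab report): send the same GET with an increasing IP TTL and record the first hop at which the fetched script no longer matches its known-good hash. The 8-hop path, the script bodies and the repeat count are constructed for an offline run; `probe_ttl_real`, its `host`/`path` parameters and the handshake-then-lower-TTL ordering are assumptions about how such a probe would be deployed.

```python
import hashlib
import socket

# Constructed known-good script and a constructed injected body.
GENUINE = b"/* genuine analytics script */"
INJECTED = b"/* injected payload */"
EXPECTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

def classify(body):
    """'clean' if the body matches the known-good hash, else 'injected'."""
    return "clean" if hashlib.sha256(body).hexdigest() == EXPECTED_SHA256 else "injected"

# Constructed 8-hop path: what comes back for a GET sent with each TTL.
# None = the GET expired before reaching anything that answers HTTP.
# The injector sits at hop 5, the origin server at hop 8. Injection is
# probabilistic, so each TTL is probed several times (one list entry per attempt).
SIMULATED_PATH = {5: [INJECTED, None, INJECTED], 6: [None, INJECTED, INJECTED],
                  7: [INJECTED, INJECTED, INJECTED], 8: [GENUINE, GENUINE, INJECTED]}

def simulated_probe(ttl, attempt):
    return SIMULATED_PATH.get(ttl, [None] * 3)[attempt]

def locate_injector(probe, max_ttl=30, repeats=3):
    """Return the smallest TTL at which an injected reply was ever seen,
    or None if the script arrived clean (or not at all) at every hop."""
    for ttl in range(1, max_ttl + 1):
        for attempt in range(repeats):
            body = probe(ttl, attempt)
            if body is not None and classify(body) == "injected":
                return ttl
    return None

def probe_ttl_real(host, path, ttl, attempt=0, timeout=3.0):
    """Assumed real probe: complete the handshake at the default TTL, then
    lower the TTL only for the GET so the request can expire short of the
    origin server. Returns the response body, or None on timeout/error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, 80))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(req.encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
        return data.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in data else None
    except OSError:  # socket.timeout is a subclass of OSError
        return None
    finally:
        s.close()
```

Against a live target the loop is driven with `functools.partial(probe_ttl_real, host, path)` in place of `simulated_probe`; against the constructed path it reports hop 5.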
