Written by Alberto Scicali
On March 26th GitHub was encountering a massive DDoS attack on its servers, which caused dispersed moments of down time. The DDoS has been traced back to the China, specifically the Chinese Government. The government employed an interesting method, which involved utilizing their Great Firewall of China (GFW) to their advantage. The GFW is typically used to block various sources of international content from Chinese citizens, as well as preventing internationals from accessing certain servers located in China; however, China used it to employ a man-on-the-side attack. A typical scenario played out like this:
- A user is browsing the internet from outside/inside China.
- A fake response is sent from within China, rather than the Baidu script. The fake response contains a malicious script which forces the user’s browser to continuously reload two web pages, github.com/greatfire and github.com/cn-nytimes
One site links to a tool for Chinese citizens to gain access to international content, such as Google. While the other is a link to a New York Times related GitHub page.
In 2013, the Chinese government blocked access to GitHub for all citizens; do to GitHubs use of HTTPS for encryption, the GFW cannot block connections to specific URLs because it doesn’t know what is being accessed. Many programmers and engineers retaliated, stating that GitHub was heavily used by Chinese software engineers in their work (China makes up the 4th largest user base of GitHub) and allowed Chinese programmers to remain competitive among their international peers. China then unblocked GitHub, but then employed this new strategy in hopes of forcibly pulling down sites which are a detriment to their censorship efforts.