Slashdot Mirror


Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government

An anonymous reader writes: During the past two days, popular code hosting site GitHub has been under a DDoS attack, which has led to intermittent service interruptions. As blogger Anthr@X reports from traceroute lists, the attack originated from MITM-modified JavaScript files for the Chinese company Baidu's user tracking code, changing the unencrypted content as it passed through the Great Firewall of China to request the URLs github.com/greatfire/ and github.com/cn-nytimes/. The Chinese government's dislike of widespread VPN usage may have caused it to arrange the attack, where only people accessing Baidu's services from outside the firewall would contribute to the DDoS. This wouldn't have been the first time China arranged this kind of "protest."

  1. Ancient Chinese wisdom by benjfowler · · Score: 5, Insightful

    For the purported great and ancient wisdom of 5000-year-old Chinese civilization, they have pretty lousy leaders.

    The West has leaders with minds like children too, but at least we can laugh at them, and eventually get rid of them. Must suck to be Chinese with these idiots in charge...

    1. Re:Ancient Chinese wisdom by dave420 · · Score: 4, Funny

      Can't you figure out how to use chopsticks? Poor baby.

    2. Re:Ancient Chinese wisdom by gstoddart · · Score: 2

      Gunpowder. Navigation. Paper. Writing. Printing. Silk. The compass. Noodles.

      In fact, a staggering list.

      And you being incompetent enough to not be able to eat with them means that China didn't achieve much?

      Get a life.

      What the hell have you invented?

      --
      Lost at C:>. Found at C.

    3. Re:Ancient Chinese wisdom by Anonymous Coward · · Score: 2

      They achieved a lot, then stagnated. Same for the Middle East.

    4. Re:Ancient Chinese wisdom by blueg3 · · Score: 2

      Writing.

      I had no idea Mesopotamia was part of China.

    5. Re:Ancient Chinese wisdom by benjfowler · · Score: 2

      I think we all have a lot to learn from each other. Elements of Confucianism have a lot going for them, e.g. filial piety and respect for elders.

      But like all cultures, there will be assclowns who will selectively appropriate ideas for their own ends, e.g. the CCP notion of 'state as family', which inevitably leads to 'father knows best, you'll do what you're told' -- and naturally, conveniently ignore the fact filial piety also involves a duty to tell it like it is when your "betters" are screwing up.

      One element of Western culture I do think the world can learn from, is the deep understanding that power can be, and usually gets abused -- learnt from centuries of war, conflict and change in the West. Democracy doesn't so much come from the notion that "letting the people decide" (which, if you understand just how fucking stupid and easily influenced the average person actually is, is a REALLY bad idea), but rather, "if there are going to be revolutions, make them smooth and orderly". Thus, we have the Western model of representative democracy, which at its essence, is about smoothly getting rid of bad leaders. This is a piece of "ancient Western wisdom" that the Chinese will eventually learn the hard way.

  2. can't we all just get along... to block China? by swschrad · · Score: 3, Insightful

    knock them off the web for 12 hours, open it up... if they continue, block 'em again...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?

  3. Re: Centralized on GitHub! LOL! by Anonymous Coward · · Score: 2

    You can't compensate your evident lack of technical understanding with being condescending. Those are two different contexts for the word 'decentralized' that you are mixing up.

  4. Too bad the US is so legalistic by MikeRT · · Score: 3, Interesting

    If our country weren't run by lawyers, we'd do what Russia and China do which is allow victims like GitHub to retaliate. Would be hilarious if GitHub contracted a few black hats to penetrate China's academic/military networks and give them a taste of the Wikileaks treatment.

  5. Github is scary for critical code by Anonymous Coward · · Score: 2, Interesting

    I have a coworker who advocates GitHub as the solution to all of our needs. He wants us to store all of our production code there. I asked him if he had a plan for backing up the GitHub repo, and his answer was along the lines of, 'someone will have the latest version on their PC, so we don't need a backup.' I asked him how we would work in times of limited GitHub availability. What if it goes down? What if it gets hit with DDOS? 'Oh, they're a big company, that won't happen.'

    I have no fundamental problem with GitHub. But if a software shop uses it as their sole repo for mission-critical code, I think they're crazy.

    1. Re:Github is scary for critical code by wisnoskij · · Score: 4, Insightful

      Well considering that apparently f***en CHINA is DDOSing them and they are only experiencing intermittent downtime that is pretty impressive to me. More of a reason to switch than a warning against it.

      Still, no backups, no alternative plan, your coworker is an idiot.

      --
      Troll is not a replacement for I disagree.

    2. Re:Github is scary for critical code by dave420 · · Score: 5, Insightful

      You put your local github repo on some server, and then have it push its updates to Github. Should anything happen to that server, you can use Github to get a copy. The chances of Github and your local server losing your data are clearly much lower than either on its own, hence it making sense. Or just hate on Github because you are scared and don't understand stuff. Whatever's easier.

    3. Re:Github is scary for critical code by Fwipp · · Score: 2

      If you're that paranoid about an outage for an hour or two; mirror it on bitbucket, gitorious, gitlab, amazon S3, a local server, etc, etc, etc.

      It's trivial to do these sorts of mirrors, precisely because git's a DVCS.

    4. Re:Github is scary for critical code by abies · · Score: 2

      Technically, it is not China itself which is DDOSing them, but all the people from _outside_ of China who are accessing Baidu servers in China. Basically some part of the Chinese diaspora is DDOSing github. Which is a considerably smaller number of people than 'China'.
      Plus, it is happening just on browser refresh, not as a dedicated trojan running a heavy DOS attack from each PC.

    5. Re:Github is scary for critical code by fhage · · Score: 3, Insightful

      This is a good example of people having a fundamental lack of knowledge about Git and GitHub.

      You heard; "We don't need a backup because GitHub is so awesome". That does sound scary.

      However, the whole point of Git is everyone who cares about the project has the complete repository, usually with multiple backups, and works "off-line" as normal practice.

      Github is just an awesome and easy place to share a copy of the repository. It's trivial to set up another shared repository or just share directly with those involved in the development.

    6. Re:Github is scary for critical code by friedmud · · Score: 2

      If GitHub is down just:

      git remote add bitbucket git@bitbucket.org:company/project.git
      git push bitbucket

      And then keep rolling.

      Replace Bitbucket with any number of alternatives.

      It simply doesn't matter if GitHub goes down. It has a convenient interface, for sure, but you can continue to work without it easily.

  6. I love the alert they changed the page to by Anonymous Coward · · Score: 2, Funny

    To fight back they have changed those projects to be

    alert("WARNING: malicious javascript detected on this domain")

    So the user sees a message =)

    1. Re:I love the alert they changed the page to by blueg3 · · Score: 3, Insightful

      Not only do they see that message, but the alert pauses the loop that keeps loading the pages.

  7. Re:Socialism by blueg3 · · Score: 3, Funny

    Well, the acronym for Socialist In Name Only is "sino".

  8. Re:Socialism by halivar · · Score: 2

    See, that's a serious image problem right there. Since absolutely no self-described socialist or communist government in the world is considered "true" socialism or communism by those philosophies' respective defenders (who then go on to praise "socialist" European nations that are, in fact, simply capitalism plus robust welfare), it leads the rest of us to believe that those philosophies are simply impossible to implement in reality.

  9. Re: Centralized on GitHub! LOL! by Grishnakh · · Score: 5, Insightful

    You really don't understand what decentralized version control is, do you?

    The whole point isn't to avoid any centralization at all, it's that you're not utterly reliant on it. It's somewhat similar to the argument between a big server and thin clients (where nearly all computation is on the server) and "thick clients" (PCs) and less-capable servers (for sharing files, etc.). With a big server, if that server goes down or the connection to it goes down, you're screwed, and can't do anything. With today's more common thick-client paradigm, if your office file server goes down, you can't easily share files with your coworkers and other things are inaccessible, but you can still get some work done using whatever local copies you have.

    This is what DVCS is all about. With Git, you have a full copy of the repo just by virtue of having "checked out" a copy. You can still get some work done without access to the central server, whether it's down or your WiFi connection is down or your VPN is down. You can't do everything obviously, nor will you ever be able to, but that's not the point. And, in a worst-case scenario, if the central server just disappears one day without accessible backups, everyone with a copy checked out has the full repository, so it's possible to rebuild easily.

  10. Fix is pretty obvious. by tlambert · · Score: 2

    Fix is pretty obvious.

    There are two URLs being hit.

    Step 1: Put a reverse proxy cache which serves static pages directly out of RAM from a kernel module in front of GitHub. If there's nothing like this for Linux, there is for FreeBSD, and it's pretty trivial to set up.

    Step 2: At the first URL, serve pro Free Tibet information. At the second URL, serve pro Falun Gong information.

    Step 3: Wait for someone in China in charge of the attack to call it off in fear for their life from the government for serving this illegal in China content to everyone in China going to one of the affected web sites that has the javascript injected.

    Step 4: (optional) Laugh your ass off as they are sent to a reeducation camp.

  11. Re: Centralized on GitHub! LOL! by Wootery · · Score: 3, Informative

    With Git, you have a full copy of the repo just by virtue of having "checked out" a copy.

    Quick nitpick: that would be a clone, not a checkout.

    For the non-git-users among us:

    git clone: copy that repository to my local file-system. (All branches are copied across. This is normally over ssh or https.)

    git checkout: give me the specified branch. (Doesn't require use of the network.)

    git fetch: update the local store of the repository to reflect the current state of the repository on the server.

  12. Re: Centralized on GitHub! LOL! by Atzanteol · · Score: 2

    # git remote add newupstream git://new.server/my-project
    # git push newupstream master

    Aaaaand, done.

    You're not going to do that with Subversion anytime soon. Sorry - I like SVN. But to claim that having a central repository is anything like *requiring* a central repository is just missing the point.

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin

  13. Baidu’s traffic hijacked to DDoS GitHub.com by DougPaulson · · Score: 2

    So basically Baidu's search results are being hijacked to run a JS script in the client computers. Unlike a normal DDOS the client computer hasn't yet been compromised.

    Baidu’s traffic hijacked to DDoS GitHub.com
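
The summary attributes the attack to tracking JavaScript that was modified in transit because it was served unencrypted. As an added example (not part of the original story or comments), the following audit lists the script includes on a page that are exposed to that kind of modification: anything fetched over plain HTTP, and cross-origin scripts without a Subresource Integrity hash. The sample HTML, the host names and the regex-based tag parsing are assumptions made for illustration.

```javascript
// Added example: flag <script src> includes that an on-path party could alter.
// SAMPLE_HTML and every host name in it are constructed for this illustration.
const SAMPLE_HTML = `
<html><head>
<script src="http://tracker.example/h.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="https://cdn.example/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.example/t.js"></script>
<script src="/local.js"></script>
<script>var inline = 1;</script>
</head></html>`;

// Returns [{ src, issues }] where issues may contain:
//   "plaintext": the script is fetched over http:, so it can be rewritten in transit
//   "no-sri":    cross-origin script with no integrity attribute to pin its content
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  // Simplified tag matcher; a production audit should use a real HTML parser.
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    if (!attrs.src) continue; // inline script: nothing is fetched separately
    // Resolve relative and protocol-relative URLs the way a browser would.
    const url = new URL(attrs.src, page);
    const issues = [];
    if (url.protocol === "http:") issues.push("plaintext");
    if (url.origin !== page.origin && !attrs.integrity) issues.push("no-sri");
    if (issues.length) findings.push({ src: url.href, issues });
  }
  return findings;
}

for (const f of auditScripts(SAMPLE_HTML, "http://news.example/")) {
  console.log(f.issues.join(",").padEnd(18), f.src);
}
```

An integrity attribute only protects a script when the embedding page itself arrives over HTTPS; on an HTTP page the attribute can be altered along with everything else.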