Slashdot Mirror

← Back to Stories (view on slashdot.org)

Github DDoS Attack As Seen By Google

Posted by Soulskill on from the i-can-see-my-house-from-here dept.

New submitter opensec writes: Last month GitHub was hit by a massive DDoS attack originating from China. On this occasion the public discovered that the NSA was not the only one with a QUANTUM-like capability. China has its own "Great Cannon" that can inject malicious JavaScript inside HTTP traffic. That weapon was used in the GitHub attack. People using Baidu services were unwitting participants in the denial of service, their bandwidth used to flood the website. But such a massive subversion of the Internet could not evade Google's watchful eye. Niels Provos, engineer at Google, tells us how it happened. Showing that such attacks cannot be made covertly, Provos hopes that the public shaming will act as a deterrent.

52 comments

  1. Go Git Em! by Anonymous Coward · · Score: 0

    Teh G!

  2. Public Shaming the Red Chinese ? by Crashmarik · · Score: 3, Interesting

    I'll love seeing how that works out. Their people are locked behind their firewall and don't get to see any criticism the government doesn't want them to see. Hell you can't even get politicians here shamed if the media doesn't do a full bore dog pile.

    1. Re:Public Shaming the Red Chinese ? by fustakrakich · · Score: 2

      You can't shame a sociopath. And even with the 'cannon' in China, do we know who lit the fuse?

      QOTD from one of the links:

      We have one network in the world today. Either we build our communications infrastructure for surveillance, or we build it for security. Either everyone gets to spy, or no one gets to spy. That's our choice, with the Internet, with cell phone networks, with everything.

      Wonderfully put

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 0

      >and to some extend every western country
      >western
      either you are getting 50 cents to post that or you live in a delusional "asian > *" mentality.

    3. Re:Public Shaming the Red Chinese ? by dfsmith · · Score: 1

      As explained in

      War is Peace, Freedom is Slavery, and Ignorance is Strength

      The Theory and Practice of Oligarchical Collectivism by Emmanuel Goldstein

    4. Re:Public Shaming the Red Chinese ? by thegarbz · · Score: 3, Informative

      Their people are locked behind their firewall and don't get to see any criticism the government doesn't want them to see.

      I wouldn't be so sure about that. It's effectively no different in China than it is in the west. Yes there are people who are locked behind technology, just like there are Americans who only ever watch Fox News. Maybe it's representative of where in China I was staying, or the class of people who I worked with, but all of them had some form of service to get around the great firewall. Even if they don't at home or on their phone (I realised this when people constantly showed me stuff on Google Maps which is blocked) then if these people work for an international corporation they nearly always have some form of corporate VPN too.

      The people are well and truly clued in on what their government is doing.

    5. Re:Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 0

      The Chinese are "red" (i.e. communist) like the Americans are capitalists.

    6. Re:Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 0

      Censorship works because:

      1) People are lazy. Censorship leaves you lacking the complete picture. And an incomplete picture can be plausibly deniedor excused. And more specifically, plausibly denied to oneself. People have an inherent need to rationalize their situation.

      2) Censorship breeds rumor and destroys trust. Not only does it discredit the veracity of government statements, but it discredits _everybody_. People inevitably try to fill in the missing pieces, and they'll very often get it wrong. Similar to #1, this makes it easier to disbelieve, excuse, or otherwise ignore government misbehavior because it's difficult to make conclusive assessments.

      3) Because applying reason requires access to (or at least the belief in the existence of) credible, reliable, and accurate sources of information, and because censorship casts doubt on all sources of information (see #1 and #2), censorship undermines the ability of the public and of individuals to experience and practice well-reasoned debate regarding social, political, and economic policy. I don't think it's a coincidence that people who tend toward conspiratorial thinking also tend to be challenged in the analytical reasoning department. Those things tend to go together, regardless of the underlying relationship (censorship, mental illness, etc).

      Have you ever tried to discuss politics with somebody from a country without a credible, free press? It's like _everybody_ is a conspiracist. They believe in the stupidest, most outlandish crap. If you think the American electorate is bad, you ain't seen nothing. Only the well-studied and well-traveled can really engage in the same kind of well-reasoned debate that most Americans actually take for granted. There are plenty of smart people, but even the smart people won't have access to credible sources of information. So at best they don't really have much to say, because a logical argument based on uncredible facts is not much better than an illogical argument. And this is why the corrupt can stay in power for so long--they divide and conquer by spreading FUD.

    7. Re:Public Shaming the Red Chinese ? by cavreader · · Score: 1

      There is no firewall to limit US internet users from accessing any source of information across the world. If someone chooses to watch only Fox News that is their decision and not something they are forced to do. The same thing applies to those who think the real truth can only be found in Pravda, The Guardian, or Al jazeera. The most unsettling fact is that people tend to gravitate to news sites, blogs, and other information sources that only present information they already agree with. Subtle but manipulative editorial lines create entrenched zealots who eventually are more interested winning arguments then they are about finding the truth. Anyone espousing a different opinion are labeled brainwashed fanatics and idiots. The Internet will be the catalyst for the next world war. The promise of instant global communication and collaboration provided by the internet never factored in human nature and the impact that would make.

    8. Re:Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 1

      Who said the Chineese did it? Could be the NSA hacking Chineese computers... nobody fucking knows.

    9. Re:Public Shaming the Red Chinese ? by x0ra · · Score: 1

      I was more thinking Paul Wolfowitz.

    10. Re:Public Shaming the Red Chinese ? by x0ra · · Score: 1

      I don't really think that any generalization such as "asian > *" or "western > *" make much sense. You can't summarize 4.3 billions people into one entity called "asian" and even less put a moral/cultural/economical judgement on top of that description.

    11. Re:Public Shaming the Red Chinese ? by x0ra · · Score: 1

      And to some extend, I really don't give a fuck about my local/state/national hockey/baseball/football/soccer/curling/jerking team. I do enjoy a good game, but I don't take side... the winner takes it all.

    12. Re:Public Shaming the Red Chinese ? by bill_mcgonigle · · Score: 2

      And even with the 'cannon' in China, do we know who lit the fuse?

      Almost certainly the same people who arranged for NXDOMAIN on github.com a few weeks back. They really hate that there are open source anti-censorship tools on there.

      They had to stop breaking DNS for github since most of China's Internet developers couldn't get any work done anymore.

      That Chinese developers are freely using a California hosting service which has benefits to everybody in the world, and everybody recognizes that the "damage" here is government, it actually gives me a bit of hope. People do prefer to cooperate on all things, until a few sociopaths get a set of keys.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    13. Re:Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 0

      also, how is that any more shameful than what the US does? You guys are worse in every meaningful way. Its good that China is growing bigger and stronger than you. At least it will help European politicians find their balls and tell US to go fuck itself.

    14. Re:Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 0

      A Chinese replying you from UK. No shameful feelings at all.

    15. Re:Public Shaming the Red Chinese ? by Crashmarik · · Score: 1

      I was more thinking Paul Wolfowitz.

      I'd suggest adding de Tocqueville to your reading list

    16. Re:Public Shaming the Red Chinese ? by cascadingstylesheet · · Score: 1

      Their people are locked behind their firewall and don't get to see any criticism the government doesn't want them to see.

      I wouldn't be so sure about that. It's effectively no different in China than it is in the west. Yes there are people who are locked behind technology, just like there are Americans who only ever watch Fox News. Maybe it's representative of where in China I was staying, or the class of people who I worked with, but all of them had some form of service to get around the great firewall. Even if they don't at home or on their phone (I realised this when people constantly showed me stuff on Google Maps which is blocked) then if these people work for an international corporation they nearly always have some form of corporate VPN too.

      The people are well and truly clued in on what their government is doing.

      Riiight ... China doesn't have noteworthy censorship, because Fox News.

      And you actually think that it is the Fox News viewers who are sealed in the ideological bubble, instead of yourself. Amazing.

    17. Re:Public Shaming the Red Chinese ? by thegarbz · · Score: 1

      No. I do however think you fail at reading comprehension.

      China's censorship via the firewall is as optional to citizens with internet as sitting down and only watching Fox News is optional to Americans. Everyone can get around the firewall if they chose, and pretty much most educated people do get around it. Know how I accessed all my Google services while I was over there? I asked the receptionist at work. She told me which program to find and where to find it. Then I even had her install it because I couldn't speak Chinese which made finding the download button hard.

      China doesn't have noteworthy censorship, because Fox News.

      If that's what you got out of reading my post it makes me very sad for the American education system.

    18. Re: Public Shaming the Red Chinese ? by YodaDaCoda · · Score: 1

      In the words of Tom Clancy "Your dicks aren't big enough to get into a pissing contest with us!"

    19. Re: Public Shaming the Red Chinese ? by Anonymous Coward · · Score: 0

      but theirs aren't on their shoulders

  3. Hipsters are pissed off about this. by Anonymous Coward · · Score: 0, Troll

    I sometimes work in some shared office space. I'm there to work on my PhD thesis, but a lot of the other people there are Ruby on Rails hipsters. The stereotypes about these people are true. They do wear fedoras, they do speak negatively of women, they are very opinionated, and pretty much none of them have any formal education (a number of them are even high school dropouts). Anyway, you wouldn't believe how angry these people got when this GitHub DDoS nonsense broke. They were actually screaming and yelling about it. Some of them were probably close to foaming at the mouth with anger, they were so displeased. I started to realize that Git and GitHub aren't just tools to these people. Git and GitHub have replaced religion for these folks. Maybe they don't worship Jesus or Allah, but they do worship Git and GitHub. It was kind of unnerving to see how seriously they take Git and GitHub, and it was disturbing to see how much anger this DDoS crap brought out in them.

    1. Re:Hipsters are pissed off about this. by Anonymous Coward · · Score: 0

      +1 Interesting

  4. Watchful eye of Google by ZeroInt · · Score: 1, Interesting

    Nothing escapes the watchful eye of Sauron.

    1. Re:Watchful eye of Google by mcl630 · · Score: 1

      http://www.alef.net/ALEFFeatures/GoogleSauron.Gif

  5. Shaming? More like helping by Sarusa · · Score: 2

    You can't shame the (mainland) Chinese government on this one. They were fairly overt about it by using their own govt search engine to do it. It's a scarcely veiled threat to anyone who might want to mess with them, like doing an atomic bomb test or running your aircraft carriers around in sensitive regions. I'm sure they welcome the extra publicity.

    1. Re:Shaming? More like helping by tnk1 · · Score: 4, Insightful

      "As the representative of the Chinese government, I can categorically deny the Chinese government's use of Baidu for a highly effective attack on GitHub. We did not make use of this capacity, which can be used to quickly and efficiently shut down any networked target at will.

      As China is a responsible citizen of the world, we would never use specially trained teams of professional PLA hackers to provide a demonstration of our significant power.

      Although China is a global superpower and leader in computer science education, and we certainly have the ability to call down multiple, simultaneous, and devastating defensive DDoS's, (a tactic that we refer to as the Great Worker's and Peasants' Rain of Steel), we are a peace loving nation who does not resort to aggression to pursue our policies.

      We condemn in the strongest terms this attack, although we do note its effectiveness and our preparation to do battle on these terms, if such a thing was necessary to maintain the sovereignty of the People's Republic of China from similar aggression.

      Thank you."

  6. Shitty story, shitty blog by Anonymous Coward · · Score: 5, Insightful

    >Will China get the message ?

    What message? The one it has been getting forever, the one that says "we know it's you, but we're never going to do anything about it because we rely on you for cheap everything"?

    1. Re:Shitty story, shitty blog by myid · · Score: 2

      we're never going to do anything about it because we rely on you for cheap everything"?

      That's true, but I'm afraid it's even worse than that. If China is the only country with factories for certain items, then we rely on them for those items, cheap or not. China is developing the power to tell us to stop supporting Taiwan or whatever, or else they'll stop selling us things that we need.

      The US government should make up a list of manufactured goods that the US needs. Then have tax incentives for US companies to make those items in the US, with American managers and workers.

  7. Who cares? by Anonymous Coward · · Score: 1

    Github is really not very good. We could probably do with it being crushed for awhile to allow competitors to rise. This would increase the ecosystem for dev tools and be very beneficial overall as github has become the basket with all eggs in it.

    1. Re:Who cares? by Anonymous Coward · · Score: 0

      Obviously you never used Visual Source Safe.

    2. Re:Who cares? by onepoint · · Score: 1

      dammit you're an AC. I wanted to know more about what you just said.

      --
      if you see me, smile and say hello.
    3. Re:Who cares? by x0ra · · Score: 1

      OP said "github", not "git" altogether...

  8. Easy to solve by melting_clock · · Score: 2

    Cyber attacks by China are easy to fix; give them exactly what they want and cut them off the Internet. Problem solved.

    The website operators have little ability stop these attacks but those controlling the Internet infrastructure between the attacker and victim absolutely do. Once the attacker is identified there should be procedures to quickly block the attack. If that means taking an entire country off the Internet to encourage them to stop the attack and not do it again in the future that is perfectly reasonable action.

    1. Re:Easy to solve by sound+vision · · Score: 1

      To take an entire country "off the internet" would require the cooperation of every country they're peering with. I don't know the details of China's network infrastructure, but I'm willing to bet they have direct connections to quite a few countries. It would be much easier for whichever country is being targeted to have their ISPs blackhole everything coming from China. But then you start risking a trade war scenario. The United States, as you may know, has a particularly large amount of trade with China. Not just physical goods going back and forth, but companies with branches in both countries, and online/remote services of all kinds. If email and web contact between the US and China got broken, there would be major disruption to all sorts of businesses. Neither side wants that. GitHub going down for a few days is nothing compared to the disruption that closing all US-China data exchange would cause.

  9. Niels Provos - the blacksmith by psergiu · · Score: 1

    Niels Provos - when not fighting [cyber]crime, he's forging a mean sword: https://www.youtube.com/user/m...

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  10. A "subversion" of "github"... by RingDev · · Score: 4, Funny

    I see what you did there.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  11. Heres a thought by Anonymous Coward · · Score: 0

    How about democratic nations around the world sign a treaty not to pull this kind of shit. In that treaty, they also agree to block network backbone access for 30 days to bad actor nations to bitch slap them into not doing it either. China needs the internet, filtered or not, a lot more than the rest of the world needs them to have it. If they want to act like a gradeschool bully on the web, maybe it is time we kicked them off the playground for a month. Let their economy spiral down the toilet and see if they are willing to pull this crap again. The internet is integral to everything from business email, VOIP phone connections to financial transactions. To use it as a weapon is to poison the well and countries that do this, especially without provocation or justification, don't deserve the benefits of the internet. Even N Korea suffered when they lost their backbone connection after the whole Sony attack, and they rely on the internet a lot less than China's growing economy.

  12. PI by Anonymous Coward · · Score: 0

    It's not much of a stretch for any computer science student or IT workers to even be able to grasp the howtos of doing this. The only way to scale this up is to sit on a nexus point for any comms.

    So why wouldn't anyone just do this. It's simple - commerce. Barring targetted insertions, ( hello anonymity ), any large use of this would result in sanctions of some sort. Which is why as everyone else shows off their grandstanding canons, this does not bode well for economies that depend on both.

  13. Link to the actual Google blog post... by brunes69 · · Score: 0

    ... instead of the shitty ad-filled blog

    http://googleonlinesecurity.bl...

  14. Loss of Face by Tokolosh · · Score: 1

    A little bit of finesse and you can cause a massive loss of face. That will get a chinaman's attention.

    --
    Prove anything by multiplying Huge Number times Tiny Number
  15. Yes and No by s.petry · · Score: 2

    Sure, the US needs enemies but this is not the case of faking enemy action. This attack was easily traced to Chines devices which were injecting Javascript into HTML files, resulting in a massive DDOS. The servers performing this were part of the Chinese version of Google, which returned contaminated cache pages to queries.

    Call me a skeptic, but I don't think the injections were limited to the cache servers Google names. I think this was done at a lower level to achieve the scale. The reason for the attack is somewhat of a mystery as well. China can just block Github, they don't need to DDOS.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re: Yes and No by Anonymous Coward · · Score: 0

      So because chinese servers were involved the culprit was chinese too?

  16. Shaming anyone? Hahahaha by X.25 · · Score: 4, Insightful

    Shaming "western" governments/agencies doesn't have any effect at all, why would anyone think thank shaming Chinese would be any different?

  17. HTTPS by Lennie · · Score: 1

    This is why every website should be on HTTPS.

    No more Javascript injection by the network.

    --
    New things are always on the horizon
  18. public shaming is a red herring by Anonymous Coward · · Score: 0

    Really,

    As the saying goes, a thief is going to steal if he really wants to.... public shaming, if not for a logic result (e.g. child porn) will backfire and usually makes situations worse: person develop a tolerance for it.

  19. Why do you need a cyber security bill by Anonymous Coward · · Score: 0

    If technology is so advanced, why do Americans need cyber security bills to ensure companies share information?

  20. Google government by kwoff · · Score: 1

    Like your propaganda over theirs. We should hook up some time.