Do we have any proof as to whether this was an intentional DDoS? I'd imagine that any resource injected into Baidu pages would be a strain on the servers providing that resource. If Baidu decided to use js hosted by GreatFire and / or cn-nytimes so that their users could get around the Chinese firewall, would the outcome look any different?
posted by idiopath at 7:26 AM on March 29, 2015 [1 favorite]

On viewing the Insight Labs link, I'll answer my own question: they aren't loading js from those projects, they are simply loading the github front pages, which is useless unless you are trying to do a DDoS.
posted by idiopath at 7:32 AM on March 29, 2015 [2 favorites]

Perhaps this demonstrates the balance of power in international CyberWar. One of the of largest countries in the world vs. a few dozen top nerd techs: no contest, techs win.
posted by sammyo at 7:38 AM on March 29, 2015 [5 favorites]

Yeah, the Javascript injected into Baidu pages by the Great Firewall of China was definitely a deliberate attack, at least according to Insight Lab's analysis. Note that's only one of several attacks being deployed against GitHub in the past few days; I don't think we know details about the other vectors. GitHub so far has said very little.

I didn't want to put this in the main post, but there was another Chinese DDOS attack back in January where specific IP addresses suddenly got flooded with a huge amount of spurious traffic from China. What's weird is the targets; nothing overtly political, but high profile bloggers like waxy.org and jwz.org. I don't think the cause of that attack has been fully explained. Craig Hockenberry (Furbo) was also a victim, his writeup and commentary is the best analysis I've seen.
posted by Nelson at 7:38 AM on March 29, 2015 [16 favorites]

Yes, I was thinking exactly that: after phase 1 trials (Hockenberry, JWZ) now we're on to phase 2. I doubt this is the endgame, or even the middle. More like scouts probing the defenses.
posted by RedOrGreen at 8:02 AM on March 29, 2015 [2 favorites]

From the Baidu wikipedia page:

"According to the China Digital Times, Baidu has a long history of being the most proactive and restrictive online censor in the search arena."

Maybe they were in on this?
posted by idiopath at 8:11 AM on March 29, 2015

The general, unable to control his irritation, will launch his men to the assault like swarming ants, with the result that one-third of his men are slain, while the town still remains untaken. Such are the disastrous effects of a siege.

--Sun Tzu, The Art of War
posted by swift at 9:15 AM on March 29, 2015 [6 favorites]

So I'm guessing that the various governmental agencies who went ballistic over the Sony hack are stepping in to help GitHub mitigate this attack?

lol
posted by phooky at 9:22 AM on March 29, 2015 [19 favorites]

According to the China Digital Times, Baidu has a long history of being the most proactive and restrictive online censor in the search arena.

I'm not a fan of Baidu (or at least of their search engine), but that's really not fair and I'm surprised that the CDT would say that. Baidu censors its web properties because it has to, just like every other internet company in China. Censorship is generally not much more appealing to Chinese geeks than it is to their counterparts in Silicon Valley, and the overhead involved in hiring content review departments, setting up keyword filters, etc. means that beyond being philosophically offensive, censorship is financially burdensome for Baidu and other companies like them. Talk to anybody in any Chinese tech company -- off the record -- and they'll tell you how much they hate this shit.

So if the suggestion is that Baidu, which (besides being a US-listed company with overseas web properties) has got nothing against GitHub, is supposed to have launched a DDOS attack from its own content-delivery network? Nope. Makes zero sense. Even a hand-wavy explanation like "they did it at the bidding of their evil government masters" doesn't work: Baidu is not a state-owned company, and state-owned properties like People's Daily have launched competing search engines against it. (Also, friends inside Baidu have told me that the company was blindsided and the bosses are pretty furious.) If anything, the fact that the hack directed traffic so obviously from Baidu's servers actually makes me wonder if the whole thing wasn't also a deliberate fuck-you to Baidu.
posted by bokane at 9:24 AM on March 29, 2015 [16 favorites]

The ddos evolution over the last 80 or so hours, with each iteration following closely behind an effective counter measure deployed by github indicates that this isn't accidental.
posted by iamabot at 9:38 AM on March 29, 2015 [2 favorites]

bokane: thanks for the clarification, I wasn't trying to cast aspersions as much as figure out where various parties stand, and your response is helpful and informative.
posted by idiopath at 9:55 AM on March 29, 2015 [1 favorite]

I was very impressed with github's response to this. I make heavy use of their service every day, and other members of my team were reporting minor issues because of the DoS. I noticed nothing... zero... and I must have made dozens of requests for their services during this time.

Bravo! I get a lot for my $12 a month...
posted by lupus_yonderboy at 9:58 AM on March 29, 2015 [4 favorites]

This is the distraction while the executive mailserver gets hacked.
posted by benzenedream at 10:06 AM on March 29, 2015 [1 favorite]

Yeah, I am also a paid user and have seen no issues, definitely worth it.
posted by idiopath at 10:07 AM on March 29, 2015

or, is it 'javascript injection' because external javascript ended up on the page no matter the mechanism? thx for the clarification.

That's the context I've heard it used in before: when someone between you and the server is adding code or content into a page you've requested. example, example. The phrase "man in the middle" comes from cryptography originally, I think, and seems to more frequently be used when the objective has to do with surveillance or impersonation.
posted by XMLicious at 10:11 AM on March 29, 2015 [1 favorite]

I saw a couple retweets of the github status messages but didn't mentally register that they were actual statuses/github is under severe attack. I thought there was just a brand new twitter internet-apocalypse humor-bot that kept saying dire things like "THE ATTACK HAS SHIFTED WE ARE WORKING TO MITIGATE" over and over. horrifying that it's real!
posted by ghostbikes at 10:17 AM on March 29, 2015 [2 favorites]

What's the cuttingest edge of protection against DDoS attacks? Is there any tech coming down the pike that will significantly help?
posted by wemayfreeze at 10:17 AM on March 29, 2015

To host a Web site in China, you need to apply for an ICP Licence.

I don't have a point to make here other than that the phrase "Juggalo Politburo" has not left my head for the past week because of this.
posted by rum-soaked space hobo at 10:18 AM on March 29, 2015 [19 favorites]

Note the Insight Labs analysis has detail on why they think the Javascript was injected added by the Great Firewall. The Javascript in question is Baidu's web tracker, similar to Google Analytics' tracker. Users inside China saw nothing unusual. Users outside China got JavaScript code to attack GitHub. One way this could happen is if the attack code were being added at the routers that pass traffic between China and the rest of the world. (Although this addition would be for outgoing traffic; usually the Great Firewall is manipulating inbound traffic). In addition there's a couple of Wireshark screenshots that show odd data in the TCP headers that is consistent with the packets being tampered with by the network infrastructure.

This attack seems like a really dangerous cyberwar escalation to me. The Chinese government has been saying they have the right to extend their sovereignty into the Internet, to shut down external threats that try to circumvent their firewall. But previous Chinese attacks against American interests have been clandestine with plausible deniability. Publicly attacking GitHub is surprisingly aggressive.
posted by Nelson at 10:24 AM on March 29, 2015 [5 favorites]

It just occurred to me that one of the goals here might be to get overseas websites to just blackhole traffic coming from China, as jwz did, thus paving the way for a "but they do it too" defense the next time someone brings up the Great Firewall with PRC government functionaries. Then again, it's not as if they've ever had problems justifying it before.

This attack seems like a really dangerous cyberwar escalation to me. ...[P]revious Chinese attacks against American interests have been clandestine with plausible deniability. Publicly attacking GitHub is surprisingly aggressive.

Agreed. It's very strange on a few fronts:
- Why now? In my experience, GFW upgrades and crackdowns on VPNs, such as we've been seeing for the last couple of months, have generally coincided with major internal or external events or with sensitive anniversaries, neither of which seems to be the case here.
- Why this way? I'm sure the PLA's hacking squad could get their hands on a botnet or two if they wanted to, or at least come up with something that doesn't scream THE PEOPLE IN CHARGE OF CHINA'S INTERNET CONTROLS ARE BEHIND THIS quite so much.
Why GitHub? No disrespect to the people behind GreatFire and the Chinese translations of the NYT, but AFAIK they were never of much interest or influence as far as Chinese internet users were concerned. They might've been enough to merit a standard GFW block, but a concerted attack like this is something else entirely.

Interesting times, as the Chinese proverb does not actually say.
posted by bokane at 10:38 AM on March 29, 2015 [4 favorites]

It just occurred to me that one of the goals here might be to get overseas websites to just blackhole traffic coming from China

At first this confused me. If github and tons of similar dev sites(and other sites, obviously) block China then what about you know... All those developers on the forefront of what they're doing that are Chinese and based there, like TaiG? What about large successful local business interests like xiaomi and Lenovo that work heavily with android and other OSS projects?

Then I realized they'd have to make their own local GitHub or work internally, and essentially fork that stuff or use vpns(or similar) to circumvent the massive ip ban/other block.

Maybe part of their goal here is to split projects being worked on in China in to the Chinese version and the main branch. Force a fork.

I could see that, and I could see the reasons for that too.
posted by emptythought at 11:08 AM on March 29, 2015 [3 favorites]

We manage some bioinformatics projects through GitHub and get a fair number of academic visitors from China. They get (IMO) well-made and useful software for free that helps push their genomics research efforts forward. Their govt is really shooting themselves in the foot with this stuff, in the long run.
posted by a lungful of dragon at 11:22 AM on March 29, 2015 [1 favorite]

Maybe it's just about vetting their strategy, and the idea is that by poking github, they can find out exactly how their attacks would be circumvented? I'd think github and its community would have a more sophisticated response than most random targets would.
posted by idiopath at 11:45 AM on March 29, 2015 [1 favorite]

Yeah; one of the strategies has been for the PRC to develop its own parallel internet, which is why some of the techier internet users there refer to what they have as the "intranet" (内联网) rather than the "internet" (互联网). This is, incidentally, part of why I don't understand why Facebook wants so badly to get into China: there's already a website occupying the space that Facebook would occupy, and nobody is really clamoring for anything else. Ditto (for the most part) Weibo / Twitter, Baidu / Google, Youku / Youtube, etc.

So forking everything and coming up with a Bizarro GitHub makes a certain degree of sense, except that (a) as far as I know there are no contenders for the title (though I've been out of China for a year and a half now and no longer pay much attention to anything that's happened there within the last millennium, so it's possible that I'm missing something), and (b) all of the Chinese geeks I know have got multiple VPN accounts, and the inconvenience of a GitHub block would be a lot less discouraging for them than it would be for a non-geek audience.
posted by bokane at 11:46 AM on March 29, 2015 [1 favorite]

It just occurred to me that one of the goals here might be to get overseas websites to just blackhole traffic coming from China, as jwz did

I'm not sure about that. One of the features of this attack that makes it harder to block is that the DDoS traffic does not originate from China. The way the attack works is that the attack code is only injected into browsing sessions where the IP address is from outside China (indirectly via websites that serve ads and tracking code from Baidu). This renders the old strategy of blocking China IP addresses ineffective, as the origin of the DDoS is everyone but China.
posted by RichardP at 11:50 AM on March 29, 2015 [3 favorites]

I push to Github at least 5 times a day as I code and some days much more.* The only problem I've had with Github this week is that I had one commit that I had to try to push three times before it went through.

* - We use Travis CI for continuous integration testing. I love it. Every time I push, it runs our test suite. (Unless I tell it not to.) That allows me to move on to something else instead of waiting 10+ minutes for the tests to run on my machine. It plays nicely with Github, too. The only problem with it is that sometimes it goes down for an hour or two. My company pays for it, so I have no idea how much it costs, though I do know that you can pay extra for more concurrent jobs.

Note: I have no stake in Travis CI.
posted by double block and bleed at 11:52 AM on March 29, 2015

...the attack code is only injected into browsing sessions where the IP address is from outside China (indirectly via websites that serve ads and tracking code from Baidu).

Oops. You're quite right.
Well, dang. Now this makes even less sense to me.
posted by bokane at 11:53 AM on March 29, 2015

Actually I'd bet the goal is to compromise github's hosting architecture somehow to either allow monitoring or code injection on certain projects of interest. Why would the Chinese govt do something so ham handed when they are capable of stuff like the RSA key hack?
posted by benzenedream at 12:51 PM on March 29, 2015

It saddens me that git, a decentralised VCS, is now unbreakably associated with github, a centralised hosting provider. I wish we could have made it easier to publish repos on standard hosting, or to make pull requests easier without needing a giant all-seeing Web site. I feel like by making something that people could target for this sort of thing, we've failed.

I keep watching videos from Redecentralize and hoping that things will get better some day.
posted by rum-soaked space hobo at 1:05 PM on March 29, 2015 [17 favorites]

It saddens me that git, a decentralised VCS, is now unbreakably associated with github, a centralised hosting provider.

To be fair, git is a huge pain to learn and use and github made it much simpler. That said, there's absolutely no reason you can't just go on your merry way and continue to use git without github today. It shouldn't be difficult for a single project to use multiple git "hosting" services (github, bitbucket) so there's a simple fallback if things go south with one.
posted by phooky at 1:19 PM on March 29, 2015 [2 favorites]

I also think it's really strange that this attack was done so visibly with means that only the Chinese government practically controls. Perhaps China is signaling their capability? From what I've read, the Chinese government really believes it has a right to extend its laws to the Internet, a whole notion of online sovereignty. (I wish I had more material to support this than the one Economist article; links welcome!). The US thinks it has the right to seize Silk Road servers in Iceland, freeze Mega funds in New Zealand, and attack Iranian nuclear facility computers with malware. And so China thinks it has the right to stop socially upsetting information from entering China. I believe that's a false equivalence, but China doesn't seem to agree with me. Maybe this was a demonstration of a technical capability. I'm not sure quite to what purpose though; the end of this road is a scorched-Earth Internet. It could get a lot uglier with DNS and BGP attacks.

On decentralization, a GitHub-hosted git repo works just fine with GitHub down. You can still check in locally and even share changes with other developers through some other shared repo. What GitHub has centralized is project support: file hosting, bug databases, etc. I'm not aware of decentralized solutions to those challenges other than "everyone run their own servers for every thing."
posted by Nelson at 2:16 PM on March 29, 2015

GitHub is a customer of Fastly, the Content Distribution Network. Some stuff like GitHub Pages is hosted via Fastly. I don't know for certain, but Fastly and some of their other customers may be suffering collateral damage from these attacks.
posted by Nelson at 2:21 PM on March 29, 2015

We use Travis CI for continuous integration testing

Travis CI is really nice. It has helped us catch problems with building C++11 code with older and newer C++ compilers, which would be time-consuming to try to find out on our own. And it is free for public repos!

The hooks that GitHub offers that facilitate Travis also enable many other on-push services. We use readthedocs.org to publish software documentation. Updates are now as easy as pushing a commit to a master or feature branch. We can keep feature branch documentation private until we are ready to go with a stable release.

After Google Reader and the policy changes with Google Code, I saw the writing on the wall re: G-Code's shutdown coming about a year or so before it was announced and moved our projects to GitHub ahead of time. It's a tribute to how much GitHub has changed sharing open source code for the better, that Google Code offers a one-click option to push closed projects directly to GitHub.

GitHub Pages are great. I'm not sure if any other Git hosting service offers this, but it is remarkable to see what people in academia are experimenting with — it could really change science publishing in important ways, going beyond preprint servers that publish links to static PDFs, progressing to iterative versioning of research results and interpretation, and more direct "letters to the editor" in the form of pull requests, which is really what science and scientific discovery is about. Interesting times, indeed.
posted by a lungful of dragon at 3:03 PM on March 29, 2015 [3 favorites]

I really hope that China doesn't have a beef with GitHub. A project I participate in the development of and heavily rely on for work is hosted by GitHub and the project's lifeblood is a developer that lives in Shanghai. If he gets cut off it would be pretty bad news.
posted by zsazsa at 4:07 PM on March 29, 2015

Here's a bit more on China's theory of Internet Sovereignty. China Argues for ‘Internet Sovereignty.’ Is It a Good Idea? is a clear American perspective on the idea. "The upshot: They believe each country should have ultimate power to determine what Internet traffic flows in and out of its territory." Cyber Sovereignty Must Rule Global Internet is the (English) words of the Chinese government. There's more detail on pundit blogs: 1, 2, and 3.

Reading all this, it's mostly been China defending its policy of censoring inbound Internet traffic at the Great Firewall. (And implicitly, creating a protected space for Chinese Internet companies vs. foreign competition.) Extending that sovereignty into DDoS attacks on American businesses seems to be quite the reach. But maybe in the Chinese perspective it's that they are retaliating against an intrusion on their right to censor their Internet. "You create tools to break our firewall; we send some traffic out to break your tools".

But I'm totally winging this analysis, I'm no expert on diplomacy. I'm really hopeful this story gets more pickup in the mainstream press and we see more analysis and response.

(Meanwhile, the attack on GitHub continues. 95 hours and counting. I'm impressed with how well their defenses are holding.)
posted by Nelson at 6:53 PM on March 29, 2015 [1 favorite]

But maybe in the Chinese perspective it's that they are retaliating against an intrusion on their right to censor their Internet. "You create tools to break our firewall; we send some traffic out to break your tools".

That's the weird thing, though: circumvention tools like VPNs had been generally tolerated, other than the occasional nationwide sphincter-tightening (most memorably for about two weeks during the Arab Spring). VPNs are much less reliably accessible now, though from what I hear the major commercial VPN providers are still mostly working, and the GFW is supposedly now capable of blocking VPN traffic if and when it wants to. For Team Censorship to be going on the offensive is new and disturbing.

I remember talking to one of the Greatfire.org guys a couple of years ago when they were developing the cloud-based circumvention tool that might be the target of this attack. (Sorry, NYT Chinese.) He was really sure that the tool would be secure because Chinese internet authorities would never block overseas cloud services like Amazon etc. -- that the collateral damage for Chinese firms and users would be too great. I didn't share his confidence then, and I sure as hell don't now.
posted by bokane at 8:43 PM on March 29, 2015 [2 favorites]

I also think it's really strange that this attack was done so visibly with means that only the Chinese government practically controls.

This is really strange, one possibility might be that the central Chinese government is as terrible at internet as, say, the US government.

Perhaps China is signaling their capability?

Also sort of makes sense but typically, a nation state would signal some kind of overwhelming capability. 'We can flatten your cities' or 'sink your aircraft carriers'. 'We can annoy a few of your popular-but-niche bloggers and perhaps one of your major source-sharing services that we also use' just doesn't seem like very convincing signaling of anything.

So whether one accepts the interpretation of available evidence to say 'this is the government of the PRC' or not, neither proposition seems to shed any light on 'what is the point of all of this?'
posted by pvg at 3:00 AM on March 30, 2015

It saddens me that git, a decentralised VCS, is now unbreakably associated with github, a centralised hosting provider.

I have a suspicion that the main attractions of Git is actually Easy branching and GitHub itself*, with the distributed part being more of a theoretical concern further down the list .

* though I've encountered Stash and GitLab a fair bit lately occupying the sake role for organizations .
posted by Artw at 5:29 AM on March 30, 2015

Great story and I'm really enjoying all the various speculations here. One thing I try to keep in mind (as a complete non-expert in this field) is that we tend to ascribe coherent motives to foreign governments, especially ones that we perceive to be opaque (China, North Korea, etc.), but for all we know there could be a lot of domestic politics behind this that we're simply unaware of. Perhaps this is less a signal by the Chinese government as a whole to the US or the international community, and more a signal of one particular group within the government to another.
posted by Peter J. Prufrock at 5:30 AM on March 30, 2015 [3 favorites]

The story got picked up in the mainstream press. Wall Street Journal, CBC, Financial Times, The Independent, The Guardian, Bloomberg, Reuters. Also a tangentially related story in the New York Times. Many other places too; those are just the bigger print publications I found in a quick Google News search.

No new information in these stories really, just covering the highlights. The WSJ tried to get a bit deeper and no one was talking. They list sources it contacted who didn't comment: Cyberspace Administration of China, Greatfire.org and New York Times. Also no new comments from GitHub or Baidu, just quoting public statements.
posted by Nelson at 7:41 AM on March 30, 2015

NYTimes: China Appears to Attack GitHub by Diverting Web Traffic. Also no new information (and no statement from the New York Times Corp; they're part of the story). But it's a good overview and has some quotes from policy analysts, etc.

But the GreatFire.org material on GitHub, which is based in San Francisco, offers an unusual exception. By offering code that unblocks sites within China, it is assumed to be violating Chinese laws from abroad. James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, said the attack was an attempt to deal with extraterritoriality on the Internet.

“China is trying to redefine the rules of the Internet and they’re feeling their way forward as they do it,” he said. “This is one of another set of actions to say China will have a bigger voice in how the Internet works.”

posted by Nelson at 1:27 PM on March 30, 2015

> Here's a bit more on China's theory of Internet Sovereignty...

Previously.
posted by homunculus at 11:08 PM on March 30, 2015 [1 favorite]

GreatFire: Chinese authorities compromise millions in cyberattacks. Official blog statement from the primary target of the attack that's also hit GitHub. "We can now confidently conclude that the Cyberspace Administration of China (CAC) is responsible for both of these attacks."

Lu Wei and the Cyberspace Administration of China have clearly escalated the tactics that they use to control information. The Great Firewall has switched from being a passive, inbound filter to being an active and aggressive outbound one. This is a frightening development and the implications of this action extend beyond control of information on the internet. In one quick movement, the authorities have shifted from enforcing strict censorship in China to enforcing Chinese censorship on internet users worldwide.

They also published a March 25 technical report describing attacks GreatFire suffered starting March 18. This all predates the GitHub attack. That earlier attack used the same method of hijacking Baidu's analytics Javascript to create a DDOS, at that point directed against Amazon CloudFront CDN servers hosting GreatFire content.
posted by Nelson at 1:52 PM on March 31, 2015 [3 favorites]

Also interesting is Netresec's analysis that was released today: China's Man-on-the-Side Attack on GitHub.
posted by RichardP at 4:07 PM on March 31, 2015 [3 favorites]

Not directly related to the GitHub DDOS, but: Google Chrome will banish Chinese certificate authority for breach of trust. Long story short, CNNIC issued a certificate to an Egyptian company, MCS, which then screwed up and created some bogus SSL certificates that impersonated Google. In response Google and Firefox are both removing CNNIC's authority in their browsers, at least temporarily.

What's remarkable to me is that as far as I can tell CNNIC is the only Chinese certificate authority in Chrome and Firefox. It's a pretty strong move to cut them off. Again, there's nothing here directly related to the DDOS activity. On the other hand you have to bet a whole lot of people are much more nervous than they used to be about trusting the Chinese government with SSL certificate authority.
posted by Nelson at 11:40 AM on April 2, 2015 [1 favorite]

There is no reason to restrict yourself to just hoping, rum-soaked space hobo, come help us. :) And Redecentralize looks neat!
posted by jeffburdges at 1:55 PM on April 2, 2015

GitHub has still made no statement about the attack. Their status page last mentions dealing with DDOS attack traffic on March 31, so presumably the attacks stopped about a week ago. That seems to be the end of the story, at least until the next attack.
posted by Nelson at 6:51 AM on April 6, 2015

Just when I declare it over, DuoSecurity turns up a quote from a Chinese foreign ministry press briefing about the attacks.

A report says that a US website was under hacker attack, and the source of the attack was from China. How do you respond?

It is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks. We have been underlining that China hopes to work with the international community to speed up the making of international rules and jointly keep the cyber space peaceful, secure, open and cooperative. It is hoped that all parties can work in concert to address hacker attacks in a positive and constructive manner.

As Duo Security notes, this response does not actually answer the question.
posted by Nelson at 11:50 AM on April 6, 2015 [1 favorite]

China Is Said to Use Powerful New Weapon to Censor Internet (NYTimes). A summary of the research report China's Great Cannon, an investigation of the attacks. Interesting interdisciplinary group out of University of Toronto, they are doing both technical and public policy analysis. They've identified that the attack generator is a separate system colocated with the Great Firewall. And commentary on the implications, including "the repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country’s national priorities is a dangerous precedent." It's an excellent report well worth reading.

The NYTimes article mentions the attacks against GreatFire and GitHub are still continuing.
posted by Nelson at 7:10 AM on April 10, 2015 [2 favorites]

A Javascript-based DDoS Attack as seen by Safe Browsing, an analysis by Google's Niels Provos. Google has uniquely good data on the attack because it already monitors the web for malware. Includes details of the different types of malicious code injected, details of targets, and traffic statistics. The attacks ran from March 3 to April 7.
posted by Nelson at 11:45 AM on April 24, 2015 [1 favorite]