When you fight fire with fire, you risk getting burned

By Linda Musthaler | April 07, 2015

Posted in: Network Security Trends, ISP DDoS Protection

Censorship watchdog GreatFire.org lit a fire that has turned into quite a conflagration.

GreatFire.org is known for punching holes in China's Great Firewall, the surveillance and censorship system that attempts to prevent Chinese businesses and citizens from reaching the outside world via the Internet. GreatFire provides open access to the content of news sites like Reuters and the Wall Street Journal, to major services like Facebook and Google, and much more—all of which is blocked by the Great Firewall.

One of the techniques GreatFire.org uses to provide access is to set up mirror sites for the sites that are blocked. These mirrors are hosted on content distribution networks, such as Amazon CloudFront and Akamai Technologies servers, that also host approved Chinese sites. This technique has been quite effective, at least until recently, because if the Chinese authorities blocked those hosting services, they would be blocking legitimate business sites too. Using this technique, GreatFire has been able to provide, among other banned content, an uncensored version of the Chinese microblog website Weibo and a news website called Boxun that is often critical of the Chinese government.

Then the Wall Street Journal published an article about how free speech advocates like GreatFire.org and other groups use technology to get around the Chinese government's censorship. Shortly after that article was published, GreatFire.org and its partner websites suffered a massive DDoS attack. According to a blog post on GreatFire.org's website, the attack is consistent with previous malicious actions that were credited to the Cyberspace Administration of China. The blog post says:

  • Millions of global internet users, visiting thousands of websites hosted inside and outside China, were randomly receiving malicious code which was used to launch cyberattacks against GreatFire.org’s websites.
  • Baidu's Analytics code (h.js) was one of the files replaced by malicious code which triggered the attacks. Baidu Analytics, akin to Google Analytics, is used by thousands of websites. Any visitor to any website using Baidu Analytics or other Baidu resources would have been exposed to the malicious code. A list of Baidu resources known to be used for the attack appears in the report.
  • That malicious code is sent to “any reader globally” without distinguishing that user’s geographical location, meaning that the authorities did not just launch this attack using Chinese internet users - they compromised internet users and websites everywhere in the world.
  • The tampering takes place someplace between when the traffic enters China and when it hits Baidu’s servers. This is consistent with previous malicious actions and points to the Cyberspace Administration of China (CAC) being directly involved in these attacks.
  • More technical details of the attack can be read in a research report titled “Using Baidu to steer millions of computers to launch denial of service attacks”.

Technical readers might appreciate going through the research report mentioned in that last bullet point. There's some very good analysis of the attack and how it was orchestrated.

This DDoS attack has resulted in GreatFire.org seeing its server costs soar to $30,000 a day—an amount that's totally unsustainable by the activist group. And then on March 25, a similar DDoS attack was aimed at GitHub and it lasted for several days. GitHub was hosting content for GreatFire.org and it's believed the intent of the GitHub attack was to get the company to remove this content.

A string of messages on GitHub's system status kept the public informed of the efforts to fend off the attack. Of note here is that GitHub observed that the tactics in the attack changed frequently, forcing the company to keep adjusting its defenses. By March 31, the attack on GitHub seemed to be over.

As to whether there will be more retribution to come, only time will tell. You can bet, however, that the Chinese government will not condone having activists like GreatFire continue to circumvent its policies for the Great Firewall of China.
