UPDATED 10:56 EDT / APRIL 27 2015

Google makes a case for encrypting the Web

China kicked up a storm earlier this month when it was alleged to have used its “Great Cannon” weapon to carry out distributed denial of service (DDoS) attacks against GitHub, a code repository for open source projects, and GreatFire.org, a project that provides servers to aid Chinese citizens in circumventing the national firewall.

The attack was described as a significant escalation of state-level information control, but now Google is arguing it would never have been possible if Internet traffic were encrypted as standard.

“This provides further motivation for transitioning the web to encrypted and integrity-protected communication,” wrote Google security engineer Niels Provos in a blog post. “Unfortunately, defending against such an attack is not easy for website operators.”

Provos used Google’s Safe Browsing infrastructure to analyze the DDoS attacks on GreatFire.org, and said they were fairly prolonged. The Great Cannon began ‘testing’ the site’s defences on March 1, before ramping things up for a more sustained assault from March 14 through to April 15.

“At first, requests were made over HTTP and then upgraded to use HTTPS,” noted Provos. “On March 14th, the attack started for real and targeted d3rkfw22xppori.cloudfront.net both via HTTP as well as HTTPS. Attacks against this specific host were carried out until March 17th.”

Provos said it was during this phase of the attack that the cloudfront hosts suddenly started serving 302 redirects to greatfire.org and other domains. The substitution of JavaScript ceased on March 20, but injections into HTML pages continued for days afterwards.

Suddenly, on March 25, the Great Cannon switched focus from GreatFire.org to GitHub.

“The attack against GitHub seems to have stopped on April 7th, 2015, and marks the last time we saw injections during our measurement period,” wrote Provos.

Provos said that Google detected 19 different JavaScript payloads during the attack and that the payloads were similar for the HTML attacks, though he was unable to determine a number.

According to Provos, had the entire web already moved to encrypted traffic via TLS, it would not have been possible to carry out an injection attack.

“In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic,” Provos wrote. “Another hope is that the external visibility of this attack will serve as a deterrent in the future.”
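To make the integrity-protection point concrete, here is an added example (not from Provos's post or Google's measurement code) that labels observed responses for a script that should never change, separating intact copies from in-transit modifications and unexpected redirects. The function names, the sample script and the observations are all constructed for illustration.

```python
import base64
import hashlib
from collections import Counter

def sri_digest(body: bytes) -> str:
    """Return a Subresource Integrity style value (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def classify(status: int, body: bytes, expected: str) -> str:
    """Label one observed response for a script that should never change."""
    if 300 <= status < 400:
        return "redirected"  # e.g. an unexpected 302 served in place of the script
    if status != 200:
        return "error"
    return "intact" if sri_digest(body) == expected else "modified"

def summarize(observations, expected):
    """Count labels per day; observations are (day, status, body) tuples."""
    per_day = {}
    for day, status, body in observations:
        per_day.setdefault(day, Counter())[classify(status, body, expected)] += 1
    return per_day

# Constructed sample data: a known-good script and three plain-HTTP fetches.
GOOD = b"function track(){ /* analytics */ }\n"
EXPECTED = sri_digest(GOOD)
OBSERVED = [
    ("day1", 200, GOOD),
    ("day1", 200, b"/* replaced in transit */\n"),
    ("day2", 302, b""),
]

if __name__ == "__main__":
    for day, counts in summarize(OBSERVED, EXPECTED).items():
        print(day, dict(counts))
```

Browsers perform the same comparison when a script tag carries an `integrity` attribute, but that only helps if the page carrying the hash is itself delivered over TLS; otherwise the hash can be rewritten along with the script.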

Image credit: PublicDomainPictures via Pixabay.com
