UPDATED 15:08 EDT / APRIL 10 2015

DDoS attack on GitHub evidence for the Great Cannon of China

China is already well known for its nation-wide Internet filtering software dubbed The Great Firewall of China, but what is only now coming to light is that China may also have a Great Cannon. According to a report posted on CitizenLab, the Great Firewall of China may have been used to effect distributed denial of service (DDoS) attacks against GitHub, a code repository for open source projects, and GreatFire.org, a project that provides servers to aid Chinese citizens in circumventing the national firewall.

The report, compiled by Bill Marczak, Nicholas Weaver, et al., reveals evidence of a separate attack infrastructure that was most likely used during the March 16th DDoS attack on GreatFire.org and the recent March 26th attack against GitHub.

“While the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the ‘Great Cannon,’” says the report. “The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

This report continues to bolster evidence that China was behind these attacks, as reported previously by the Electronic Frontier Foundation and others. Earlier this month, Robert Graham from Errata Security added further evidence that the Great Cannon attack servers were co-located with the Great Firewall of China.

During the GreatFire.org attack, the company reported that malicious JavaScript was being delivered via Baidu, a massive web services, community, and search company located in China. Baidu denied any involvement in adding malicious scripts to its content; thus the report suggests the likelihood that the Great Cannon can use man-in-the-middle attacks to add arbitrary code (e.g. DDoS attack code) to web content exiting China.


Image credit: CitizenLab.org topography of the Great Cannon of China


Proving that China is behind the DDoS attacks


The report authors localized the attack to China, and therefore the activity of the Cannon, by examining the victims of the malicious code used to DDoS GreatFire.org. Over 66.9% of the IPs that took part in the DDoS originated in Taiwan and Hong Kong, two regions where Chinese is the official language. China, however, accounted for only 0.1%.

The authors of the report also believe there is compelling evidence that the Chinese government operates the Great Cannon. When pressed on the issue, Chinese government spokespeople deflected questions about the DDoS attack by suggesting that China was the victim and not the perpetrator. The report cites the co-location of the Great Firewall of China and the Great Cannon as meaning most likely that China must be in control of the Great Cannon infrastructure. The report also notes that the targets, GreatFire.org and GitHub, are politically charged when it comes to China, and that this suggests state-level cyberwarfare.

The Great Cannon changes the landscape of cyberwarfare


The report concludes that instigating a DDoS attack against GreatFire.org and GitHub is only one part of the total breadth of the Great Cannon’s capabilities. The attack against these sites appears to have been designed to be blunt and obvious; however, the report suggests that it would be simple to change the Great Cannon to do surgical traffic manipulation.

“A technically simple change in the Great Cannon’s configuration,” the report explains, “switching to operating on traffic from a specific IP address rather than to a specific address, would allow its operator to deliver malware to targeted individuals who communicates with any Chinese server not employing cryptographic protections.”

The report from CitizenLab suggests avoiding web pages served from Chinese sources that do not fully utilize HTTPS connections to lessen the potential of inserted malicious code. It also suggests that anyone communicating with China may want to employ Virtual Private Networking (VPN) encryption software to verify and protect content passing into or out of China to prevent tampering.
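To make the HTTPS advice concrete, this added example (not from the CitizenLab report or this article) audits a page's HTML for scripts and frames fetched over cleartext HTTP, the kind of unencrypted content the report says a man-in-the-middle can replace. The host names, sample markup and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose fetched resource runs as active content inside the page.
ACTIVE_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

# Constructed sample markup; every host name is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="http://analytics.example/h.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="https://static.example/app.js"></script>
<script src="/local.js"></script>
<script>var inline = 1;</script>
</head><body>
<iframe src="http://widgets.example/frame.html"></iframe>
</body></html>
"""

class ActiveContentAudit(HTMLParser):
    """Collects active resources that would travel unencrypted."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_ATTR.get(tag)
        ref = dict(attrs).get(attr) if attr else None
        if not ref:
            return  # not an active element, or inline with nothing fetched
        # Relative and scheme-relative references inherit the page's scheme.
        resolved = urljoin(self.page_url, ref)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, resolved))

def audit(page_url, html):
    """Return (page_is_https, [(tag, url), ...]) for cleartext active content."""
    parser = ActiveContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return urlsplit(page_url).scheme == "https", parser.findings

if __name__ == "__main__":
    for url in ("https://shop.example/index.html", "http://shop.example/index.html"):
        encrypted, findings = audit(url, SAMPLE_HTML)
        print(url, "encrypted page:", encrypted)
        for tag, resolved in findings:
            print("  cleartext", tag, resolved)
```

When the page itself is served over HTTP, the scheme-relative and relative references resolve to cleartext as well, which is why the same markup yields more findings for the second URL.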
