GitHub has been hit by a massive DDoS (distributed denial-of-service) attack in the last day or so, intermittently resulting in outages for developers attempting to access source code stored on the site.
What’s particularly interesting about the attack on GitHub is that the denial-of-service attack does not appear to be conducted in the familiar fashion of a botnet of compromised computers around the world, bombarding the site with traffic.
Instead, it appears that someone is tricking web browsers visiting Chinese websites into repeatedly reloading two pages on the GitHub site: https://github.com/greatfire/ and https://github.com/cn-nytimes/.
A researcher at Insight Labs wrote up an analysis of what he believed was going on.
In a nutshell, many Chinese websites use advertising and visitor tracking code from Baidu, China’s leading search engine (just as many other sites around the world might use, say, Google Analytics). It appears that when webpages containing the Baidu scripts are accessed from outside China, the script’s code is being replaced with code serving a different function.
When the obfuscated code is decrypted, its purpose becomes clear: it tries to access the GitHub pages, over and over again.
Baidu, however, has denied any involvement in the attack – telling The Verge that an external party must be to blame.
Insight Labs seems to back up that theory, believing that “a certain device at the border of China’s inner network and the Internet” must be hijacking incoming connections and replacing the Baidu JavaScript with its own malicious code.
As a consequence, not only are the GreatFire and CN-NYTimes projects disrupted on GitHub but *all* of GitHub suffers a denial-of-service attack. And because the attack is being driven by users’ browsers outside China, it may not immediately appear to originate from China itself.
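From the defender’s side, here is an added example (not code from this post, from Insight Labs or from GitHub) that runs detection logic over constructed web-server log lines: it flags clients that re-request the two targeted paths at a high rate and tallies the Referer values, which point at the third-party pages whose embedded script is driving the reloads. The combined log format, sample addresses, threshold and window, and the assumption that the hijacked browsers send a Referer are mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The two GitHub paths the injected script reloads, per the post.
TARGET_PATHS = {"/greatfire/", "/cn-nytimes/"}
# Apache/nginx "combined" log format: ip, timestamp, request, status, bytes, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Constructed sample (not real GitHub logs): two browsers re-requesting the targets, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2015:10:00:00 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://news.example-cn.test/" "Mozilla/5.0"
203.0.113.5 - - [26/Mar/2015:10:00:02 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 5120 "http://news.example-cn.test/" "Mozilla/5.0"
203.0.113.5 - - [26/Mar/2015:10:00:04 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://news.example-cn.test/" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2015:10:00:10 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://shop.example-cn.test/item" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2015:10:00:11 +0000] "GET /cn-nytimes/ HTTP/1.1" 200 5120 "http://shop.example-cn.test/item" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2015:10:00:12 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "http://shop.example-cn.test/item" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2015:10:00:30 +0000] "GET /greatfire/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, unix_ts, path, referer), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["path"], m["referer"]

def max_hits_in_window(times, window_s):
    """Largest number of timestamps inside any window_s-second span (sliding window)."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def analyse(log_text, window_s=60, threshold=3):
    """Flag clients that hit the target paths >= threshold times within window_s
    seconds (assumed tunables) and tally Referers, i.e. the third-party pages whose
    embedded script is driving the reloads. Many low-rate clients with a handful of
    shared Referers is the browser-driven pattern described in the post."""
    hits, referers = defaultdict(list), Counter()
    for ip, ts, path, ref in filter(None, map(parse_line, log_text.splitlines())):
        if path in TARGET_PATHS:
            hits[ip].append(ts)
            referers[ref] += 1
    flagged = sorted(ip for ip, ts in hits.items() if max_hits_in_window(ts, window_s) >= threshold)
    return {"flagged": flagged, "clients": len(hits), "referers": dict(referers)}
```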
GreatFire, of course, is a group which monitors online censorship in China (the name is short for the “Great Firewall of China”). It has itself suffered badly at the hands of DDoS attacks recently.
It’s natural for the finger of suspicion to point in the direction of the authorities in Beijing, keen to prevent Chinese citizens from accessing censored material on the internet.
GitHub has been keeping its users informed of the site’s status, as it yo-yos up-and-down, via status.github.com. The site says it has deployed “volumetric attack defenses against an extremely large amount of traffic.”
So, just how big a problem are denial-of-service attacks?
Seems that some folks just can’t agree.
San Francisco-based DDoS-mitigation outfit Black Lotus says that the number of denial-of-service attacks declined last year, from 450,000 attacks in Q1 to fewer than 150,000 by the end of 2014.
Meanwhile, Corero Network Security says in its latest report that DDoS attacks are “increasingly rampant”.
What isn’t in dispute between the companies which help businesses protect against DDoS attacks is that attacks are becoming more complex, with multiple techniques being combined to bring down a site or online service.
“There is a continuous trend of people combining different attacks together, in hybrid attacks,” Frank Ip, Black Lotus’s VP of marketing and business development told CSO Online. “We’re also seeing more application-layer attacks. Even though those are smaller in size, they are not smaller in terms of effect or damage to the targeted victim.”
Corero, meanwhile, says that on average its customers each experienced 3.9 DDoS attack attempts every day during the last three months of 2014:
Today’s DDoS threat landscape is complex and increasingly sophisticated. Opportunistic DDoS attacks remain a menace, but targeted attacks are a rapidly growing threat. Each vertical market reveals variations in the motivations behind DDoS attacks, including cyber terrorism, political or ideological intentions, fraud, ransom, monetary gain, data exfiltration attempts or even for gaining a competitive advantage. The drivers are endless, and the attacks keep coming.
DDoS attacks can be used to make money, to make a political point and to silence freedom of speech. They’re not going to be going away anytime soon.
In fact, we should get used to them becoming more sophisticated as more attackers – whether solo activists, cybercriminal gangs or governments – deploy them in anger.
A few questions, Graham (sorry for the length of the second): 1) What tool do you use to decrypt obfuscated code?
2) My understanding of that Javascript, which could easily be wrong, is as follows.
NUM will be assigned the value 2, as that is the number of items in the array, thus its .length. Why bother with this at all? Would it not be simpler just to create 'var a' by moduloing unixtime() by the integer 2? It seems like an unnecessary step. (afterthought on this added below)
unixtime() % 2 will either return 1 or a 0. This means that upon whatever time unwitting individuals fall victim to this malicious script, they will send a connection request(?) to either the first URL or the second but not both. Could the reasoning behind this be that it would help mask illegitimate traffic from the legitimate?
When you say "it tries to access the GitHub pages, over and over again." is this because people are visiting webpages containing the Baidu scripts on such a mass scale that it is effectively creating a DDoS attack via the huge volume of affected users, or is it that this script will run over and over once an affected page has been loaded up?
(afterthought) – It makes sense to me now why they'd assign NUM the length of the array. It means that this code can be easily altered or reused where the only thing that needs to be changed are the URLs. Have 5 URLs and unixtime() % NUM produces a range of 0-4, meaning that it will always get a valid index reference from the list of URLs. 17 URLs = range 0 – 16, etc.
I guess with this degree of re-usability put in place it probably means that this has already been used in the wild, is intended to be used again or is just written by a good programmer.
Anyway, enjoy the bank holiday.