
GitHub under ongoing DDoS attack - MosheZada
https://status.github.com/messages?latest
======
ggreer
The PRC's DDoS of GitHub seems a little risky.[1] If GitHub is inventive (or
desperate) enough, they could call on their users for aid. The perpetrators
would immediately draw the ire of vast numbers of talented programmers. And
GitHub is positioned to direct this ire toward useful ends. They could
encourage users to contribute to GreatFire, or even start other initiatives
and projects to stymie censorship. The outcome could easily be worse for the
PRC than if the attack had never happened.

1. Even if this isn't a PRC-ordered or sponsored attack, large parts of their
infrastructure are being co-opted. If they aren't criminally involved, they're
criminally irresponsible.

~~~
joshuak
Looks to me like it's time for a DDoS X-Prize.

1. SSDP Flood 21%
2. SYN Flood 19%
3. UDP Flood 13%
4. UDP Fragment 12%
5. NTP Flood 8%
6. GET Flood 7%
7. CharGEN Attack 5%
8. DNS Flood 5%
9. ICMP Flood 2%
10. SNMP Flood 2%

Eliminating these 10 attack vectors would account for 94% of DDoS attacks
according to this visualization[1], as witnessed by Akamai over the last 30
days. Just the top 3 is more than 50%. Seems like a reasonable start on a way
to measure success.

Who'd like to sponsor? Or should I just spin up a GitHub repo for the code and
a kickstarter for the prize money?

[1] [http://www.stateoftheinternet.com/trends-visualizations-secu...](http://www.stateoftheinternet.com/trends-visualizations-security-real-time-global-ddos-attack-sources-types-and-targets.html)

~~~
mike_hearn
SYN Flood was already mitigated a long time ago with SYN cookies. The rest
... well, it's basically just packets.

I see this latest development as good news. The Javascript MITM trick was very
clever because forcing github to render and serve a page is a lot more
resource consuming than just firing packets at servers that ignore them (like
a UDP or SYN flood). The latter can saturate network links until the sources
are blocked, but those sources tend to be somewhat focused and don't shift
much. An HTTP level attack driven by random web users means every request
might have a different IP and it requires running way more of the app stack to
be able to filter them out. If China has now resorted to SYN flooding then it
means they ran out of better techniques.

~~~
blibble
Synflooding is not mitigated by syncookies. The attacker can encode
information inside the packets in exactly the same way as the server, meaning
they don't have to maintain any state, see:
[http://insecure.org/stf/tcpdos/outpost24-sect-sockstress.ppt](http://insecure.org/stf/tcpdos/outpost24-sect-sockstress.ppt)
(slide 18 onwards)

~~~
Buge
That's not a syn flood though. A syn flood is purely syns. So there is no need
for the attacker to encode information if they are just doing a syn flood.
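
What the comments above are arguing about, as an added illustration that is not part of the thread: a SYN cookie packs the half-open connection's state into the server's initial sequence number, so a SYN that is never followed by an ACK costs the server no memory. The 5/3/24-bit layout is the classic SYN-cookie scheme; HMAC-SHA256, the MSS table, `Listener`, `simulate` and the documentation-range addresses are assumptions made for this sketch, and no packets are sent.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # illustrative values; 3 bits allow 8 entries
TICK = 64      # seconds per counter step
MAX_AGE = 1    # accept cookies minted in the current or the previous tick


def _mac24(secret, flow, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the counter."""
    c_ip, c_port, s_ip, s_port = flow
    msg = (ipaddress.ip_address(c_ip).packed + ipaddress.ip_address(s_ip).packed
           + struct.pack("!HHIQ", c_port, s_port, client_isn, t))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(secret, flow, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC."""
    t = int(now) // TICK
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(secret, flow, client_isn, t), "big")
    return ((t % 32) << 27) | (idx << 24) | mac


def check_cookie(secret, flow, client_isn, cookie, now):
    """Return the MSS carried by a valid, fresh cookie, else None."""
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    claimed = (cookie & 0xFFFFFF).to_bytes(3, "big")
    t_now = int(now) // TICK
    for age in range(MAX_AGE + 1):
        t = t_now - age
        if t < 0 or (t % 32) != (cookie >> 27):
            continue
        if hmac.compare_digest(_mac24(secret, flow, client_isn, t), claimed):
            return MSS_TABLE[idx]
    return None


class Listener:
    """Toy listening socket: a bounded half-open queue, or stateless cookies."""

    def __init__(self, backlog, use_cookies):
        self.secret = secrets.token_bytes(32)
        self.backlog = backlog
        self.use_cookies = use_cookies
        self.half_open = {}       # flow -> server ISN, held until the ACK arrives
        self.established = set()

    def on_syn(self, flow, client_isn, mss, now):
        """Return the ISN to send in the SYN-ACK, or None if the SYN is dropped."""
        if self.use_cookies:
            return make_cookie(self.secret, flow, client_isn, mss, now)  # stores nothing
        if len(self.half_open) >= self.backlog:
            return None           # queue full: legitimate SYNs are dropped too
        self.half_open[flow] = secrets.randbits(32)
        return self.half_open[flow]

    def on_ack(self, flow, client_isn, ack, now):
        """Finish the handshake if the ACK acknowledges our ISN + 1."""
        server_isn = (ack - 1) & 0xFFFFFFFF
        if self.use_cookies:
            ok = check_cookie(self.secret, flow, client_isn, server_isn, now) is not None
        else:
            ok = self.half_open.get(flow) == server_isn
            if ok:
                del self.half_open[flow]
        if ok:
            self.established.add(flow)
        return ok


def simulate(use_cookies, flood=1000, backlog=128, now=1_427_600_000):
    """Constructed scenario: `flood` SYNs that never ACK, then one real client."""
    srv = Listener(backlog, use_cookies)
    server = ("203.0.113.5", 443)                      # documentation address
    for i in range(flood):
        src = ("198.51.100.%d" % (i % 254 + 1), 1024 + i)
        srv.on_syn(src + server, secrets.randbits(32), 1460, now)
    client = ("192.0.2.10", 40000) + server
    client_isn = secrets.randbits(32)
    isn = srv.on_syn(client, client_isn, 1460, now)
    connected = isn is not None and srv.on_ack(
        client, client_isn, (isn + 1) & 0xFFFFFFFF, now + 1)
    return len(srv.half_open), connected               # (state held, client served?)


if __name__ == "__main__":
    print("backlog only:", simulate(False))
    print("SYN cookies: ", simulate(True))
```

The cookie protects only the half-open queue: a peer that completes the handshake with a valid ACK still ends up in `established`, which is the distinction drawn in the replies above.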

------
gog
As a paying customer of Github I want them to know they have my undivided
support in staying strong against "the bullies".

~~~
mckoss
"Bully" is rather too weak a label for the perpetrator. This attack is
criminal. If carried out by a sovereign nation, perhaps an act of war. We
don't allow foreign raiding parties to enter our country to loot private
businesses. Neither should we treat this attack as a simple act of "bullying".

GitHub should get the full support of federal law enforcement, if not the
military.

~~~
Qantourisc
We should never take up arms for a threat that has no human casualties,
especially when there are alternatives. If your neighbour enters your home
uninvited, because the door is not locked, the first thing you do is ask
nicely not to do that. The next thing you do is lock the door. You don't start
shooting at them first ...

~~~
tracker1
I'd say cut the internet trunk lines to China... period.. end of story. That
would seem to be an appropriate response. Blacklist China's internet traffic
completely.

~~~
teknologist
This is why hacker news users are not in politics

------
rsuelzer
From looking at the Javascript injection code
([http://www.theregister.co.uk/2015/03/27/github_under_fire_fr...](http://www.theregister.co.uk/2015/03/27/github_under_fire_from_weaponized_great_firewall/))
it seems like the quality of the script is pretty amateur.

They inject jQuery not once, but twice, and only use jQuery to make a simple
XHR request. Perhaps they are worried about one instance of jQuery being taken
down or made unavailable to them, but they really don't need jQuery at all for
something this simple.

~~~
TazeTSchnitzel
It's not even an XHR request. It's a JSONP-style insert-<script
src="someurl"></script>-into-the-body "request".

The fact they used jQuery to do this is incredibly amateurish. Especially
since they didn't seem to realise they could do the same trick with <img>
without creating an XSS vector.

~~~
antihero
I think it is an XHR request, despite that not being the best option, as you
later explain. As in, it includes the jQuery script and then does a `$.ajax()`
call.

------
golergka
Can Github ask for US Government help with it, since it's an attack by
[presumably] foreign sovereign entity? It's paying taxes in US, right — so it
may expect some kind of protection, isn't this what taxes are about?

~~~
pjc50
""Cybercrime"" and ""cyberterrorism"" resources are only deployed (a) for
securing more funding (b) for expanding US surveillance or sometimes (c) on
behalf of big donors like the copyright industry.

The US has no interest in saying "international cyberattack should be illegal"
because then other countries might insist that it stop. They could go for a
trade war escalation, but that would at some point have Apple as a casualty.

~~~
diminoten
That's not true at all, what the hell?

Realize you're talking to folks who do this kind of stuff for a living, rather
than just the random Internet denizens of most other websites.

The FBI will _regularly_ inform and assist companies who've been breached, for
example. The US government is _very_ interested in protecting US companies.

That said, they don't quite have any guidance from congress on how to do that,
so right now the assistance is limited. It is most certainly there, however,
and your tinfoil-hat nonsense doesn't really fly.

~~~
srj
When I was an admin of an IRC network we regularly reported large scale DDoS
attacks to an FBI agent assigned to us. He didn't care. Some of those attacks
took the network down for a while and resulted in many users moving to other
networks. In at least two cases we even figured out the identity, address, and
phone numbers of the people doing it and there was no movement on it.

Then one day one of the people we had the identity of boasted on how he had
briefly brought down the website of one of the democratic primary candidates.
We forwarded that information and our case was reassigned to another agent and
the person was arrested immediately. I absolutely think it's true that the US
government is only interested in protecting established and powerful figures.
I suspect the reason is career driven - defending the little guys isn't
glamorous and probably has no promotion impact.

~~~
nolanhanz
It's a matter of finance more than anything - if the people of the United
States are paying you to protect national interests that is exactly what they
should be doing. I can't speak for your specific situation but my time on the
internet leads me to believe they have bigger fish to fry. Sorry though man I
know that had to suck.

------
maaaats
> _0:50 UTC - Into hour 71 defending the attack. Mitigation is holding and
> service is stable._

Wow, this has been going on for quite some time now!

> _8:18 UTC - The ongoing DDoS attack has changed tactics._

Does anyone know more about these new tactics?

~~~
dujiulun2006
I saw this on Weibo earlier, _NOT_ from a trusted source. But the first and
third rounds have been confirmed.

> 第一轮外域JavaScript，一个alert防住；第二轮外域img，Referer挡外面；第三轮GitHub Pages被D；第四波正在进行，是TCP
> SYN Flood攻击。

My translation:

> The first round was cross-domain JavaScript, stopped with an "alert()".
> Second round was cross-domain <img>, stopped with referrer. Third was DDoS-
> ing GitHub Pages. Fourth is the ongoing TCP SYN Flood attack.

~~~
sunflowerdeath
What about inserting invisible iframe to affected sites? I think it can not be
prevented.

~~~
dujiulun2006
Since GitHub (and other sites) can modify their webpages, something like:

    <script> if (window != top) top.location = 'http://www.google.com'; </script>

returned as a static webpage would do the trick.

~~~
fotcorn
This script can be disabled with the sandbox attribute on <iframe>:
[https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe)

~~~
AgentME
Scorch the earth if it doesn't work then:

    
    
        <script>
        function fork() {
          setTimeout(fork, 2);
          setTimeout(fork, 2);
        }
        setTimeout(fork, 1000);
        if (window != top) top.location = 'http://www.google.com';
        </script>
    

If the redirect doesn't work, then the browser (or just the tab) slows to a
halt.

~~~
txangel
Too late, they should have done that first. Nice idea though.

------
rootlocus
The fact that someone would target GitHub for a massive DDoS attack makes me
sick to the stomach.

~~~
jacquesm
Any company that makes most or all of its money online is the subject of DDoS
attacks for blackmail purposes, github a bit more so because the Chinese
government doesn't like it.

It's unfortunately a very normal thing these days.

~~~
randomchars
What is the PRC's problem with Github?

~~~
elvispt
It's due to these two repos most likely.

[https://github.com/greatfire/](https://github.com/greatfire/)

[https://github.com/cn-nytimes/](https://github.com/cn-nytimes/)

Access to them is currently not possible though.

~~~
mehhhhhhh
It is:

[https://github.com/cn-nytimes](https://github.com/cn-nytimes)

[https://github.com/greatfire](https://github.com/greatfire)

~~~
elvispt
Had that wrong. thanks.

------
jakhob
This attack is perhaps just a taste of something nastier. The GitHub
infrastructure is rock solid and gives valuable real time information via its
status dashboard. This seems ideal for measuring the impact of an attack
before choosing a more critical target.

~~~
fixxer
An interesting theory and I'm sure the attackers are savvy enough to collect
data, but github is a pretty good target in its own rights.

------
gbog
Hi, foreigner working in Chinese high tech company here. I wonder a bit, on
which ground is this attack attributed to Chinese gov? It looks a bit unlikely
to me. China has some cyber military but they are more likely to be pragmatic
and choose wisely their targets. There's a bunch of script kiddies but they
would choose also something else. However it seems possible that many servers
hosted in China are not secured and could be used for this attack, by some
other people.

Just my first thought as an insider...

~~~
polysics
The MITM on HTTPS traffic that seems to be involved in the first attack stages
is actually pretty good evidence.

~~~
jtgeibel
Do you have a link to this? I haven't seen anything regarding HTTPS injection.
Just injection of code into javascript resources hosted by Baidu CDN, over
HTTP.

------
vixsomnis
Interestingly enough, if the attacks never stop (which is a possibility), the
engineers at GitHub might still come up with a way to effectively nullify DDOS
and continue their normal operations.

Which would be a massive advance in cyberdefense. It's unlikely, but it would
be a great example of "natural selection" (via their intelligent engineers'
efforts) at work.

It will no doubt take ingenuity, but I don't think any other website than
GitHub is in the position to do this. Especially right now.

~~~
mirashii
Nullifying DDOS doesn't take ingenuity, it takes a big wallet, which Github no
doubt has, but let's not pretend that it's some engineering feat. If it was, a
small company being ddosed would have a chance at fending it off all the same,
but that's just simply not the case.

~~~
vixsomnis
I'm not well-versed in the technical details of defending from DDOS, but
unless it's a mathematical NP-complete problem, they have a chance.

~~~
mirashii
Honestly, if you start by saying you're not well versed, how can you
confidently make a statement about whether it is possible or not?

Large scale DDOSes are usually the most damaging when they're high bandwidth
(Layer 7 attacks can usually gradually be mitigated by well written firewall
rules placed on the proximity of the network). When a DDOS is just maxing out
the bandwidth coming into your network or sometimes even data center, no
amount of clever algorithms can make your pipes bigger. For that, you need
money.

*edit fixed a minor typo

~~~
vixsomnis
I'm not confident. I'm saying there could be a way to mitigate DDOS that we
don't understand yet.

It's unlikely, but possible.

------
pfortuny
It would be interesting to compute the value (in MWh for example) of the
energy used for this attack. Seems massive to me. Not just the traffic but the
job performed by each computer.

------
kenrick95
Blog post from GitHub related to this.

[https://github.com/blog/1981-large-scale-ddos-attack-on-gith...](https://github.com/blog/1981-large-scale-ddos-attack-on-github-com)

~~~
MetaCosm
I really wish they would post what the attacker wants removed so we could
mirror it, post it, etc. The streisand effect is a good response to things
like this I think.

~~~
pstadler
It appears that the first attack was targeted at
[https://github.com/cn-nytimes/](https://github.com/cn-nytimes/) and
[https://github.com/greatfire/](https://github.com/greatfire/) [1]. Accessing
these two pages still responds with `alert("WARNING: malicious javascript
detected on this domain")` which is supposed to be executed on the (innocent)
client's browser.

[1]
[https://news.ycombinator.com/item?id=9275381](https://news.ycombinator.com/item?id=9275381)

~~~
13throwaway
You can access those pages by removing the final slash.
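
The first two rounds described in this thread (a constant `alert()` body for script loads of the targeted URLs, a Referer check for cross-site `<img>` loads), sketched as an edge pre-filter that decides before any application code runs. This is an added example, not GitHub's code: `OWN_HOSTS`, the `Accept`-header heuristic, the image-extension list and the sample requests are assumptions.

```python
from collections import Counter
from typing import NamedTuple
from urllib.parse import urlsplit

OWN_HOSTS = {"github.com"}                      # assumption: Referer hosts treated as first-party
TARGET_PATHS = {"/greatfire/", "/cn-nytimes/"}  # URLs named in the thread, trailing slash included
ALERT_JS = b'alert("WARNING: malicious javascript detected on this domain")'  # body quoted in the thread
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")  # assumption


class Verdict(NamedTuple):
    action: str    # "static-js", "reject" or "pass"
    status: int    # 0 means: hand the request to the application
    body: bytes


def referer_host(headers):
    """Host named in the Referer header, or None when the header is absent."""
    ref = headers.get("referer")
    if not ref:
        return None
    return (urlsplit(ref).hostname or "").lower()


def decide(method, target, headers):
    """Classify one request using only the request line and two headers."""
    headers = {k.lower(): v for k, v in headers.items()}
    path = urlsplit(target).path                 # drops any query string
    # Round 1: the targeted URL is being loaded as a script by other sites'
    # visitors, so answer with a constant script body instead of rendering HTML.
    if method == "GET" and path in TARGET_PATHS:
        return Verdict("static-js", 200, ALERT_JS)
    # Round 2: a page URL fetched as an image from a page on another site.
    # Referer is client-supplied, so this only catches ordinary browsers that
    # were steered here, which is the case the thread describes.
    wants_image = headers.get("accept", "").strip().lower().startswith("image/")
    ref = referer_host(headers)
    cross_site = ref is not None and ref not in OWN_HOSTS
    if wants_image and cross_site and not path.lower().endswith(IMAGE_EXT):
        return Verdict("reject", 403, b"")
    return Verdict("pass", 0, b"")


SAMPLE = [  # constructed requests, not captured traffic
    ("GET", "/greatfire/", {"Referer": "http://portal.example/news", "Accept": "*/*"}),
    ("GET", "/cn-nytimes/?x=1", {"Accept": "*/*"}),
    ("GET", "/greatfire", {"Accept": "text/html"}),   # no trailing slash: served normally
    ("GET", "/some-user/some-repo",
     {"Referer": "http://portal.example/", "Accept": "image/webp,*/*;q=0.8"}),
    ("GET", "/some-user/some-repo",
     {"Referer": "https://github.com/explore", "Accept": "text/html"}),
    ("GET", "/images/logo.png",
     {"Referer": "http://blog.example/", "Accept": "image/png"}),
]


def tally(requests):
    """Count verdicts over a batch of (method, target, headers) tuples."""
    return Counter(decide(*r).action for r in requests)


if __name__ == "__main__":
    print(tally(SAMPLE))
```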

------
dengnan
Previous discussion
[https://news.ycombinator.com/item?id=9275041](https://news.ycombinator.com/item?id=9275041)

------
ck2
If this is China doing this, it makes me so upset the US has spent years and
billions of dollars building up their economy instead of countries like
Mexico.

Our relationship with them is almost as bad as our middle-eastern oil
addiction.

~~~
nacs
> US has spent years and billions of dollars building up their economy

China is the one "funding" the US actually.

From
[https://en.wikipedia.org/wiki/National_debt_of_the_United_St...](https://en.wikipedia.org/wiki/National_debt_of_the_United_States):

> $6.1 trillion or approximately 47% of the debt held by the public was owned
> by foreign investors, the largest of which were the People's Republic of
> China and Japan at about $1.3 trillion and $1.2 trillion respectively.

------
SXX
This news about the attack makes me wonder why GitHub hasn't just blocked these
repositories for all Chinese IPs. It would be logical after they censored
certain repositories for Russian IPs:

[https://github.com/github/roskomnadzor](https://github.com/github/roskomnadzor)

Just in case: anyone who tries to access the repos from Russia gets something
like this:

[http://imgur.com/ytD5VYx](http://imgur.com/ytD5VYx)

And no, I don't support any of this and am strictly against any censorship, but
still it looks weird that GitHub agreed to deal with the Russians, but not the
Chinese.

~~~
cmpb
It's because the requests aren't actually coming from China. China is
redirecting worldwide users from Baidu to GitHub. Sorry, I don't have the link
handy, but it was in that WSJ article on the front page.

~~~
SXX
I do understand this, but if it's the Chinese government behind the attack, the
reason they're doing this is these anti-censorship projects hosted on GitHub.
Considering GitHub already supported censorship in Russia, I see no reason why
they don't just block access from China to projects that the Chinese gov doesn't
like.

~~~
rst
Because Github does not want to be complicit in Chinese government censorship,
and if they blocked what that government obviously wants them to block, then
they would be.

~~~
sqren
> Because Github does not want to be complicit in Chinese government
> censorship

I think you are missing the guy's point: what is the difference between
Russian censorship and Chinese censorship? Github made a deal with Russia -
why not also China?

~~~
Laforet
I know this might sound Kafkaesque but here it goes: Internet censorship is
extralegal in China and the official stance is to deny its existence. They are
known to be somewhat proud of the fact that "we respect internet freedom and
never took down any websites hosted overseas". There is going to be no deal
because that would be an admission of responsibility.

~~~
SXX
So the fact that the great firewall exists isn't officially documented?

Didn't know about that; that makes the difference. Usually in totalitarian
countries everything is well documented, as everybody wants to put
responsibility on someone else.

------
butwhy
Out of curiosity, would Cloudflare be able to sustain the amount of inbound
requests they're handling?

~~~
lucb1e
Haven't seen many stats, but I'm pretty sure they could. If I remember
correctly they deflected one of the largest we've ever seen which even made
trouble for the Internet's infrastructure.

~~~
_asummers
This [1] is what you're referring to, I believe.

[1]
[https://www.youtube.com/watch?v=w04ZAXftQ_Y](https://www.youtube.com/watch?v=w04ZAXftQ_Y)

------
binoyxj
Git well soon!

------
pstadler
I'm looking forward to a post from GitHub describing what exactly was thrown
at them and how they were able to mitigate it.

~~~
pstadler
For what it's worth there's an article[1] from Craig Hockenberry. His servers
were hit by massive amounts of traffic from China earlier this year, targeted
(randomly?) at Iconfactory's website. The charts are quite impressive.

[1] [http://furbo.org/2015/01/22/fear-china/](http://furbo.org/2015/01/22/fear-china/)

~~~
johansch
That (52 Mbit/s) was extremely small in comparison to modern DDoS attacks
(which can be in the hundreds to thousands of Gbit/s).

It could have been launched from a single raspberry pi with a 100 Mbit/s
residential uplink.

~~~
markvdb
Agreed about the extremely small attack, but one pi couldn't have done it.
You'd need at least two or three. A pi will only get you to ~3Mb/s sustained
ethernet. That's because ethernet is tacked onto the USB subsystem in a funny
way.

~~~
johansch
I guess I meant a raspberrypi 2. :)

[http://www.midwesternmac.com/blogs/jeff-geerling/getting-gig...](http://www.midwesternmac.com/blogs/jeff-geerling/getting-gigabit-networking)

------
beefsack
As convenient as GitHub is, let this be a lesson to ensure you have multiple
remotes for your repositories. The more popular GitHub gets, the more it will
become a target from a wide range of vectors.

~~~
dorfsmay
All your devs already have copies of your repos, and setting up a common
server to share over ssh is easy (first thing we did on Friday). The bigger
issues are dependencies, most people's builds these days depend on pulling
dependencies from github.

------
ionwake
I'm confused - what is the reason behind it ?

~~~
oneeyedpigeon
Gizmodo has some info. but I wanted to find a less trashy source; the register
has a story [1]. In short, it's suspected that the Chinese government is
behind the attack because there are some projects hosted on GitHub that it
ideologically disagrees with.

[1]
[http://www.theregister.co.uk/2015/03/27/github_under_fire_fr...](http://www.theregister.co.uk/2015/03/27/github_under_fire_from_weaponized_great_firewall/)

~~~
mrweasel
Which raises the question: when will the rest of the world kick China off the
internet? First it was redirecting Chinese internet users to random IPs, if
the government didn't like their DNS queries and now they're doing a DDoS attack
on a site that hosts a large percentage of open source code, used for a whole
host of services and products.

At some point it's going to make more economical sense to kick China off the
internet.

~~~
est
> Which raises the question: when will the rest of the world kick China off
> the internet?

Well, that's exactly what the DDoS wanted, so the government could just
happily control all access to Internet in mainland China

The DDoS targets github.com/greatfire and github.com/cn-nytimes by their so
called "collateral freedom" [1]

Suppose github could just ban Chinese IP all together, but @greatfire could
easily jump to another host and abuse ToS to hosting "neutral" political
content, like bitbucket[2]

Many webmasters have already banned all Chinese IPs, so gradually, every
public hosting service will eventually ban all Chinese IPs, Chinese government
could easily destroy the rest of circumvention methods

[1]: [https://en.greatfire.org/blog/2014/jan/collateral-freedom-fa...](https://en.greatfire.org/blog/2014/jan/collateral-freedom-faq)

[2] [https://bitbucket.org/greatfire](https://bitbucket.org/greatfire)

~~~
mike_hearn
The first attack based on the Javascript wasn't actually using Chinese IPs to
do the attack. As otherwise it'd indeed be very easy to block by just
blackholing Chinese traffic.

What it was actually doing was a massive MITM attack against non-SSLd HTTP
connections from _inbound_ connections to China, from Chinese users abroad
visiting Chinese websites. It's an extremely clever trick that is only
possible if you have the ability to mount mass MITM attacks on an entire
country, but what it gives you is a massive ever shifting botnet.

The lesson I draw from this is that we need more SSL, we need it everywhere
and we need it yesterday. I hope this stuff puts to rest the idea that some
websites aren't worth being encrypted.

~~~
KMag
I agree in general, but in this specific case, Beijing can just demand access
to Baidu's private keys and MITM all traffic passing through the GFWoC.

~~~
rmc
Chinese government already has a root CA in all browsers.

~~~
KMag
> Chinese government* already has a root CA in all** browsers.

* For definitions of "Chinese government" that includes the Beijing non-profit China Internet Network Information Center, which isn't technically part of the government, but presumably is easily pressured.

** For definitions of "all browsers" that excludes some minority browsers and those browsers run by users who have disabled the CNNIC root cert.

I have no doubt that the Chinese government has access to the CNNIC root
certificate private key if it so chooses, but demanding the private key for an
existing domain certificate would provide slightly less traceability and
slightly more deniability.

------
gojomo
Can we be sure it's not Chinese hacktivists seeking justice via a digital sit-
in?

~~~
addicted44
Why would Chinese hacktivists want to attack a project which increases their
ability to get past the GFW?

~~~
imron
Hacktivist by itself doesn't imply anti censorship. Just people who hack as a
form of activism.

In china there are hacktivists that are against the government and hacktivists
that support the government's agenda and who hack for patriotic purposes and
to avenge perceived slights against china.

It's a well known phenomenon in china known as red hackers (or the Honker
Union:
[http://en.wikipedia.org/wiki/Honker_Union](http://en.wikipedia.org/wiki/Honker_Union)
)

And it's far more likely that they are behind this sort of thing.

People with the skills to be a member of that sort of group have no need for
either of the two relatively obscure projects hosted on GitHub to circumvent
the GFW.

------
rellik
Thanks (China) for doing this on a weekend! Works out well for what I imagine
are a large portion of Github's paying users.

Please stop by tomorrow morning.

------
sillyryan
Anybody else like me who doesn't understand why China is really doing this?
Fun? The closest explanation I found is this -
[http://www.wsj.com/article_email/u-s-coding-website-github-h...](http://www.wsj.com/article_email/u-s-coding-website-github-hit-with-cyberattack-1427638940-lMyQjAxMTA1ODIzOTgyNDkzWj)

------
philjohn
Perhaps, if a country is shown to launch these kind of attacks[1], a second
"great firewall" could be installed at peering points with that country, to
filter out this kind of attack before it can reach the internet as a whole ...

[1] assuming, of course, this is the work of a government, and not simply some
disenfranchised actors inside said government

~~~
gibsonje
That wouldn't work here, from what I understand. This attack is only using
hosts outside of China, not within.

------
fixxer
With as much ddos mitigation as github has to deal with, those
developers/admins have even brighter futures ahead of them.

------
sgloutnikov
This explains why I was unable to reach Github for a few minutes yesterday.
But, I appreciate how they are handling everything.

------
andrewstuart
It seems governments are both protagonist and defenceless in cyber war.

~~~
higherpurpose
Nothing another surveill...I mean cyber law can't "fix".

~~~
wongarsu
Yeah, if we had a way for governments to legally and openly block arbitrary IP
traffic we could prevent this. It's all necessary to fight against these
commu... terrorists. It's totally necessary if we want to keep our freedom.

/s

~~~
csense
Commu-terrorists? It sounds like they're members of an Abelian terrorist group

~~~
cocoablazing
They've had 0 technology for a millennium, so more properly they would be a
revolutionary integral domain.

------
josephmx
Most blog updates like this post the traffic they're experiencing, is there a
reason Github wouldn't do that?

~~~
justinsb
I think the lack of traffic numbers speaks volumes.

~~~
Estragon
What does it say?

~~~
justinsb
That the traffic numbers are much less than other DDoS attacks.

------
butwhy
So.. Every website running baidu analytics is going to show a warning popup to
all visitors, on every page?

~~~
oneeyedpigeon
That was an early issue, but - according to the GitHub status page - the
attack has changed many times since that. Has anyone found any info. regarding
what behaviour the attack is now exhibiting?

------
2DTFtxfDpN
Github could respond to requests that match the attack pattern with
compression bombs: [http://www.aerasec.de/security/advisories/html-bomb/](http://www.aerasec.de/security/advisories/html-bomb/)

------
ramigb
Each time I hear about DDoS attacks I wonder why we don't have serious
effective mitigation strategies even though there are brilliant computer
scientists out there who always come up with very smart solutions, this is a
genuine question and not a rhetorical one.

~~~
MichaelGG
Most of it comes down to shoving 10X traffic down a 1X pipe. You can write
smart fast software, but if your wires are saturated...

There is one common problem, and that is that the major transit carriers/ISPs
allow you to spoof your source IP. That allows some attacks to be done easier
than otherwise. But that's more of a special case and doesn't matter when
there is hijacking going on like in this attack.

Blocking attacks at the source is probably not a solution either, since you'd
have to have a distributed way of getting filtering rules out to every ISP.

~~~
fryguy
If it were possible to stop some of that 10X before it even got to the pipe,
that would be the only kind of mitigation for that kind of attack. Something
like that, though, would require some pretty sophisticated firewall technology
that lives outside of your infrastructure.

~~~
pixl97
Before it got to whose pipe? ISPs have very little interest in filtering
outbound traffic. Most clients have limited upstream, and they would have to
pay for the expense of this filter. If you botNet 100,000 computers in
different places each ISP they are on suffers very little, the target suffers
a lot, and the carrier in between has very little interest in spending CPU
time on fixing the issue.

------
pki
looks like github is announcing via prolexic for protection now?

~~~
butwhy
How can you tell?

~~~
devicenull
[http://bgp.he.net/AS36459#_peers](http://bgp.he.net/AS36459#_peers)

------
whoisthemachine
If this is being funded and/or perpetrated by a foreign government with China-
like resources, I wonder how much extra capacity they have to expand the
attack? Are they throwing everything they have at it now? I kind of doubt
that.

------
mangeletti
If the attack crosses certain lines, it could be considered to be an act of
war[1]. Considering many government agencies use GitHub[2], where are these
lines drawn?

[1] [http://www.forbes.com/sites/reuvencohen/2012/06/05/the-white...](http://www.forbes.com/sites/reuvencohen/2012/06/05/the-white-house-and-pentagon-deem-cyber-attacks-an-act-of-war/)

[2] [https://government.github.com/](https://government.github.com/)

------
plicense
What is Github's backend like? Do they use cloud service providers or do they
manage their own infrastructure?

Highly curious to know how Github is preventing the site from crashing down.

~~~
yla92
In an old post (in 2009)[1] from their blog, they host their stuff on
Rackspace.

[1] [https://github.com/blog/530-how-we-made-github-fast](https://github.com/blog/530-how-we-made-github-fast)

------
Tehnix
While many seem to immediately yell out that the PRC did it, conversely a
hacker could just intend to make it seem like PRC was responsible by diverting
the attention away from themselves and there to... I simply just don't feel
like PRC would be as stupid as to so openly DDoS a target, it doesn't take
much to be a bit more elaborate than that.

------
fideloper
I'd be interested to hear what this attack ends up costing GitHub in man
power, bandwidth fees and so on. I wonder if any cost will be waived - I could
see, for example, a large cost if they host DNS with AWS (although it sounds
like they may host DNS at Akamai - I haven't checked as I'm writing on the
go).

------
kyled
Maybe not the best tactic, but they can selectively issue a 301, and point to
a page that contains a new link to the project? The new page can be cached. In
the future they can issue another 301 to point back to the original page.
Hopefully web browsers will cache the new url.

------
giovannibajo1
I wonder what would happen if Google put Baidu Ad javascript into the Safe
Browsing list...

~~~
vpeters25
I think they should: traffic through the Great Firewall of China has been
compromised, it's getting injected with malware and therefore cannot be
trusted.

Browsers and all safe browsing software should treat any traffic through the
Great Firewall of China as malicious and show a scary warning in your browser
asking to confirm before going there.

The drop of traffic to Chinese servers and therefore customers would create
such a big outcry it might make them stop.

------
eliyak
[http://www.ijcat.com/archives/volume3/issue7/ijcatr03071006....](http://www.ijcat.com/archives/volume3/issue7/ijcatr03071006.pdf)

------
majke
I must say I wonder a lot about the volume of generated traffic. Is that hundreds
of connections? Thousands? Millions? What is the number of unique IP's hitting
them, bandwidth, etc.

Does anyone have any data on that?

------
Tistel
high level - how does one mitigate against a DDOS attack?

~~~
brador
Make each "hit" cost as little to you in bandwidth/resources, and as much as
possible to the attacker.

National solution is to stop known bad nodes at the ISP level.

------
djhworld
This is having a knock on effect on HEROKU deployments with custom buildpacks,
as I believe the deployer fetches the buildpack from github.

------
wifera
How would these kinds of DDOS attacks affect a service that is behind a major
CDN like cloudfront or cloudflare? Would this affect those?

------
paradite
Why are there so many condescending comments about "saving the Chinese
people"? Ask yourselves, are you really qualified to judge the Chinese people?
Have you been to China? Have you been to different parts of China? What are
the main sources that you obtain news? Are you reading the "assumptions" over
and over again until they are "assumed" as facts? I liked this place when it
used to be just about technologies.

~~~
adventured
HN was never just about technology, for the same reason hackers don't only
hack. That's part of what makes it so great.

------
GnarfGnarf
Does "PRC" refer to People's Republic of China? Not clear.

~~~
qmalxp
Yes.

------
codr4life
1) Fork everything you need. 2) Fuck up GitHub 3) Profit?

------
iamsalman
This has been going on since early Friday for me.

------
muyuu
There are a few comments about China being involved. Is there any indication
of that? I haven't seen anything from Github themselves or elsewhere, just the
comments here.

------
hatelove85911
shit! no wonder why I'm constantly receiving error messages. why attack
github? github is so great.

------
linzh
sorry for that. F __k GFW.

------
nickleefly
Shame on GFW

------
WorldWideWayne
Why can't GitHub just serve up pages with javascript that causes the user to
re-attack the source of the initial attacks?

~~~
perlgeek
Or mine bitcoins for them on the attacking user's machine, to pay for the
increased bandwidth.

(Probably hard to do it in a way that wouldn't backfire in some way or
another, but the idea still makes me smile).

~~~
nevir
Donate those bitcoins to groups that deal with the GFW

------
hackedips
We will probably find out it was a mistake and the programmer has been
"fired".

~~~
hackedips
Guess you don't understand diplomacy.

------
hackedips
The github service is nice, but do you really want to put your
[code|website|etc] somewhere that can become inaccessible if some
[person|group|criminal|government] decides they don't like something about it?

~~~
chrishas35
What service wouldn't be susceptible to such an attack? The only way to avoid
it would be to not put your [code|website|etc] on the internet. That seems a
bit extreme.

~~~
hackedips
It is not the DDoS that I have a problem with. It is the centralization of the
Internet that I have a problem with. Host your own shit, pay your own costs.
This way if somebody gets pissed at you for your shit code, you don't cause
problems for me and my shit code.

------
verroq
Time to DDOS the entire Chinese IP space. Once the citizens experience network
outages, they'll be able to direct their anger at the PRC who started this
bullshit.

PRC wins if Github null-routes the Chinese IP space, Github must stay up no
matter what.

~~~
nick89
Yes, just like "North Korea" hacked Sony's servers...

Misinformation will happen on a large scale due to media outlets publishing
the most enticing headlines. It will also push more anti-<insert country of
choice> behaviour.

~~~
verroq
How much do they pay you to post here?

The proof that it's China is irrefutable. Baidu's JS gets intercepted and
modified. Target of the attack is the greatfire repository. I wonder who's
behind this?

~~~
nick89
> Time to DDOS the entire Chinese IP space. Once the citizens experience
> network outages, they'll be able to direct their anger at the PRC who
> started this bullshit.

Sigh. I'm referring to Chinese citizens... Your post was wrong in every way,
in stating that DDoS'ing Chinese citizens will make them angry with their
government.

Freedom of speech isn't as forward there (you know the whole GFW), so whatever
the media pushes (I.e. what the government feeds them) will be what the vast
majority of the public think... Even if you wanted to search for the "truth",
the GFW could easily censor it like they already do.

------
pain
Gitchain needed please, if we can stop ignoring the root of the problem is the
habit to preserve corporal central force.

[http://Gitchain.org](http://Gitchain.org) links with
[http://Factom.org](http://Factom.org) and needs complement not ignore the
deep research and development environment we need to profoundly edit safed
social structure.

(Their author failed to secure funding for Gitchain and then made Factom,
while the issue needs equally relate each part as a side of research,
expression, development log, proof, and safety machinations important to
combine.)

~~~
coderzach
Was that markov text?

~~~
pain
Reading is painful? Reading painful? Reading too painful to count?

(Pain even if it matters the odd variables are resistance to and war away from
sharing and hosting collective change logs?)

