
The Great Cannon has been deployed again - robbya
https://cybersecurity.att.com/blogs/labs-research/the-great-cannon-has-been-deployed-again
======
upofadown
Browsers really have to be a lot more skeptical about the code they run.
Running code should not be able to randomly attack any IP address on the
internet. Code from non-TLS pages should not be able to run at all. Perhaps
that should also apply to code loaded from 3rd party sites.

Connecting to a web page should not be consent to allow the operators of that
web page to make my computer/phone do whatever they want on the net. It
certainly should not be consent to delegate that power to others, either via an
embedded link or a MITM attack.

~~~
TheRealPomax
This sounds like a knee-jerk reaction that doesn't take into consideration the
ramifications of the suggested policy. It won't stop DDoS attacks, because
those exist _because the internet exists_ and unless you dismantle the very
concept of interconnected "everyone can reach everyone" networking, all you're
doing is locking down access to more and more people until only technical
experts or the people with enough money to hire those experts get to use it.

Advocate the other direction: more freedom, including the freedom to say
"thank you, browser, for being locked down by default, but I trust this
website and I am okay with everything it wants to do".

Instead of locking the web down, let's give users the freedom to put on or
remove as many locks as they want to live with. And let them make mistakes with
that, too: you don't make things better by taking away important life lessons,
either.

~~~
jstummbillig
This, on the other end of the spectrum, seems overly and naively liberal, when
not being paired with a workable solution to the massive body of education
required to provide adequate technical sophistication to (what has to be most
of) 8 billion people.

~~~
chachachoney
>> a workable solution to the massive body of education required to provide
adequate technical sophistication

The problem doesn't have to be one of education if it is tackled as a
legitimate UI/UX problem and served by a W3C that supports the needs of end
users over corporate partners.

------
ngcc_hk
“a web site Lihkg.com” is really an understatement, as its title indicated.
Given the “be water” and no-leader approach, lihkg is really the only way to try
to have some sort of info among possible noise (where the popo likely also post
their confused messages). There were discussions about cutting off access by the
HKSARG, and a rush to install VPNs was promoted. Guess they cannot firewall HK
given its financial centre status.

The evil empire and culture will try and try to harm liberty and human rights.
If it were not so important you would not see many HKers like me posting in
here and other places, but rather in concentration camps like the northern
Turks up north.

------
jacquesm
So, maybe firewall off China for a couple of days? Sure, it would hurt on both
sides but at least it would be clear that abuse at this scale leads to being
blackholed.

~~~
dmead
that's what they want. a bifurcation of the internet.

~~~
jacquesm
No they don't. They want to use it as a weapon against targets of their
choosing and co-opt the rest of the net in doing so. The economic importance
of the internet to China can not be overstated.

~~~
logfromblammo
They want a semipermeable membrane that money can cross, but uncontrolled
information can't.

------
nullc
The web needs to start moving towards a strong same-origin policy for all
embedded content-- require sites to proxy requests if they want third party
content.

The first step could be sending CORS preflight, then requiring it, then just
not allowing cross origin to different domains (but allow sub-/sibling-
domains).

~~~
1shooner
How would this be different than the CNAME cloaking[1] currently being used by
data collectors to circumvent ad blocking software?

1\.
[https://news.ycombinator.com/item?id=21604825](https://news.ycombinator.com/item?id=21604825)

~~~
mrgreenfur
I agree that this is the next step in the ad-tech / spy-tech war.

uBlock recently found an approach for blocking cnamed origins:
[https://github.com/gorhill/uBlock/commit/3a564c199260a857f3d...](https://github.com/gorhill/uBlock/commit/3a564c199260a857f3d78d5f12b8c3f1aa85b865)
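
To make the distinction between nullc's "allow sub-/sibling-domains" rule and 1shooner's CNAME-cloaking objection concrete, here is an added example. It is not code from the thread, from uBlock, or from any browser: it classifies a sub-resource URL as same-site by hostname, then follows a CNAME chain the way a CNAME-aware blocker would. The DNS records, every hostname, and the two-label "registrable domain" rule are constructed for the example; real code needs a resolver and the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed CNAME records standing in for a resolver. Every name here is
# hypothetical; "tracker-cdn.invalid" plays the role of a third-party
# analytics host that the site has cloaked behind its own sub-domain.
CNAME_RECORDS = {
    "metrics.shop.example": "shop.example.tracker-cdn.invalid",
    "shop.example.tracker-cdn.invalid": "edge.tracker-cdn.invalid",
}


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Real code must consult the Public
    Suffix List so that e.g. 'example.co.uk' is handled; assumption here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def same_site(page_url, resource_url):
    """The 'sub-/sibling-domain' rule from the comment: same registrable domain."""
    page_host = urlsplit(page_url).hostname
    res_host = urlsplit(resource_url).hostname
    return registrable_domain(page_host) == registrable_domain(res_host)


def resolve_cname_chain(host, records=CNAME_RECORDS, max_hops=8):
    """Follow CNAMEs until a name with no CNAME (where A/AAAA would live)
    or the hop limit; a loop is an error rather than an infinite walk."""
    chain = [host]
    for _ in range(max_hops):
        target = records.get(chain[-1])
        if target is None:
            break
        if target in chain:
            raise ValueError(f"CNAME loop at {target}")
        chain.append(target)
    return chain


def classify_resource(page_url, resource_url, records=CNAME_RECORDS):
    """'same-site' by name and by DNS; 'cloaked-third-party' if the name is
    first-party but its CNAME chain ends elsewhere; otherwise 'third-party'."""
    if not same_site(page_url, resource_url):
        return "third-party"
    page_domain = registrable_domain(urlsplit(page_url).hostname)
    final_name = resolve_cname_chain(urlsplit(resource_url).hostname, records)[-1]
    if registrable_domain(final_name) != page_domain:
        return "cloaked-third-party"
    return "same-site"
```

A hostname-only same-site rule waves the cloaked tracker through; uncloaking the CNAME chain catches it. A site that instead proxies the third party through its own server, as nullc proposes, is indistinguishable at the DNS layer, which is what makes that proposal different from cloaking: the first party then owns and answers for every request.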

------
crazygringo
I'm curious: is it technically and politically possible for the operators of
all internet cables receiving traffic from China to filter _out_ malicious
scripts?

AT&T's writeup says the injection is only possible because it's HTTP (not
HTTPS), and that there are two specific JavaScript files which sometimes serve
up the malicious code.

So in case of known malware like this being served from within a geographic
region... is there any way to filter this out at scale? Or is that
computationally infeasible at scale, so it would have to be built into the
browser or something?

The article also doesn't make clear -- is this DDoS coming _exclusively_ from
outside of China? Or is it injecting the same malicious code inside of China
as well, and they're just not bothering to distinguish between requests coming
from inside or outside the country? (In which case, the DDoS will continue
regardless, just not with the rest of the world's help.)

~~~
gruez
>I'm curious: is it technically and politically possible for the operators of
all internet cables receiving traffic from China to filter out malicious
scripts?

Considering that the halting problem is undecidable, it's impossible to filter
out the malicious scripts with complete certainty. The best you can do is use
blacklists/heuristics which lead to an arms race.

>So in case of known malware like this being served from within a geographic
region... is there any way to filter this out at scale? Or is that
computationally infeasible at scale, so it would have to be built into the
browser or something?

Foreign ISPs can block port 80 or HTTP requests from going into China. Sure,
it's going to break a lot of sites, but it's relatively simple for any site to
get unblocked - all they need to do is set up Let's Encrypt.

~~~
mlyle
> Considering that the halting problem is undecidable,

This doesn't mean that you can't prove a big subset of scripts safe.

> The best you can do is use blacklists/heuristics which lead to an arms race.

You can also allow the scripts that automatically prove safe, plus other
popular scripts you decide to explicitly allow, plus other scripts that are
low-rate enough that you don't believe them to be a concern.

------
pkilgore
So if the cannon is created using the great firewall, how does the Chinese
government establish any sort of plausible argument that this isn't state-
sponsored activity?

Do they just not care?

Some day soon a war will not be started with an assassin's bullet but with a
tool like this. I wonder when we start looking at them the same way?

~~~
MR4D
War seems to progress as follows:

0 - Peace
1 - Trade War
2 - Financial War
3 - Electronic War
4 - Shooting War

Note that 1 & 2 are different types of Economic war, and could be grouped
together. The steps occur in order, but steps can be skipped.

From a US-centric point of view, North Korea and Iran seem to be at #3. China
& Russia are at a limited version of #2.

Chinese/HK seem to be at #3 with each other. Given how invisible Electronic War
can be, it's possible that they are deep in #3. It's also possible that #4
might be initially fought with HK Police forces as a proxy. Think of that as
"4a".

~~~
chewbacha
I don't know who to attribute this to but I've heard a saying:

"Countries that trade with each other don't make war with each other."

As we isolate countries and disrupt trade we definitely are increasing the
risk of conflict.

~~~
_red
Yes, who cares about the forced labor camps and suicide nets around factories.
I want my cheap plastic consumer devices!!

~~~
oblio
> Yes, who cares about the forced labor camps and suicide nets around
> factories.

Nobody really cares, except for those directly involved. Sad but true, nobody
will ever go to war for that, for foreign citizens.

> I want my cheap plastic consumer devices!!

People do actually want that. And their cheap shoes and clothes and...

------
DyslexicAtheist
This should be mitigated by browser vendors by integrating HTTPSEverywhere as
a core functionality of the browser that needs to be explicitly turned off
(instead of the current state of affairs where we have a tiny minority on the
web who are familiar with installing security add-ons). Visiting a HTTP site
should come with a scary warning. I understand this throws old sites under the
bus, but there could be other solutions here such as restricting 3d party
resources as a second layer defense once the user clicks through the first
warning to access the HTTP content.

and in case I'm totally wrong, what mitigations are feasible? More trade war
such as by compelling ISP's to null-route Chinese businesses like Baidu.com as
a form of sanction?

~~~
LeftHandPath
I recently (4 or 5 months ago) joined an online community of aircraft owners
and pilots that is primarily focused around a single brand of aircraft
(although it's not an official site of, property of, that brand nor is it
endorsed by that brand).

When I signed up, they emailed me to welcome me to the site (they actually
require manual authorization of users by an admin, which is... refreshing, but
uncommon). The email ended by stating that if I lost my password, they could
"recover it" and send it back to me.

I raised a thread about it in one of their off-topic sections, and got
harassed - "How secure do you need your browsing to be?" (And hey, I mean, I
was asking them to do more work)

But it stands out that most of the public doesn't know, and doesn't care to
know. Even a site that's populated by people with net worths and/or incomes
that average in the six-to-seven figure range, that they probably signed up
for with the same email address and password that they use for their bank and
brokerage accounts.

HTTP should come with a warning. Furthermore, it would be fan-fucking-tastic
if there was some generalizable way to (automatically) audit a website's
security practice. Like, a crawler that just runs standard OWASP-style attack-
vector checks, and sends an email to the site's owners when one succeeds. And
then put that data into a database and warn users (with a browser plugin) when
they are creating credentials for sites with bad security.

~~~
unethical_ban
I'll top that. I used TABCPermit.com to get licensed to serve alcohol in
Texas. Their signup form says "no special characters in password". I used one
anyway, putting in "password$1" for example. It accepted it, and I worked on
the test.

Next day, I can't login. I use the "forgot password" link. They send me an
email, and it has my password in it! Bad, right?

That isn't all. My password, they said, was "password1". They silently
stripped out the special character.

I just about flipped a table at how security-shallow people who build websites
can be.

~~~
mgerdts
Are you sure your password has a $ in it? What makes you think that they don't
strip the $ when you set and enter your password?

If it seemed like they were doing a hash then compare, I would wonder if they
are using the legacy unix crypt that truncates passwords at 8 characters.

~~~
unethical_ban
I know when I registered and typed twice that my password had "$" in it. And
they mailed me back my password without it. Finally, it wasn't just a truncate
because there were characters after the position where "$" should be.

And if they did strip it out, that is bad. That's the point.

------
fortytw2
I didn’t see this anywhere in the article (maybe I missed it), but because
this utilizes the Great Firewall, it’s undoubtedly done by the Chinese
government, right?

~~~
romaaeterna
No. "Behind the Great Firewall" is another way of saying "served from China".
Perhaps -- or even most likely -- it is the government. But this is hardly a
smoking gun. There are plenty of people on the mainland that hate what's going
on in HK, and who are not the government.

~~~
polityagent
This is not true, the traffic for the previous GitHub incident with the Great
Cannon was co-located[0] with the Great Firewall (which is indisputably under
the control of the Chinese government).

[0] [https://citizenlab.ca/2015/04/chinas-great-cannon/](https://citizenlab.ca/2015/04/chinas-great-cannon/)

~~~
romaaeterna
Colocated with the Great Firewall is an entirely different claim, and not one
that ATT makes. Your citizenlab article provides a possible case for it, but
that's a different discussion.

And even then, it could be some third party cache poisoning attack, etc. The
citizenlab evidence would look exactly the same.

This is likely China, as I said, but let's not pretend that we know more than
we do.

~~~
erikpukinskis
Why does it matter whether ATT made the claim?

------
brenden2
This is a good counter example for whenever you find yourself in an argument
with anti-adblocker folks.

~~~
Someone1234
But these folks still have no answer for how free websites they consume daily
(e.g. news) are to be funded, they don't pay, and don't want to see ads
either. Yet they still expect these websites to exist.

I use Firefox's built-in Enhanced Tracking Prevention, which some sites call
"ad blocking", but in reality it is super easy to have ads that don't get
blocked by it, just make them non-creepy.

~~~
andrewprock
On the contrary, people pay for Netflix. People also pay for the ad-free
upgrade to Hulu. Speaking to text websites, people are also using Brave,
though I don't know how that experiment will work out in the end.

~~~
csunbird
When it is reasonably priced, people will pay for legal alternatives. If there
was a Netflix for paid websites, which would provide subscriptions in a
convenient way to all websites in bulk, people would pay for that. Current
options are:

> Manage subscriptions of 10 plus websites manually

> Pay by your privacy

It is clear that both options suck, so people opt in to ad blockers instead.
Legal options are just overpriced for the demand.

~~~
kevin_thibedeau
Ad blocking is not illegal.

------
hamhand
DDoS attacks against business competitors are common and rarely punished in
China.

Injecting ads/affiliate or whatever js in webpages, stealing social media
tokens to do follower boosting business and selling optic fiber traffic dump
is also common for Chinese ISPs.

------
blackearl
[https://outline.com/8BBX3b](https://outline.com/8BBX3b) due to obnoxious
header and footer

------
clubm8
I can't read the OP because I'm using Tor, if anyone else is having similar
issues wayback has it cached:

[https://web.archive.org/web/20191206074255/https://cybersecu...](https://web.archive.org/web/20191206074255/https://cybersecurity.att.com/blogs/labs-research/the-great-cannon-has-been-deployed-again)

Too often I cannot browse anonymously because people abuse Tor to aggressively
scrape things. Don't do that!

------
yumraj
Can/shouldn't the rest of the world create a _Greater_ firewall to block the
traffic from China?

Let China enjoy it's solitude and we'll enjoy our openness.

~~~
rahuldottech
Yeah except we will effectively be cutting off _all_ outside information from
the Chinese citizens, who already have to face incredible amounts of
censorship.

Cut them off completely, and we will never find out about all the human rights
violations taking place in their country, and their government will be able to
brainwash its citizens even more easily.

~~~
yumraj
I'm OK with that.

Today we're just finding about them, not able to do anything, so that won't be
much different from the status quo but the benefits would be immense.

------
ignoramous
> It is unlikely these sites will be seriously impacted. Partly due to LIHKG
> sitting behind an anti-DDoS service, and partly due to some bugs in the
> malicious Javascript code that we won’t discuss here.

If I get the attack scenario right, valid user IPs from behind the great
firewall are driving traffic to the webservers, and so what are some examples
of anti-DDoS mitigations that are effective in filtering out the adversarial
traffic?

~~~
saagarjha
Probably whatever Cloudflare uses, like JavaScript challenges.
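
As an added illustration of the kind of JavaScript challenge saagarjha refers to (not Cloudflare's mechanism, which the thread does not describe), here is a proof-of-work challenge modelled in Python. The server issues a challenge bound by HMAC to the client address and a timestamp, the script on the interstitial page must find a counter whose hash carries enough leading zero bits, and only requests presenting a verified solution are served. The reason this filters the traffic described in the article: an injected script that floods the victim with image or no-cors fetch requests receives the challenge page as a response but never executes it, so those requests never acquire a clearance. The key handling, difficulty and field layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Per-process server secret; constructed for the example (a real deployment
# would use a managed, rotated key shared across the edge).
SERVER_KEY = os.urandom(32)
DIFFICULTY_BITS = 12          # ~4096 hash attempts on average; tune per threat
MAX_CHALLENGE_AGE = 300       # seconds a challenge stays redeemable


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(client_ip, now=None):
    """Server side: hand the client a challenge bound to its IP and a
    timestamp. The HMAC tag lets the server verify later without state."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    msg = f"{client_ip}|{nonce}|{now}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"ip": client_ip, "nonce": nonce, "ts": now, "tag": tag,
            "bits": DIFFICULTY_BITS}


def solve_challenge(challenge):
    """Client side: what the JavaScript on the interstitial page would do.
    Brute-force a counter until SHA-256(nonce|tag|counter) has enough
    leading zero bits. An <img> load or a no-cors fetch never runs this."""
    prefix = f"{challenge['nonce']}|{challenge['tag']}|".encode()
    counter = 0
    while True:
        digest = hashlib.sha256(prefix + str(counter).encode()).digest()
        if leading_zero_bits(digest) >= challenge["bits"]:
            return counter
        counter += 1


def verify_solution(challenge, counter, client_ip, now=None):
    """Server side: check binding to the requesting IP, freshness, the HMAC
    tag (rejects forged challenges), then the proof of work itself."""
    now = int(time.time()) if now is None else now
    if client_ip != challenge["ip"] or now - challenge["ts"] > MAX_CHALLENGE_AGE:
        return False
    msg = f"{challenge['ip']}|{challenge['nonce']}|{challenge['ts']}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False
    digest = hashlib.sha256(
        f"{challenge['nonce']}|{challenge['tag']}|{counter}".encode()).digest()
    return leading_zero_bits(digest) >= challenge["bits"]


if __name__ == "__main__":
    ch = issue_challenge("203.0.113.7")
    answer = solve_challenge(ch)
    print("counter", answer, "valid:", verify_solution(ch, answer, "203.0.113.7"))
```

In a real deployment the verified solution would be exchanged for a short-lived cookie so the cost is paid once per client rather than per request, and the difficulty would be raised only while an attack is in progress, since legitimate visitors pay it too.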

------
dfawcus
That page generates no response for me,
[https://archive.is/I1WO6](https://archive.is/I1WO6) does.

~~~
degenerate
Thanks. For others using CTRL+F to find this link, some keywords... [
_archive, site down, 404, error page, mirror_ ]

Edit: better/cleaner version:
[https://outline.com/8BBX3b](https://outline.com/8BBX3b)

~~~
emilfihlman
Probably want to add the actual error code, 504 Gateway Timeout.

------
abathur
I've wondered about this, in the years since.

Does anyone else have a sense of what (if any) pragmatic technical steps could
effectively deter or neuter this tactic?

If the network can't demonstrate the ability to at least pump the brakes on
this, it's hard to imagine other states or even the owners of large safe-
monopoly ISPs won't get a little jealous of the tool.

~~~
revicon
Block all traffic from China?

~~~
gruez
Collateral damage aside, that doesn't really solve the issue. The attack goes
something like this:

1. non-Chinese user visits a Chinese site

2. the traffic goes through the GFW, which inserts malicious JavaScript

3. the user executes the malicious JavaScript and starts DDoSing the victim
site

Blocking chinese users won't help, since non-chinese visitors will still ddos
your site.

~~~
alfalfasprout
If China is cut off, then people can't download the malicious JS either.
Granted, it sets a pretty bad precedent and would have massive economic
consequences.

------
LatteLazy
I had no idea this thing existed but it's actually a smart and relatively
straightforward thing for the PRC to do, shitty as it is...

I was especially impressed with their getting the target to retrieve, resize
and transmit an image: that's a smart way to waste time...

------
thepete2
It's bad that there are enough plain http connections for this to be possible.

~~~
mminer237
Although Baidu does still default to HTTP, the Chinese government has the root
certificates for every Chinese certificate authority. It can MITM traffic for
anybody in China, even over HTTPS, so that wouldn't solve the problem.

~~~
cryptozeus
Wow really? Any source for this? That is like everyone can lock their house
but the gov has the master key.

~~~
mminer237
I suppose I probably overstated the situation a bit. The PRC National
Intelligence Law (
[http://cs.brown.edu/courses/csci1800/sources/2017_PRC_Nation...](http://cs.brown.edu/courses/csci1800/sources/2017_PRC_NationalIntelligenceLaw.pdf)
) requires, "Any organization or citizen shall support, assist and cooperate
with the state intelligence work...", and China was observed making its own
certificates for foreign sites before this (
[https://news.ycombinator.com/item?id=5124784](https://news.ycombinator.com/item?id=5124784)
), but there's no direct evidence that China actually has all the root
certificates currently or has used them maliciously. Of course, the law
requires citizens to preserve secrecy and Westerners can't observe what China
is doing, so that wouldn't be unexpected.

------
SamuelAdams
> These attacks would not be successful if the following resources were served
> over HTTPS instead of HTTP:

Can someone explain how using HTTPS would mitigate this attack?

~~~
theptip
HTTPS makes a MiTM attack much harder, because you need to have a valid cert
for the host you are spoofing.

~~~
3JPLW
Doesn't the Great Firewall mandate (or at least strongly suggest) that those
Chinese-controlled root certs are installed for devices behind it?

~~~
dehrmann
If this were a root cert, OSes and browsers could ban that CA. If you want
this to work with SSL, giving the Great Firewall a domain cert would be
enough.
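
The AT&T line quoted above ties the attack to specific resources being requested over plain HTTP, and theptip's answer is that only such requests can be answered by an on-path injector. As an added example (not from the article or from any of the commenters), here is a small audit that parses a page and lists every script, stylesheet, image or frame the browser would fetch over http://, taking into account that relative and protocol-relative references inherit the page's own scheme. The sample page and all hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class InsecureSubresourceAuditor(HTMLParser):
    """Collect sub-resources the browser would fetch over plain http://.
    Any such fetch can be answered by an on-path device instead of the
    origin, which is the injection point the write-up describes."""

    # element -> attribute naming the resource that gets fetched
    SOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                    "source": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_name = self.SOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # Only stylesheet <link>s fetch content the page interprets; hints
        # such as rel=preconnect are skipped in this example.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        ref = attrs.get(attr_name)
        if not ref:
            return
        # Relative and protocol-relative references inherit the page scheme:
        # on an http:// page even "//cdn.example.net/x.js" goes out in clear.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def audit_html(page_url, html):
    """Return the list of (tag, url) sub-resources loaded over plain HTTP."""
    auditor = InsecureSubresourceAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; every hostname is hypothetical.
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="http://static.example.net/site.css">
<link rel="preconnect" href="http://fonts.example.net">
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://stats.example.net/hm.js"></script>
<script src="//cdn.example.net/extra.js"></script>
<script src="/local.js"></script>
</head><body><img src="http://img.example.net/logo.png"></body></html>"""


if __name__ == "__main__":
    for tag, url in audit_html("https://www.example.com/", SAMPLE_PAGE):
        print(f"{tag:6} {url}")
```

Run against the same markup served from an http:// page, the audit flags the protocol-relative and relative scripts as well, which is why moving only the page to HTTPS while leaving hard-coded http:// script URLs in place does not close the hole: the browser either blocks those as mixed content or, for images, still fetches them in clear.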

------
lawrenceyan
The fact that you can see these malicious scripts being served directly from a
Baidu domain is a good reminder that effectively all major Chinese tech
companies are totally at the whim of the Chinese government.

It makes using any product / service from a Chinese based company basically
never worth it just because of the security concerns.

------
ai_ja_nai
How about interrupting BGP traffic from/to China by nearby western AS
everytime the Cannon is used?

~~~
zer00eyz
What would happen if we black hole all of china's IP range from all over the
USA?

I suspect that a lot of businesses would flex muscle on both sides to get that
to stop really quickly.

It would be a hard policy to implement on our side, but likely very effective.
It's almost like we need someone in power smart enough to ASK telcos and
carriers to DO such a thing.

------
sgc
Browsers should prompt user and require confirmation before sucking down
resources repeatedly in this way. Especially since this is grabbing
images/content that are then not going to be displayed.

------
maxfan8
I'm not experienced in DDOS mitigation techniques, but is it possible to
redirect malicious traffic to the malicious JS-serving website?

Is this feasible/computationally worth it?

------
FDSGSG
If baidu.com is distributing the script, why is baidu.com not being flagged as
malware by the various mechanisms used to block this kind of nastiness?

Are the vendors just cowards?

~~~
CrazyStat
baidu.com is not distributing the script. A proxy is taking advantage of
insecure connections (http) to serve the malicious script instead of baidu's
script.

~~~
FDSGSG
It's 2019, what excuse does Baidu have to not support https for these scripts?

~~~
simias
As far as I can tell many CDNs will gladly serve their scripts over HTTP if
requested:
[http://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.mi...](http://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js)

I don't know what the reasoning behind that is.

~~~
FDSGSG
When visited over HTTP that CDN sets the header Alt-Svc: h3-23=":443"; ma=86400,
telling the browser that (encrypted) HTTP3/QUIC is available.

If you ever manage to load that CDN over HTTPS/QUIC it sets a HSTS header so
all further pageloads will go over HTTPS.
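
FDSGSG's observation that HSTS only kicks in after one successful HTTPS load is exactly the gap a first plain-HTTP fetch leaves open. The following added example (not the code of any browser) models a browser's HSTS cache as RFC 6797 specifies it: a Strict-Transport-Security header on an http:// response is ignored because an on-path injector could forge it, a first http:// fetch goes out unprotected, and only after one HTTPS response carrying the header are later http:// URLs for that host (and, with includeSubDomains, its sub-domains) rewritten to https:// before any packet leaves. Hostnames and timestamps are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal model of a browser's HSTS cache (RFC 6797). Added example,
    not the implementation of any real browser."""

    def __init__(self):
        self.entries = {}   # host -> (expiry_time, include_subdomains)

    @staticmethod
    def parse_hsts(value):
        """Parse 'max-age=N[; includeSubDomains][; preload]'."""
        max_age, include_subdomains = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(arg.strip().strip('"'))
            elif name == "includesubdomains":
                include_subdomains = True
        return max_age, include_subdomains

    def observe_response(self, scheme, host, headers, now):
        """Record HSTS only from a response received over HTTPS. The same
        header on a plain-HTTP response is ignored: anyone on the path
        could have written it."""
        if scheme != "https":
            return
        value = headers.get("strict-transport-security")
        if value is None:
            return
        max_age, include_subdomains = self.parse_hsts(value)
        if max_age is None:
            return
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)      # site asked to be forgotten
            return
        self.entries[host] = (now + max_age, include_subdomains)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def effective_url(self, url, now):
        """What the browser actually fetches for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    store, t0 = HstsStore(), 1_700_000_000
    print(store.effective_url("http://cdn.example/j.js", t0))        # first visit: clear
    store.observe_response("https", "cdn.example",
                           {"strict-transport-security": "max-age=31536000"}, t0)
    print(store.effective_url("http://cdn.example/j.js", t0 + 10))   # now upgraded
```

The first call is the window the injector needs: nothing in the cache, so the request goes out in clear and whatever comes back is executed. Preloading (shipping the host in the browser's built-in HSTS list) is the only way to close that first-visit gap for a host the user has never loaded over HTTPS.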

------
bcoates
Am I the only one disappointed this wasn't about someone refurbishing the
Dardanelles Gun?

------
Steltek
What DDoS protection are they using? AT&T didn't say other than it was
present.

~~~
saagarjha
I'd guess Cloudflare:

    
    
      $ nslookup -type=soa lihkg.com
      Server:  8.8.8.8
      Address: 8.8.8.8#53
      
      Non-authoritative answer:
      lihkg.com
       origin = kevin.ns.cloudflare.com
       mail addr = dns.cloudflare.com
       serial = 2032679273
       refresh = 10000
       retry = 2400
       expire = 604800
       minimum = 3600
      
      Authoritative answers can be found from:

------
pysxul
I am still amazed by how genius of an idea this is to DDOS at large scale

~~~
FDSGSG
The RPS isn't that great compared to some IoT botnets and this also gives the
attacker rather limited control over the requests. It's a cool idea but I'm
not really convinced that it's actually worth the trouble.

China has better tools, like XORDDoS.

------
ct520
and then the hacker news cannon took down att's site..

------
classified
The Chinese government attacks websites which support a free Hong Kong.

------
vandal_at_your
Fuck the idea of the browser as interpreter for untrusted code.

------
johnchristopher
"Across the Great Wall we can reach every corner in the world."

------
inimino
I see a lot of arguments for specific technical mitigations for the specific
implementation of this attack. All these technical approaches are doomed to
fail.

The attack uses network-level injection to add malware to HTTP requests for
resources served from inside China. This malware then runs on hosts anywhere
in the world and effectively DDoSes the targets. It is true that if these
specific requests were made over HTTPS rather than HTTP, this particular
attack would be mitigated.

Unfortunately the point that is being missed here is that if these resources
had been served over HTTPS, this attack simply would have been implemented in
a slightly different way. The suggested mitigations would work post-facto.
However, had they been in place prior to this attack, which is the
alternative we have to consider, other means would have rendered them useless.

The fact is that any website hosted in China is directly accessible to the CCP
for hosting these attack payloads. There is an ICP registration system and a
chain of access to hosting environments that grants full network control and
full access to any server to the authorities at any time they choose. Servers
that are not part of this system are simply not allowed to host websites on
the Chinese internet. Further, there is direct political control over every
major internet company.

This is such a fundamentally different situation that it can be hard for
American observers to understand what range of potential responses are
meaningful.

The reality is that any network request that is served from China is fully
within the political power of the CCP to alter. Whether this involves HTTP or
HTTPS or whether implemented via the GFW or by direct changes to endpoints
within internet companies is immaterial. Beyond the logistical costs of these
actions within China, nothing of any consequence is changed by such minor
technical mitigations.

What these attacks show is not just the capability but the willingness to use
that capability in an offensive capacity against political targets.

The difference between the internet of independent sites in the US and the
situation of near-total political control over resources on the network in
China can hardly be overstated. This is why technical solutions that seem
completely reasonable from an American perspective are pointless in reality.
The threat model of the world's largest online population with all network
resources under direct political control is simply too unfamiliar. If the
political will exists to use those resources offensively, technical
countermeasures will always be ineffective, unless they are so seemingly
disproportionate that they become essentially political acts, like depeering.

Meaningful responses are those that affect the political willingness of the
CCP to weaponize the internet. Weaponization will destroy the internet as we
know it, and raising awareness before this kind of thing becomes routine may
be the last chance we have to avoid it.

This is a political problem, and does not have a technical solution.

------
Pvalencia2413
Silent is not a consent.

------
GrumpyNl
I get a 500.

------
branon
Interesting article, shame it happens to be on a site where undismissable
hovering banners on the top and bottom of the screen gobble up 30% of real
estate.

