
Pin-pointing China's attack against GitHub - zmanian
http://blog.erratasec.com/2015/04/pin-pointing-chinas-attack-against.html
======
whoopdedo
To say that the "Chinese government" is involved I think understates the
situation. We know as fact that their army has invested considerable time and
money in a cyberwarfare unit. And that the company that operates the Firewall
is a military contractor.

When Sony was hacked a few months ago, the media couldn't wait to label it a
"terrorist act" by North Korea.

I just now searched Google News for "github terrorism".

1. [http://www.itpro.co.uk/security/24319/github-falls-victim-to...](http://www.itpro.co.uk/security/24319/github-falls-victim-to-possible-chinese-cyber-attack)

2. [https://grahamcluley.com/2015/03/github-ddos-attack/](https://grahamcluley.com/2015/03/github-ddos-attack/)

That's all, even though the evidence appears more clear that the Chinese
government is involved. Whereas North Korea's responsibility was in doubt. The
silence speaks volumes.

But is "terrorism" even the correct word for this? When Saddam invaded Kuwait,
was that a terrorist act? Consider this quote written by a Chinese military
analyst 30 years ago:

      those who take part in information war are not all soldiers. Anybody who
      understands computers may become a "fighter" on the network. Think tanks
      composed of non-governmental experts may take part in decision-making;
      rapid mobilization will not just be directed to young people; information-
      related industries and domains will be the first to be mobilized and enter
      the war.

(From
[http://fmso.leavenworth.army.mil/documents/chinarma.htm](http://fmso.leavenworth.army.mil/documents/chinarma.htm))

However, the Chinese may respond by claiming this was a preemptive defense.
That GreatFire.com was designed to weaken their security and they were
justified in taking action to protect the sovereignty of their computers.
Haven't western nations done the same when they were threatened by terrorism
or nuclear arms?

It seems to me that we have officially entered the era of a weaponized
internet.

~~~
JonnieCache
_> But is "terrorism" even the correct word for this?_

Don't use that word. It's barely even a word any more; it's become one of those
weaponized magic symbols used for mind control. See also "freedom",
"globalization", "sharing", "choice" and so on.

Instead, you can just use words like "murder", "destruction of infrastructure"
and the like.

~~~
jacquesm
You forgot 'communism'.

~~~
tripzilch
And what about "hackers"? :)

------
Ashwinning
"blocking GitHub is not really a viable option" he said. Tell that to the
world's craziest democracy, India, which banned GitHub, Vimeo, Pastebin and a
bunch of others in December last year. Some bans were lifted later. Source:
[http://www.zdnet.com/article/india-blocks-32-websites-includ...](http://www.zdnet.com/article/india-blocks-32-websites-including-github-internet-archive-pastebin-vimeo/)

~~~
imron
Agree with this. Anyone who thinks blocking GitHub is not really a viable
option has never been on the other side of the GFW.

The Chinese government will happily block any site they want to and they have
little/no regard for the popularity or usefulness of the site in question, and
often they will block popular foreign sites to help copycat local versions
thrive.

Off the top of my head they block Facebook, Twitter and Youtube entirely and
Wikipedia selectively (used to be permanently also). I can tell you they don't
care about blocking GitHub.

They also have the ability to dynamically block sites based on page content
rather than just entire domains, so it would be perfectly feasible for them to
block just the project pages and not the entirety of GitHub.

~~~
mckoss
You can't selectively block content on an SSL connection w/o having a back
door to the encryption keys used to secure the connection. A man in the middle
attack would be detectable unless the root certificates were compromised.

~~~
flyinghamster
That's where CNNIC comes in. All they need to do is issue their own fake
certificate for (insert blocked site here).

~~~
imron
Isn't it wonderful to have your own certificate authority.

------
methou
I have a question about the method. Hypothetically, if I am the attacker, I
know the TTL of each packet that is passing through, right?

So when I get a packet with a TTL so small that it won't survive long enough to
reach the target, instead of altering it, I just leave it alone. So the probe
will never know where I am in the route.

~~~
jacquesm
But upstream providers within the TTL range will. And during a DDoS like this
you can bet that everybody in the chain that is on the good side is in
constant communication.

~~~
brudgers
A sufficiently sophisticated man in the middle can be anywhere between origin
and destination and have arbitrary distribution. Proving that a particular
node is responsible for a particular alteration requires using a trusted trust
computer to send packets into the great wall on their first hop.

The experiment in the article required trusted trust of packets destined for
the great wall passing through US infrastructure. That this infrastructure can
generally be considered neutral is no guarantee that it was in this case. Any
router or switch can use arbitrary tables and conditional logic on any packet.
The purpose of the experiment was prosecuting a particular suspect not arm's
length analysis.

~~~
jacquesm
So that experiment would need to be repeated in a distributed manner from as
many points of origin as possible.

A friend of mine runs a honeypot service that uses servers all around the
planet, someone like him would be in a good position to run analysis like
this.

~~~
brudgers
Logically, sufficient distribution of testing doesn't negate sufficient
distribution of evil demons. Practically, if the evil demon has state actor
level resources, it is more likely to have sufficient distribution than an
ordinary commercial or private interest.

On the other hand, I don't think it's really necessary to prove with
technology that the 中國人民解放軍 is behind this. Diplomatic logic is sufficient.
The behavior is simply an internet equivalent to jamming the Voice of
America.[1]

Github is broadcasting. The 中华人民共和国 has a sovereign's policies regarding
broadcasting. The 中國人民解放軍 executes those policies. Github operates with a
business model that ignores sovereigns at its own peril. Calling one sovereign
for aid when dealing with another sovereign also carries peril.

Allowing political content in an online community always comes with the risk
of trolling and flamewars. A hands off editorial policy only means Github
hasn't made a tough decision about what the Github community is _not_.
Decision day can only be put off so long.

[1]:
[http://en.wikipedia.org/wiki/Voice_of_America](http://en.wikipedia.org/wiki/Voice_of_America)

~~~
jacquesm
That's the odd thing, they could jam it instantly if they so chose to. The
GFW's primary purpose is to limit access to certain URLs from within China.

Now of course those repos are intended to circumvent that, but once someone has
them they are out of reach of the GFW. So blocking those URLs at the GFW would
seem to be all that's really needed.

Tools like these should be accessible from as many places as possible.

~~~
brudgers
Diplomatic logic suggests Github is serving as an object lesson:

      1. 中华人民共和国 has laws.
      2. 中华人民共和国 is well connected to the internet.
      3. 中华人民共和国 can project its interests
         around the world easily in rather nasty ways.
      4. 中华人民共和国 can project its interests from
         within its borders.
      5. 中华人民共和国 has an interest in controlling
         commerce within its borders.

I believe this is an act of foreign policy, not domestic. It's not about
unplugging citizens from the internet. It is about achieving some parity with
other state level actors in regard to what is and isn't allowed on the
internet.

中华人民共和国's interests are orthogonal to those of the US and UK. It is not so
much interested in the internet as an organ of a surveillance state or as an
alternative source of foreign intelligence in lieu of boots on the ground.

The mechanics of the attack are entirely within the realm of sanctioned
internet behavior: visiting a site places javascript in the browser without
explicit approval of the end user. The javascript may do something not in the
user's interest. The javascript may generate unnecessary internet traffic. The
purposes for which the javascript does so are solely the purposes of the site
injecting it.

The great wall comes with terms and conditions.

~~~
jacquesm
> The great wall comes with terms and conditions.

I don't consider myself subject to those terms and conditions and attacking
github affects me in a very direct way. As such this is not acceptable and I
hope that sufficient work will go into un-ambiguously determining who did
this.

~~~
brudgers
Github is a commercial interest. 中华人民共和国 has in recent years worked with
commercial interests to mutually acceptable solutions. From 中华人民共和国's
standpoint, what the internet's serfs want is Github's concern and they can
make their business decisions accordingly.

Consider it a DMCA takedown notice.

~~~
jacquesm
Why do you use '中华人民共和国' instead of China?

~~~
brudgers
Besides being batshit crazy?

For the same reason I use "Github" instead of saying "distributed version
control ddos'ed" or "git unavailable on the internet". It picks out a more
precise set of attributes and methods and limits the likelihood of slipping
into anthropomorphisms such as "The Chinese." In particular it limits the
range of what is historically relevant: ground combat against the US Army in
the 1950's is, against the USMC in 1900 not so much.

Since I believe this is a matter of foreign policy and international trade,
the sovereign and the corporation are the appropriate level of abstraction for
analysis and language should reflect that in order to be clear.

Was it the 中國人民解放軍 or the 中华人民共和国?

------
mfkp
While this is a very interesting read (learned a thing or two), the author's
conclusion is a bit suspect.

_Using my custom http-traceroute, I've proven that the man-in-the-middle
machine attacking GitHub is located on or near the Great Firewall of China._

Although suspicious, it seems one would need to know a lot more about China
Unicom and their infrastructure to say this conclusively.

~~~
snowwolf
I think the thing everyone is forgetting is that if it isn't state
sponsored/approved then why hasn't it been turned off (as far as I am aware
the attack is still ongoing).

If it was a hack, surely China Unicom should have fixed it by now?

~~~
SyneRyder
Hasn't it stopped as of March 31? Github system status now shows green,
whereas they previously said "We will keep our status at yellow until the
threat has subsided":
[https://status.github.com/messages](https://status.github.com/messages)

------
peterwwillis
_> While many explanations are possible, such as hackers breaking into these
machines, the overwhelmingly most likely suspect for the source of the GitHub
attacks is the Chinese government._

Correlating the circumstantial facts that China has a giant firewall, the
content being blocked is getting around China's firewall, and an attack came
from somewhere deep in one of China's largest backbone providers, does not
make an 'extreme likelihood'; it makes a weak correlation. Likelihood requires
reviewing known outcomes to determine a likely result. What other known
evidence of specifically these three behaviors by the Chinese government are
you basing this conclusion on?

_> This is important evidence for our government._

You've taken a massive leap in logic from a machine inside China manipulating
global traffic to attack servers in the US, to conclude that _it is more
likely to have been the Government than anyone else_. This is exactly the same
as saying any attack originating from the US which appears to be related to US
interests must be from the US government. If this was the basis for how we
concluded all investigations into illegal actions, anyone who 'looked like'
they did it would be found guilty, sans evidence. That may be how other
nations' justice systems work, but not ours.

Furthermore, in no way is either Github or Baidu's analytics considered 'key
US Internet infrastructure'. I mean, Git is even a decentralized system -
people can still get work done if it's down!

This is not evidence of the Chinese government's complicity, and pretending it
is creates a dangerous logical fallacy that could improperly shape public
opinion.

------
nickodell
When TPB was pretending to be in North Korea, someone proved that they
weren't, [1] because of how quickly they responded to a ping. Could someone
narrow down the physical location of the firewall similarly?

[1]: [https://rdns.im/the-pirate-bay-north-korean-hosting-no-its-f...](https://rdns.im/the-pirate-bay-north-korean-hosting-no-its-fake-p2)

~~~
mirashii
You can really only use a method like this to say where a server is not (it
can't be halfway around the world because the speed of light limits it), but
this is assuming you're communicating directly with the server. The method
used to inject these packets on the wire makes this sort of analysis even
harder to do (and if there was concern, appropriate amounts of random delay
and noise could be added).

~~~
nickodell
> The method used to inject these packets on the wire makes this sort of
analysis even harder to do

I was under the impression that this was a man-on-the-side attack, so they'd
send a bogus SYN-ACK back to you the moment that they saw a SYN.
Theoretically, you should still only be dealing with one RTT.

> (and if there was concern, appropriate amounts of random delay and noise
could be added).

I don't think China cares if it gets traced back to them.

~~~
methou
> I don't think China cares if it gets traced back to them.

No they don't, and when the time arrives, they deny whatever the accusation is
and claim it's defamation.

~~~
flipp3r
They already did this a couple of days ago when someone asked them about it:
[http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/251...](http://www.fmprc.gov.cn/mfa_eng/xwfw_665399/s2510_665401/2511_665403/t1250354.shtml)

"On your second question, it is quite odd that every time a website in the US
or any other country is under attack, there will be speculation that Chinese
hackers are behind it."

------
zombination
_This is important evidence for our government. It'll be interesting to see
how they respond to these attacks -- attacks by a nation state against key
United States Internet infrastructure._

It seems a bit of a stretch to say that Github is "key US Internet
infrastructure"...

~~~
Daishiman
If GitHub were down for two days that's a metric shitload of projects that
can't get deployed. There's a significant number of software projects with
dependencies on Github-hosted stuff.

~~~
a3n
If github were down for two days, you're probably right, those projects can't
be deployed.

But if github were down for two months, the nature of git suggests that
deployment for those many individual projects would shift either to the
originators' infrastructure, or some other aggregating service.

~~~
jonalmeida
This is true but very limited as well. GitHub isn't used for just git now,
it's also an issue tracker, a wiki (yes, those are repos as well, but you
don't usually have them sync'd), Github-only services (e.g. Travis), package
managers (e.g. Cocoapods and Crates).

There is a lot riding on GitHub that developers use. Hell, even closed-source
companies sometimes use empty GitHub repos so they can use Issues for openly
available tracking.

------
cschramm
There's absolutely no proof in this.

The fact that a request with a TTL smaller than 12 does not trigger a response
does not mean the responder is the host after 12 hops. Assuming none of the
previous hosts misbehaves (they could be increasing or at least not decreasing
the TTL) you can only conclude that it is none of the later hosts, but it can
still be any of the previous ones.

That leaves you with Comcast AND China Unicom hosts and, considering that the
replies you see in the traceroute results can easily be spoofed, it can be any
third party as well.

Possible scenarios include (I don't say they are more likely):

1. Comcast is producing the responses, but only does so if the request TTL is
large enough to make you blame China Unicom.

2. China Unicom hands the packets over to a third party after just a few hops
in their backbone. The third party sends ICMP Time Exceeded messages looking
like they are from other China Unicom hosts to make you blame China Unicom.

Conclusion: This is either an obvious attack from within the China Unicom
backbone OR a more sophisticated attack where the attacker wants to a) hide
his identity and b) blame China Unicom for it (I can't think of a scenario
where b) would be a by-product and not on purpose).

Just saying. The sentences in the post that include the words "prove" and
"proven" are simply wrong.

------
brudgers
The article is titled:

       Pin-pointing China's attack against GitHub

------
dexcs
Is there a statement from GitHub about who they think did the DDoS?

~~~
kiliankoe
No and there probably won't be. Them publicly saying they were being attacked
by the Chinese government would put them on some seriously questionable legal
ground. They definitely went the right route by not saying anything.

~~~
stevenh
Which laws would they be violating by announcing they were attacked by China?

~~~
ptaipale
A number of Chinese laws, or executive orders or whatever, actually might be
violated.

------
BhavdeepSethi
I don't get it. Why doesn't the GFW just block those GitHub pages in particular? A
lot of people can fork these repos, but the forks won't be anywhere near as
popular as the current pages.

~~~
shaftoe
HTTPS. They can't tell what URL a user is requesting.

~~~
y0ghur7_xxx
> HTTPS. They can't tell what URL a user is requesting.

I am sure they have a private key of some of the CAs shipped with major
browsers lying around somewhere...

~~~
fabulist
I believe the Chinese government actually operates a CA. But it isn't worth it
to them to expend such a valuable asset on an operation like that.

------
finnn
That's cool, I didn't know how traceroutes work. Is he planning on releasing
the http traceroute tool?

~~~
itistoday2
Here ya go:
[https://github.com/robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan)

        @collinrm I just took masscan, changed the HTTP request,
        then tweaked the code to generate a small TTL.

Source:
[https://twitter.com/ErrataRob/status/583433175302479872](https://twitter.com/ErrataRob/status/583433175302479872)

~~~
blacksmith_tb
On OSX, it's available via Homebrew, brew install masscan

------
eaxitect
I don't agree with the author's conclusion; having a server in a Chinese ISP does
not mean it's orchestrated by the Chinese gov. Also, I don't suppose the MITM attack
organizers have no clue about how TTL works.

~~~
orf
They didn't have a clue about $.ajax with a 'script' data type did they?

~~~
eaxitect
So they should be the Chinese gov, right?

------
jokoon
In the end, I wonder if the purpose of the great firewall is not for China to
defend itself against foreign cyber attacks or because "free internet" might
not benefit China currently.

I'm sure computers are now mainstream enough that it would matter for any
country to put cyber warfare as a key strategy. The US and the west dominate
through open trade and easy communications and free speech. Maybe that makes
China vulnerable, and they're trying to defend themselves economically.

You can accuse China all you want, but if you're an American, it's harder to
listen to those accusations.

~~~
brudgers
The US spent more than 50 years protecting its residents from Cuban sugar and
Cuban cigars and sunburns on Cuba's beaches. Such are the absurdities of
powerful sovereigns.

------
phelmig
That the server is located in China doesn't prove anything.

~~~
simonh
This analysis doesn't just prove the attack originated in China, it shows
that it takes place immediately inside the first Chinese network the
connection reaches on its way into China. The second piece of analysis shows
that this is the same network layer in which the network blocking performed by
the Great Firewall occurs. So the Great Firewall and this attack are both
being implemented at the same point in the network infrastructure.

~~~
maxerickson
I think an interesting question is how likely it is that some of the great
firewall is compromised.

(It could be by some party outside of China, or by some group inside of the
Chinese government that does not have an official mandate to use it for things
like the Github attack)

~~~
smilekzs
Extremely unlikely. GFW is, ironically, considered "critical infrastructure"
and is closely monitored.

~~~
dragonwriter
Ironically? How is it ironic that a centerpiece of the Chinese Government's
control and monitoring of information is considered critical infrastructure
and closely monitored by the Chinese Government?

~~~
smilekzs
I was saying "ironic" as this article classifies GitHub as important
infrastructure. But anyway I totally agree with you.

------
simula67
China is the second most powerful country in the world. Do people really think
they are that stupid? They are not going to attack an American company using
infrastructure that anyone can track back to them. This Github DDoS has got to
be the work of someone trying to frame the Chinese government. Has _anyone_
considered that angle?

~~~
stefantalpalaru
Take a look at this brand new executive order authorizing economical and
financial sanctions against global "cyber threats":
[https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-c...](https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know)

This GitHub business looks more and more like a false flag operation.

~~~
jacquesm
How does 'economical and financial sanctions' equate to 'Whitehouse gives
order to start false flag operation against github'?

The more that comes out and the more silence there is from the Chinese
government the _less_ it looks like a false flag operation. Usually the victim
of a false flag operation (China in this case, not github) would be very
adamant about its non-involvement and would work very hard to expose the
originator.

~~~
stefantalpalaru
Yes, just like if Glenn Beck really did not rape and murder a young girl in
1990 he would be very adamant about his non-involvement and would work very
hard to expose the actual culprit:
[http://en.wikipedia.org/wiki/Beck_v._Eiland-Hall](http://en.wikipedia.org/wiki/Beck_v._Eiland-Hall)

~~~
jacquesm
I'm sorry, I _really_ do not see the parallel here.

A parody is just that, we're talking about a several day long real attack
here.

And if you read that article you'll see Beck sued to get the domain. So it's
not like he ignored it, and besides it was obvious from the beginning that he
wasn't the one that registered the domain.

------
moe
This mouth-breathing Bullshit really needs to stop.

 _the overwhelmingly most likely suspect for the source of the GitHub attacks
is the Chinese government._

Why would the "Chinese government" carry out an open attack against an
American company for absolutely no potential gain at all?

Do you really think they are stupid enough to believe such an attack could
remove these two software packages from the internet?

~~~
wnevets
What is the diplomatic downside for China exactly? If China can occupy and claim
other countries' territory in the face of international pressure without a
problem, what makes you think a covert op to DDoS GitHub is out of the
question?

~~~
moe
_what makes you think a covert op to DDoS GitHub is out of the question?_

The fact that this attack doesn't pass even a most cursory risk/reward
analysis.

Anyone with the technical smarts to carry it out must be well aware that there
is zero upside potential for China. The targeted projects are not gonna
disappear, github is not gonna disappear.

All possible outcomes are negative: the targeted projects get extra media
attention (Streisand effect), the "Cyberwar" narrative in the west is fueled
(cf. this HN thread), and in the worst case there could even be a minor diplomatic
quarrel with the US.

What do they have to win here?

~~~
wnevets
I see several wins for China, the first one being showing off the offensive power
of their "great firewall". Not everyone has the ability to withstand such an
attack; the chilling effect is real.

~~~
moe
What chilling effect?

Github is up and running after all. Both targeted projects are online:

      https://github.com/greatfire
      https://github.com/cn-nytimes

Looks like if you want to mess with China then all you have to do is put your
material on Github. You think that is the lesson China wanted to teach the
world?

~~~
wnevets
You don't see a chilling effect when the choice is either host your content on
GitHub or be blasted off the internet?

Let's not forget this wasn't an easy thing for GitHub to handle. Their service
still isn't running at 100% normal. Not to mention the cost burden they're
currently dealing with.

~~~
moe
_You don't see a chilling effect when the choice is either host your content on
GitHub or be blasted off the internet?_

Was there any doubt about China's ability to blast sites much bigger than
Github off the internet to begin with?

They're the second largest economy in the world. They don't need to play
painfully obvious MITM tricks on their own infrastructure to carry out an
attack - which then doesn't even have enough oomph to make a dent on a large
but probably not particularly hardened site.

_Let's not forget this wasn't an easy thing for GitHub to handle._

That doesn't change the message that this random, half-assed neck-slap sends.

If this was really done by Chinese authorities and if I was a Chinese
dissident then I'd be thrilled rather than chilled. Who knew keeping my stuff
online could be as easy as uploading it to Github!

~~~
pekk
Nobody ever said China couldn't run DDOS tools. This is a deterrent signal
sent to businesses outside of China. It publicly demonstrates that China has
the will to punish businesses for serving certain kinds of content. Although
it's obvious who benefits, it's just deniable enough that they have avoided
international censure; today nobody can reasonably think "China wouldn't do
that because they fear reprisals," since they just did it; which helps China
maintain a credible threat to businesses. They aren't trying to destroy
GitHub, just to exert control over businesses which are out of their
regulatory reach.

~~~
moe
_It publicly demonstrates that China has the will to punish businesses for
serving certain kinds of content._

Do you really think anyone concerned with these things (activists, VPN
providers, companies doing business with China) needed a half-assed,
unsuccessful Github attack as a "deterrent signal"?

------
baconschizer
Is this an April Fools' joke? Or are you guys really taking this whole Chinese
government theory seriously? If you were leading a country of 1.6bn people, how
much would you care about a programmers' code site?

To give all those conspiracy theorists a clear picture, what really happened
is merely the scale of problem you have never worked on or dreamed of
working on outside China.

This happened a year ago when a Chinese state-funded train ticket booking
website was accidentally deployed to production with an open-sourced JavaScript
vendor file still linked to GitHub. And on the first day that site went live, 30
billion visitors tried to secure a ticket for the coming Chinese New Year, which
took down GitHub for a good while. Yes, it was a DDOS attack from China, by
train ticket buyers.

Last November, the Chinese online C2C marketplace TaoBao.com saw 16.7bn
transactions in one day, with more than 1 billion CNY settled in a minute. If
any of the web devs responsible for even a small promotion page had left a link to a
cool jQuery plugin on GitHub, you could have written another "holy crap, evil
government attack" post here.

~~~
snowwolf
I made a similar comment elsewhere in the thread, but lets assume it's not the
Chinese government and it's something accidentally deployed or a hack by some
unknown entity.

Why is the code still running a week later? It doesn't take that long to find
the offending server's code and remove it. Especially as it is making the
Chinese government look bad, there would be added incentive to fix this pretty
quickly.

~~~
weberc2
If it was an "accident" that made the Chinese government look bad, we would be
hearing about the "unrelated" murder of magistrates by now.

