This article [0] summarizes what happened. It is however in Chinese. So let me put a simple summary here:
Baidu has Baidu Analytics, a service similar to Google Analytics. In short, a website includes a JavaScript file from Baidu and Baidu will report some basic analytics to the site manager like how many visitors per day, how much time they spent on average per page, etc.
Someone in the middle between a client outside China and Baidu, allegedly it should be the Great Firewall, changed the JavaScript file from Baidu and added some code so that any client executing the JavaScript file will periodically access https://github.com/greatfire/ and https://github.com/cn-nytimes/. This means any user who is accessing a site using Baidu Analytics will be an attacker against GitHub.
Here is a simple solution: Block any JavaScript from Baidu if you do not use it. For Chrome users, add the pattern [*.]baidu.com. See here[1].
Edit 1: Added a solution.
Edit 2: Format.
Edit 3: Oh, it's not only Baidu Analytics. Baidu Ads' JavaScript is also being hijacked and changed [2]. Imagine that all sites containing Google Ads use their visitors as attackers to attack GitHub. Now that is literally what is happening to Baidu and its customers (and their customers' visitors.) The JavaScript is only changed for visitors outside China. This is why people believe that it is done by the Chinese government --- the only entity who has total access to all out-going routers in China. Since many Chinese users use VPN or other types of proxy to access the Internet, they are all considered visitors outside China.
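The comment above suggests blocking Baidu scripts with a Chrome host pattern such as [*.]baidu.com. The following is an added example (not from the thread or from Baidu/GitHub) that audits which script includes on a page would fall under such patterns. It models only the host form of Chrome's content-settings patterns (scheme and port forms are assumed out of scope), and the sample HTML, site id and origins are constructed for the example.

```javascript
// Added example, not from the thread: audit which <script src> tags in a page
// would be blocked by Chrome-style host patterns such as "[*.]baidu.com".
// Only the host part of Chrome's content-settings pattern syntax is modelled
// (assumption: scheme and port forms are not handled).

// Does a hostname match one Chrome-style pattern?
//   "[*.]baidu.com"  -> baidu.com and every subdomain of it
//   "hm.baidu.com"   -> that exact host only
//   "*"              -> every host
function hostMatchesPattern(host, pattern) {
  host = host.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern === '*') return true;
  if (pattern.startsWith('[*.]')) {
    const base = pattern.slice(4);
    // The leading dot prevents "evilbaidu.com" from matching "[*.]baidu.com".
    return host === base || host.endsWith('.' + base);
  }
  return host === pattern;
}

// Extract script sources from HTML. A regex is enough for the constructed
// sample below; a real audit should use an HTML parser.
function extractScriptSources(html, pageOrigin) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    // Resolve protocol-relative ("//host/...") and relative URLs against the page.
    out.push(new URL(m[1], pageOrigin).href);
  }
  return out;
}

// For each script on the page: is it third-party, and would the block list stop it?
function auditScripts(html, pageOrigin, blockPatterns) {
  const pageHost = new URL(pageOrigin).hostname;
  return extractScriptSources(html, pageOrigin).map((src) => {
    const host = new URL(src).hostname;
    const blocked = blockPatterns.some((p) => hostMatchesPattern(host, p));
    return { src, host, blocked, thirdParty: host !== pageHost };
  });
}

// Constructed sample page: one first-party script, one analytics include, one CDN.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="//hm.baidu.com/hm.js?placeholder-site-id"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head></html>`;

const SAMPLE_ORIGIN = 'https://www.example.com/';
const BLOCK_PATTERNS = ['[*.]baidu.com'];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditScripts(SAMPLE_HTML, SAMPLE_ORIGIN, BLOCK_PATTERNS));
}
```

Running it lists three scripts: the first-party one and the CDN one pass, and the analytics include from hm.baidu.com is flagged as blocked. The `thirdParty` column is the more general point: every third-party script on the list is code the page operator does not control and that an intermediary between the browser and that host could alter.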
According to this[1] post GitHub (or someone else in between) started changing the responses to alert("Malicious Script Detected")[2]. That's an awesome counterattack - this stops the script from looping indefinitely and annoys the users.
But, really, you can hardly negotiate with the Chinese government. I'm pretty sure that they will deny this attack and re-emphasize their so-called Internet policy.
If I were GitHub, instead of a warning message, I would redirect the workload to some Chinese government website and let them suffer what they've created. Let's face it, they are waging a war on the Internet first.
Edit: Disclaimer: I know that my post is quite biased, especially this one. I'm not suggesting that people should wage a war against the Chinese government. Please take my words just as a (biased?) sample from an ordinary Chinese citizen who is really tired of the government's censorship.
Let's face it, they are waging a war on the Internet first.
The two most important aspects in war are casus belli and plausible deniability. China has the latter and github lacks the former. Thus github would lose by default in any 'war' against the Chinese government.
Generating a 301 is likely more work. Profile pages are simple database hits, and they may be dynamically or even statically cached (for popular pages). You're probably severely underestimating how much traffic China can produce [1].
A 301 avoids a database hit, and avoids having to go through the cache framework altogether.
It just says given this URL, we return a header that tells the browser to redirect. The only thing faster would be just dropping the connection as soon as it's given to you.
If Verizon and the like can hold up traffic to/from Netflix... couldn't they just do the same for Chinese traffic? Maybe redirect requests for Baidu to a Chinese version of Google?
I'm not saying this is a great idea, just that something could be done.
The Chinese government is for sure a plausible culprit here, but consider that the American government (NSA, or another TLA) is also a plausible culprit. If this ends up successfully blamed on the Chinese, it builds support for "cyberwar" defence funding in the US.
kardos, that is fair. I do not know which government entity paid for this poster, just that as usual someone is trying to sway online opinion with their workforce.
If the message had some information about the Tiananmen Square massacre or some other censored information, the attack would probably stop. At least temporarily.
Very interesting defense. It seems that it works because the attacking AJAX call is done with content dataType 'script'. I don't think it'll be too hard for the attacker to fix that.
It's either that or call a jsonp endpoint, which could still throw up the alert. CORS protects standard AJAX from requesting anything outside the current domain.
They're using neither. It's a cross-domain call so Github could block a regular AJAX GET by just not including ACAO headers. So they are using $.get with dataType 'script'. This is basically like JSONP without the callback - it adds a script tag with the remote URL to the page which means the client has no choice but to run the contents.
JSON.parse takes a string of "JSON" and turns it into a JS object. It doesn't evaluate the string in a JS context at all, which is what eval() does.
Some people have used eval() to do JSON parsing because JSON is a subset of JS, but if the user has any control over making malformed JSON, they could do so to create JS that can do anything the page can from the context of another user, otherwise known as Cross-Site Scripting (XSS).
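To make the distinction in the two comments above concrete, here is an added example (not from the thread) showing the eval()-based "parser" beside JSON.parse on the same inputs. The hostile string is constructed for the example and only sets a flag, so the difference in behaviour is observable without doing anything else; the `parseWithEval` and `parseJsonSafely` names are this example's own.

```javascript
// Added example, not from the thread: why JSON.parse is safe for untrusted
// input where eval() is not. Runs under Node.js with no dependencies.

// A JSON document as a server might legitimately send it.
const LEGIT = '{"user":"alice","role":"viewer"}';

// Constructed hostile input: valid JavaScript, but not valid JSON. It is kept
// benign (it only sets a flag) so the effect can be observed in a test.
const HOSTILE = '{"user": (globalThis.evalSideEffectRan = true, "alice")}';
globalThis.evalSideEffectRan = false;

// The vulnerable pattern from the comment: wrap the text in parentheses and
// eval it. Anything that is a JS expression gets executed with the page's
// full privileges, which is the XSS the comment describes.
function parseWithEval(text) {
  // eslint-disable-next-line no-eval
  return eval('(' + text + ')');
}

// The hardened form: JSON.parse implements the JSON grammar only. Input that
// is not JSON is rejected with a SyntaxError and nothing is executed.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// JSON.parse guarantees structure, not meaning: still validate the shape
// before trusting the fields (the allowed roles are an assumption here).
const ALLOWED_ROLES = new Set(['viewer', 'editor']);
function toUserRecord(text) {
  const parsed = parseJsonSafely(text);
  if (!parsed.ok) return null;
  const v = parsed.value;
  if (typeof v !== 'object' || v === null) return null;
  if (typeof v.user !== 'string' || !ALLOWED_ROLES.has(v.role)) return null;
  return { user: v.user, role: v.role };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('eval on legit  :', parseWithEval(LEGIT));
  console.log('eval on hostile:', parseWithEval(HOSTILE), 'flag =', globalThis.evalSideEffectRan);
  console.log('JSON.parse on hostile:', parseJsonSafely(HOSTILE));
  console.log('validated record     :', toUserRecord(LEGIT));
}
```

Both parsers accept the legitimate document. On the hostile string, eval() returns a plausible-looking object while the embedded expression has already run; JSON.parse rejects it before anything executes. The shape check at the end is the second half of the defence: a well-formed JSON document can still carry values the application must not trust.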
Wikipedia suggests the English-reading Chinese population is in the hundreds of millions (much higher than the English-speaking Chinese population), and I would guess that group overlaps quite a bit with Baidu users.
They have no choice. If they used an AJAX call it could be blocked by (lack of) ACAO headers. The only way to hit a remote URL that cannot be blocked is by adding a <script href="//github..." /> tag to the URL, which means the client has no choice but to run the contents.
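The comments above explain why the hijacked script had to load GitHub URLs through a script tag rather than an AJAX call, and earlier comments note that serving a full profile page to each of those loads is the expensive part. The following is an added example, not GitHub's code and not the method the thread says GitHub used, of a server-side responder that tells a browser navigation apart from a script-tag load of the same URL and answers the latter with a small inert JavaScript body instead of rendering the page. The classification heuristics are assumptions stated in the code (the Sec-Fetch-Dest header exists in current browsers but not in 2015-era ones; the Accept-header fallback is a rule of thumb), and the sample requests are constructed.

```javascript
// Added example, not GitHub's code: divert script-context fetches of a page URL
// to a cheap, inert JavaScript response. Heuristics (assumptions):
//  - current browsers send Sec-Fetch-Dest: "document" for navigations and
//    "script" for <script src> loads;
//  - older browsers send Accept "text/html,..." for navigations and "*/*"
//    for script tags.
// Unknown clients get the normal page so that legitimate traffic is not broken.

function classifyFetch(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const dest = h['sec-fetch-dest'];
  if (dest === 'document') return 'document';
  if (dest === 'script') return 'script';
  if (dest !== undefined) return 'other';

  const accept = h['accept'] || '';
  if (accept.includes('text/html')) return 'document';
  if (accept.trim() === '*/*') return 'script';
  return 'other';
}

// Body served to a script-context fetch. The browser will execute whatever it
// receives, so it must parse as JavaScript; it does nothing except fail loudly.
const INERT_SCRIPT =
  'throw new Error("This URL is a web page, not a script; refusing to run.");';

// Simple counters so an operator can see how much of the load is script fetches.
const stats = { document: 0, script: 0, other: 0 };
function getStats() {
  return { ...stats };
}

// Decide the response for one request. renderPage() is only called when the
// page is really going to be shown, which is where the cost saving comes from.
function chooseResponse(headers, renderPage) {
  const kind = classifyFetch(headers);
  stats[kind] += 1;
  if (kind === 'script') {
    return {
      status: 200,
      kind,
      headers: {
        'content-type': 'application/javascript',
        'x-content-type-options': 'nosniff',
      },
      body: INERT_SCRIPT,
    };
  }
  return {
    status: 200,
    kind,
    headers: { 'content-type': 'text/html; charset=utf-8' },
    body: renderPage(),
  };
}

// Constructed sample requests, as plain header objects.
const SAMPLE_REQUESTS = {
  navigation: {
    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Sec-Fetch-Dest': 'document',
  },
  legacyScriptTag: { Accept: '*/*', Referer: 'http://site.example/page' },
  modernScriptTag: { Accept: '*/*', 'Sec-Fetch-Dest': 'script' },
  apiClient: { Accept: 'application/json' },
};

function renderSamplePage() {
  return '<html><body>profile page (constructed sample)</body></html>';
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    const res = chooseResponse(headers, renderSamplePage);
    console.log(name, '->', res.kind, res.headers['content-type']);
  }
  console.log(getStats());
}
```

Compared with the alert() response discussed above, a thrown error does not stall the visitor's page; both approaches share the property that matters for the origin, namely that a script-tag load never triggers the page render. Wiring `chooseResponse` into an HTTP server is a matter of passing the request headers in and writing the returned status, headers and body out.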
The JavaScript used is very amateurish with many outmoded features, poorly optimized. I couldn't believe they were loading jQuery, for example. This looks to be the work of a script kiddie rather than a superpower's cyber warriors.
I agree - but it might just be deflection. The Chinese could use the same argument to assert they bore no responsibility. Besides - everybody has jquery cached. Why create an ajax from scratch and add to the weight of the crap they are injecting into the script?
For quick and dirty I like it. It's not exactly long term or really destructive - but it's kind of a cute and clever attack.
Github's response to pop an alert was priceless. Sure it probably annoyed the hell out of millions of Chinese people - and their government will probably claim Github attacked them --- but the truth will out... maybe.
Probably, yes. But considering that CNNIC, a root CA from China, is issuing unauthorized certificates [0], I cannot help connecting these two events together. I won't be surprised if the Chinese government is using unauthorized certificates to initiate MITM attacks specifically targeting TLS traffic. If that is the case, there will be really bad days for the whole Internet.
CAs aren't geographically limited. Any CA trusted by your computer is trusted for any domain anywhere (with the exception of certificate pinning, which isn't commonly used). That means that a single rogue CA is enough to make HTTPS worthless everywhere.
Mozilla actually has done this (sort of), once. They restricted French agency ANSSI's root CA to only be valid for TLDs ending in .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, .tf.
They could also strip the https and serve everything over http through the firewall. The fact that the firewall exists is accepted in China so I don't see why they couldn't pull that off too.
Personally, the content I'm usually interested in when I visit a page is just the text and images. There are some exceptions, but that's what a whitelist is for. Even if you don't count the numerous security benefits, denying scripts by default has made my websurfing much more enjoyable.
It's a great filter for nonsense. Usually sites that cause problems for NoScript are crap anyways. Not always, but often enough that I see it as a net benefit.
I use NoScript as well (and I wish more people would) but to be fair I doubt the users who were part of the botnet even noticed it at all. It's only github who would've benefited from these users running NoScript.
Yeah, it was obviously a lighthearted comment, but the larger issue is that every web user is running someone else's untrusted code on every website they visit. Frankly I'm surprised these kinds of attacks aren't more common. NoScript helps mitigate this issue, and while it has lots of other incidental bonuses that a nerd like myself cares about, I freely admit it results in a worse end-user experience for almost everyone else.
What I don't get is why they didn't inject a script into all html passing through the firewall. That would have achieved a much greater effect if they really wanted to take out GitHub - the Baidu Analytics tracker is just a single script.
This is just my theory: I think that the GFW is currently entering its next stage, which probably includes MITM attacks on TLS traffic and some attacks specific to websites outside China. I suppose that since everything now is in a "research" stage, they are just trying to see if the technique works and how far it could go.
Disclaimer: I was a user inside China and was blocked from the real Internet. So please take my words with a grain of salt.
This is actually the most plausible explanation I have seen so far: they just finished implementing this new injection feature and they needed something to test it on. For lack of a better target, they chose those two github projects.
Everybody's talking about how this is a targeted attack against GH, but I'm starting to think you might just have hit the nail on the head...
Using jQuery to send this request is really kind of amateur. They could just append a <script> tag to the page which is effectively what that $.ajax call is doing.
Wow, this must be a major blow to Baidu. This time their scripts were hijacked to DDoS, not that bad.
Since we all know that the Chinese government would never do a thing like this, it must mean that there is a very powerful hacker group behind this. And they are probably DDoSing for profit. Who knows what they may do for profit next? Spy on users? Steal passwords? Credit cards? Impersonating users?
Until Baidu implements a secure crypto solution that can prevent this malevolent hacker gang from sending corrupted scripts, it would be very irresponsible to use baidu analytics!
I'm kind of amazed that these trolls are so obvious. It makes me wonder how much user generated content is really government generated content that we miss because it's not as apparent.
Something bothers me about this post. It's obvious astroturfing, but this user has a large amount of legit comments. They are in perfect English, while this is clearly not, and uses a totally different tone and voice than their previous comments.
0. http://drops.wooyun.org/papers/5398
1. http://www.howtogeek.com/tips/how-to-block-javascript-and-ad...
2. http://www.solidot.org/story?sid=43489