GitHub under ongoing DDoS attack (github.com)
652 points by MosheZada 757 days ago | 334 comments

The PRC's DDoS of GitHub seems a little risky.[1] If GitHub is inventive (or desperate) enough, they could call on their users for aid. The perpetrators would immediately draw the ire of vast numbers of talented programmers. And GitHub is positioned to direct this ire toward useful ends. They could encourage users to contribute to GreatFire, or even start other initiatives and projects to stymie censorship. The outcome could easily be worse for the PRC than if the attack had never happened.

1. Even if this isn't a PRC-ordered or sponsored attack, large parts of their infrastructure are being co-opted. If they aren't criminally involved, they're criminally irresponsible.

Looks to me like it's time for a DDoS X-Prize.

1. SSDP Flood 21%
2. SYN Flood 19%
3. UDP Flood 13%
4. UDP Fragment 12%
5. NTP Flood 8%
6. GET Flood 7%
7. CharGEN Attack 5%
8. DNS Flood 5%
9. ICMP Flood 2%
10. SNMP Flood 2%

Eliminating these 10 attack vectors would account for 94% of DDoS attacks according to this visualization[1], as witnessed by Akamai over the last 30 days. Just the top 3 is more than 50%. Seems like a reasonable start on a way to measure success.

Who'd like to sponsor? Or should I just spin up a GitHub repo for the code and a kickstarter for the prize money?

[1] http://www.stateoftheinternet.com/trends-visualizations-secu...

SYN Flood was already mitigated a long time ago with SYN cookies. The rest... well, it's basically just packets.

I see this latest development as good news. The Javascript MITM trick was very clever because forcing github to render and serve a page is a lot more resource consuming than just firing packets at servers that ignore them (like a UDP or SYN flood). The latter can saturate network links until the sources are blocked, but those sources tend to be somewhat focused and don't shift much. An HTTP level attack driven by random web users means every request might have a different IP and it requires running way more of the app stack to be able to filter them out. If China has now resorted to SYN flooding then it means they ran out of better techniques.

SYN flooding is not mitigated by SYN cookies. The attacker can encode information inside the packets in exactly the same way as the server, meaning they don't have to maintain any state, see: http://insecure.org/stf/tcpdos/outpost24-sect-sockstress.ppt (slide 18 onwards)

That's not a syn flood though. A syn flood is purely syns. So there is no need for the attacker to encode information if they are just doing a syn flood.

> well, it's basically just packets

Is "DNS flood" a DNS reflection attack though?

Usually no.

There are generally two types of floods against DNS infrastructure:

- Flood of "valid" requests, to a large number of open DNS recursors. To avoid caching they usually contain a random prefix. A flood against a large number of open DNS recursors basically causes the recursors to not work, and many authoritative servers to be overwhelmed.

- Flood directly against authoritative servers, to fill the network or use up all the CPU.

Traditional reflections aren't that popular any more.
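A defender-side detector for the random-prefix flood described in the list above, as an added example that is not part of the thread. The log format, thresholds and the two-label zone split are assumptions; the sample log lines are constructed.

```python
"""Random-prefix DNS flood detector (added example, not from the thread).

The flood described above sends queries for never-repeating names such as
a1b2c3d4.victim.example so that no cache can answer them. On an
authoritative server or recursor, that shows up as one zone receiving many
queries whose leftmost labels are almost all unique and high-entropy.
Assumed log format (constructed): "<unix_ts> <client_ip> <qname> <qtype>".
"""
import math
from collections import Counter, defaultdict

# Constructed sample: normal traffic for example.com, and a flood against
# victim.example using unique pseudo-random prefixes (not real data).
SAMPLE_LOG = """\
1427500000 10.0.0.5 www.example.com A
1427500000 10.0.0.6 mail.example.com MX
1427500001 10.0.0.5 www.example.com A
1427500001 10.0.0.7 api.example.com A
1427500002 10.0.0.5 www.example.com AAAA
1427500002 10.0.0.8 www.example.com A
1427500001 198.51.100.7 a1b2c3d4.victim.example A
1427500001 198.51.100.8 q9w8e7r6.victim.example A
1427500001 198.51.100.9 z5x4c3v2.victim.example A
1427500002 198.51.100.7 m0n9b8v7.victim.example A
1427500002 198.51.100.8 k1j2h3g4.victim.example A
1427500002 198.51.100.9 t6y5u4i3.victim.example A
1427500003 198.51.100.7 p2o3i4u5.victim.example A
1427500003 198.51.100.8 l7k8j9h0.victim.example A
"""


def parse_line(line):
    """Return (ts, client, qname, qtype) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return int(ts), client, qname.rstrip(".").lower(), qtype


def zone_of(qname, depth=2):
    """Registered zone = last `depth` labels. Simplification: a real
    deployment would consult the public suffix list instead."""
    return ".".join(qname.split(".")[-depth:])


def shannon_entropy(s):
    """Bits per character of a label; random 8-char labels score about 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(lines, min_queries=5, unique_ratio=0.8, min_entropy=2.5):
    """Per-zone statistics plus a 'flagged' verdict for the flood signature:
    enough queries, nearly every prefix unique, and high-entropy prefixes."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                                 "entropy_sum": 0.0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        _, client, qname, _ = rec
        zone = zone_of(qname)
        prefix = qname[: -len(zone) - 1] if qname != zone else ""
        s = stats[zone]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["entropy_sum"] += shannon_entropy(prefix)
        s["clients"].add(client)

    report = {}
    for zone, s in stats.items():
        n = s["queries"]
        ratio = len(s["prefixes"]) / n
        mean_ent = s["entropy_sum"] / n
        report[zone] = {
            "queries": n,
            "unique_prefixes": len(s["prefixes"]),
            "unique_ratio": ratio,
            "mean_entropy": mean_ent,
            "clients": len(s["clients"]),
            "flagged": (n >= min_queries and ratio >= unique_ratio
                        and mean_ent >= min_entropy),
        }
    return report


def flagged_zones(report):
    """Zones showing the random-prefix flood signature, largest first."""
    return sorted((z for z, r in report.items() if r["flagged"]),
                  key=lambda z: -report[z]["queries"])


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG.splitlines())
    for zone in flagged_zones(rep):
        r = rep[zone]
        print(f"{zone}: {r['queries']} queries, {r['unique_prefixes']} unique "
              f"prefixes, mean entropy {r['mean_entropy']:.2f} -> FLOOD")
```

On the constructed sample only victim.example is flagged; the normal example.com traffic repeats a few low-entropy labels and stays well under the thresholds.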

You aren't going to make ddos attacks go away by offering prizes for a miracle software solution. It amazes me that there are so many programmers here who don't understand this basic principle. I think the only way we can get people to understand the situation is with an analogy.

Let's say your pipe can receive 1 Liter per second of water. There are some impurities that you can filter through your faucet, this is analogous to the software firewall. However what happens when someone starts piping 99 L/s of sludge through the other end? No matter how sophisticated the filter you have on your faucet, the water you will get out of it is going to slow to a trickle.

Now I can already hear you asking, why does the Internet allow people to send whatever sludge they want? And the answer is because that's the way the internet is made. There has been a push to stop spoofing called BCP38, but this requires EVERYONE to do extra work and spend extra money which is why relatively little progress has been made since it was released 15 years ago, and is likely to never succeed.

If it was as easy as creating a piece of software to deal with, large businesses like Prolexic wouldn't be banking their future on a problem that would be so easily solved.

I think there are plenty of people, myself included, who understand how DDoS attacks work.

Do you know how X-Prizes work?

Hint: Did I say anything about software?

[edit: It's odd to me that this would get down voted. Is it offensive? Or are downvoters really that opposed to thinking outside of the box?

The X-Prize encourages participation from unexpected directions, precisely where innovation is often found. As the parent post demonstrates (almost as if on cue), it's quite common for skilled experts within a field to become overly focused on specific classes of solution. I was careful not to say anything about how the above goals might be achieved.]

I didn't downvote you but I can see why they did. The way you act is similar to someone running a contest to disprove Turing's proof on the halting problem.

If your bandwidth is being filled from the other end, it doesn't matter how sophisticated the filter is at your server. Even if it is theoretically perfect and able to tell which packets came from real requests with 100% accuracy, it will not solve the problem. This limitation also applies to hardware firewalls.

Many smart people have already tried to solve the DDoS problem and they all came to the same conclusion. Either everyone does BCP38, which is never going to happen, or you buy more bandwidth than your attacker can throw at you.

To suggest that all we have to do to solve this is dangle chump change for some random coder to solve it is rather silly especially when companies like Cloudflare and Prolexic have bet their entire futures on DDoS not being fixed any time soon.

As someone who deals with DDoS attacks every month it is rather obvious that you don't have a very good idea of how ddos attacks work when everything in the list you copied off a random website except for SYN could be classified as attacks that overflow your bandwidth. UDP fragments and Chargen are also bandwidth attacks.

I understand your position, and I don't want to be offensive. I simply want to be clear.

The X-Prize is intended precisely for this type of industry stagnation, and has been very successful at that goal so far. Winners solve unbelievable problems in unbelievable ways.

I am, if not an expert, nearly so, and I can say that my first thought is not better filtration. As you rightly point out that is a very hard problem, technically impossible too if you limit the framing of the problem to only information available to the server and consider each event in isolation.

I am a little surprised that you as a self professed expert keep harping on the futility of better serverside filtration when your very argument is that it isn't a good approach. Why are you assuming that others would choose a poor approach when you would not?

For example my first thoughts go to ideas like: a home firewall auto configuration / lockdown tool and associated marketing campaign; inexpensive home network security hardware; better anti bot software; a police botnet; browser and os patch sets; political campaigns to change regulatory requirements; graphic design, video and other media to improve understanding and provide easy to implement solutions; economic/business models that naturally incentivise users and/or device vendors to prefer better security features on devices. In the end perhaps it would be none of these things, or perhaps it would be some particularly spectacular bit of server filter coding.

The point of prize systems like the X-Prize is to efficiently solve hard problems. It is not to solve it in any particular way. Is there no better algorithm to recommend movies? No there isn't, until you consider human factors (The Netflix Prize). Is human space travel truly only the domain of nation states? Yes it is, until the Ansari X-Prize.

Before these prizes were won, their solutions were impossible, afterwards they are simply solved problems.


P.S. In addition to your mistaken impression of my inexperience in the field you are also mistaken that the information I posted is "off a random website". The information is from Akamai's State of the Internet site and represents Akamai's "real-time 24-hour global attack data: sources, targets, and types of attacks". It is linked to directly from Prolexic's home page. Though, I'm sure as an expert you knew that.

> The X-Prize is intended precisely for this type of industry stagnation

No. Take a look at the Ansari X-Prize, the first of this kind.

The theoretic foundations for spaceflight were laid out about a century ago, the first flight took place in 1961. So this is something which is very well understood. The prize was, basically, for tweaking the components to make it cheaper.

But you're asking somebody to invent a new method, without providing a theoretical foundation for it to work in.

So this would be like asking to invent a teleporter or faster-than-light travel.

Besides that, other x-prizes were formulated as contained experiments. E.g. demonstrate that your spacecraft can fly, or provide a program which offers better recommendations.

But what you describe is not an experiment. You actually want participants to go and change how the Internet works. This isn't contained.

So you're being downvoted for being extremely naive. You seem to believe that a kickstarter campaign and a github repo can solve any problem.

Everything you've suggested requires all networks to cooperate/spend extra time and money, or that no one makes an exploitable protocol in the future (as likely as humans never making mistakes). If you can already get all networks to cooperate/spend extra time and money, then you can make them do BCP38 which would be a more complete solution.

> In addition to your mistaken impression of my inexperience in the field you are also mistaken that the information I posted is "off a random website". The information is from Akamai's State of the Internet site and represents Akamai's "real-time 24-hour global attack data: sources, targets, and types of attacks". It is linked to directly from Prolexic's home page. Though, I'm sure as an expert you knew that.

And all of this doesn't disprove anything I said.

That website is a marketing piece made for laymen such as yourself.

The fact that you are categorizing those attack vectors as separate problems instead of being in the same class proves what I claim.

>Did I say anything about software?

Well, you did say:

"Who'd like to sponsor? Or should I just spin up a GitHub repo for the code and a kickstarter for the prize money?"

Indeed I did, still no software implication. I was being fairly deliberate about that.

What I'm confused about is what the argument is.

Is it we shouldn't try to find a solution?

I'm sorry if I was unclear that I did not intend to limit the scope of solutions to software, but frankly so what even if I had?

In any case the X-Prize proposal seems quite popular so I'd be happy to set it up, help someone else set it up or in general do anything I can to encourage innovative solutions of any kind, but..

...never tell me the odds.

Please stop defending yourself; accept that others know what they're talking about, please.

You cannot set up a github repo for that.

Most of these attack vectors just mean a great amount of a specific traffic of some sort. Traffic volume is not something that you can, or would want to, eliminate.

You have to somehow identify and separate the unwanted requests from your regular traffic. That's why these cases are unique and need to be handled manually, in cooperation with your uplink(s).

To be clear these are attack vector prevalence relative to each other, and represent 'known' attack traffic identified by Akamai, not general traffic in these protocols.

However, this is no doubt not a complete list of DDoS vectors as it doesn't account for application level exploits like those demonstrated in the GitHub attacks. And obviously not everything that is a DDoS is a protocol flood.

Either there is a way to identify those types of attacks now, or improved attack identification should be included as a requirement for the X-Prize.

> they could call on their users for aid

You gotta be kidding. Calling on their paying customers to commit a crime on their behalf? Really?

When did writing ddos protection tools become a crime? Was that shortly after it became illegal to try to stop someone from stabbing you?

Maybe I misinterpreted the "or desperate enough," I don't know, but quite a lot of people in this thread seem very trigger happy.

// Fun fact: Depending on what jurisdiction you're under and how the tool is implemented writing a DDoS protection tool might actually be considered a crime.

Yeah you did misinterpret his comment. Also, you can be "desperate" for help so I don't understand what you meant.

What jurisdiction or tool-implementation would consider DDoS prevention a crime? We're talking about mitigating a flood of traffic here.

> Yeah you did misinterpret his comment.

Don't rub it in. I had a long night.

> What jurisdiction or tool-implementation would consider DDoS prevention a crime?

That depends on how the tool is implemented. Nobody cares what you use it for; what it does and what that (potentially) enables you to do is usually the deciding factor. I can't give you a concrete example because I'm not a judge and these kind of laws are way too vague anyway. We're obviously not talking about "traditional" methods here (hence the fun fact). Note that the problem is not you using a tool, it's you distributing a tool that can be used for ... well ... I don't know.

As a paying customer of Github I want them to know they have my undivided support in staying strong against "the bullies".

"Bully" is rather too weak a label for the perpetrator. This attack is criminal. If carried out by a sovereign nation, perhaps an act of war. We don't allow foreign raiding parties to enter our country to loot private businesses. Neither should we treat this attack as a simple act of "bullying".

GitHub should get the full support of federal law enforcement, if not the military.

We should never take up arms for a threat that has no human casualties, especially when there are alternatives. If your neighbour enters your home uninvited, because the door is not locked, the first thing you do is ask them nicely not to do that. The next thing you do is lock the door. You don't start shooting at them first ...

So if a government shut down US airports for 72 hours, resulting in no loss of life, should we just sit back and do nothing? A risk to human life isn't the only threshold that determines retaliation. A risk to economic activity is just as provocative as physical violence. How about if they attacked the power grid? A huge number of companies' businesses depend on services like github. Do we just hold hands and choose to pray for a solution or do we hit the perpetrators in the gut? If the Chinese are behind it, we should immediately start seizing their US assets until such time as they put an end to the nonsense. If the Chinese can thwart Google, they sure as hell have the means to stop a cyber attack from their soil: even if they are directly the ones doing it. Alternatively, their cables could be cut (there are only about 7 that connect China with the outside Internet.) If someone is spraying you with a firehose, cutting off their water supply is a just and reasonable response.

They didn't just enter an unlocked door. They're smashing GitHub's windows, kicking GitHub's dog and flipping over furniture.

I don't think they're breaking into their system at all. They're just abusing a public interface on their site. A more apt analogy would be repeatedly calling their phone, or ringing their doorbell nonstop. Your analogy implies they are destroying GitHub's property, which they aren't.

Bit further than that. They're crowding your front porch with the explicit purpose of preventing any of your friends, family or customers actually getting to your front door. I think the intent is important to note. It's not a child who likes the sound of a doorbell, but an adult employed to achieve a very negative outcome.

Except in Texas ;)

I wouldn't be averse to depth charging a fiber optic cable (more specifically - damaging their ability to operate the great firewall) so long as there are no human casualties. Even better if it could be done without disrupting Chinese Internet.

Unfortunately, most people's response would be "What's a GitHub"?

This wouldn't be the first time China has hacked US-based organizations.

Do you think the reverse isn't happening?

I was addressing the assertion that this is the first time China attacked the U.S. Whether or not the U.S. reciprocates is off-topic, but to answer your question: I don't know about any evidence that would suggest the U.S. reciprocates.

I'd say cut the internet trunk lines to China... period.. end of story. That would seem to be an appropriate response. Blacklist China's internet traffic completely.

This is why Hacker News users are not in politics.

@vacri, can't reply directly to you... but here goes.

If China was loading missiles into cargo ships that fire at Northern California, we wouldn't continue to let ships enter/leave China. As to the debt that China owns, they're already in a position of playing games with currency and resources to assert a dominant position.

Eventually you have to stand up for yourself. As to the do-dad manufacture costs, well I think we'd be okay if we had to go a couple years without any new do-dads.

Cut off internet contact with the country that holds a ton of US debt, and manufactures all the little doo-dads we all use in our day-to-day lives?

It's become clear to me over the past 5-10 years or so that we're in some sort of weird undeclared war on the Internet. Nations are doing exactly what you describe, and it seems there is little to no repercussions for them doing so.

I agree...it seems much more akin to sport than militaristic action.

Since sport is pretty much a direct offshoot of war, I think the analogy works ok.

I agree that it's criminal but that doesn't make it a terrible offense, and far from an "act of war". The damages to GitHub are probably minor in the long run. Nobody will have died or have even been injured. Any one violent crime would rank above this in severity imho.

Bandwidth doesn't come for free. That's a shit-ton of junk data battering their servers.

I hope that by "full support of federal law enforcement, if not the military" you mean whatever cyber defense and possibly offense forces they have. I really hope that nobody thinks this is worth starting a shooting war with a rival nuclear superpower over.

On further thought, you're right. I would not condone any sort of violent response. But a criminal investigation should be made, even if it leads to Chinese authorities.

(Just as we should have criminal investigations over US surveillance programs...).

PRC is not (yet) a superpower.

Sigh. Go look up the definition.

> We don't allow foreign raiding parties to enter our country to loot private businesses.

Really? The US government does just that, by mass spying of telecommunications.

Both are unethical, but there is a difference between spying (sitting with some binoculars by a window, or snooping around inside the building) and destructive actions (blowing up the entrance with a constant stream of TNT so no one else can get in). US does the former, China does both.

[Citation needed]

We've been hearing propaganda for ages about China & Russia doing evil things in cyberspace and the USA promoting freedoms and such, but the NSA revelations among other things have shown that the USA is just as guilty of all the spying, attacks, weakening of hardware and software even if it hurts American companies, economic espionage (which was also a difference people here used to make with China and was proven false), etc.

And I'm not even touching Stuxnet and Flame.

> The US generally does not engage in destructive actions with the intent of restricting the rights of their own citizens... just other country's citizens. China does both. Both are very bad, but I think the US still has a slight moral highground here.

If it does, it's not much higher. You're completely restricted in your rights to do anything that the government finds a matter of "national security". Even if it's not related to any official entity [1]

It's time we stop thinking about Us vs Them and who is winning or has a moral high-ground and start thinking in terms of citizens of the world united against injustice.

Opposing attacks like the Chinese against GitHub and the surveillance, propaganda and violence of all the other big powers.

Feeling good about "our side" being slightly better (Subjective and irrational) won't change the fact that it's still unacceptable.

[1] https://firstlook.org/theintercept/2015/03/26/new-low-obama-...

I do pretty much agree with all your points. The revelation that NSA was engaged in economic spying definitely brought their moral highground way down to earth, even if the nature of the spying was somewhat more geopolitical than what China was doing (going after national energy companies, in NSA's case). But a few caveats:

>You're completely restricted in your rights to do anything that the government finds a matter of "national security". Even if it's not related to any official entity [1]

There are very few countries where this is not the case, even supposedly extremely liberal countries like the Nordic ones. State secrets and national security are always going to be a monolith hanging over us for centuries. What needs to improve is the internal regulations and auditing behind these processes, to ensure strict adherence to public (not classified) laws and regulations.

I am not nationalistic or even patriotic in the least. I don't like a lot of what the US government and intelligence community does. However, I do see it as the lesser evil when you compare other superpowers like Russia and China.

The US does damaging unethical things. https://news.ycombinator.com/item?id=9285146 They aren't just observing.

They do, but usually those actions are done against "belligerent" entities.

And though it's certainly not a great defense, the router bricking was unintentional.

The US generally does not engage in destructive actions with the intent of restricting the rights of their own citizens... just other country's citizens. China does both. Both are very bad, but I think the US still has a slight moral highground here.

I don't think this qualifies as an act of war, not by a long shot. But that does raise an interesting question: what would be considered (or rather should) an act of war in cyberspace?

Should the target be a whole nation? Or maybe enough of it to affect their ability to function? How much commerce disruption equates an act of war, even if no shots are fired?

You'd need some pretty good proof and how would you respond? With another cyber attack? Or escalate into a shooting war? Or by disconnecting the attacking country from the internet?

How much commerce disruption equates an act of war, even if no shots are fired?

I'm pretty sure blockading ports (as in cities where ships go, not network ports) counts, so that's a starting point. But on the other hand, blockades do tend to be backed up by at least threats of actual physical violence, so.... ?

> GitHub should get the full support of federal law enforcement, if not the military.

With a few exceptions, the US military has atrocious "cyber" readiness and capability. This isn't yet in their wheelhouse, and any public assistance they might provide would just be risking embarrassment.

The military?

If this is an act of war then most of the NSA revelations would mean that the rest of the world has eons of casus belli against the USA.


This goes well into flamewar territory. Please stay on topic and be civil.

I was anticipating the second half of your sentence being something like "they better maintain 100% uptime or I'll be pissed off". Glad it wasn't.

I assumed it was implied.

As a non-paying customer I have seen nothing but 100% uptime and perfect service. If it weren't for HN and Twitter I wouldn't even know Github was under attack.

OAuth seems to have sporadic issues, which, I guess, may cause failures to "Log in with Github" auth on some occasions.

At least I've seen a few "connection refused"/"timeout" error notifications from one of the sites I manage. Don't know the successful login counts, so no idea how high the error rate is.

Seriously, I had one page hang for about a second before responding, and honestly thought that was just my crappy wifi card (and it may very well be).

How many of us have websites that we can publish this story ourselves on? http://www.blog.joelx.com/ddos-attack-on-github-could-be-act...

Too bad they bent over for the Russian government though. I wouldn't bet on Github growing a spine anytime soon. If these attacks continue, Github will delete the material China wants them to. They already showed weakness once when they censored what Russia wanted to censor.

The difference was that the Russian government did actively attack them; it merely was trying to block illegal content. Github didn't remove the repo, they simply blocked that page for Russian users. Also the material they were blocking was a suicide poem, and while free speech was being minorly impacted, all in all its removal didn't affect very many people.

In this case China is attacking them directly, and removing the repos in question would affect people's ability to use that software, greatly affecting freedom from censorship for many many people.

I generally don't buy subscription software for personal use, but when I do, I buy from Github.

And paying Github as a business is a no-brainer.

From looking at the Javascript injection code (http://www.theregister.co.uk/2015/03/27/github_under_fire_fr...) it seems like the quality of the script is pretty amateur.

They inject jQuery not once, but twice, and only use jQuery to make a simple XHR request. Perhaps they are worried about one instance of jQuery being taken down or made unavailable to them, but they really don't need jQuery at all for something this simple.

It's not even an XHR request. It's a JSONP-style insert-<script src="someurl"></script>-into-the-body "request".

The fact they used jQuery to do this is incredibly amateurish. Especially since they didn't seem to realise they could do the same trick with <img> without creating an XSS vector.

I think it is an XHR request, despite that not being the best option, as you later explain. As in, it includes the jQuery script and then does a `$.ajax()` call.

I love that even PRC's DDoS attacks on U.S. technology resources invoke jQuery twice.

I think that it needs more jQuery. http://www.needsmorejquery.com/

The jQuery is being injected from 2 different sources. The first being from a Baidu CDN, I suppose they anticipate some kind of attack on Baidu and included the 2nd one as fallback.

As for jQuery being unnecessary for this job; agreed, but hey, it got the job done.

They might be using jquery because it abstracts away the quirks of different browsers (I seem to remember that old versions of firefox and IE had different APIs for making XHR requests).

But in this case there are no meaningful browser differences:

  var tag = document.createElement('script');
  tag.src = 'https://github.com/greatfire/';

This works on any browser. Even IE6.

Which, ironically, is not so different from what they are doing to get jQuery in the first place.

Ah, you're right. Then it really is stupid. I misunderstood what it was doing.

Can Github ask for US Government help with it, since it's an attack by [presumably] foreign sovereign entity? It's paying taxes in US, right — so it may expect some kind of protection, isn't this what taxes are about?

That service only extends to the MPAA /s

"Cybercrime" and "cyberterrorism" resources are only deployed (a) for securing more funding (b) for expanding US surveillance or sometimes (c) on behalf of big donors like the copyright industry.

The US has no interest in saying "international cyberattack should be illegal" because then other countries might insist that it stop. They could go for a trade war escalation, but that would at some point have Apple as a casualty.

That's not true at all, what the hell?

Realize you're talking to folks who do this kind of stuff for a living, rather than just the random Internet denizens of most other websites.

The FBI will regularly inform and assist companies who've been breached, for example. The US government is very interested in protecting US companies.

That said, they don't quite have any guidance from congress on how to do that, so right now the assistance is limited. It is most certainly there, however, and your tinfoil-hat nonsense doesn't really fly.

When I was an admin of an IRC network we regularly reported large scale DDoS attacks to an FBI agent assigned to us. He didn't care. Some of those attacks took the network down for a while and resulted in many users moving to other networks. In at least two cases we even figured out the identity, address, and phone numbers of the people doing it and there was no movement on it.

Then one day one of the people we had the identity of boasted on how he had briefly brought down the website of one of the democratic primary candidates. We forwarded that information and our case was reassigned to another agent and the person was arrested immediately. I absolutely think it's true that the US government is only interested in protecting established and powerful figures. I suspect the reason is career driven - defending the little guys isn't glamorous and probably has no promotion impact.

It's a matter of finance more than anything - if the people of the United States are paying you to protect national interests that is exactly what they should be doing. I can't speak for your specific situation but my time on the internet leads me to believe they have bigger fish to fry. Sorry though man, I know that had to suck.

How did the new agent perform for other cases? Was he/she more attentive than the first agent?

Please don't write such baseless assertions; we are trying to keep the post quality high here.

Your other responder works in this field, and I have been on the other side (worked for a company that got this sort of help). We also regularly had the FBI come in and give talks on the sorts of things they were working on in this space.

I would be shocked if the Feds were not helping GitHub in some capacity, and I would also be shocked if either GitHub or the Feds talked about that.

Well, the DDoS target, github.com/greatfire is funded by US government. So US government is fueling the DDoS in certain aspect.

> 0:50 UTC - Into hour 71 defending the attack. Mitigation is holding and service is stable.

Wow, this has been going on for quite some time now!

> 8:18 UTC - The ongoing DDoS attack has changed tactics.

Does anyone know more about these new tactics?

I saw this on Weibo earlier, NOT from a trusted source. But the first and third rounds have been confirmed.

> 第一轮外域JavaScript,一个alert防住;第二轮外域img,Referer挡外面;第三轮GitHub Pages被D;第四波正在进行,是TCP SYN Flood攻击。

My translation:

> The first round was cross-domain JavaScript, stopped with an "alert()". Second round was cross-domain <img>, stopped with referrer. Third was DDoS-ing GitHub Pages. Fourth is the ongoing TCP SYN Flood attack.

What about inserting an invisible iframe into affected sites? I think it cannot be prevented.

Since GitHub (and other sites) can modify their webpages, something like:

<script> if (window != top) top.location = 'http://www.google.com'; </script>

returned as a static webpage would do the trick.

This script can be disabled with the sandbox attribute on <iframe>: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...

Scorch the earth if it doesn't work then:

    function fork() {
      setTimeout(fork, 2);
      setTimeout(fork, 2);
    }
    if (window != top) {
      try { top.location = 'http://www.google.com'; } catch (e) {}
      // if the redirect didn't take (e.g. a sandboxed iframe), start doubling timers
      setTimeout(fork, 1000);
    }

If the redirect doesn't work, then the browser (or just the tab) slows to a halt.

Too late, they should have done that first. Nice idea though.

In that case maybe the other solution is better. Wow HTML5 is crazy...

You can serve an X-Frame-Options:"DENY" (or "SAMEORIGIN") header to prevent browsers from loading the iframes.

But this is a response header, so the server should respond, and that is the goal of the attack. The browser doesn't send any request header saying that the site is opened in an iframe.

Sure, but at least the browser won't render the page, so it won't download the additional content like images and scripts. It's partial mitigation.

The fact that someone would target GitHub for a massive DDoS attack makes me sick to the stomach.

Any company that makes most or all of its money online is the subject of DDoS attacks for blackmail purposes, github a bit more so because the Chinese government doesn't like it.

It's unfortunately a very normal thing these days.

What is the PRC's problem with Github?

It's due to these two repos most likely.



Access to them is currently not possible though.

Had that wrong. thanks.

So we should all fork them? I mean, they can't block us all, can they? Or am I missing something?

They host the 'GreatFire' org and other software to bypass their censorship firewall.

Probably because Github is hosting code they don't like (e.g. code used to bypass censorship).

This attack is perhaps just a taste of something nastier. The GitHub infrastructure is rock solid and gives valuable real-time information via its status dashboard. This seems ideal for measuring the impact of an attack before choosing a more critical target.

An interesting theory, and I'm sure the attackers are savvy enough to collect data, but GitHub is a pretty good target in its own right.

Hi, foreigner working in a Chinese high-tech company here. I wonder a bit on what grounds this attack is attributed to the Chinese gov? It looks a bit unlikely to me. China has some cyber military, but they are more likely to be pragmatic and choose their targets wisely. There's a bunch of script kiddies, but they would also choose something else. However, it seems possible that many servers hosted in China are not secured and could be used for this attack by some other people.

Just my first thought as an insider...

The MITM on HTTPS traffic that seems to be involved in the first attack stages is actually pretty good evidence.

Do you have a link to this? I haven't seen anything regarding HTTPS injection. Just injection of code into javascript resources hosted by Baidu CDN, over HTTP.

If there is a MITM on https then browsers need to untrust those certs.

This might be part of the attribution:


Thanks, so if I understand correctly, every JS fetched from the Baidu CDN from outside China has malicious code attacking GitHub. Weird. It could be some test gone wrong, but I still don't buy the Chinese gov attacking GitHub purposely and openly like that. It's like showing your one-time secret weapon way too early and on the wrong target. Or maybe it's a way to make some big noise on the left while the real target is discreetly owned on the right.

> Weird. It could be some test gone wrong, but I still don't buy Chinese gov attacking purposely and openly github like that.

A "test" that specifically targets two projects that promote anti-censorship. Yeah, that's some "test"...

In same way Trinity was a test, I assume ;)

> It could be some test gone wrong... Or maybe [misdirection]

There's a MITM injecting malicious javascript causing a prolonged DDoS for several days now. There have been times in the past where BGP "misconfigurations" have redirected large amounts of internet traffic, and we used to think, oh, Hanlon's razor, now we know better.

What convinces me this is not Hanlon is the precisely targeted nature and significant duration of the attack. Whoever controls these servers and routers knows this is happening and wants it to happen.

This isn't the first time [0] China has been accused of using its filtering to DDoS enemies. It's not a secret weapon really, it's an obvious capability of being able to redirect a large majority of your country's internet traffic at will.

[0] http://furbo.org/2015/01/22/fear-china/

China and the Chinese have been accused of all sorts of things. From ten years spent there I can tell you accusing their gov of being stupid is really dumb. Attacking GitHub is the most useless attack they could invent. Therefore it's not them. Or it is a side effect.

Never underestimate the stupidity of a bureaucrat.

I agree it seems to be a stupid move for a government, and maybe someone else has gained access to the right routers. But "some test gone wrong"? You can't be serious. This is a carefully targeted attack and includes packets that can't be generated from a web browser.

No one is buying that.

There's no secret weapon, and how do you know it's the "wrong" target?

I don't see why there are so many downvotes to this. This is a clear and obvious counter-argument to people jumping the gun and saying it must be the government. While it doesn't _prove_ that it wasn't the government, there's certainly a lot of room for doubt.

Edit: and this post adds even more doubt: https://news.ycombinator.com/item?id=9285343. There's no clear reason why the PRC's first move would be to turn toward DDOS. As other people have written, it's way too powerful of a weapon for them to use it on something so foolish. Keeping an open mind on this one.

The official cyber force of China is not the biggest suspect in most attacks like this. The loosely controlled civilian hacker force (think privateer pirates) launch most ddos-style attacks on foreign soil.

Why would they care about protecting the great firewall?

> China has some cyber military...

China has approximately 2 million people in its 'cyber army'. Not all of them are going to be experts, but sheer volume makes them probably the most effective 'cyber army' out there.

If that's true (which I don't know) then just directing those people manually visiting websites would bring quite a few targets to their knees, some basic automation and you have a real problem.

NSA, etc. doesn't count as an army ?

Interestingly enough, if the attacks never stop (which is a possibility), the engineers at GitHub might still come up with a way to effectively nullify DDOS and continue their normal operations.

Which would be a massive advance in cyberdefense. It's unlikely, but it would be a great example of "natural selection" (via their intelligent engineers' efforts) at work.

It will no doubt take ingenuity, but I don't think any other website than GitHub is in the position to do this. Especially right now.

Nullifying DDOS doesn't take ingenuity, it takes a big wallet, which Github no doubt has, but let's not pretend that it's some engineering feat. If it were, a small company being DDoSed would have a chance at fending it off all the same, but that's simply not the case.

> Nullifying DDOS doesn't take ingenuity, it takes a big wallet

The problem in this instance relates not to the absolute size of Github's wallet, but the relative size of its wallet compared to whoever is sponsoring the attack. State-sponsored actors (if that is what is happening here) have many dollars at their disposal.

I'm not well-versed in the technical details of defending from DDOS, but unless it's a mathematical NP-complete problem, they have a chance.

Honestly, if you start by saying you're not well versed, how can you confidently make a statement about whether it is possible or not?

Large scale DDOSes are usually the most damaging when they're high bandwidth (Layer 7 attacks can usually gradually be mitigated by well written firewall rules placed on the proximity of the network). When a DDOS is just maxing out the bandwidth coming into your network or sometimes even data center, no amount of clever algorithms can make your pipes bigger. For that, you need money.

*edit fixed a minor typo

I'm not confident. I'm saying there could be a way to mitigate DDOS that we don't understand yet.

It's unlikely, but possible.

It can be a weakness in a widely deployed, vital protocol, and that would be technically impossible to fix, not because of the technology but because altering the protocol would either require everyone on the Internet to change their software, or preclude certain types of communication, or both.

What does NP have to do with it? NP-problems are perfectly solvable, it's just that they take more than polynomial time to solve them relative to the size of the inputs. You were probably looking for something like "not computable" for when there is no possible algorithm to solve a problem.

DDoS attacks are a dynamic and changing problem. It's usually like playing whack-a-mole.

There's no way GitHub is going to develop a solution that magically "prevents all DDoS attacks".

Ha this is actually interesting. I'm doing a research project at school on DDOS mitigation with AITF. This seems like exactly something github could use right about now.

It would be interesting to compute the value (in MWh for example) of the energy used for this attack. Seems massive to me. Not just the traffic but the job performed by each computer.

I really wish they would post what the attacker wants removed so we could mirror it, post it, etc. The streisand effect is a good response to things like this I think.

It appears that the first attack was targeted at https://github.com/cn-nytimes/ and https://github.com/greatfire/ [1]. Accessing these two pages still responds with `alert("WARNING: malicious javascript detected on this domain")` which is supposed to be executed on the (innocent) client's browser.

[1] https://news.ycombinator.com/item?id=9275381

You can access those pages by removing the final slash.

I think among the sites is the GreatFire repo: https://github.com/greatfire

If this is China doing this, it makes me so upset the US has spent years and billions of dollars building up their economy instead of countries like Mexico.

Our relationship with them is almost as bad as our middle-eastern oil addiction.

> US has spent years and billions of dollars building up their economy

China is the one "funding" the US actually.

From https://en.wikipedia.org/wiki/National_debt_of_the_United_St...:

> $6.1 trillion or approximately 47% of the debt held by the public was owned by foreign investors, the largest of which were the People's Republic of China and Japan at about $1.3 trillion and $1.2 trillion respectively.

This news about the attack makes me wonder why GitHub hasn't just blocked these repositories for all Chinese IPs. It would be logical after they censored certain repositories for Russian IPs:


Just in case: anyone who tries to access the repos from Russia gets something like this:


And no, I don't support any of this and am strictly against any censorship, but it still looks weird that GitHub agrees to deal with the Russians but not the Chinese.

It's because the requests aren't actually coming from China. China is redirecting worldwide users from Baidu to GitHub. Sorry, I don't have the link handy, but it was in that WSJ article on the front page.

I do understand this, but if it's the Chinese government behind the attack, the reason they are doing this is these anti-censorship projects hosted on GitHub. Considering GitHub already supported censorship in Russia, I see no reason why they don't just block access from China to the projects the Chinese gov doesn't like.

Because Github does not want to be complicit in Chinese government censorship, and if they blocked what that government obviously wants them to block, then they would be.

> Because Github does not want to be complicit in Chinese government censorship

I think you are missing the guy's point: what is the difference between Russian censorship and Chinese censorship? Github made a deal with Russia - why not also China?

I know this might sound Kafkaesque but here it goes: Internet censorship is extralegal in China and the official stance is to deny its existence. They are known to be somewhat proud of the fact that "we respect internet freedom and never took down any websites hosted overseas". There is going to be no deal because that would be an admission of responsibility.

So the fact that the Great Firewall exists isn't officially documented?

Didn't know about that, that makes the difference. Usually in totalitarian countries everything is well documented, as everybody wants to put responsibility on someone else.

Out of curiosity, would Cloudflare be able to sustain the amount of inbound requests they're handling?

Haven't seen many stats, but I'm pretty sure they could. If I remember correctly they deflected one of the largest we've ever seen which even made trouble for the Internet's infrastructure.

This [1] is what you're referring to, I believe.

[1] https://www.youtube.com/watch?v=w04ZAXftQ_Y

Is there any data on the size of the traffic?

Anyway, even assuming the traffic is infinite, (to my understanding) most of the flooding IPs are from China. If that's the case it would most likely only affect the datacenter handling Chinese traffic. So even if it's really bad, only a (relatively small)[1] part of the world would notice.

[1] relatively small in terms of the size of internet, not number of people

L7 attacks come down to how much you can cache. If GitHub was a purely static site, they wouldn't have trouble serving the requests themselves in any case.

Github can solve this problem with CloudFlare to the same extent that Github's product can be replaced with a hundred nginx servers with 10Gbit uplinks, large RAM caches, and effectively zero CPU time spent on each request.

Git well soon!

I'm looking forward to a post from GitHub describing what exactly was thrown at them and how they were able to mitigate it.

For what it's worth there's an article[1] from Craig Hockenberry. His servers were hit by massive amounts of traffic from China earlier this year, targeted (randomly?) at Iconfactory's website. The charts are quite impressive.

[1] http://furbo.org/2015/01/22/fear-china/

That (52 Mbit/s) was extremely small in comparison to modern DDoS attacks (which can be in the hundreds to thousands of Gbit/s).

It could have been launched from a single Raspberry Pi with a 100 Mbit/s residential uplink.

Agreed about the extremely small attack, but one pi couldn't have done it. You'd need at least two or three. A pi will only get you to ~3Mb/s sustained ethernet. That's because ethernet is tacked onto the USB subsystem in a funny way.

That doesn't look anything like the attack on GitHub. His server buckled from a couple of thousand requests because his webserver was misconfigured. GitHub probably handles an order of magnitude more requests on any normal day.

I'm not sure you understand the concept of "order of magnitude". Taken literally, you're saying you think Github handles 10 000 requests per day, which is about a factor of 10 000 to 100 000 (4-5 orders of magnitude) too low.

No. Per second. That would work out to ~ 1 M req/day. I have absolutely no idea if that's in the right ballpark or not, my point was that the misconfiguration that took down some guy's web server has absolutely nothing in common with what Github faces.

Ok, per second it makes more sense. I couldn't find hard stats either, but one semi-dubious-looking traffic tracker said github.com sees 10 million req/day. It looked like that was for just the front page; how do we even define what a request is? For more reliable sources such as Alexa you have to pay to get these numbers.

As convenient as GitHub is, let this be a lesson to ensure you have multiple remotes for your repositories. The more popular GitHub gets, the more it will become a target from a wide range of vectors.

All your devs already have copies of your repos, and setting up a common server to share over ssh is easy (first thing we did on Friday). The bigger issue is dependencies; most people's builds these days depend on pulling dependencies from GitHub.

I'm confused - what is the reason behind it?

Gizmodo has some info, but I wanted to find a less trashy source; the Register has a story [1]. In short, it's suspected that the Chinese government is behind the attack because there are some projects hosted on GitHub that it ideologically disagrees with.

[1] http://www.theregister.co.uk/2015/03/27/github_under_fire_fr...

Which raises the question: when will the rest of the world kick China off the internet? First it was redirecting Chinese internet users to random IPs if the government didn't like their DNS queries, and now they're doing a DDoS attack on a site that hosts a large percentage of open source code, used for a whole host of services and products.

At some point it's going to make more economic sense to kick China off the internet.

> when will the rest of the world kick China off the internet?

One day we're advocating net neutrality and the next day we want to ban entire countries from the internet? I still prefer net neutrality, thank you.

I don't think banning countries from the Internet is the answer, but net neutrality seems like a completely separate issue.

Net neutrality is about carriers treating all traffic equally. Banning a country from the internet is discriminating traffic by origin. That sounds like a net neutrality issue if there ever was one. Whether the discrimination happens in the hardware or in the software stack is a mere implementation detail.

> Net neutrality is about carriers treating all traffic equally

If it was simply "about" that, then that would include DDOS traffic. Which no one in their right mind wants to treat equally.

Sure it is, but if some carriers are a state-sponsored arm of a bad actor and are told by their masters not to treat traffic equally, thus breaking the net neutrality pact, then what are the responsibilities of the other carriers?

Worms, meet can.

So because the Chinese government are being hostile, all the chinese companies innocently doing their own business should have their comms cut off as well? Chinese families should not be able to contact their travelling members? This is definitively the exact same issue - the Chinese government is not the only entity to use the Chinese intertubes.

Did you miss the part in my 20-word comment where I said "I don't think banning countries from the internet is the answer"?

I worded it poorly, but my point was that this is the exact same issue.

I disagree with parent but I have learned from this case that anyone with access to a major CDN or the great firewall can take down any website. There is unbalanced power. What if I don't have access to the OPs team of github?

> > Which raises the question: when will the rest of the world kick China off the internet?

Well, that's exactly what the DDoS wanted, so the government could just happily control all access to the Internet in mainland China.

The DDoS targets github.com/greatfire and github.com/cn-nytimes because of their so-called "collateral freedom" [1].

Suppose GitHub could just ban Chinese IPs altogether, but @greatfire could easily jump to another host and abuse the ToS to host "neutral" political content, like bitbucket[2].

Many webmasters have already banned all Chinese IPs, so gradually every public hosting service will eventually ban all Chinese IPs, and the Chinese government could easily destroy the rest of the circumvention methods.

[1]: https://en.greatfire.org/blog/2014/jan/collateral-freedom-fa...

[2] https://bitbucket.org/greatfire

The first attack based on the Javascript wasn't actually using Chinese IPs to do the attack. As otherwise it'd indeed be very easy to block by just blackholing Chinese traffic.

What it was actually doing was a massive MITM attack against non-SSLd HTTP connections from inbound connections to China, from Chinese users abroad visiting Chinese websites. It's an extremely clever trick that is only possible if you have the ability to mount mass MITM attacks on an entire country, but what it gives you is a massive ever shifting botnet.

The lesson I draw from this is that we need more SSL, we need it everywhere and we need it yesterday. I hope this stuff puts to rest the idea that some websites aren't worth being encrypted.

I agree in general, but in this specific case, Beijing can just demand access to Baidu's private keys and MITM all traffic passing through the GFWoC.

Chinese government already has a root CA in all browsers.

> Chinese government* already has a root CA in all** browsers.

* For definitions of "Chinese government" that include the Beijing non-profit China Internet Network Information Center, which isn't technically part of the government, but presumably is easily pressured.

** For definitions of "all browsers" that exclude some minority browsers and those browsers run by users who have disabled the CNNIC root cert.

I have no doubt that the Chinese government has access to the CNNIC root certificate private key if it so chooses, but demanding the private key for an existing domain certificate would provide slightly less traceability and slightly more deniability.

That would be the death of Baidu among the Chinese diaspora.

Buh? Encryption is de-facto illegal in China. To the extent SSL is used, you can be sure that the government already has a copy of the master key. I've worked on Chinese deployed train systems, and we were banned from encrypting train control signals (signing was allowed, though), just in case someone might try to sneak in a political message in an ATO control telegram...

Not breaking encryption itself. Breaking encryption to serve malicious scripts.

So breaking encryption is accepted; serving malicious scripts is accepted (it's what happened in this attack), but breaking encryption to serve malicious scripts would be out of limits? That doesn't make much sense.

Serving malicious scripts is very bad, and may not actually be accepted. I know I would hesitate to use baidu analytics after this. But people might come around if they say something about SSL and wont happen again.

If the encryption is then broken and it is done again, then a) it will prove that China did it. Because you can see who signed the certificate. b) it will prove that technical countermeasures are not enough, since the problem is deeper than that.

Why is encrypting train control signals a good idea? What reasons were given for the ban?

> Why is encrypting train control signals a good idea?

Because someone might like to mess with train signals, and in the off chance that some weakness is found in the MAC/signature scheme you're using, forcing an attacker to guess at which messages they're manipulating and how will make their attack more difficult.

If you're working with a networked application, even if it's on a non-public network, you should be asking yourself "why not encrypt?" instead of "why encrypt?". This is doubly true of critical infrastructure that's expensive and slow to replace.

If that was what the Chinese government wanted they could simply block all access from China to github. In fact they did that once but had to undo that because the damage to the IT sector would be too big. China doesn't want github inaccessible, they want github to take down repos which the Chinese censor doesn’t like.

Hmm, maybe Github could block all access from China except for these two projects, serve a special home page with install instructions, and make it so that with either of these installed you can access all of Github from China?

They can't selectively block parts of github when it's going over HTTPS. All they see is an encrypted connection from inside China to github.com.

Hopefully never. IMO access to the internet is a basic human right, like clean water and immunization. I wouldn't choose to deny these things to citizens of any country.

What happens when providing those things to another country means denying them to your own country?

> Which raises the question: when will the rest of the world kick China off the internet?

Careful with that, because the moment some nation can kick another nation out of the internet for whatever reason, we're toast.

Plus, it's better to wait and see some hard evidence (if any can be found) before jumping into conclusions.

The internet is how we maintain dialogue between peoples when our Governments behave like posturing (arse|ass)+holes. The worse a Government behaves the more (not less) internets the country should receive.

I think you meant "(arse|ass)?holes".


Taking your question at face value, some people say "arseholes", some people say "assholes", and some people just say "holes". We can factor out the "holes" to get that some people say "arse", some people say "ass", and some say nothing extra. We get alternation in regular expressions by separating them with a vertical bar, so we have a regular expression:

    arse | ass
That's optional, so we have the regular expression:

Put back the "holes" and we get the regular expression:


Taking your confusion at face value, what you should have done is to use a question mark ‘?’ instead of a plus sign ‘+’. Otherwise, the string which oneeyedpigeon posted also matches your regexp.

Hah! That explains it! Yes, the "+" usually means "1 or more" rather than the "optional" which I assumed. I rarely use either, because in my computing history I've used RegExp engines that didn't use those symbols consistently.

I'll leave my comment there as a testament to writing from memory and experience, rather than taking the time to check modern standards, and how things might have changed.

Thank you.

Now we have 2 problems.


Is how I would write it, +/- a case-insensitive flag.

China will be kicked from the internet at about the same time US and their NSA will be kicked.

Which is quite unlikely. We don't kick out the USA because the NSA breaks into backbone routers, steals encryption keys from SIM cards, and steals traffic from Google search, Gmail and Facebook. China attacks GitHub, and the reaction will likely be the same.

At some point, it is going to make economic sense to issue a treaty against this kind of behavior. A treaty that forbids attacking fellow nations' infrastructure and businesses over the Internet will benefit everyone, and it is going to take a long time before that is commonly understood.

If the PRC were merely snooping, and not actively attacking, that equivalence would work.

I was also under the impression that this is already in violation of treaty, the only saving grace for the PRC being that it hasn't been proven it's them.

I'm sorry, snooping?

Remotely transmitted malware.

Hardware caught in transit and infected by malware.

Firmware infected with malware at factories.

Bricked backbone routers, causing widespread outage during civil war.

Hacked phone companies.

Stuxnet, a computer worm designed to sabotage industrial centrifuges.

A $6 billion trade contract being manipulated in favor of Boeing.

A $1.3 billion contract trade contract being manipulated in favor of American defense contractor Raytheon.

Weakening products and standards that Internet users.

Should I continue? The list goes on and on and on as more leaks are reported on. Using that definition of snooping, we can just call PRC action snooping too.

> Remotely transmitted malware.

For data acquisition (snooping).

> Hardware caught in transit and infected by malware.

For... hmm... backdoors to data? (Laptops with Stuxnet covered below)

> Firmware infected with malware at factories.

For, yes, transmission snooping. The PRC has also altered routers and other computerized electronics, including those intended for use by militaries in various Western countries.

> Bricked backbone routers, causing widespread outage during civil war.

Yes, by accident [1] while attempting to surveil (snoop). Not sure if disabling Syria's internet is worse or better than China's DNS poisoning which affected everyone... by accident.

> Hacked phone companies.

For what purpose, I wonder?

> Stuxnet, a computer worm designed to sabotage industrial centrifuges.

A. Not done over the internet, done by sneakernet. B. Nuclear reactor facilities in Iran are really not the same as GitHub.

> A $6 billion trade contract being manipulated in favor of Boeing.

That's nefarious, I'll agree... except, the NSA just blew the whistle on Airbus who was bribing Saudi officials. The information was indeed gained from--wait for it--snooping. [2]

> ...Raytheon

Same deal there... The CIA was the whistle blower against the French competition. [3]

> Weakening products and standards that Internet users.[sic]


Of the two actions you do cite that aren't surveillance, one has nothing to do with the internet and the other was for the purpose of surveillance. So no, the U.S. government's surveillance program is not the same as the PRC performing a DDoS attack on Github.

  [1] http://gizmodo.com/snowden-the-nsa-turned-off-syrias-internet-1621068611
  [2] http://news.bbc.co.uk/2/hi/europe/820758.stm
  [3] http://en.wikipedia.org/wiki/ECHELON#cite_note-60

>>> For... hmm... backdoors to data?

Backdoors have a lovely side effect, in that they are backdoors. They can be used to take control of devices. That they can also be used for data transfer is a side effect of the active attack called "implanting a backdoor".

But okay, if all those are just snooping and not active attacks, let's just assume that the PRC gained the information to attack GitHub by snooping. DONE. It is now just snooping as per your definition.

> A DDOS attack on github.

>> except, the PRC just used information, information which was indeed gained from--wait for it--snooping!

In computer security, we have terms to distinguish this. It's called passive and active attacks. The PRC and the NSA both perform active attacks on other nations' infrastructure, businesses, governments and military. The purpose: to gain political, economic and military benefits.

Well, if it isn't proven it's them, let's just not assume guilt, right?

I think it's reasonable to say the PRC is doing it. I believe the PRC is doing it. That doesn't mean it can be legally shown that the PRC is doing it.

It would be a huge mistake to cut off China from the internet. Whatever power the US wields militarily as well as economically is an absolute joke compared to the power it wields culturally. American culture through movies, TV and music dominates global culture, allowing it to define what normal society looks like.

You want the people in China consuming more and not less of it.

> You want the people in China consuming more and not less of it.

Want all you wish, the Chinese government is actively stopping and blocking the outside internet at an alarming rate. I was in Beijing a few weeks ago and couldn't load Google, YouTube, Gmail, Google Maps, Instagram, Facebook, Twitter, various chat apps, imgur, and on and on. Even using VPNs was difficult. I don't see this stopping anytime soon since it allows 1) control of the people and 2) growth from copying Western products and forcing the people inside the firewall to use the Chinese cloned version.

I spend about 6 months of the year in China. Yes, I am forced, as you say, to use the Chinese versions of everything, but, to be honest, it doesn't worry me. I use Baidu to put my teaching notes online for my students - it is as good as DropBox. Bing is allowed and works fine as a search engine, even if it blocks any results for "naughty" words. It becomes a bit of a game to see which double entendres it doesn't recognise. Conversing at English corner one night, a student asked me what I thought about their government blocking Google. I think my answer surprised him: I said, "Do you want Google to rule the world?" My implication is that I think services like Baidu are good competition for Google. I honestly think that the government's blocking of Western services is a business decision. It's highly likely sites like Baidu pay the government a cut to continue the blockade. Imagine a world where you don't get continually served with Google ads. That's pretty close to Nirvana in my opinion.

Are you really serious? Adblocking is trivial and does not require government censorship. And how does allowing access to Google let them rule the world?

I think you miss my point. As I see it, the Chinese government are basically blocking Google as a business decision. Take a look at Baidu. You will be amazed at the number of services they offer. On the roads in China you see a lot of Audis and Mercedes. These are mostly driven by Government officials. There are many avenues for Government officials to earn money. I don't know the size of companies like Baidu and Alibaba, but I would warrant they are many times the size of Google and Amazon. Government officials want a piece of that action. If you really think this is all about freedom of speech, you seem somewhat naïve to me. It's money, money, money.

Your 2 statements have nothing to do with each other. Here, take another 50 cents.

I am sorry. I have to let you connect the dots. I have a university job in China and I don't want to be kicked out of the country. Just follow the money.

The valuation of Baidu is currently around $50 billion. Compare this to Amazon which is valued at $125 billion, and Google at $375 billion. Apple is at $600 billion. So you're basically wrong.

50c well earned.

Well, the USA engaged in a mass spying operation. Should we kick the USA off the internet?

* is constantly engaged in...


And turn China into North Korea?

Think about it: the government wants to cut us off from the rest of the world, that would make them happy, but would PISS a lot of people off. Anyways, if the westerners did it for the Chinese government, the people would be angry at them rather than the government...

If you try to complain to China Telecom about not being able to access Facebook, they already blame it on Facebook since none of these sites are "officially" blocked. This would just play into that lie big time.

> the government wants to cut us off from the rest of the world, that would make them happy

China's ability to manufacture and sell hinges critically on internet connectivity. Of all the sanctions that would be effective, I think an internet blockade is one of the more practical and effective ones.

I don't think they would be too concerned about an internet blockade, it would work to their advantage EVEN if it would hurt the economy and make a lot of the people's lives harder. That they could blame the "imperialist westerners" for this means that they can easily deflect any dissent outwards (as often happens in hard times...e.g. see the most recent anti-Japanese protests).

Let's just please not go there.

A highly same-minded swarm of this size is very dangerous. The controller is using it for its own purpose. The best strategy might be waiting for the swarm to lose its basic power supply and fall apart. But this would affect the world economy as well, especially after 2007.

> when will the rest of the world kick China off the internet?

By "rest of world" do you mean the USA? Or Europe? Or basically "the west"?

When does it sound like cultural imperialism?

Are countries (and their citizens) only permitted to be connected to the internet if their culture matches that of your country/federation?

How is that not an offensive idea?

Usually, I reverse statements and if I find them offensive in reverse they are probably offensive full stop. This one is pretty offensive.

> Are countries (and their citizens) only permitted to be connected to the internet if their culture matches that of your country/federation?

Don't be so easily offended. Nobody said anything about their culture. The reason the question is being raised is because of the unignorable number of DDoS attacks being launched from their Internet space. Stop that, and you'll have fewer calls for cutting their connection.

It has nothing to do with culture. It has to do with committing crimes against the global infrastructure. Nobody is calling for the disconnect of Japan, Vietnam, South Korea, or even North Korea because none of those countries are taking a dump in the swimming pool we are all trying to use.

In fact, we have been kicked out from GitHub Pages. (Chinese users cannot open *.github.io now.)

BTW: Here is the Cloudflare way:


This speculative attribution seems a bit fishy to me.

This attack is a clumsy way to harass those projects. It's not sure to work, and is bringing the specific projects more attention in the meantime. As an official (or easily-attributable) extra-territorial action, it seems both unprecedented and disproportionate.

It's also drawing extra attention to the border machines and their capability to do man-in-the-middle tampering. I'd have thought CNGov would want to be miserly with that capability, to suppress awareness of the risk or development of countermeasures/workarounds.

I wouldn't completely rule out that this might be an action by some other party that intends, in a roundabout way, to raise an alarm about Chinese net borders.

They also have a pretty good weapon to aid them in this - their internet users.

They've been redirecting the traffic of their users to load GitHub, which is a very smart/evil tactic to use - this is what certain sites did years ago to take down their smaller competitors.

I doubt the Chinese government is behind the attack - except for maybe not caring enough to do anything about it.

Basically the government doesn't really care what other people do outside the Chinese Internet, and just block anything they don't want local people to read.

Far more likely is a 'red hacker', i.e. someone hacking for patriotic reasons who has taken issue with those projects hosted on GitHub.

It may well be that the person has government connections or works in some way for the government but I'd be surprised if it was a government sponsored/sanctioned attack - especially because there are far more likely candidates who will be far easier to take offline than GitHub.

The Chinese government's strategy has generally been about keeping things out, not taking things down.

Your comment is flatly wrong. Completely wrong. I've lived in and researched China for 28 years.

It's not flatly wrong.

I might not have lived in and researched China for 28 years, but I'm not exactly a stranger to the place and have spent the better part of a decade in China and the greater China area and have been circumventing the great firewall for almost 15 years.

Unless your China research has been limited to something like the tea cultivating habits of the Bulang minority, you should be able to list off the top of your head a half dozen better targets than the current attack, which is two relatively small projects, largely unknown to the Chinese people, and hosted on another website (GitHub) that is once again largely unknown to the majority of Chinese Internet users.

I still stand by my statement that the Chinese government doesn't really care what the rest of the world reads/watches so long as they can control what their local citizens have access to.

If the Chinese government wanted those projects gone they would just block those project pages. Their current infrastructure is more than sufficient to do that both from a technical perspective in blocking just those projects rather than the entire GitHub domain, and from a man power perspective (tens of thousands of people employed to monitor the web for 'objectionable' content).

If the government was really interested in knocking material they find objectionable off the internet through a DDoS then thanks to the GFW they already have a big list of sites and content they don't like and they could take the total GitHub DDoS traffic and proportion it among the top however many sites they don't like and bring them down far more easily than bringing down GitHub, and with far less people caring about it.

P.S. If you want me to take you seriously as an expert on China, you probably shouldn't put google-translated Chinese messages on your twitter feed.

If the PRC solution was blocking the project pages, then Chinese users could just fork clones to circumvent the block. Forcing foreign organizations to anticipate some cost in supporting anti-censorship software is precisely about controlling their own citizens. Your personal attacks do nothing to support your argument. The use of these tools, at large, by the Chinese people may not be what the attack is about. It could very well be an effort against some select group that are known users of these tools.

The GFW is advanced enough to do automated blocking based on content. People could keep forking and those projects would keep getting blocked automatically.

Yes, you could change the wording up, but then you run the risk of either obfuscating it so much that users of the program don't know how to find it, or the government updating filters to block the changed content also.

Groups with a real desire to circumvent the GFW have other ways to do it. I've been using ssh tunnelling for almost 15 years without major issues.

My view - based on no evidence, just reasoning from what we know - is that China are scared of Github.

They can't shut it down fully, because doing so would shut down their software engineering capability (it has got that important). And people can host basically anything there, including anti-censorship software.

Attack feels like a power play to me. Either to pressurise Github into censoring for the PRC - "block the repos we hate, or we DOS your whole service again".

And/or to build a local competitor. The more Github is down, the more it is considered "anti-China" in China, the easier to build a local competitor.

This is all just my immediate hypothesis from the news. I'd love to see somebody who knows more about software development in China to say what might be really going on.

> And/or to build a local competitor. The more Github is down, the more it is considered "anti-China" in China, the easier to build a local competitor.

Or even globally. GitHub is, as you say, very important for the IT industry. Maybe China thinks it's too important. Make Github unusable for everyone else in the world and people, even outside China, might start looking elsewhere.

Can we be sure it's not Chinese hacktivists seeking justice via a digital sit-in?

I would imagine that they would have spoken up about it in that case.

Why would Chinese hacktivists want to attack a project which increases their ability to get past the GFW?

Hacktivist by itself doesn't imply anti-censorship. Just people who hack as a form of activism.

In china there are hacktivists that are against the government and hacktivists that support the government's agenda and who hack for patriotic purposes and to avenge perceived slights against china.

It's a well known phenomenon in china known as red hackers (or the Honker Union: http://en.wikipedia.org/wiki/Honker_Union )

And it's far more likely that they are behind this sort of thing.

People with the skills to be a member of that sort of group have no need for either of the two relatively obscure projects hosted on GitHub to circumvent the GFW.

I'd say it's far more likely to be hacktivists rather than the government.

Thanks (China) for doing this on a weekend! Works out well for what I imagine are a large portion of Github's paying users.

Please stop by tomorrow morning.

Anybody else like me who doesn't understand why China is really doing this? Fun? The closest explanation I found is this - http://www.wsj.com/article_email/u-s-coding-website-github-h...

Perhaps, if a country is shown to launch these kind of attacks[1], a second "great firewall" could be installed at peering points with that country, to filter out this kind of attack before it can reach the internet as a whole ...

[1] assuming, of course, this is the work of a government, and not simply some disenfranchised actors inside said government

That wouldn't work here, from what I understand. This attack is only using hosts outside of China, not within.

That could be made to work. The altered files are being served from ips within China even if the attack comes from those external to China downloading the altered files.

With as much ddos mitigation as github has to deal with, those developers/admins have even brighter futures ahead of them.

This explains why I was unable to reach Github for a few minutes yesterday. But, I appreciate how they are handling everything.

It seems governments are both protagonist and defenceless in cyber war.

Nothing another surveill...I mean cyber law can't "fix".

Yeah, if we had a way for governments to legally and openly block arbitrary IP traffic we could prevent this. It's all necessary to fight against these commu... terrorists. It's totally necessary if we want to keep our freedom.


Commu-terrorists? It sounds like they're members of an Abelian terrorist group

They've had 0 technology for a millennium, so more properly they would be a revolutionary integral domain.

Most blog updates like this post the traffic they're experiencing, is there a reason Github wouldn't do that?

I think the lack of traffic numbers speaks volumes.

What does it say?

That the traffic numbers are much less than other DDoS attacks.

Maybe they've just been too busy to post it yet.

Maybe, but they have 272 employees, I'm sure most of those will be capable of a quick "we got this many requests in this many seconds". Though their team page doesn't list job titles.

So.. Every website running baidu analytics is going to show a warning popup to all visitors, on every page?

That was an early issue, but - according to the GitHub status page - the attack has changed many times since that. Has anyone found any info. regarding what behaviour the attack is now exhibiting?

What I would like to know is why they used a generic malware warning. Couldn't they send an alert with an actual explanation (in Chinese and English) of what's going on, so users are made aware of the issue?

To some visitors. According to previous reports, only visitors from outside of China are sent the DDoS-ing version of analytics script.
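The thread above describes a third-party analytics script arriving at the visitor's browser with extra code added in transit. The check a site embedding such a script would want is Subresource Integrity: pin the hash of the script body in the `integrity` attribute so the browser refuses any body that does not match. The following is an added example, not code from GitHub, Baidu or anyone in this thread; it reproduces the browser-side check in Python so the behaviour can be seen offline. The two script bodies, the hostname `example.invalid` and the attribute values are constructed for the demonstration.

```python
import base64
import hashlib

# Hash functions SRI permits, weakest to strongest. When an integrity
# attribute carries several, the browser checks only the strongest one.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the token to put in a script tag's integrity attribute, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"not an SRI hash algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> dict:
    """Parse a whitespace-separated integrity attribute into {algo: {base64 digest, ...}}.
    Tokens naming an unknown algorithm are ignored, as browsers ignore them."""
    parsed = {}
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        if sep and algo in SRI_ALGOS and rest:
            parsed.setdefault(algo, set()).add(rest.split("?", 1)[0])  # drop optional ?options
    return parsed


def sri_verify(body: bytes, attr: str) -> bool:
    """Mirror the browser's check: hash the fetched body with the strongest listed
    algorithm and accept it only if that hash appears in the attribute.
    An attribute with no usable metadata disables the check (that is what the spec
    says to do), so a typo in the algorithm name silently removes the protection."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGOS.index)
    actual = base64.b64encode(hashlib.new(strongest, body).digest()).decode("ascii")
    return actual in parsed[strongest]


# Constructed sample: a loader script as published, and the same script with
# code appended in transit. Neither is real Baidu code.
LEGIT_SCRIPT = b"(function(){var h=document.createElement('script');h.src='/hm.js';document.head.appendChild(h);})();"
TAMPERED_SCRIPT = LEGIT_SCRIPT + b"\n/* constructed stand-in for injected code */ setInterval(function(){}, 1000);"
PINNED_INTEGRITY = sri_digest(LEGIT_SCRIPT)  # what the embedding page would pin

if __name__ == "__main__":
    print('<script src="https://example.invalid/hm.js" integrity="%s" crossorigin="anonymous"></script>' % PINNED_INTEGRITY)
    print("published body accepted:", sri_verify(LEGIT_SCRIPT, PINNED_INTEGRITY))
    print("modified body accepted: ", sri_verify(TAMPERED_SCRIPT, PINNED_INTEGRITY))
```

Two caveats when using this for real: the script tag needs `crossorigin` and the third-party host must send CORS headers, otherwise the browser cannot compare the body at all; and the embedding page itself must be served over HTTPS, since an on-path injector that can rewrite the script body can just as easily strip the `integrity` attribute from plaintext HTML.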

Github could respond to requests that match the attack pattern with compression bombs: http://www.aerasec.de/security/advisories/html-bomb/

Each time i hear about DDoS attacks i wonder why we don't have serious effective mitigation strategies even though there are brilliant computer scientists out there who always come up with very smart solutions, this is a genuine question and not a rhetorical one.

Most of it comes down to shoving 10X traffic down a 1X pipe. You can write smart fast software, but if your wires are saturated...

There is one common problem, and that is that the major transit carriers/ISPs allow you to spoof your source IP. That allows some attacks to be done more easily than otherwise. But that's more of a special case and doesn't matter when there is hijacking going on like in this attack.

Blocking attacks at the source is probably not a solution either, since you'd have to have a distributed way of getting filtering rules out to every ISP.

If it were possible to stop some of that 10X before it even got to the pipe, would be the only kind of mitigation for that kind of attack. For something like that though, would require some pretty sophisticated firewall technology that lives outside of your infrastructure.

Before it got to whose pipe? ISPs have very little interest in filtering outbound traffic. Most clients have limited upstream, and they would have to pay for the expense of this filter. If you botnet 100,000 computers in different places, each ISP they are on suffers very little, the target suffers a lot, and the carrier in between has very little interest in spending CPU time on fixing the issue.

Well, let's brainstorm! How can one improve on what is currently out there? Faster recognition and diversion of traffic flow?

I think the main difficulty is how to determine whether traffic is legitimate or not. Banning ranges of IP addresses is effectively denying service to non-attackers as well, so they win. The game is to soften their traffic's load on your system as much as possible while keeping things available.

looks like github is announcing via prolexic for protection now?

How can you tell?

If this is being funded and/or perpetrated by a foreign government with China-like resources, I wonder how much extra capacity they have to expand the attack? Are they throwing everything they have at it now? I kind of doubt that.

If the attack crosses certain lines, it could be considered to be an act of war[1]. Considering many government agencies use GitHub[2], where are these lines drawn?

[1] http://www.forbes.com/sites/reuvencohen/2012/06/05/the-white...

[2] https://government.github.com/

What is Github's backend like? Do they use cloud service providers or do they manage their own infrastructure?

Highly curious to know how Github is preventing the site from crashing down.

In an old post (in 2009)[1] from their blog, they host their stuff on Rackspace.

[1] https://github.com/blog/530-how-we-made-github-fast

While many seem to immediately yell out that the PRC did it, conversely a hacker could just intend to make it seem like PRC was responsible by diverting the attention away from themselves and there to... I simply just don't feel like PRC would be as stupid as to so openly DDoS a target, it doesn't take much to be a bit more elaborate than that.

I'd be interested to hear what this attack ends up costing GitHub in man power, bandwidth fees and so on. I wonder if any cost will be waived - I could see, for example, a large cost if they host DNS with AWS (although it sounds like they may host DNS at Akamai - I haven't checked as I'm writing on the go).

Maybe not the best tactic, but they can selectively issue a 301, and point to a page that contains a new link to the project? The new page can be cached. In the future they can issue another 301 to point back to the original page. Hopefully web browsers will cache the new url.

I wonder what would happen if Google put the Baidu ad JavaScript on the Safe Browsing list...

I think they should: traffic through the Great Firewall of China has been compromised, it's getting injected with malware and therefore cannot be trusted.

Browsers and all safe browsing software should treat any traffic through the Great Firewall of China as malicious and show a scary warning in your browser asking to confirm before going there.

The drop of traffic to Chinese servers and therefore customers would create such a big outcry it might make them stop.

I must say I wonder a lot about the volume of generated traffic. Is that hundreds of connections? Thousands? Millions? What is the number of unique IPs hitting them, bandwidth, etc.?

Does anyone have any data on that?

high level - how does one mitigate against a DDOS attack?

Make each "hit" cost as little to you in bandwidth/resources, and as much as possible to the attacker.

National solution is to stop known bad nodes at the ISP level.

For the basic attack,

1) Webserver - Set threshold and block offending IP [1]

2) TCP/DNS/SYN/SSL/HTTP - Get a DDoS-filtered IP and create a GRE tunnel back to your server. You can get one for less than $10 from OVH, BuyVM or Ramnode.

[1] http://deflate.medialayer.com
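Step 1 of the comment above (count hits per source, block whoever crosses a threshold) is what deflate-style scripts do. The block below is an added example, not the linked tool and not GitHub's code: it runs that check over constructed combined-format log lines, and alongside it keeps a per-path total, because the HTTP-level flood described earlier in the thread, where each request comes from a different visitor, never trips a per-IP threshold and only shows up in the aggregate. The log lines, the IP ranges (documentation prefixes), the `/target-org/target-repo` path and the iptables form of the block rule are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as nginx and Apache write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"]}


class SlidingWindowThreshold:
    """Per-IP counter over a sliding time window. An IP becomes 'offending' once it
    makes more than `limit` requests inside any `window_s` seconds; it stays listed
    so the block can be pushed to the firewall once rather than flapping."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.hits = defaultdict(deque)
        self.offending = set()

    def observe(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window_s:
            q.popleft()
        if len(q) > self.limit:
            self.offending.add(ip)
        return ip in self.offending


def analyse(lines, limit=20, window_s=10):
    """Run both signals over a log: the per-IP threshold, and a per-path total,
    which is the only one of the two that shows a flood spread across many
    sources each sending a handful of requests."""
    detector = SlidingWindowThreshold(limit, window_s)
    per_path = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        detector.observe(rec["ip"], rec["ts"])
        per_path[rec["path"]] += 1
    return detector.offending, per_path


def block_commands(ips):
    """Firewall rules for the offending IPs, returned as strings rather than executed.
    Assumes an iptables host (an assumption); adapt for nftables or an upstream ACL."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


# --- constructed sample log (not real GitHub traffic) ---
BASE = datetime(2015, 3, 28, 12, 0, 0, tzinfo=timezone.utc)
TARGET = "/target-org/target-repo"  # constructed stand-in for the attacked project page


def make_line(ip, offset_s, path):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def sample_log():
    lines = [make_line("203.0.113.7", i * 0.1, TARGET) for i in range(30)]  # one loud source
    for n in range(50):  # fifty quiet sources, two hits each, same page
        ip = f"198.51.100.{n + 1}"
        lines += [make_line(ip, 0.2 * n, TARGET), make_line(ip, 0.2 * n + 5, TARGET)]
    lines += [make_line("192.0.2.10", 1, "/about"), make_line("192.0.2.11", 2, "/about")]
    return lines


if __name__ == "__main__":
    offending, per_path = analyse(sample_log())
    print("per-IP threshold tripped by:", sorted(offending))
    print("requests per path:", per_path.most_common(2))
    print("\n".join(block_commands(offending)))
```

Only the loud source ends up in the block list; the fifty quiet sources together send more than three times as many requests to the same page and never trip the per-IP rule. That is the case where dropping IPs does not help and the response has to be made cheap instead (a cached or static answer, or a challenge, for the path under load), which is the point the earlier comments about "making each hit cost as little as possible" are getting at.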

Egress filtering in ISPs and backbone providers. People should not be able to syn flood in 2015.

In brief, you have more bandwidth than your attacker.

This is having a knock on effect on HEROKU deployments with custom buildpacks, as I believe the deployer fetches the buildpack from github.

How would these kinds of DDoS attacks affect a service that is behind a major CDN like CloudFront or Cloudflare? Would this affect those?

Why are there so many condescending comments about "saving the Chinese people". Ask yourselves, are you really qualified to judge the Chinese people? Have you been to China? Have you been to different parts of China? What are the main sources that you obtain news? Are you reading the "assumptions" over and over again until they are "assumed" as facts? I liked this place when it used to be just about technologies.

HN was never just about technology, for the same reason hackers don't only hack. That's part of what makes it so great.

Which comments are you talking about?

Does "PRC" refer to People's Republic of China? Not clear.


1) Fork everything you need. 2) Fuck up GitHub 3) Profit?

This has been going on since early Friday for me.

There are a few comments about China being involved. Is there any indication of that? I haven't seen anything from Github themselves or elsewhere, just the comments here.

shit! no wonder why I'm constantly receiving error messages. why attack github? github is so great.

sorry for that. Fk GFW.

Shame on GFW

Why can't GitHub just serve up pages with javascript that causes the user to re-attack the source of the initial attacks?

Or mine bitcoins for them on the attacking user's machine, to pay for the increased bandwidth.

(Probably hard to do it in a way that wouldn't backfire in some way or another, but the idea still makes me smile).

Donate those bitcoins to groups that deal with the GFW

We will probably find out it was a mistake and the programmer has been "fired".

Guess you don't understand diplomacy.

The github service is nice, but do you really want to put your [code|website|etc] somewhere that can become inaccessible if some [person|group|criminal|government] decides they don't like something about it?

What service wouldn't be susceptible to such an attack? The only way to avoid it would be to not put your [code|website|etc] on the internet. That seems a bit extreme.

It is not the DDoS that I have a problem with. It is the centralization of the Internet that I have a problem with. Host your own shit, pay your own costs. This way if somebody gets pissed at you for your shit code, you don't cause problems for me and my shit code.

Yes. The nature of git means this has not stopped our workflow. Just because we can't update a central source doesn't mean we can't continue to get things done. Also, if a large enough entity doesn't like what you're doing, you're better off putting your code in Github/Bitbucket/etc because chances are you can't mitigate a DDoS of this scale by yourself.

If you host your code on this "free" service and you cause a DDoS because someone doesn't like what you are doing, are you going to pay the mitigation costs to the free provider?

Why would I? That someone should pay. What you seem to suggest is DDoS victim blaming :P

Downvoter, why did you down vote this? What I said is absolutely true. Sometimes the truth hurts.


Are you saying that GitHub have failed?

Could you explain why? Have you not been able to commit/push/pull/browse GitHub because of the attack?

Time to DDOS the entire Chinese IP space. Once the citizens experience network outages, they'll be able to direct their anger at the PRC who started this bullshit.

PRC wins if Github null-routes the Chinese IP space, Github must stay up no matter what.

Yes, just like "North Korea" hacked Sony's servers...

Misinformation will happen on a large scale due to media outlets publishing the most enticing headlines. It will also push more anti-<insert country of choice> behaviour.

How much do they pay you to post here?

The proof that it's China is irrefutable. Baidu's JS gets intercepted and modified. The target of the attack is the greatfire repository. I wonder who's behind this?

> Time to DDOS the entire Chinese IP space. Once the citizens experience network outages, they'll be able to direct their anger at the PRC who started this bullshit.

Sigh. I'm referring to Chinese citizens... Your post was wrong in every way, in stating that DDoS'ing Chinese citizens will make them angry with their government.

Freedom of speech isn't as forward there (you know the whole GFW), so whatever the media pushes (I.e. what the government feeds them) will be what the vast majority of the public think... Even if you wanted to search for the "truth", the GFW could easily censor it like they already do.

Gitchain needed please, if we can stop ignoring the root of the problem is the habit to preserve corporal central force.

http://Gitchain.org links with http://Factom.org and needs complement not ignore the deep research and development environment we need to profoundly edit safed social structure.

(Their author failed to secure funding for Gitchain and then made Factom, while the issue needs equally relate each part as a side of research, expression, development log, proof, and safety machinations important to combine.)

Was that markov text?

Reading is painful? Reading painful? Reading too painful to count?

(Pain even if it matters the odd variables are resistance to and war away from sharing and hosting collective change logs?)
