This story is over 5 years old.


China Is Behind DDoS Attack on GitHub, Activists Say

An anti-censorship group says all evidence points to China.

​A well-known group of activists that has fought Chinese online censorship for years is publicly accusing China of launching the massive distributed denial of service attacks against the coding website GitHub.

On Monday, as GitHub was still under attack, the Internet activist group GreatFire published a forensic re​port written by an independent security researcher. The report analyzed evidence left behind by the attack on GitHub, as well as a previous attack against GreatFire, and alleges that China is the culprit.


"We now have proof," Charlie Smith, a member of GreatFire who goes by a pseudonym to protect himself, told Motherboard. "The Cyberspace Administration of China is behind both of the recent DDoS attacks."

"The Cyberspace Administration of China is behind both of the recent DDoS attacks."

The forensic analysis shows that both attacks relied on the same technique: malicious code injected within China's network, between users and the so-called Great Firewall, where China can tamper with Internet traffic going into or out of the country.

On March 18, GreatFire revealed that its websites hosted on Amazon's cloud hosting service AWS were being hit by a large and unprecedented DDoS attack that was costing the group as much as $30,000 a day in bandwidth.

At the time, GreatFire refused to point fingers.

But roughly a week later, two GreatFire pages hosted on GitHub were targeted by another DDo​S attack. In this attack, websites that had been infected with malicious JavaScript code were found to be sending traffic from thousands of visitors to the two pages on GitHub—without those users knowing—in an attempt to overload those pages with traffic. The Javascript code replaced legitimate code, such as regular analytics or tracking scripts, from Chinese Internet giant Baidu.

The two pages targeted were GreatFire's GitHub page as well as their New York Times mirror, which effectively "unblocks" the paper's website, which is normally not accessible in China.


"Hijacking the computers of millions of innocent internet users around the world is particularly striking as it illustrates the utter disregard the Chinese authorities have for international as well as even Chinese internet governance norms," Smith said.

The group uses GitHub, as well as Amazon's cloud services, to avoi​d China's Internet censorship—an approach they call "collateral fr​eedom." By hosting content, or apps, on those services, which are encrypted, it makes it impossible for the government to block them without blocking access to the whole site.

These DDoS attacks, experts concluded, were likely an answer to this "collateral freedom" strategy.

As a security researcher who analyzed the attack pu​t it, by using malicious javascript code that targeted potentially anyone on the Internet, "people outside China are being weaponized to target things the Chinese government does not like."

For the last two weeks, GreatFire has been collecting evidence of the attack. A security researcher, who wishes to remain anonymous, analyzed the data that had been gathered and concluded that more than 10 million computers all over the world were sending traffic to GreatFire's Amazon sites.

The attack against GreatFire relied on the same technique used against GitHub: malicious javascript code injected "someplace between when the traffic enters China and when it hits Baidu's servers," according to GreatFire.


This, for GreatFire, is the smoking gun, since only the Chinese government, in theory, has the ability to manipulate traffic in that part of the network.

"This is consistent with previous malicious actions and points to the Cyberspace Administration of China (CAC) being directly involved in these attacks," Smith wrote in a blog p​ost accompanying the report.

Evidence shows Cyberspace Administration of China compromised millions in cyberattacks against GitHub and GreatFire — (@GreatFireChina)March 30, 2015

Ofer Gayer, a security researcher at Incapsula, a firm that offers anti-DDoS services, seemed to reach the same conclusion—though without explicitly accusing China.

"Given the fact that the attacker was able to inject the malicious code at a very large scale, it would take someone with high-level clearance in Chinese Internet infrastructure to tamper with the data and initiate the attack," he told Motherboard before GreatFire's report was published.

Not everyone, however, is so sure.

Jaime Blasco, the director of security firm AlienVault Labs, who reviewed GreatFire's report for Motherboard, said that there just isn't enough evidence to prove that the attacker was the Chinese government.

"There's not enough data to blame the government."

"There's not enough data to blame the government," Blasco told Motherboard. "But it's either the government, Baidu or Chinese Internet Service Providers who are modifying content."

"But given how things work in China," Blasco added, "it's very likely the pressure comes from the government."

The Chinese embassy in Washington D.C. did not respond to a request for comment by the time of publication.