Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government
An anonymous reader writes: During the past two days, popular code hosting site GitHub has been under a DDoS attack, which has led to intermittent service interruptions. As blogger Anthr@X reports from traceroute lists, the attack originated from MITM-modified JavaScript files for the Chinese company Baidu's user tracking code, changing the unencrypted content as it passed through the great firewall of China to request the URLs github.com/greatfire/ and github.com/cn-nytimes/. The Chinese government's dislike of widespread VPN usage may have caused it to arrange the attack, where only people accessing Baidu's services from outside the firewall would contribute to the DDoS. This wouldn't have been the first time China arranged this kind of "protest."
Re: Centralized on GitHub! LOL! (Score:2)
You can't compensate your evident lack of technical understanding with being condescending. Those are two different contexts for the word 'decentralized' that you are mixing up.
Re: (Score:1, Insightful)
The modding here is atrocious.
The GP is right, and you are wrong.
There is only one form of decentralization involved here.
Even if git users have their own copies of a repo, it is not trivial to share changes among more than a couple of users, especially if they are on distinct networks with firewalls and other hindrances.
That is why GitHub is used.
GitHub negates the decentralization of git in order to make it practical for real world use.
GitHub being down may not be a problem for your rinky-dink one-man Jav
Re: (Score:1)
But for real projects with distributed teams consisting of numerous people the decentralization of git is a big problem.
Not really. Any real project with a reasonably sized team will have their own servers.
Re: (Score:1)
It does not matter who hosts and manages the centralized server(s).
Maybe it is GitHub.
Maybe it is the development team itself.
The important point is that it is centralized.
Centralization is the only way to make git useful for projects with more than one developer.
Re: (Score:1)
Actually you can also distribute the central servers of git.
I personally have some projects located on two servers and some on three.
You can push and pull changes on multiple servers and let git figure out the mess.
Re: Centralized on GitHub! LOL! (Score:5, Insightful)
You really don't understand what decentralized version control is, do you?
The whole point isn't to avoid any centralization at all, it's that you're not utterly reliant on it. It's somewhat similar to the argument between a big server and thin clients (where nearly all computation is on the server) and "thick clients" (PCs) and less-capable servers (for sharing files, etc.). With a big server, if that server goes down or the connection to it goes down, you're screwed, and can't do anything. With today's more common thick-client paradigm, if your office file server goes down, you can't easily share files with your coworkers and other things are inaccessible, but you can still get some work done using whatever local copies you have.
This is what DVCS is all about. With Git, you have a full copy of the repo just by virtue of having "checked out" a copy. You can still get some work done without access to the central server, whether it's down or your WiFi connection is down or your VPN is down. You can't do everything obviously, nor will you ever be able to, but that's not the point. And, in a worst-case scenario, if the central server just disappears one day without accessible backups, everyone with a copy checked out has the full repository, so it's possible to rebuild easily.
Re: (Score:2)
You can still get some work done without access to the central server, whether it's down or your WiFi connection is down or your VPN is down.
Same is true for subversion. In both cases you can develop and test your code and review your changes against what was last seen original copy. All the rest (preparing commits early so you can push them faster when connectivity is restored) is just a detail.
Github changes git into centralized subversion-like system, just with a lot better branching/merging mechanism (which is a HUGE difference, don't get me wrong) - but if it is down, your cooperation workflow is going to suffer badly.
Re: (Score:2)
Same is true for subversion. In both cases you can develop and test your code and review your changes against what was last seen original copy
Subversion has gotten better recently... but in the past nearly every command required a round-trip to the central server. Like I say, that has recently changed for a few (like 'svn stat') but there are still MANY that require a live link to the central server.
Contrast this with Git where the _only_ time you need to access a server is for sharing.
When GitHub is down it only takes one command to push your whole repo to BitBucket so you can keep working with peers. Sure, you don't have access to any *data*
Re: (Score:2)
It does seem like it'd be really nice if we had some easy way of replicating wikis and bugtrackers, so we could move those around as needed, like we do with Git.
Re: (Score:2)
Well... on GitHub the wiki _is_ actually stored in a Git repo... and all of the pages are simply Markdown. They are VERY easy to move to many other systems (or even to view locally).
GitHub even publishes an open source version of its wiki renderer to make it even easier: https://github.com/gollum/goll... [github.com]
NOW: The bugtracker stuff is a little more difficult. You can use the GitHub API to pull out all of the info easily enough and store it locally... but you have to do some sort of transformation to get it i
Re: (Score:2)
Same is true for subversion. In both cases you can develop and test your code and review your changes against what was last seen original copy.
It's admittedly been a while since I last used SVN, but it was not at all like Git; it was entirely centralized and required server access to do almost anything. Not every developer has a full copy of the repo, as they do with Git. It was pretty slow when I used it too (though nothing like ClearCase).
With Git, you can check in changes, create branches, etc. all you
Re: (Score:3)
# git remote add newupstream git://new.server/my-project
# git push newupstream master
Aaaaand, done.
You're not going to do that with Subversion anytime soon. Sorry - I like SVN. But to claim that having a central repository is anything like *requiring* a central repository is just missing the point.
Re: (Score:1)
Same is true for subversion. In both cases you can develop and test your code and review your changes against what was last seen original copy. All the rest (preparing commits early so you can push them faster when connectivity is restored) is just a detail.
Depends on how you use commits and what you think they are for. As they say, the devil is in the detail... in this case, the area you've marked out probably contains enough room for the entirety of hell ;-)
The key advantage of git is that if the central server goes down, I can spin up a complete copy (using git itself, emails, or an existing open source git server) and restore a large portion of collaboration. Subversion can't do that.
Re: (Score:2)
When the big changeover from SVN being the #1 VCS to git taking the crown happened, SVN did not have those features. You couldn't check in changes without talking to the server. If the server was down, you'd have to wait and check in all your changes at once. That was one of the big features of git that had people excited; they could still do local checkins. The only thing they were missing when the server was down was sharing the code and handling any conflicting changes. But actually checking the changes
Re: Centralized on GitHub! LOL! (Score:4, Informative)
With Git, you have a full copy of the repo just by virtue of having "checked out" a copy.
Quick nitpick: that would be a clone, not a checkout.
For the non-git-users among us:
git clone: copy that repository to my local file-system. (All branches are copied across. This is normally over ssh or https.)
git checkout: give me the specified branch. (Doesn't require use of the network.)
git fetch: update the local store of the repository to reflect the current state of the repository on the server.
Re: (Score:2)
With Git, you have a full copy of the repo just by virtue of having "checked out" a copy. You can still get some work done without access to the central server
sure, as long as you aren't collaborating on anything, or if you are, you have a mirror. my guess is that most github users don't create mirrors.
Re: (Score:2)
The modding here is atrocious.
The GP is right, and you are wrong.
There is only one form of decentralization involved here.
Even if git users have their own copies of a repo, it is not trivial to share changes among more than a couple of users, especially if they are on distinct networks with firewalls and other hindrances.
That is why GitHub is used.
All true.
GitHub negates the decentralization of git in order to make it practical for real world use.
GitHub being down may not be a problem for your rinky-dink one-man JavaScript library project that nobody uses.
But for real projects with distributed teams consisting of numerous people the decentralization of git is a big problem.
GitHub is the only practical solution to the problems of decentralization.
This can actually be mitigated by several different means:
Re: (Score:2)
GitHub negates the decentralization of git in order to make it practical for real world use.
Negates? No - it just provides a single location through which to share code. You're confusing "using a central repository" with "requiring a central repository." It is just above trivial for any git project to switch to a new "central" server through which to share code.
Re: (Score:2)
GitHub is the only practical solution to the problems of decentralization.
did you mean git? or github? you don't need github to set up a git remote.
Re: (Score:2)
There's a world of difference between having an agreed-upon repository of record, and having a centralized system. A big part of the difference is that setting up a pro-tem repository of record can be done trivially from any up-to-date repository.
GitHub is convenient. It's not necessary.
Re: (Score:2)
As opposed to what? Subversion would be completely unusable in this situation, at least git users can push and pull from each other peer to peer, which you would only do if you REALLY need it, because it is kind of a pain in the ass compared to push/pulling to origin. Plus you CAN carry on your own work keeping a normal commit history as long as you don't want to share it with anyone until the servers come back online.
Really, it is "the greatest thing ever (for source control)".
Comment removed (Score:5, Insightful)
Re: (Score:2)
Or ... More likely, the story is complete bullshit.
China would really sanction such a petty operation against github ... WHY?
GitHub is suddenly a target because of what?
It makes no sense for the Chinese to use their own primary connectivity to the rest of the world to run a half assed DDoS against a company that almost no one outside the OSS world even knows exists.
And if they wanted to do it, they'd take github down and be done with it. China has WAY more bandwidth than github, even taking AWS into account.
Re:Ancient Chinese wisdom (Score:5, Funny)
Re: (Score:3)
Gunpowder. Navigation. Paper. Writing. Printing. Silk. The compass. Noodles.
In fact, a staggering list [wikipedia.org].
And you being incompetent enough to not be able to eat with them means that China didn't achieve much?
Get a life.
What the hell have you invented?
Re: (Score:2)
They achieved a lot, then stagnated. Same for the Middle East.
Re: (Score:3)
Writing.
I had no idea Mesopotamia was part of China.
Re: (Score:2)
It was a tongue in cheek comment. Obviously you and the pre-school moderators were too fucking stupid to see that.
Re: (Score:1)
Any civilisation that in 5000 years never managed to invent the fork and carried on using 2 sticks to eat with isn't that great.
Any civilisation that after 5000 years still makes food so hard to eat that it needs to be poked, chopped, ripped, etc AFTER the chef is done, isn't that great. Chopsticks are not a symptom of lack of refinement, the food that passes as "prepared" in western cultures is.
/flame on
Re: (Score:2)
You need your food mashed up like a baby or something?
Re: (Score:2)
Any civilisation that in 5000 years never managed to invent the fork and carried on using 2 sticks to eat with isn't that great.
Really? You're sure that they just couldn't figure a fork out?
Here's the story of chopsticks. Having potential weapons at the dinner table became a real problem in times of tension, and it became a violent, rude spectacle to stab or slice your food at dinner with others - think state functions or otherwise. It implies what you might be thinking to do to others present. Hence, leave the knives in the kitchen with the cooks. Hence, you don't use those stabby forks. Spoons and chopsticks become the socia
can't we all just get along... to block China? (Score:4, Insightful)
knock them off the web for 12 hours, open it up... if they continue, block 'em again...
Socialism (Score:1)
This is where socialism leads: Authoritarianism.
Re:Socialism (Score:4, Funny)
Well, the acronym for Socialist In Name Only is "sino".
Re: (Score:3)
See, that's a serious image problem right there. Since absolutely no self-described socialist or communist government in the world is considered "true" socialism or communism by those philosophies' respective defenders (who then go on to praise "socialist" European nations that are, in fact, simply capitalism plus robust welfare), it leads the rest of us to believe that those philosophies are simply impossible to implement in reality.
Re: (Score:2)
While you are correct, I defy you to come up with an example of a form of government (that has been in use) that doesn't/didn't lead to authoritarianism.
In the US it took less than 10 years (see "The Whiskey Rebellion"). The only thing that slowed down the process was the existence of an "open border" along the west. Closed borders foster authoritarianism, whatever the form of government.
Actually, I believe that there ARE forms of government that don't necessarily drift towards authoritarianism, but they
Comment removed (Score:4, Interesting)
Github is scary for critical code (Score:2, Interesting)
I have a coworker who advocates GitHub as the solution to all of our needs. He wants us to store all of our production code there. I asked him if he had a plan for backing up the GitHub repo, and his answer was along the lines of, 'someone will have the latest version on their PC, so we don't need a backup.' I asked him how we would work in times of limited GitHub availability. What if it goes down? What if it gets hit with DDOS? 'Oh, they're a big company, that won't happen.'
I have no fundamental prob
Re:Github is scary for critical code (Score:5, Insightful)
Still, no backups, no alternative plan, your coworker is an idiot.
Re: (Score:3)
Technically, it is not China itself which is DDOSing them, but all the people from _outside_ of China which are accessing Baidu servers in China. Basically some part of Chinese diaspora is DDOSing github. Which is considerably smaller number of people than 'China'.
Plus, it is happening just on browser refresh, not as dedicated trojan running heavy DOS attack from each PC.
Re:Github is scary for critical code (Score:5, Insightful)
Re: (Score:2)
The main advantage of Github, etc. isn't the hosting - you can use any SSH-capable server for that. It's in the issue tracking and other built-in features.
That means it makes more sense to have your backup server pull updates from Github, since it can't provide that.
Of course, an even better approach would be to use an alternative like Gitorious (now Gitlab?) that allows you to host it yourself, so you don't lose access to anything if your primary hosting goes down...
Re: (Score:3)
If you're that paranoid about an outage for an hour or two; mirror it on bitbucket, gitorious, gitlab, amazon S3, a local server, etc, etc, etc.
It's trivial to do these sorts of mirrors, precisely because git's a DVCS.
Re:Github is scary for critical code (Score:4, Insightful)
You heard; "We don't need a backup because GitHub is so awesome". That does sound scary.
However, the whole point of Git is everyone who cares about the project has the complete repository, usually with multiple backups, and works "off-line" as normal practice.
Github is just an awesome and easy place to share a copy of the repository. It's trivial to set up another shared repository or just share directly with those involved in the development.
Re: (Score:3)
If GitHub is down just:
git remote add bitbucket git@bitbucket.org:company/project.git
git push bitbucket
And then keep rolling.
Replace Bitbucket with any number of alternatives.
It simply doesn't matter if GitHub goes down. It has a convenient interface, for sure, but you can continue to work without it easily.
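The fallback-remote approach from the comments above, extended with a check that the fallback actually holds every branch and tag before it is needed. This is an added example, not code from the thread; the remote names, the paths and the local bare repositories standing in for hosting services are assumptions.

```shell
#!/bin/sh
# Added example. Local bare repositories (constructed) stand in for the
# primary host and the fallback host; all names and paths are assumptions.
set -eu

# Sorted "<sha> <ref>" lines for every branch and tag of a path or URL.
list_refs() { git ls-remote --heads --tags "$1" | sort; }

# True only when both repositories advertise identical branches and tags.
in_sync() { [ "$(list_refs "$1")" = "$(list_refs "$2")" ]; }

# sync_mirror <work-tree> <remote-name> <url>
# Adds the fallback remote if it is missing, pushes all branches and tags,
# then verifies the fallback really holds what the local clone holds.
sync_mirror() {
    work=$1 name=$2 url=$3
    git -C "$work" remote get-url "$name" >/dev/null 2>&1 ||
        git -C "$work" remote add "$name" "$url"
    git -C "$work" push --quiet "$name" --all
    git -C "$work" push --quiet "$name" --tags
    in_sync "$work" "$url"
}

commit_file() {  # commit_file <work-tree> <file> <message>
    echo "$3" > "$1/$2"
    git -C "$1" add "$2"
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit --quiet -m "$3"
}

demo() {
    tmp=$(mktemp -d)
    git init --quiet --bare "$tmp/primary.git"
    git init --quiet --bare "$tmp/fallback.git"
    git init --quiet "$tmp/work"
    w=$tmp/work
    git -C "$w" remote add origin "$tmp/primary.git"
    commit_file "$w" README "first commit"
    git -C "$w" tag v1.0
    git -C "$w" branch feature
    git -C "$w" push --quiet origin --all
    sync_mirror "$w" fallback "$tmp/fallback.git"

    # Simulated outage of the primary: work continues locally, so the
    # fallback is stale until the next push.
    rm -rf "$tmp/primary.git"
    commit_file "$w" NOTES "second commit"
    if in_sync "$w" "$tmp/fallback.git"; then stale=no; else stale=yes; fi
    sync_mirror "$w" fallback "$tmp/fallback.git"

    # A teammate who never saw the primary clones from the fallback.
    git clone --quiet "$tmp/fallback.git" "$tmp/teammate"
    refs=$(list_refs "$tmp/fallback.git" | wc -l | tr -d ' ')
    head=$(git -C "$tmp/teammate" log -1 --format=%s)
    rm -rf "$tmp"
    echo "refs=$refs stale=$stale head=$head"
}

demo
```

Only branches and tags travel this way; issues, wiki settings and pull-request discussion stay on the hosting service and need their own export.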
Re: (Score:2)
Well, if your production code is open source, then storing your code on GitHub seems like a reasonable approach ... for backup.
Re: (Score:1)
And using GitHub for your prod code is stupid, unless you fully plan on sharing it with the world, including possibly any "fun" stuff that gets included by accident like private company info, passwords, internal IP-space, users, or security flaws...
Re: (Score:1)
Some other comments mention that you can just clone your git repositories and use that as a backup, but that's not practical when you're using git workflow as a core part of running your development team.
Relying on external services is never a good business move, so a solution is to use GitHub Enterprise [github.com], which lets you run a private copy of the GitHub site on your own servers, with your own backup solution and security provisions.
Maybe this is what your coworker is advocating.
I love the alert they changed the page to (Score:2, Funny)
To fight back they have changed those projects to be
alert("WARNING: malicious javascript detected on this domain")
So the user sees a message =)
Re:I love the alert they changed the page to (Score:4, Insightful)
Not only do they see that message, but the alert pauses the loop that keeps loading the pages.
Re: (Score:2)
I assumed they selected Github as the target because they wanted an effective response delivered to the originators of the original http request.
They are constantly mapping accessible VPNs and developing countermeasures against them. I understand it's a constant game of whack-a-mole over there with access to VPNs outside the great firewall.
Re: Explain (Score:1)
The greatfire guys always post something about ways to bypass the wall and changes in the wall's behavior.
Fix is pretty obvious. (Score:3)
Fix is pretty obvious.
There are two URLs being hit.
Step 1: Put a reverse proxy cache which serves static pages directly out of RAM from a kernel module in front of GitHub. If there's nothing like this for Linux, there is for FreeBSD, and it's pretty trivial to set up.
Step 2: At the first URL, serve pro Free Tibet information. At the second URL, serve pro Falun Gong information.
Step 3: Wait for someone in China in charge of the attack to call it off in fear for their life from the government for serving this illegal in China content to everyone in China going to one of the affected web sites that has the javascript injected.
Step 4: (optional) Laugh your ass off as they are sent to a reeducation camp.
Re: (Score:1)
The content and attack is only served to people OUTSIDE of China accessing Baidu. People from inside of China aren't affected.
Re: (Score:2)
The content and attack is only served to people OUTSIDE of China accessing Baidu. People from inside of China aren't affected.
China watches external visibility of Chinese sites. A Chinese site serving pro Tibet/Falun Gong info would get flagged very quickly, especially if the text is sensational and purports to be from a Baidu employee, since the press outside of China isn't going to check their sources very closely, any more than they check any of their sources very closely these days.
So it will at least hit some, if not many, mainstream news channels, especially if it's couched as a "Help! I'm trapped in a Chinese fortune cookie
EOTD (Score:1)
<span>Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From {{enemyOfTheDay}}</span>
Baidu’s traffic hijacked to DDoS GitHub.com (Score:2)
Baidu’s traffic hijacked to DDoS GitHub.com [insight-labs.org]
Cluster DDoS China? (Score:2)
Why not set up every computer in the U.S. in like a Beowulf cluster and mass DDoS China. Shut the whole country down. No loss there.... Might help generate new manufacturing jobs in the U.S...