Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
China Network Security

Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government 116

An anonymous reader writes: During the past two days, popular code hosting site GitHub has been under a DDoS attack, which has led to intermittent service interruptions. As blogger Anthr@X reports from traceroute lists, the attack originated from MITM-modified JavaScript files for the Chinese company Baidu's user tracking code, changing the unencrypted content as it passed through the great firewall of China to request the URLs github.com/greatfire/ and github.com/cn-nytimes/. The Chinese government's dislike of widespread VPN usage may have caused it to arrange the attack, where only people accessing Baidu's services from outside the firewall would contribute to the DDoS. This wouldn't have been the first time China arranged this kind of "protest."
This discussion has been archived. No new comments can be posted.

Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From Chinese Government

Comments Filter:
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday March 27, 2015 @10:41AM (#49354785)
    Comment removed based on user account deletion
    • Or ... More likely, the story is complete bullshit.

      China would really sanction such a petty operation against github ... WHY?

      GitHub is suddenly target because of what?

      It makes no sense for the Chinese to use their own primary connectivity to the rest of the world to run a half assed DDoS against a company that almost no one outside the OSS world even knows exists.

      And if they wanted to do it, they'd take github down and be done with it. China has WAY more bandwidth than github, even taking AWS into account.

  • by swschrad ( 312009 ) on Friday March 27, 2015 @10:47AM (#49354823) Homepage Journal

    knock them off the web for 12 hours, open it up... if they continue, block 'em again...

  • by Anonymous Coward

    This is where socialism leads: Authoritarianism.

    • Comment removed based on user account deletion
      • by blueg3 ( 192743 ) on Friday March 27, 2015 @11:26AM (#49355123)

        Well, the acronym for Socialist In Name Only is "sino".

      • by halivar ( 535827 )

        See, that's a serious image problem right there. Since absolutely no self-described socialist or communist government in the world is considered "true" socialism or communism by those philosophy's respective defenders (who then go on to praise "socialist" European nations that are, in fact, simply capitalism plus robust welfare), it leads the rest of us to believe that those philosophies are simply impossible to implement in reality.

    • by HiThere ( 15173 )

      While you are correct, I defy you to come up with an example of a form of government (that has been in use) that doesn't/didn't lead to authoritarianism.

      In the US it took less than 10 years (see "The Whiskey Rebellion"). The only thing that slowed down the process was the existence of an "open border" along the west. Closed borders foster authroitarianism, whatever the form of government.

      Actually, I believe that there ARE forms of government that don't necessarily drift towards authoritarianism, but they

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday March 27, 2015 @10:48AM (#49354837)
    Comment removed based on user account deletion
    • by dave420 ( 699308 )
      That would be pretty fucked up if the military and academic networks had nothing to do with it. I guess that's why international diplomacy is usually steered away from vigilantism, and those nations who engage in vigilantism are treated with a certain level of disdain...
    • If Korporate AmeriKa hadn't (along with their subsidiary, the US gov't) offshored all the jobs, technology and investment to China, they wouldn't have been capable of doing this. We now stand at a disadvantage, thanks to the banksters!
  • by Anonymous Coward

    I have a coworker who advocates GitHub as the solution to all of our needs. He wants us to store all of our production code there. I asked him if he had a plan for backing up the GitHub repo, and his answer was along the lines of, 'someone will have the latest version on their PC, so we don't need a backup.' I asked him how we would work in times of limited GitHub availabilty. What if it goes down? What if it gets hit with DDOS? 'Oh, they're a big company, that won't happen.'

    I have no fundamental prob

    • by wisnoskij ( 1206448 ) on Friday March 27, 2015 @11:10AM (#49354985) Homepage
      Well considering that apparently f***en CHINA is DDOSing them and they are only experiencing intermittent downtime that is pretty impressive to me. More of reason to switch than a warning against it.

      Still, no backups, no alternative plan, your coworker is an idiot.
      • by abies ( 607076 )

        Technically, it is not China itself which is DDOSing them, but all the people from _outside_ of china which are accessing Baidu servers in China. Basically some part of chinese disapora is DDOSing github. Which is considerably smaller number of people than 'China'.
        Plus, it is happening just on browser refresh, not as dedicated trojan running heavy DOS attack from each PC.

    • Re: (Score:2, Interesting)

      Run your own GitHub or Git repo. Why in the world would your rely on an outside company to store your production code? It verges on incompetence to do so.
    • by dave420 ( 699308 ) on Friday March 27, 2015 @11:39AM (#49355237)
      You put your local github repo on some server, and then have it push its updates to Github. Should anything happen to that server, you can use Github to get a copy. The chances of Github and your local server losing your data is clearly much lower than either on its own, hence it making sense. Or just hate on Github because you are scared and don't understand stuff. Whatever's easier.
      • by rdnetto ( 955205 )

        The main advantage of Github, etc. isn't the hosting - you can use any SSH-capable server for that. It's in the issue tracking and other built-in features.
        That means it makes more sense to have your backup server pull updates from Github, since it can't provide that.

        Of course, an even better approach would be to use an alternative like Gitorious (now Gitlab?) that allows you to host it yourself, so you don't lose access to anything if your primary hosting goes down...

    • by Fwipp ( 1473271 )

      If you're that paranoid about an outage for an hour or two; mirror it on bitbucket, gitorious, gitlab, amazon S3, a local server, etc, etc, etc.

      It's trivial to do these sorts of mirrors, precisely because git's a DVCS.

    • by fhage ( 596871 ) on Friday March 27, 2015 @12:32PM (#49355683)
      This is a good example of people having a fundamental lack of knowledge about Git and GitHub.

      You heard; "We don't need a backup because GitHub is so awesome". That does sound scary.

      However, the whole point of Git is everyone who cares about the project has the complete repository, usually with multiple backups, and works "off-line" as normal practice.

      Github is just an awesome and easy place to share a copy of the repository. It's trivial to set up another shared repository or just share directly with those involved in the development.

    • If GitHub is down just:

      git remote add bitbucket git@bitbucket.org:company/project.git
      git push bitbucket

      And then keep rolling.

      Replace Bitbucket with any number of alternatives.

      It simply doesn't matter if GitHub goes down. It has a convenient interface, for sure, but you can continue to work without it easily.

    • by HiThere ( 15173 )

      Well, if your production code is open source, then storing your code on GitHub seems like a reasonable approach ... for backup.

    • by phorm ( 591458 )

      And using GIThub for your prod code is stupid, unless you fully plan on sharing it with the world, including possibly any "fun" stuff that gets included by accident like private company info, passwords, internal IP-space, users, or security flaws...

    • I hope you don't work on any critical work.. lol
    • by prs ( 18535 )

      Some other comments mention that you can just clone your git repositories and use that a backup, but that's not practical when you're using git workflow as a core part of running your development team.

      Relying on external services is never a good business move, so the a solution is to use GitHub Enterprise [github.com], which lets you run a private copy of the GitHub site on your own servers, with your own backup solution and security provisions.

      Maybe this is what your coworker is advocating.

  • by Anonymous Coward

    To fight back they have changed those projects to be

    alert("WARNING: malicious javascript detected on this domain")

    So the user sees a message =)

    • by blueg3 ( 192743 ) on Friday March 27, 2015 @11:28AM (#49355149)

      Not only do they see that message, but the alert pauses the loop that keeps loading the pages.

    • by fhage ( 596871 )
      This was the whole point. Someone wanted to cause a disruption to users in China surfing via a VPN.

      I assumed they selected Github as the target because they wanted an effective response delivered to the originators of the original http request.

      They are constantly mapping accessible VPNs and developing countermeasures against them. I understand it's a constant game of whack-a-mole over there with access to VPNs outside the great firewall.

  • by tlambert ( 566799 ) on Friday March 27, 2015 @12:14PM (#49355491)

    Fix is pretty obvious.

    There are two URLs being hit.

    Step 1: Put a reverse proxy cache which serves static pages directly out of RAM from a kernel module in front of GitHuB. If there's nothing like this for Linux, there is for FreeBSD, and it's pretty trivial to set up.

    Step 2: At the first URL, serve pro Free Tibet information. At the second URL, serve pro Falun Gong information.

    Step 3: Wait for someone in China in charge of the attack to call it off in fear for their life from the government for serving this illegal in China content to everyone in China going to one of the affected web sites that has the javascript injected.

    Step 4: (optional) Laugh your ass off as they are sent to a reeducation camp.

    • by Anonymous Coward

      The content and attack is only served to people OUTSIDE of China accessing Baidu. People from inside of China aren't affected.

      • The content and attack is only served to people OUTSIDE of China accessing Baidu. People from inside of China aren't affected.

        China watches external visibility of Chinese sites. A Chinese site serving pro Tibet/Falun Gong info would get flagged very quickly, especially if the text is sensational and purports to be from a Baidu employe, since the press outside of China isn't going to check their sources very closely, any more than they check any of their sources very closely these days.

        So it will at least hit some, if not many, mainstream news channels, especially if it's couched as a "Help! I'm trapped in a Chinese fortune cookie

    • Can't see those trees, can ya? The forest too much in the way for ya? China can do whatever they like, as long as the banksters continue to offshore all the jobs, all the technology and all the investment their way.
  • by Anonymous Coward

    <span>Github Under JS-Based "Greatfire" DDoS Attack, Allegedly From {{enemyOfTheDay}}</span>

  • So basically Baidus search results is being hijacked to run a JS script in the client computers. Unlike a normal DDOS the client computer hasn't yet been compromised.

    Baidu’s traffic hijacked to DDoS GitHub.com [insight-labs.org]
  • Why not setup every computer in the U.S. in like a beowolf cluster and mass DDos China. Shut the whole country down. No loss there.... Might help generate new manufacturing jobs in the U.S...

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...