It’s day four of the GitHub cyberattack and the digital assault is still evolving as the largest public code repository in the world continues to battle Chinese hackers. GitHub traces the distributed denial of service (DDoS) attack to Friday, calling it the largest in the site’s history and one that involves a wide combination of attack vectors.
“These include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the Web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic,” GitHub said in a blog post. “Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content.”
GitHub has been offering status updates since then, reporting on Sunday that 87 hours into the attack its mitigation was deflecting most of the DDoS traffic. Sunday night, all systems were reporting at 100 percent, but the attack traffic continued, and early Monday morning GitHub said it had “evolved and we are working to mitigate.”
Not Just a Grudge
According to the Wall Street Journal, security experts report that the onslaught redirected huge volumes of traffic from overseas users of Chinese search giant Baidu to GitHub.
The attackers intentionally targeted GitHub pages that linked to copies of Web sites banned in China, including one page Greatfire.org runs and one Chinese-language version of the New York Times, the Journal reported. Greatfire.org monitors online censorship in China.
We asked Graham Cluley, an independent technology analyst in the United Kingdom, for his take on this attack. He told us that what we have here is a highly determined attacker.
“This isn't just someone with a grudge operating from their back bedroom. Instead, the people with the most plausible motive are the Chinese government, keen to stamp out access to uncensored content on the Internet,” Cluley said.
“It's not a surprise that their resolve to disrupt unfettered access to the 'Net by Chinese citizens is considerable, which is clearly posing a significant challenge for GitHub as it fights to remain online.”
An Unfamiliar Strategy
Cluley called out what he sees as particularly interesting about the attack on GitHub: the DDoS does not appear to be conducted in the familiar fashion of a botnet of compromised computers around the world that are bombarding the site with traffic.
Rather, it appears that someone is tricking the Web browsers of people visiting Chinese Web sites into repeatedly reloading the two targeted GitHub pages, he said.
“In a nutshell, many Chinese Web sites use advertising and visitor tracking code from Baidu, China's leading search engine -- just as many other sites around the world might use, say, Google Analytics,” he explained. “It appears that when Web pages containing the Baidu scripts are accessed from outside China, the script's code is being replaced with code serving a different function.”
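The browser-reload pattern Cluley describes leaves a different footprint on the victim's side than a classic botnet flood: the same two pages are requested over and over by a very large number of distinct browsers, each typically carrying a Referer from whatever third-party site its user was actually reading. The following Python script is an added example, not GitHub's tooling and not code from the article's sources. It builds a constructed combined-format access log (placeholder paths /flooded-page-a and /flooded-page-b, documentation IP ranges, made-up referring hosts) and flags paths whose load is both heavy and spread across many clients that each reload repeatedly. The thresholds are assumptions to be tuned per site.

```python
"""Heuristic detector for a browser-hijack style flood: many distinct clients
each reloading the same few pages. Added example, not GitHub's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# nginx/Apache "combined" log format; fields we do not need are skipped.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed traffic (not real GitHub logs): 40 browsers each reload two
    placeholder pages five times within 90 seconds, with Referer set to the
    third-party site they were visiting; 20 other clients fetch ordinary
    repository pages once each."""
    start = datetime(2015, 3, 30, 10, 0, 0, tzinfo=timezone.utc)
    referers = ["http://site-a.example/news", "http://site-b.example/",
                "http://site-c.example/article/1"]       # made-up hosts
    lines = []
    for i in range(40):
        ip = f"203.0.113.{i + 1}"                        # TEST-NET-3 placeholder
        for n in range(5):
            ts = (start + timedelta(seconds=i + 12 * n)).strftime(TS_FMT)
            for path in ("/flooded-page-a", "/flooded-page-b"):
                lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 '
                             f'"{referers[i % 3]}" "Mozilla/5.0"')
    for i in range(20):
        ts = (start + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET /someuser/repo{i} HTTP/1.1" '
                     f'200 8192 "-" "Mozilla/5.0"')
    return lines


def analyze(lines, min_requests=100, min_reloads_per_client=3.0, min_clients=20):
    """Per path: request count, distinct clients, average reloads per client,
    request rate over the observed span, and the set of Referer hosts.
    A path is flagged when it is hot, reloaded repeatedly, and the load is
    spread over many clients. Thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set(),
                                 "referer_hosts": set(), "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # skip malformed lines rather than abort
        rec = m.groupdict()
        s = stats[rec["path"]]
        s["requests"] += 1
        s["clients"].add(rec["ip"])
        if rec["referer"] != "-":
            host = urlsplit(rec["referer"]).hostname
            if host:
                s["referer_hosts"].add(host)
        ts = datetime.strptime(rec["ts"], TS_FMT)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    findings = []
    for path, s in stats.items():
        clients = len(s["clients"])
        reloads = s["requests"] / clients
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        if (s["requests"] >= min_requests and clients >= min_clients
                and reloads >= min_reloads_per_client):
            findings.append({
                "path": path,
                "requests": s["requests"],
                "clients": clients,
                "reloads_per_client": round(reloads, 1),
                "req_per_sec": round(s["requests"] / span, 2),
                "referer_hosts": sorted(s["referer_hosts"]),
            })
    return sorted(findings, key=lambda f: f["requests"], reverse=True)


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The reloads-per-client figure is what separates this from ordinary popularity: a page going viral also draws many distinct clients, but most of them fetch it once. The Referer host list is supporting evidence for responders, since hijacked browsers report the unrelated site their user was reading rather than a link from within the victim's own site.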