Github DDoS Attack As Seen By Google
New submitter opensec writes: Last month GitHub was hit by a massive DDoS attack originating from China. On this occasion the public discovered that the NSA was not the only one with a QUANTUM-like capability. China has its own "Great Cannon" that can inject malicious JavaScript inside HTTP traffic. That weapon was used in the GitHub attack. People using Baidu services were unwitting participants in the denial of service, their bandwidth used to flood the website. But such a massive subversion of the Internet could not evade Google's watchful eye. Niels Provos, engineer at Google, tells us how it happened. Showing that such attacks cannot be made covertly, Provos hopes that the public shaming will act as a deterrent.
Public Shaming the Red Chinese ? (Score:4, Interesting)
I'll love seeing how that works out. Their people are locked behind their firewall and don't get to see any criticism the government doesn't want them to see. Hell you can't even get politicians here shamed if the media doesn't do a full bore dog pile.
Re: (Score:2)
As explained in
War is Peace, Freedom is Slavery, and Ignorance is Strength
The Theory and Practice of Oligarchical Collectivism by Emmanuel Goldstein [wikipedia.org]
Re: (Score:2)
I was more thinking Paul Wolfowitz.
I'd suggest adding de Tocqueville to your reading list
Yes and No (Score:2)
Sure, the US needs enemies but this is not the case of faking enemy action. This attack was easily traced to Chinese devices which were injecting Javascript into HTML files, resulting in a massive DDOS. The servers performing this were part of the Chinese version of Google, which returned contaminated cache pages to queries.
Call me a skeptic, but I don't think the injections were limited to the cache servers Google names. I think this was done at a lower level to achieve the scale. The reason for the att
Re: (Score:2)
You can't shame a sociopath. And even with the 'cannon' in China, do we know who lit the fuse?
QOTD from one of the links:
We have one network in the world today. Either we build our communications infrastructure for surveillance, or we build it for security. Either everyone gets to spy, or no one gets to spy. That's our choice, with the Internet, with cell phone networks, with everything.
Wonderfully put
Re: (Score:3)
> And even with the 'cannon' in China, do we know who lit the fuse?
Almost certainly the same people who arranged for NXDOMAIN on github.com a few weeks back. They really hate that there are open source anti-censorship tools on there.
They had to stop breaking DNS for github since most of China's Internet developers couldn't get any work done anymore.
That Chinese developers are freely using a California hosting service which has benefits to everybody in the world, and everybody recognizes that the "damage" her
Re:Public Shaming the Red Chinese ? (Score:4, Informative)
> Their people are locked behind their firewall and don't get to see any criticism the government doesn't want them to see.
I wouldn't be so sure about that. It's effectively no different in China than it is in the west. Yes there are people who are locked behind technology, just like there are Americans who only ever watch Fox News. Maybe it's representative of where in China I was staying, or the class of people who I worked with, but all of them had some form of service to get around the great firewall. Even if they don't at home or on their phone (I realised this when people constantly showed me stuff on Google Maps which is blocked) then if these people work for an international corporation they nearly always have some form of corporate VPN too.
The people are well and truly clued in on what their government is doing.
Re: (Score:2)
There is no firewall to limit US internet users from accessing any source of information across the world. If someone chooses to watch only Fox News that is their decision and not something they are forced to do. The same thing applies to those who think the real truth can only be found in Pravda, The Guardian, or Al Jazeera. The most unsettling fact is that people tend to gravitate to news sites, blogs, and other information sources that only present information they already agree with. Subtle but manipul
Re: (Score:2)
> Their people are locked behind their firewall and don't get to see any criticism the government doesn't want them to see.
> I wouldn't be so sure about that. It's effectively no different in China than it is in the west. Yes there are people who are locked behind technology, just like there are Americans who only ever watch Fox News. Maybe it's representative of where in China I was staying, or the class of people who I worked with, but all of them had some form of service to get around the great firewall. Even if they don't at home or on their phone (I realised this when people constantly showed me stuff on Google Maps which is blocked) then if these people work for an international corporation they nearly always have some form of corporate VPN too.
> The people are well and truly clued in on what their government is doing.
Riiight ... China doesn't have noteworthy censorship, because Fox News.
And you actually think that it is the Fox News viewers who are sealed in the ideological bubble, instead of yourself. Amazing.
Re: (Score:2)
No. I do however think you fail at reading comprehension.
China's censorship via the firewall is as optional to citizens with internet as sitting down and only watching Fox News is optional to Americans. Everyone can get around the firewall if they choose, and pretty much most educated people do get around it. Know how I accessed all my Google services while I was over there? I asked the receptionist at work. She told me which program to find and where to find it. Then I even had her install it because I coul
Re: (Score:1)
Who said the Chinese did it? Could be the NSA hacking Chinese computers... nobody fucking knows.
Loss of Face (Score:2)
A little bit of finesse and you can cause a massive loss of face. That will get a chinaman's attention.
Watchful eye of Google (Score:1, Interesting)
Re: (Score:2)
http://www.alef.net/ALEFFeatures/GoogleSauron.Gif [alef.net]
Shaming? More like helping (Score:3)
You can't shame the (mainland) Chinese government on this one. They were fairly overt about it by using their own govt search engine to do it. It's a scarcely veiled threat to anyone who might want to mess with them, like doing an atomic bomb test or running your aircraft carriers around in sensitive regions. I'm sure they welcome the extra publicity.
Re:Shaming? More like helping (Score:5, Insightful)
"As the representative of the Chinese government, I can categorically deny the Chinese government's use of Baidu for a highly effective attack on GitHub. We did not make use of this capacity, which can be used to quickly and efficiently shut down any networked target at will.
As China is a responsible citizen of the world, we would never use specially trained teams of professional PLA hackers to provide a demonstration of our significant power.
Although China is a global superpower and leader in computer science education, and we certainly have the ability to call down multiple, simultaneous, and devastating defensive DDoS's, (a tactic that we refer to as the Great Worker's and Peasants' Rain of Steel), we are a peace loving nation who does not resort to aggression to pursue our policies.
We condemn in the strongest terms this attack, although we do note its effectiveness and our preparation to do battle on these terms, if such a thing was necessary to maintain the sovereignty of the People's Republic of China from similar aggression.
Thank you."
Shitty story, shitty blog (Score:5, Insightful)
>Will China get the message ?
What message? The one it has been getting forever, the one that says "we know it's you, but we're never going to do anything about it because we rely on you for cheap everything"?
Re: (Score:3)
> we're never going to do anything about it because we rely on you for cheap everything"?
That's true, but I'm afraid it's even worse than that. If China is the only country with factories for certain items, then we rely on them for those items, cheap or not. China is developing the power to tell us to stop supporting Taiwan or whatever, or else they'll stop selling us things that we need.
The US government should make up a list of manufactured goods that the US needs. Then have tax incentives for US companies to make those items in the US, with American managers and workers.
Who cares? (Score:1)
Github is really not very good. We could probably do with it being crushed for awhile to allow competitors to rise. This would increase the ecosystem for dev tools and be very beneficial overall as github has become the basket with all eggs in it.
Re: (Score:2)
dammit you're an AC. I wanted to know more about what you just said.
Easy to solve (Score:2)
Cyber attacks by China are easy to fix; give them exactly what they want and cut them off the Internet. Problem solved.
The website operators have little ability to stop these attacks but those controlling the Internet infrastructure between the attacker and victim absolutely do. Once the attacker is identified there should be procedures to quickly block the attack. If that means taking an entire country off the Internet to encourage them to stop the attack and not do it again in the future that is perfectly
Niels Provos - the blacksmith (Score:2)
Niels Provos - when not fighting [cyber]crime, he's forging a mean sword: https://www.youtube.com/user/m... [youtube.com]
A "subversion" of "github"... (Score:5, Funny)
I see what you did there.
-Rick
Link to the actual Google blog post... (Score:1)
... instead of the shitty ad-filled blog
http://googleonlinesecurity.bl... [blogspot.ae]
Shaming anyone? Hahahaha (Score:5, Insightful)
Shaming "western" governments/agencies doesn't have any effect at all, why would anyone think that shaming Chinese would be any different?
HTTPS (Score:2)
This is why every website should be on HTTPS.
No more Javascript injection by the network.