The PRC's DDoS of GitHub seems a little risky.[1] If GitHub is inventive (or desperate) enough, they could call on their users for aid. The perpetrators would immediately draw the ire of vast numbers of talented programmers. And GitHub is positioned to direct this ire toward useful ends. They could encourage users to contribute to GreatFire, or even start other initiatives and projects to stymie censorship. The outcome could easily be worse for the PRC than if the attack had never happened.
1. Even if this isn't a PRC-ordered or sponsored attack, large parts of their infrastructure are being co-opted. If they aren't criminally involved, they're criminally irresponsible.
Eliminating these 10 attack vectors would account for 94% of DDoS attacks according to this visualization[1], as witnessed by Akamai over the last 30 days. Just the top 3 is more than 50%. Seems like a reasonable start on a way to measure success.
Who'd like to sponsor? Or should I just spin up a GitHub repo for the code and a kickstarter for the prize money?
SYN Flood is already mitigated a long time ago with SYN cookies. The rest ..... well, it's basically just packets.
I see this latest development as good news. The Javascript MITM trick was very clever because forcing github to render and serve a page is a lot more resource consuming than just firing packets at servers that ignore them (like a UDP or SYN flood). The latter can saturate network links until the sources are blocked, but those sources tend to be somewhat focused and don't shift much. An HTTP level attack driven by random web users means every request might have a different IP and it requires running way more of the app stack to be able to filter them out. If China is now resorted to SYN flooding then it means they ran out of better techniques.
synflooding is not mitigated by syncookies.
the attacker can encode information inside the packets in exactly the same way as the server, meaning they don't have to maintain any state, see:
http://insecure.org/stf/tcpdos/outpost24-sect-sockstress.ppt (slide 18 onwards)
That's not a syn flood though. A syn flood is purely syns. So there is no need for the attacker to encode information if they are just doing a syn flood.
There are generally two types of floods against DNS infrastructure:
- Flood of "valid" requests, to a large number of open DNS recursors. To avoid caching they usually contain random prefix. Flood against large number of open DNS recursors basically causes the recursors to not work, and many authoritative servers to be overwhelmed.
- Flood directly against authoritative servers, to fill the network or use up all the CPU.
Traditional reflections aren't that popular any more.
You aren't going to make ddos attacks go away by offering prizes for a miracle software solution. It amazes me that there are so many programmers here who don't understand this basic principal. I think the only way we can get people to understand the situation is with an analogy.
Let's say your pipe can receive 1 Liter per second of water. There are some impurities that you can filter through your faucet, this is analogous to the software firewall. However what happens when someone starts piping 99 L/s of sludge through the other end? No matter how sophisticated the filter you have on your faucet, the water you will get out of it is going to slow to a trickle.
Now I can already hear you asking, why does the Internet allow people to send whatever sludge they want? And the answer is because that's the way the internet is made. There has been a push to stop spoofing called BCP38, but this requires EVERYONE to do extra work and spend extra money which is why relatively little progress has been made since it was released 15 years ago, and is likely to never succeed.
If it was as easy as creating a piece of software to deal with, large businesses like Prolexic wouldn't be banking their future on a problem that would be so easily solved.
I think there are plenty of people, myself included, who understand how DDoS attacks work.
Do you know how X-Prizes work?
Hit: Did I say anything about software?
[edit: It's odd to me that this would get down voted. Is it offensive? Or are downvoters really that opposed to thinking outside of the box?
The X-Prize encourages participation from unexpected directions, precisely where innovation is often found. As the parent post demonstrates (almost as if on queue), it's quite common for skilled experts within a field to become overly focused on specific classes of solution. I was careful not to say anything about how the above goals might be achieved.]
I didn't downvote you but I can see why they did. The way you act is similar to someone running a contest to disprove Turing's proof on the halting problem.
If your bandwidth is being filled from the other end, it doesn't matter how sophisticated the filter is at your server. Even if it is theoretically perfect and able to tell which packets came from real requests with 100% accuracy, it will not solve the problem. This limitation also applies to hardware firewalls.
Many smart people have already tried to solve the DDoS problem and they all came to the same conclusion. Either everyone does BCP38, which is never going to happen, or you buy more bandwidth than your attacker can throw at you.
To suggest that all we have to do to solve this is dangle chump change for some random coder to solve it is rather silly especially when companies like Cloudflare and Prolexic have bet their entire futures on DDoS not being fixed any time soon.
As someone who deals with DDoS attacks every month it is rather obvious that you don't have a very good idea of how ddos attacks work when everything in the list you copied off a random website except for SYN could be classified as attacks that overflow your bandwidth. UDP fragments and Chargen are also bandwidth attacks.
I understand your position, and I don't want to be offensive. I simply want to be clear.
The X-Prize is intended precisely for this type of industry stagnation, and has been very successful at that goal so far. Winners solve unbelievable problems in unbelievable ways.
I am, if not an expert, nearly so, and I can say that my first thought is not better filtration. As you rightly point out that is a very hard problem, technically impossible too if you limit the framing of the problem to only information available to the server and consider each event in isolation.
I am a little surprised that you as a self professed expert keep harping on the futility of better serverside filtration when your very argument is that it isn't a good approach. Why are you assuming that others would choose a poor approach when you would not?
For example my first thoughts go to ideas like: a home firewall auto configuration / lockdown tool and associated marketing campaign; inexpensive home network security hardware; better anti bot software; a police botnet; browser and os patch sets; political campaigns to change regulatory requirements; graphic design, video and other media to improve understanding and provide easy to implement solutions, economic/business models that naturally incentivise users and/or device vendor to prefer better security features on devices. In the end perhaps it would be none of these things are perhaps it would be some particularly spectacular bit of server filter coding.
The point of prize systems like the X-Prize is to efficiently solve hard problems. It is not to solve it in any particular way. Is there no better algorithm to recommend movies? No there isn't, until you consider human factors (The Netflix Prize). Is human space travel truly only the domain of nation states? Yes it is, until the Ansari X-Prize.
Before these prizes were won, their solutions were impossible, afterwards they are simply solved problems.
--
P.S. In addition to your mistaken impression of my inexperience in the filed you are also mistaken that the information I posted is "off a random website". The information is from Akamai's State of the Internet site and represents Akamai's "real-time 24-hour global attack data: sources, targets, and types of attacks". It is linked to directly from Prolexic's home page. Though, I'm sure as an expert you knew that.
> The X-Prize is intended precisely for this type of industry stagnation
No. Take a look Ansari X-Prize, the first of this kind.
The theoretic foundations for spaceflight were laid out about a century ago, the first flight took place in 1961. So this is something which is very well understood. The prize was, basically, for tweaking the components to make it cheaper.
But you're asking somebody to invent a new method, without providing a theoretical foundation for it to work in.
So this would be like asking to invent a teleporter or faster-than-light travel.
Besides that, other x-prizes were formulated as a contained experiments. E.g. demonstrate that your spacecraft can fly, or provide a program which offers better recommendations.
But what you describe is not an experiment. You actually want participants to go an change how the Internet works. This isn't contained.
So you're being downvoted for being extremely naive. You seem to believe that a kickstarter campaign and a github repo can solve any problem.
Everything you've suggested requires all networks to cooperate/spend extra time and money, or that no one makes an exploitable protocol in the future (as likely as humans never making mistakes). If you can already get all networks to cooperate/spend extra time and money, then you can make them do BCP38 which would be a more complete solution.
> In addition to your mistaken impression of my inexperience in the filed you are also mistaken that the information I posted is "off a random website". The information is from Akamai's State of the Internet site and represents Akamai's "real-time 24-hour global attack data: sources, targets, and types of attacks". It is linked to directly from Prolexic's home page. Though, I'm sure as an expert you knew that.
And all of this doesn't disprove anything I said.
That website is a marketing piece made for laymen such as yourself.
The fact that you are categorizing those attack vectors as seperate problems instead of being in the same class proves what I claim.
Indeed I did, still no software implication. I was being fairly deliberate about that.
What I'm confused about is what the argument is.
Is it we shouldn't try to find a solution?
I'm sorry if I was unclear that I did not intend to limit the scope of solutions to software, but frankly so what even if I had?
In any case the X-Prize proposal seems quite popular so I'd be happy to set it up, help someone else set it up or in general do anything I can to encourage innovative solutions of any kind, but..
Most of these attack vectors just mean a great amount of a specific traffic of some sort. Traffic volume is not something that you can, or would want to, eliminate.
You have to somehow identify and separate the unwanted requests from you regular traffic. That's why these cases are unique and needs to be handled manually, in cooperation with your uplink(s).
To be clear these are attack vector prevalence relative to each other, and represent 'known' attack traffic identified by Akamai, not general traffic in these protocols.
However, this is no doubt not a complete list of DDoS vectors as it doesn't account for application level exploits like demonstrated in the GitHub attacks. And obviously not everything that is a DDoS is a protocol flood.
Either there is a way to identify those types of attacks now, or improved attack identification should be included as a requirement for the X-Prize.
Maybe I misinterpreted the "or desperate enough," I don't know, but quite a lot of people in this thread seem very trigger happy.
// Fun fact: Depending on what jurisdiction you're under and how the tool is implemented writing a DDoS protection tool might actually be considered a crime.
> What jurisdiction or tool-implementation would consider DDoS prevention a crime?
That depends on how the tool is implemented. Nobody cares what you use it for; what it does and what that (potentially) enables you to do is usually the deciding factor. I can't give you a concrete example because I'm not a judge and these kind of laws are way too vague anyway. We're obviously not talking about "traditional" methods here (hence the fun fact). Note that the problem is not you using a tool, it's you distributing a tool that can be used for ... well ... I don't know.
"Bully" is rather too weak a label for the perpetrator. This attack is criminal. If carried out by a sovereign nation, perhaps an act of war. We don't allow foreign raiding parties to enter our country to loot private businesses. Neither should we treat this attack as a simple act of "bullying".
GitHub should get the full support of federal law enforcement, if not the military.
We should never take up arms for a thread that has no human casualties, especially when there are alternatives.
If your neighbour enter your home uninvited, because the door is not locked, the first thing you do is ask nicely not to do that. The next thing you do is lock the door. You don't start shooting at them first ...
So if a government shut down US airports for 72 hours but resulting in no loss of life, should we just sit back and do nothing? A risk to human life isn't the only threshold that determines retaliation. A risk to economic activity is just as provocative as physical violence. How about if they attacked the power grid? A huge number of companies's businesses depend on services like github. Do we just hold hands and choose to pray for a solution or do we hit the perpetrators in the gut? If the Chinese are behind it, we should immediately start seizing their US assets until such time as they put an end to the nonsense. If the Chinese can thwart Google, they sure as hell have the means to stop a cyber attack from their soil: even if they are directly the ones doing it. Alternatively, their cables could be cut (there are only about 7 that connect China with the outside Internet.) if someone is spraying you with a firehouse, cutting off their water supply is a just and reasonable response.
I don't think they're breaking into their system at all. They're just abusing a public interface on their sight. A more apt analogy would be repeatedly calling their phone, or ringing their doorbell nonstop. Your analogy implies they are destroying GitHub's property, which they aren't.
Bit further than that. They're crowding your front porch with the explicit purpose of preventing any of your friends, family or customers actually getting to your front door. I think the intent is important to note. It's not a child who likes the sound of a doorbell, but an adult employed to achieve a very negative outcome.
I wouldn't be averse to depth charging a fiber optic cable (more specifically - damaging their ability to operate the great firewall) so long as there are no human casualties. Even better if it could be done without disrupting Chinese Internet.
Unfortunately, most people's response would be "What's a GitHub"?
I was addressing the assertion that this is the first time China attacked the U.S. Whether or not the U.S. reciprocates is off-topic, but to answer your question: I don't know about any evidence that would suggest the U.S. reciprocates.
I'd say cut the internet trunk lines to China... period.. end of story. That would seem to be an appropriate response. Blacklist China's internet traffic completely.
@vacri, can't reply directly to you... but here goes.
If China was loading missiles into cargo ships that fire at northern california, we wouldn't continue to let ships enter/leave China. As to the debt that China owns, they're already in a position of playing games with currency and resources to assert a dominant position.
Eventually you have to stand up for yourself. As to the do-dad manufacture costs, well I think we'd be okay if we had to go a couple years without any new do-dads.
It's become clear to me over the past 5-10 years or so that we're in some sort of weird undeclared war on the Internet. Nations are doing exactly what you describe, and it seems there is little to no repercussions for them doing so.
I agree that it's criminal but that doesn't make it a terrible offense, and far from an "act of war". The damages to GitHub are probably minor in the long run. Nobody will have died or have even been injured. Any one violent crime would rank above this in severity imho.
I hope that by "full support of federal law enforcement, if not the military" you mean whatever cyber defense and possibly offense forces they have. I really hope that nobody thinks this is worth starting a shooting war with a rival nuclear superpower over.
On further thought, you're right. I would not condone any sort of violent response. But a criminal investigation should be made, even if it leads to Chinese authorities.
(Just as we should have criminal investigations over US surveillance programs...).
Both are unethical, but there is a difference between spying (sitting with some binoculars by a window, or snooping around inside the building) and destructive actions (blowing up the entrance with a constant stream of TNT so no one else can get in). US does the former, China does both.
We've been hearing propaganda for ages about China & Russia doing evil things in the cyberspace and USA promoting freedoms and such but the NSA revelations among other things have shown that USA is just as guilty of all the spying, attacks, weakening of hardware and software even if it hurts american companies, economic espionage (which was also a difference people here used to make with China and was proven false), etc.
And I'm not even touching Stuxnet and Flame.
> The US generally does not engage in destructive actions with the intent of restricting the rights of their own citizens... just other country's citizens. China does both. Both are very bad, but I think the US still has a slight moral highground here.
If it does. It's not much higher. You're completely restricted in your rights to do anything that the government finds a matter of "national security". Even if it's not related to any official entity [1]
It's time we stop thinking about Us vs Them and who is winning or has a moral high-ground and start thinking in terms of citizens of the world united against injustice.
Opposing attacks like the Chinese against GitHub and the surveillance, propaganda and violence of all the other big powers.
Feeling good about "our side" being slightly better (Subjective and irrational) won't change the fact that it's still unacceptable.
I do pretty much agree with all your points. The revelation that NSA was engaged in economic spying definitely brought their moral highground way down to earth, even if the nature of the spying was somewhat more geopolitical than what China was doing (going after national energy companies, in NSA's case). But a few caveats:
>You're completely restricted in your rights to do anything that the government finds a matter of "national security". Even if it's not related to any official entity [1]
There are very few countries where this is not the case, even supposed extremely liberal countries like the Nordic ones. State secrets and national security are always going to be a monolith hanging over us for centuries. What needs to improve is the internal regulations and auditing behind these processes, to ensure strict adhere to public (not classified) laws and regulations.
I am not nationalistic or even patriotic in the least. I don't like a lot of what the US government and intelligence community does. However, I do see it as the lesser evil when you compare other superpowers like Russia and China.
They do, but usually those actions are done against "belligerent" entities.
And though it's certainly not a great defense, the router bricking was unintentional.
The US generally does not engage in destructive actions with the intent of restricting the rights of their own citizens... just other country's citizens. China does both. Both are very bad, but I think the US still has a slight moral highground here.
I don't think this qualifies as an act of war, not by a long shot. But that does raise an interesting question: what would be considered (or rather should) an act of war in cyberspace?
Should the target be a whole nation? Or maybe enough of it to affect their ability to function? How much commerce disruption equates an act of war, even if no shots are fired?
You'd need some pretty good proof and how would you respond? With another cyber attack? Or escalate into a shooting war? Or by disconnecting the attacking country from the internet?
How much commerce disruption equates an act of war, even if no shots are fired?
I'm pretty sure blockading ports (as in cities where ships go, not network ports) counts, so that's a starting point. But on the other hand, blockades do tend to be backed up by at least threats of actual physical violence, so.... ?
> GitHub should get the full support of federal law enforcement, if not the military.
With a few exceptions, the US military has atrocious "cyber" readiness and capability. This isn't yet in their wheelhouse, and any public assistance they might provide would just be risking embarrassment.
As a non-paying customer I have seen nothing but 100% uptime and perfect service. If it weren't for HN and Twitter I wouldn't even know Github was under attack.
OAuth seem to have sporadic issues, which, I guess, may cause failures to "Log in with Github" auth on some occasions.
At least I've seen a few "connection refused"/"timeout" error notifications from one of the sites I manage. Don't know the successful login counts, so no idea how high the error rate is.
Too bad they bent over for Russian government though. I wouldn't bet on Github growing a spine anytime soon. If these attacks continue, Github will delete the material China wants them to. They already shown weakness once when they censored what Russia wanted to censor.
The difference was that the russian government did actively attack them, it merely was trying to block illegal content. Github didn't remove the repo, they simply blocked that page for russian users. Also the material they were blocking was a suicide poem, and while free speech was being minorly impacted, all in all it's removal didn't affect very many people.
In this case china is attacking them directly, and removing the repos in question would affect people's ability to use that software, greatly affecting freedom from censorship for many many people.
They inject jQuery not once, but twice, and only use jQuery to make a simple XHR request. Perhaps they are worried about one instance of jQuery being taken down or made unavailable to them, but they really don't need jQuery at all for something this simple.
It's not even an XHR request. It's a JSONP-style insert-<script src="someurl"></script>-into-the-body "request".
The fact they used jQuery to do this is incredibly amateurish. Especially since they didn't seem to realise they could do the same trick with <img> without creating an XSS vector.
I think it is an XHR request, despite that not being the best option, as you later explain. As in, it includes the jQuery script and then does a `$.ajax()` call.
the jQuery is being injected from 2 different sources. The first being from a Baidu CDN, I suppose they anticipate some kind of attack on Baidu and included the 2nd one as fallback.
As for jQuery being unnecessary for this job; agreed, but hey, it got the job done.
They might be using jquery because it abstracts away the quirks of different browsers (I seem to remember that old versions of firefox and IE had different APIs for making XHR requests).
Can Github ask for US Government help with it, since it's an attack by [presumably] foreign sovereign entity? It's paying taxes in US, right — so it may expect some kind of protection, isn't this what taxes are about?
""Cybercrime"" and ""cyberterrorism"" resources are only deployed (a) for securing more funding (b) for expanding US surveillance or sometimes (c) on behalf of big donors like the copyright industry.
The US has no interest in saying "international cyberattack should be illegal" because then other countries might insist that it stop. They could go for a trade war escalation, but that would at some point have Apple as a casualty.
Realize you're talking to folks who do this kind of stuff for a living, rather than just the random Internet denizens of most other websites.
The FBI will regularly inform and assist companies who've been breached, for example. The US government is very interested in protecting US companies.
That said, they don't quite have any guidance from congress on how to do that, so right now the assistance is limited. It is most certainly there, however, and your tinfoil-hat nonsense doesn't really fly.
When I was an admin of an IRC network we regularly reported large scale DDoS attacks to an FBI agent assigned to us. He didn't care. Some of those attacks took the network down for a while and resulted in many users moving to other networks. In at least two cases we even figured out the identity, address, and phone numbers of the people doing it and there was no movement on it.
Then one day one of the people we had the identity of boasted on how he had briefly brought down the website of one of the democratic primary candidates. We forwarded that information and our case was reassigned to another agent and the person was arrested immediately. I absolutely think it's true that the US government is only interested in protecting established and powerful figures. I suspect the reason is career driven - defending the little guys isn't glamorous and probably has no promotion impact.
Its a matter of finance more than anything - if the people of the United States are paying you to protect national interests that is exactly what they should be doing. I can't speak for your specific situation but my time on the internet leads me to believe they have bigger fish to fry. Sorry though man I know that had to suck.
Please don't write such baseless assertions; we are trying to keep the post quality high here.
Your other responder works in this field, and I have been on the other side (worked for a company that got this sort of help). We also regularly had the FBI come in and give talks on the sorts of things they were working on in this space.
I saw this on Weibo earlier, NOT from a trusted source. But the first and third rounds have been confirmed.
> 第一轮外域JavaScript,一个alert防住;第二轮外域img,Referer挡外面;第三轮GitHub Pages被D;第四波正在进行,是TCP SYN Flood攻击。
My translation:
> The first round was cross-domain JavaScript, stopped with an "alert()". Second round was cross-domain <img>, stopped with referrer. Third was DDoS-ing GitHub Pages. Fourth is the ongoing TCP SYN Flood attack.
But this is a response header, so server shoud respond and that is the goal of attack.
Browser doesn't send any request headers saying that site is opened in the iframe.
Any company that makes most or all of its money online is the subject of DDoS attacks for blackmail purposes, github a bit more so because the Chinese government doesn't like it.
It's unfortunately a very normal thing these days.
This attack is perhaps just a taste of something nastier.
The GitHub infrastructure is rock solid and gives valuable real time information via its status dashboard .
This seems ideal for measuring the impact of an attack before choosing a more critical target.
Hi, foreigner working in Chinese high tech company here. I wonder a bit, on which ground is this attack attributed to Chinese gov? It looks a bit unlikely to me. China has some cyber military but they are more likely to be pragmatic and choose wisely their targets. There's a bunch of script kiddies but they would choose also something else. However it seems possible that many servers hosted in China are not secured and could be used for this attack, by some other people.
Do you have a link to this? I haven't seen anything regarding HTTPS injection. Just injection of code into javascript resources hosted by Baidu CDN, over HTTP.
Thanks, so if I understand well, every js gotten from baidu cdn from outside China has a malicious code attacking github. Weird. It could be some test gone wrong, but I still don't buy Chinese gov attacking purposely and openly github like that. It's like showing your one time secret weapon way too early and on some wrong target. Or maybe it's a way to make some big noise to the left while the real target is discretely owned on the right.
> It could be some test gone wrong... Or maybe [misdirection]
There's a MITM injecting malicious javascript causing a prolonged DDoS for several days now. There have been times in the past where BGP "misconfigurations" have redirected large amounts of internet traffic, and we used to think, oh, Hanlon's razor, now we know better.
What convinces me this is not Hanlon is the precisely targeted nature and significant duration of the attack. Whoever controls these servers and routers knows this is happening and wants it to happen.
This isn't the first time [0] China has been accused of using it's filtering to DDoS enemies. It's not a secret weapon really, it's an obvious capability of being able to redirect a large majority of your country's internet traffic at will.
China and Chinese have been accused of all sort things. From ten years spent there I can tell you accusing their gov to be stupid is really dumb. Attacking github is the most useless attack they could invent. Therefore it's not them. Or it is a side effect.
I agree it seems to be a stupid move for a government, and maybe someone else has gained access to the right routers. But "some test gone wrong"? You can't be serious. This is a carefully targeted attack and includes packets that can't be generated from a web browser.
I don't see why there are so many downvotes to this. This is a clear and obvious counter-argument to people jumping the gun and saying it must be the government. While it doesn't _prove_ that it wasn't the government, there's certainly a lot of room for doubt.
Edit: and this post adds even more doubt: https://news.ycombinator.com/item?id=9285343. There's no clear reason why the PRC's first move would be to turn toward DDOS. As other people have written, it's way too powerful of a weapon for them to use it on something so foolish. Keeping an open mind on this one.
The official cyber force of China is not the biggest suspect in most attacks like this. The loosely controlled civilian hacker force (think privateer pirates) launch most ddos-style attacks on foreign soil.
China has approximately 2 million people in its 'cyber army'. Not all of them are going to be experts, but sheer volume makes them probably the most effective 'cyber army' out there.
If that's true (which I don't know) then just directing those people manually visiting websites would bring quite a few targets to their knees, some basic automation and you have a real problem.
Interestingly enough, if the attacks never stop (which is a possibility), the engineers at GitHub might still come up with a way to effectively nullify DDOS and continue their normal operations.
Which would be a massive advance in cyberdefense. It's unlikely, but it would be a great example of "natural selection" (via their intelligent engineers' efforts) at work.
It will no doubt take ingenuity, but I don't think any other website than GitHub is in the position to do this. Especially right now.
Nullifying DDOS doesn't take ingenuity, it takes a big wallet, which Github no doubt has, but let's not pretend that its some engineering feat. If it was, a small company being ddosed would have a chance at fending it off all the same, but that's just simply not the case.
> Nullifying DDOS doesn't take ingenuity, it takes a big wallet
The problem in this instance relates not to the absolute size of Github's wallet, but the relative size of its wallet compared to whoever is sponsoring the attack. State-sponsored actors (if that is what is happening here) have many dollars at their disposal.
Honestly, if you start by saying you're not well versed, how can you confidently make a statement about whether it is possible or not?
Large scale DDOSes are usually the most damaging when they're high bandwidth (Layer 7 attacks can usually gradually be mitigated by well written firewall rules placed on the proximity of the network). When a DDOS is just maxing out the bandwidth coming into your network or sometimes even data center, no amount of clever algorithms can make your pipes bigger. For that, you need money.
It can be a weakness in a widely deployed, vital protocol and that would be technically impossible to fix- not because of the technology but because altering the protocol would either require everyone on the Internet to change their software, or it'd preclude certain types of communication, or both.
What does NP have to do with it? NP-problems are perfectly solvable, it's just that they take more than polynomial time to solve them relative to the size of the inputs. You were probably looking for something like "not computable" for when there is no possible algorithm to solve a problem.
Ha this is actually interesting. I'm doing a research project at school on DDOS mitigation with AITF. This seems like exactly something github could use right about now.
It would be interesting to compute the value (in MWh for example) of the energy used for this attack. Seems massive to me. Not just the traffic but the job performed by each computer.
I really wish they would post what the attacker wants removed so we could mirror it, post it, etc. The streisand effect is a good response to things like this I think.
It appears that the first attack was targeted at https://github.com/cn-nytimes/ and https://github.com/greatfire/ [1]. Accessing these two pages still responds with `alert("WARNING: malicious javascript detected on this domain")` which is supposed to be executed on the (innocent) client's browser.
If this is China doing this, it makes me so upset the US has spent years and billions of dollars building up their economy instead of countries like Mexico.
Our relationship with them is almost as bad as our middle-eastern oil addiction.
> $6.1 trillion or approximately 47% of the debt held by the public was owned by foreign investors, the largest of which were the People's Republic of China and Japan at about $1.3 trillion and $1.2 trillion respectively.
This news about attack make me wonder why isn't GitHub just blocked these repositories for all Chinese IPs. It's would be logical after they censored certain repositories for Russian IPs:
And no I'm don't support any of this and strictly against any censorship, but still it's looks weird why GitHub agree to deal with Russians, but not Chinese.
Its because the requests aren't actually coming from China. China is redirecting worldwide users from Baidu to GitHub. Sorry, I don't have the link handy, but it was in that WSJ article on the front page.
I do understand this, but if it's Chinese government behind attack the reason why they doing this it's these anti-censorship projects hosted on GitHub. Considering GitHub already supported censorship in Russia I see no reason why don't they just block access from China to projects that Chinese gov don't like.
Because Github does not want to be complicit in Chinese government censorship, and if they blocked what that government obviously wants them to block, then they would be.
> Because Github does not want to be complicit in Chinese government censorship
I think you are missing the guy's point: what is the difference between Russian censorship and Chinese censorship?
Github made a deal with Russia - why not also China?
I know this might soUnd Kafkaesque but here it goes: Internet censorship is extralegal in China and the official stance is to deny its existence. They are known to be somewhat proud of the fact that "we respect internet freedom and never took down any websites hosted overseas". There is going to be no deal because that would be an admission of responsibility.
So fact that great firewall exist isn't officially documented?
Didn't know about that, that's make the difference. Usually in totalitarian countries everything is well documented as everybody want to put responsibility on someone else.
Haven't seen many stats, but I'm pretty sure they could. If I remember correctly they deflected one of the largest we've ever seen which even made trouble for the Internet's infrastructure.
Anyway, even assuming the traffic is infinite, (to my understanding) most of the flooding IP's are from china. If that's the case it would most likely only affect the datacenter handling Chinese traffic. So even if it's really bad, only a (relatively small)[1] part of the world would notice.
[1] relatively small in terms of the size of internet, not number of people
L7 attacks come down to how much you can cache. If GitHhub was a purely static site, they wouldn't have trouble serving the requests themselves in any case.
Github can solve this problem with CloudFlare to the same extent that Github's product can be replaced with a hundred nginx servers with 10Gbit uplinks, large RAM caches, and effectively zero CPU time spent on each request.
For what it's worth there's an article[1] from Craig Hockenberry. His servers were hit by massive amounts of traffic from China earlier this year, targeted (randomly?) at Iconfactory's website. The charts are quite impressive.
Agreed about the extremely small attack, but one pi couldn't have done it. You'd need at least two or three. A pi will only get you to ~3Mb/s sustained ethernet. That's because ethernet is tacked onto the USB subsystem in a funny way.
That doesn't look anything like the attack on GitHub. His server buckled from a couple of thousand requests because his webserver was misconfigured. GitHub probably handles an order of magnitude more requests on any normal day.
I'm not sure you understand the concept of "order of magnitude". Taken literally, you're saying you think Github handles 10 000 requests per day, which is about a factor of 10 000 to 100 000 (4-5 orders of magnitude) too low.
No. Per second. That would work out to ~ 1 M req/day. I have absolutely no idea if that's in the right ballpark or not, my point was that the misconfiguration that took down some guy's web server has absolutely nothing in common with what Github faces.
Ok, per second it makes more sense. I couldn't find hard stats either, but one semi-dubious-looking traffic tracker said github.com sees 10 million req/day. It looked like that was for just the front page; how do we even define what a request is? For more reliable sources such as Alexa you have to pay to get these numbers.
As convenient as GitHub is, let this be a lesson to ensure you have multiple remotes for your repositories. The more popular GitHub gets, the more it will become a target from a wide range of vectors.
All your devs already have copies or your repos, and setting up a common server to share over ssh is easy (first thing we did on Friday). The bigger issues are dependencies, most people's builds these days depend on pulling dependencies from github.
Gizmodo has some info. but I wanted to find a less trashy source; the register has a story [1]. In short, it's suspected that the Chinese government is behind the attack because there are some projects hosted on GitHub that it ideologically disagrees with.
Which raises the question: when will the rest of the world kick China of the internet? First it was redirecting Chinese internet users to random IPs, if the government didn't like their DNS queries and now they're doing ddos attack on a site that host a large percentage of open source code, used for a whole host of service and products.
At some point it's going to make more economical sense to kick China of the internet.
Net neutrality is about carriers treating all traffic equally. Banning a country from the internet is discriminating traffic by origin. That sounds like a net neutrality issue if there ever was one. Whether the discrimination happens in the hardware or in the software stack is a mere implementation detail.
Sure it is, but if some carriers are a state-sponsored arm of a bad actor and are told by their masters not to treat traffic equally, thus breaking the net neutrality pact, then what are the responsibilities of the the other carriers?
So because the Chinese government are being hostile, all the chinese companies innocently doing their own business should have their comms cut off as well? Chinese families should not be able to contact their travelling members? This is definitively the exact same issue - the Chinese government is not the only entity to use the Chinese intertubes.
I disagree with parent but I have learned from this case that anyone with access to a major CDN or the great firewall can take down any website. There is unbalanced power. What if I don't have access to the OPs team of github?
> > Which raises the question: when will the rest of the world kick China of the internet?
Well, that's exactly what the DDoS wanted, so the government could just happily control all access to Internet in mainland China
The DDoS targets github.com/greatfire and github.com/cn-nytimes by their so called "collateral freedom" [1]
Suppose github could just ban Chinese IP all together, but @greatfire could easily jump to another host and abuse ToS to hosting "neutral" political content, like bitbucket[2]
Many webmasters have already banned all Chinese IPs, so gradually, every public hosting service will eventually ban all Chinese IPs, Chinese government could easily destroy the rest of circumvention methods
The first attack based on the Javascript wasn't actually using Chinese IPs to do the attack. As otherwise it'd indeed be very easy to block by just blackholing Chinese traffic.
What it was actually doing was a massive MITM attack against non-SSLd HTTP connections from inbound connections to China, from Chinese users abroad visiting Chinese websites. It's an extremely clever trick that is only possible if you have the ability to mount mass MITM attacks on an entire country, but what it gives you is a massive ever shifting botnet.
The lesson I draw from this is that we need more SSL, we need it everywhere and we need it yesterday. I hope this stuff puts to rest the idea that some websites aren't worth being encrypted.
> Chinese government* already has a root CA in all* * browsers.
* For definitions of "Chinese government" that includes the Beijing non-profit China Internet Network Information Center, which isn't technically part of the government, but presumably is easily pressured.
* * For definitions of "all browsers" that excludes some minority browsers and those browsers run by users who have disabled the CNNIC root cert.
I have no doubt that the Chinese government has access to the CCNIC root certificate private key if it so chooses, but demanding the private key for an existing domain certificate would provide slightly less traceability and slightly more deniability.
Buh? Encryption is de-facto illegal in China. To the extent SSL is used, you can be sure that the government already has a copy of the master key. I've worked on Chinese deployed train systems, and we were banned from encrypting train control signals (signing was allowed, though), just in case someone might try to sneak in a political message in an ATO control telegram...
So breaking encryption is accepted; serving malicious scripts is accepted (it's what happened in this attack), but breaking encryption to serve malicious scripts would be out of limits? That doesn't make much sense.
Serving malicious scripts is very bad, and may not actually be accepted. I know I would hesitate to use baidu analytics after this. But people might come around if they say something about SSL and wont happen again.
If the encryption is then broken and it is done again, then a) it will prove that China did it. Because you can see who signed the certificate. b) it will prove that technical countermeasures are not enough, since the problem is deeper than that.
> Why is encrypting train control signals a good idea?
Because someone might like to mess with train signals, and in the off chance that some weakness is found in the MAC/signature scheme you're using, forcing an attacker to guess at which messages they're manipulating and how will make their attack more difficult.
If you're working with a networked application, even if it's on a non-public network, you should be asking yourself "why not encrypt?" instead of "why encrypt?". This is doubly true of critical infrastructure that's expensive and slow to replace.
If that was what the Chinese government wanted they could simply block all access from China to github. In fact they did that once but had to undo that because the damage to the IT sector would be too big. China doesn't want github inaccessible, they want github to take down repos which the Chinese censor doesn’t like.
Hmm, maybe Github could block all access from China except for these two projects, serve a special home page with install instructions, and make it so that with either of these installed you can access all of Github from China?
Hopefully never. IMO access to the internet is a basic human right, like clean water and immunization. I wouldn't choose to deny these things to citizens of any country.
The internet is how we maintain dialogue between peoples when our Governments behave like posturing (arse|ass)+holes. The worse a Government behaves the more (not less) internets the country should receive.
Taking your question at face value, some people say "arseholes", some people say "assholes", and some people just say "holes". We can factor out the "holes" to get that some people say "arse", some people say "ass", and some say nothing extra. We get alternation in regular expressions by separating them with a vertical bar, so we have a regular expression:
arse | ass
That's optional, so we have the regular expression:
(arse|ass)+
Put back the "holes" and we get the regular expression:
Taking your confusion at face value, what you should have done is to use a question mark ‘?’ instead of a plus sign ‘+’. Otherwise, the string which
oneeyedpigeon posted also matches your regexp.
Hah! That explains it! Yes, the "+" usually means "1 or more" rather than the "optional" which I assumed. I rarely use either, because in my computing history I've used RexExp engines that didn't use those symbols consistently.
I'll leave my comment there as a testament to writing from memory and experience, rather than taking the time to check modern standards, and how things might have changed.
China will be kicked from the internet at about the same time US and their NSA will be kicked.
Which is quite unlikely. We don't kick out USA because NSA breaks into backbone routers, steal encryption codes from sim cards, and steal traffic from google search, Gmail and Facebook. China attacks github, and the reaction will be likely the same.
At some point, it is going to make a economical sense to issue a treaty against this kind of behaviors. A treaty that forbids attacking fellow nations infrastructure and businesses over the Internet will benefit everyone, and it is going to take a long time before it is commonly understood.
If the PRC were merely snooping, and not actively attacking, that equivalence would work.
I was also under the impression that this is already in violation of treaty, the only saving grace for the PRC being that it hasn't been proven it's them.
Hardware caught in transit and infected by malware.
Firmware infected with malware at factories.
Bricked backbone routers, causing widespread outage during civil war.
Hacked phone companies.
Stuxnet, a computer worm designed to sabotage industrial centrifuges.
A $6 billion trade contract being manipulated in favor of Boeing.
A $1.3 billion contract trade contract being manipulated in favor of American defense contractor Raytheon.
Weakening products and standards that Internet users.
Should I continue? The list goes on and on and on as more leaks are reported on. Using that definition of snooping, we can just call PRC action snooping too.
> Hardware caught in transit and infected by malware.
For... hmm... backdoors to data? (Laptops with Stuxnet covered below)
> Firmware infected with malware at factories.
For, yes, transmission snooping. The PRC has also altered routers and other computerized electronics, including those intended for use by militaries in various Western countries.
> Bricked backbone routers, causing widespread outage during civil war.
Yes, by accident [1] while attempting to surveil (snoop). Not sure if disabling Syria's internet is worse or better than China's DNS poisoning which affected everyone... by accident.
> Hacked phone companies.
For what purpose, I wonder?
> Stuxnet, a computer worm designed to sabotage industrial centrifuges.
A. Not done over the internet, done by sneakernet. B. Nuclear reactor facilities in Iran are really not the same as GitHub.
> A $6 billion trade contract being manipulated in favor of Boeing.
That's nefarious, I'll agree... except, the NSA just blew the whistle on Airbus who was bribing Saudi officials. The information was indeed gained from--wait for it--snooping. [2]
> ...Raytheon
Same deal there... The CIA was the whistle blower against the French competition. [3]
> Weakening products and standards that Internet users.[sic]
LOL.
Of the two actions you do cite that aren't surveillance, one has nothing to do with the internet and the other was for the purpose of surveillance. So no, the U.S. government's surveillance program is not the same as the PRC performing a DDoS attack on Github.
Backdoors has a lovely side effect, in that they are backdoors. They can be used to take control over devices, as in. That they can also be used for data transfer is a side effect of the active attack called "implanting an backdoor".
But okey, if all those are just snooping and not active attacks, let just assume that PRC gained the information to attack github by snooping. DONE. It is now just snooping as per your definition.
> A DDOS attack on github.
>> except, the PRC just used information, information which was indeed gained from--wait for it--snooping!
In computer security, we have terms to distinguish this. Its called passive and active attacks. PRC and NSA both perform active attacks on other nations infrastructure, businesses, governments and military. The purpose: To gain political, economic and military benefits.
It would be a huge mistake to cut of China from the internet. Whatever power the US wields militarily as well as economically is an absolute joke compared to the power it wields culturally. American culture through movies, tv and music dominates global culture, allowing it define what normal society looks like.
You want the people in China consuming more and not less of it.
> You want the people in China consuming more and not less of it.
Want all you wish, the Chinese government is actively stopping and blocking the outside internet at an alarming rate. I was in Beijing a few weeks ago and couldn't load google, youtube, gmail, gmaps, instangram, facebook, twitter, various chatting apps, imgur, and on and on. Even using VPNs were difficult. I don't see this stopping anytime soon since it allows 1) control of the people and 2) growth from copying a western products and forcing the people inside the firewall to use the Chinese cloned version.
I spend about 6 months of the year in China. Yes, I am forced, as you say, to use the Chinese versions of everything, but, to be honest, it doesn't worry me. I use Baidu to put my teaching notes online for my students - it is as good as DropBox. Bing is allowed and works fine as a search engine, even if it blocks any results for "naughty" words. It becomes a bit of a game to see which double entendres it doesn't recognise. Conversing on English corner one night, a student asked me what I thought about their government blocking Google. I think my answer surprised him: I said, "Do you want Google to rule the world?" My implication is that I think services like Baidu are good competition for Google. I honestly think that the governments blocking of Western services is a business decision. It's highly likely sites like Bauidu pay the government a cut to continue the blockade. Imagine a world where you don't get continually served with Google ads. That's pretty close to Nirvana in my opinion.
Are you really serious? Adblocking is trivial and does not require government censorship. And how does allowing access to Google let them rule the world?
I think you miss my point. As I see it, the Chinese government are basically blocking Google as a business decision. Take a look at Baidu. You will be amazed at the number of services they offer. On the roads in China you see a lot of Audis and Mercedes. These are mostly driven by Government officials. There are many avenues for Government officials to earn money. I don't know the size of companies like Baidu and Ali Baba, but I would warrant they are many times the size of Google and Amazon. Government officials want a piece of that action. If you really think this all about freedom of speech, you seem somewhat naïve to me. It's money, money, money.
I am sorry. I have to let you connect the dots. I have a university job in China and I don't want to be kicked out of the country. Just follow the money.
The valuation of Baidu is currently around $50 billion. Compare this to Amazon which is valued at $125 billion, and Google at $375 billion. Apple is at $600 billion. So you're basically wrong.
Think about it: the government wants to cut us off from the rest of the world, that would make them happy, but would PISS a lot of people off. Anyways, if the westerners did it for the Chinese government, the people would be angry at them rather than the government...
If you try to complain to China Telecom about not being able to access Facebook, they already blame it Facebook since none of these sites are "officially" blocked. This would just play into that lie big time.
> the government wants to cut us off from the rest of the world, that would make them happy
Chinas ability to manufacture and sell hinges critically on internet connectivity. Of all the sanctions that would be effective I think an internet blockade is one of the more practical and effective ones.
I don't think they would be too concerned about an internet blockade, it would work to their advantage EVEN if it would hurt the economy and make a lot of the people's lives harder. That they could blame the "imperialist westerners" for this means that they can easily deflect any dissent outwards (as often happens in hard times...e.g. see the most recent anti-Japanese protests).
Highly same-minded swarm at this size is very dangerous. The controller is using it for its own purpose. The best strategy might be waiting for the swarm loosing it's basic power supply and falling apart. But this would affect the world economy as well, especially after 2007.
> Are countries (and their citizens) only permitted to be connected to the internet if their culture matches that of your country/federation?
Don't be so easily offended. Nobody said anything about their culture. The reason the question is being raised is because of the unignorable number of DDOS attacks being launched from their Internet space. Stop that, and you'll have less calls for cutting their connection.
It has nothing to do with culture. It has to do with committing crimes against the global infrastructure. Nobody is calling for the disconnect of Japan, Vietnam, South Korea, or even North Korea because none of those countries are taking a dump in the swimming pool we are all trying to use.
This speculative attribution seems a bit fishy to me.
This attack is a clumsy way to harass those projects. It's not sure to work, and is bringing the specific projects more attention in the meantime. As an official (or easily-attributable) extra-territorial action, it seems both unprecedented and disproportionate.
It's also drawing extra attention to the border machines and their capability to do man-in-the-middle tampering. I'd have thought CNGov would want to be miserly with that capability, to suppress awareness of the risk or development of countermeasures/workarounds.
I wouldn't completely rule out that this might be an action by some other party that intends, in a roundabout way, to raise an alarm about Chinese net borders.
They also have a pretty good weapon to aid them in this - their internet users.
They've been redirecting traffic of its user to load GitHub, which is a very smart/evil tactic to use - this is what certain sites did years ago to take down their smaller competitors.
I doubt the Chinese government is behind the attack - except for maybe not caring enough to do anything about it.
Basically the government doesn't really care what other people do outside the Chinese Internet, and just block anything they don't want local people to read.
Far more likely is a 'red hacker', e.g. Someone hacking for patriotic reasons and has taken issue with those projects hosted on GitHub.
It may well be that the person has government connections or works in some way for the government but I'd be surprised if it was a government sponsored/sanctioned attack - especially because there are far more likely candidates who will be far easier to take offline than GitHub.
The Chinese government's strategy has generally been about keeping things out, not taking things down.
I might not have lived in and researched China for 28 years, but I'm not exactly a stranger to the place and have spent the better part of a decade in China and the greater China area and have been circumventing the great firewall for almost 15 years.
Unless your China research has been limited to something like the tea cultivating habits of the Bulang minority, you should be able to list off the top of your head a half dozen better targets than the current attack, which is two relatively small projects, largely unknown to the Chinese people, and hosted on another website (GitHub) that is once again largely unknown to majority of Chinese Internet users.
I still stand by my statement that the Chinese government doesn't really care what the rest of the world reads/watches so long as they can control what their local citizens have access too.
If the Chinese government wanted those projects gone they would just block those project pages. Their current infrastructure is more than sufficient to do that both from a technical perspective in blocking just those projects rather than the entire GitHub domain, and from a man power perspective (tens of thousands of people employed to monitor the web for 'objectionable' content).
If the government was really interested in knocking material they find objectionable off the internet through a DDoS then thanks to the GFW they already have a big list of sites and content they don't like and they could take the total GitHub DDoS traffic and proportion it among the top however many sites they don't like and bring them down far more easily than bringing down GitHub, and with far less people caring about it.
P.S. If you want me to take you seriously as an expert on China, you probably shouldn't put google-translated Chinese messages on your twitter feed.
If the PRC solution was blocking the project pages, then Chinese users could just fork clones to circumvent the block. Forcing foreign organizations to anticipate some cost in supporting anti-censorship software is precisely about controlling their own citizens. Your personal attacks do nothing to support your argument. The use of these tools, at large, by the Chinese people may not be what the attack is about. It could very well be a an effort against some select group that are known users of these tools.
The GFW is advanced enough to do automated blocking based on content. People could keep forking and those projects would keep getting blocked automatically.
Yes you could change wording up, but then you run the risk of either obfuscating it too much that users of the program don't how to find it, or the government updating filters to block the changes content also.
Groups with real desire to circumvent the GFW have other ways to do it. I've been use ssh tunnelling for almost 15 years without major issues.
My view - based on no evidence, just reasoning from what we know - is that China are scared of Github.
They can't shut it down fully, because doing so would shut down their software engineering capability (it has got that important). And people can host basically anything there, including anti-censorship software.
Attack feels like a power play to me. Either to pressurise Github into censoring for the PRC - "block the repos we hate, or we DOS your whole service again".
And/or to build a local competitor. The more Github is down, the more it is considered "anti-China" in China, the easier to build a local competitor.
This is all just my immediate hypothesis from the news. I'd love to see somebody who knows more about software development in China to say what might be really going on.
And/or to build a local competitor. The more Github is down, the more it is considered "anti-China" in China, the easier to build a local competitor.
Or even globally. GitHub is, as you say, very important for the IT industry. Maybe China thinks it's too important. Make Github unusable for everyone else in the world and people, even outside China, might start looking elsewhere.
Hactivist by itself doesn't imply anti censorship. Just people who hack as a form of activism.
In china there are hacktivists that are against the government and hacktivists that support the government's agenda and who hack for patriotic purposes and to avenge perceived slights against china.
And it's far more likely that they are behind this sort of thing.
People with the skills to be a member of that sort of group have no need for either of the two relatively obscure projects hosted on GitHub to circumvent the GFW.
1. Even if this isn't a PRC-ordered or sponsored attack, large parts of their infrastructure are being co-opted. If they aren't criminally involved, they're criminally irresponsible.