After a massive denial-of-service attack that’s interrupted the open-source project host GitHub, an Atlanta cyber security researcher says he’s traced the traffic back to China.
Rob Graham — the outspoken owner of Errata Security, who once dismissed the FBI’s accusation that North Korea was behind the Sony breach as nonsense — said he was able to perform a complicated traceback that found a machine distributing malicious code behind the so-called ‘Great Firewall of China’.
For the uninitiated, GitHub is a popular service that allows programmers to post their code so others can review it. There are millions of projects hosted by the service.
It’s an essential tool for programmers in the United States and abroad. GitHub also hosts mirrors, or copies, of websites.
Among those websites are GreatFire — which provides tools that help Chinese citizens circumvent the country’s internet censorship — and the Chinese version of the New York Times.
“China blocks the offending websites, but it cannot easily block the GitHub mirrors,” Graham wrote in a blog post.
“Its choices are either to block or allow everything on GitHub. [And] since GitHub is key infrastructure for open-source, blocking GitHub is not really a viable option.”
That supposedly has left the nation with few choices.
The one it’s seemingly chosen: flood those specific GitHub URLs with traffic in order to pressure the service into removing those pages.
GitHub identified the DDoS (distributed denial of service) attack last week.
Imagine a DDoS as a rush of water overcoming a dam, causing a flood.
During an attack of that type, think of millions of machines all calling up the same website at the same time. The result: The website won’t load.
Graham isn’t the first person to come to this conclusion.
Others — particularly those at the Swedish cyber security company Netresec — quickly alleged that the malicious code used in the attack is tied to the Chinese web services company Baidu.
Think of Baidu as you would Google.
That code, which looks as if it is meant to measure website analytics, was able to turn the computers of visitors outside China who loaded Chinese websites into a botnet.
Once those computers picked up the snippet while visiting Chinese websites, they began requesting GitHub pages in such overwhelming numbers that the site started experiencing problems.
What Graham is alleging, which he says takes Netresec’s research one step further, is that China is using its ‘Great Firewall’, the system that walls its citizens off from content the country censors, to insert that malicious code.
It’s a feat that only nation-states could accomplish because of the scale of their infrastructure and their legal coercion.
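The in-path modification Graham describes, a third-party script arriving at the browser with bytes it was never published with, is exactly what Subresource Integrity (SRI) is meant to catch on the client side. The Python below is an added example, not code from this article, Graham, Netresec, GitHub or Baidu; the analytics script and the appended bytes are constructed stand-ins, and it assumes the embedding site pins its script with an `integrity` attribute.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for an ordinary third-party analytics script, exactly as
# the site owner expects it to arrive (not a real Baidu or GitHub artifact).
EXPECTED_SCRIPT = b"(function(){new Image().src='/stats.gif?t='+Date.now();})();\n"
# Constructed stand-in for bytes an in-path injector might append; an inert
# comment is enough, because only the changed digest matters here.
INJECTED_TAIL = b"/* constructed: bytes added in transit */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_value(body: bytes, algo: str = "sha256") -> str:
    """Value a site owner pins in <script integrity="...">: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """True only if `body` matches a pinned digest in `integrity`.

    Mirrors the browser's check before executing a script carrying an integrity
    attribute: bytes altered anywhere between origin and browser change the
    digest, so the script is refused rather than run.
    """
    for token in integrity.split():
        algo, sep, expected_b64 = token.partition("-")
        if not sep or algo not in SRI_ALGOS:
            continue
        actual_b64 = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
        if hmac.compare_digest(actual_b64, expected_b64):
            return True
    return False


def demo() -> dict:
    """Pin the expected script, then check a clean copy and a tampered copy."""
    pinned = sri_value(EXPECTED_SCRIPT)
    return {
        "pinned": pinned,
        "clean_ok": verify_sri(EXPECTED_SCRIPT, pinned),        # True
        "tampered_ok": verify_sri(EXPECTED_SCRIPT + INJECTED_TAIL, pinned),  # False
    }
```

The pin only protects the script it names: the HTML page carrying the `integrity` attribute must itself reach the browser unaltered, which in practice means serving that page over HTTPS.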
Graham says he was able to come to this conclusion while tracing the IP address of one of the servers loading that malicious code onto innocent people’s computers.
The machine, Graham added, is connected to China Unicom, an internet service provider in the country. That suggests the ISP, with or without Baidu, may have been in on the scam.
Or that China is hacking companies within its own borders.