GitHub Defenses Hold in 4-Days-and-Counting Battle

After battling a distributed denial of service attack for four days, GitHub on Monday was able to restore normal service levels.

The primary target of the assault is GreatFire.org, which is hosted on GitHub. GreatFire has attracted the ire of the Chinese government for offering anticensorship tools, including access to uncensored versions of The New York Times.

“Very clearly, the Cyberspace Administration of China is behind both of the recent DDoS attacks,” GreatFire Co-founder Charles Smith told TechNewsWorld.

The attack used malicious code inserted in China’s version of Google Analytics, Baidu Analytics, to turn millions of unwitting users into procreators of crippling DDoS traffic aimed at GreatFire.org and GitHub, Smith explained in a post on the GreatFire website.

“Inserting malicious code in this manner can only be done via the Chinese Internet backbone. Even if CAC did not launch the DDoS attack directly, they are responsible for managing the Internet in China and it is not possible that they did not know what was happening,” he wrote.

“Hijacking the computers of millions of innocent Internet users around the world is particularly striking as it illustrates the utter disregard the Chinese authorities have for international as well as even Chinese Internet governance norms,” Smith added.

Atypical Attack

The attack on GitHub and GreatFire is atypical in both its length and intensity.

“Amateur attackers tend to give up after a while, because it’s a lot of effort to keep up the attack, especially without some kind of financial motivation,” said Richard Stiennon, chief research analyst at IT Harvest.

“It’s unusual that it’s been going on for four days like this,” he told TechNewsWorld.

The magnitude of the attack — 700,000 requests per second — is also unusual.

“That’s bigger than the majority of the attacks we see,” said Ofer Gayer, a researcher with Incapsula. “We usually see attacks at a maximum of 200,000 to 300,000 requests per second.”

Because of the magnitude of the attack, it’s likely a large player like a nation state is behind it.

“You need to have good control over infrastructure to mount an attack like this,” he told TechNewsWorld.

“The Chinese have control of the infrastructure of an entire country, so they can divert traffic to wherever they want, inject code they want to run, and create requests with the code to GitHub,” Gayer explained.

Clever Adversaries

The method used to launch the attack is difficult to combat.

“With botnets, all the requests look pretty much the same, so once patterns are identified, you can block them,” Gayer pointed out.

“In this case, it’s very diverse. You have many different IPs and browsers creating non-homogenous traffic,” he noted. “This attack is very clever, and it’s not very easy to mitigate.”

However, GitHub has come up with a clever way to counter the attack. Once it identified the malicious resource generating requests, GitHub used it to trigger an alert for a user. If the user didn’t respond to the alert, the loop creating requests would break, and a device would stop sending requests.

“That reduced traffic from a user by a factor of anywhere from 10 to 100,” Gayer said.

US Action Needed?

If China can be identified with some degree of certainty as the perpetrator of the attack, the U.S. government should intervene, maintained IT Harvest’s Stiennon.

“We’ve already established a precedent with the reaction to the attack on Sony,” he said.

“As soon as they can get the same level of assurance of attribution, then, at the very least, they should use diplomatic efforts to get them to stop,” Stiennon argued.

“GitHub is an extremely important website for software development,” he said. “Many of our startups use GitHub as their software repository. It is part of the core infrastructure for our technology industry.”

If China is involved, its decision to attack GitHub could backfire on the country.

“These attacks also illustrate the shortsighted nature of the Chinese authorities,” Smith wrote. “Weaponizing Chinese Internet services stifles global confidence in Chinese entrepreneurs and contributes to the fragmentation of the global Internet.”

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

CRM Buyer Channels