GitHub DDoS Security Update and Analysis
I was given an article to read by a friend about GitHub’s recent DDoS attacks they began experiencing last Thursday. As a web developer who uses GitHub, this seemed interesting even though I was never really into security news. However, it caught enough of my attention to the point where I included it in last week’s episode of TiG Tech Talk.
All the articles I read on this pointed the finger on China, saying they were the root cause. The evidence for this did seem to add up. As of now, I also will say that China was behind the attack, and I am very strict and careful when it comes to pointing fingers.
GitHub, however, remains silent on the cause of the attack and gave the following statement:
“Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content.” – GitHub
The article I received was from Vice who was the one to conclude it was from China. They stated that China loaded some JavaScript code into various websites which would make an Ajax request request to GitHub. What this basically means is that certain websites now have secret code hidden inside them that will talk to GitHub. The computers that are doing the ‘talking’ work are regular user’s computer (it uses their computing power) who are browsing a website, now knowing it’s been infected. Not only that, but the request to GitHub was being made every two seconds a user browses an infected website.
This is where DDoS comes in. DDoS stands for ‘Distributed Denial of Service.’ When a DDoS attack is intended against a victim, this means the intention behind the attack is to stop the victims services. So for GitHub, the attackers intention was to stop GitHub’s website (or take it down).
This intention can be accomplished by constantly making requests to a victim (GitHub), until the victim will finally stop allowing requests because of the price they pay for constantly handling these requests. A simpler way of explaining this is to imagine if someone paid a hundred people to knock on your door one after another. When you respond to the first random person, not knowing who they are, you would ask them to leave or say ‘wrong house’ or something. Same with the second person, third person, and this will go on until you finally get annoyed and stop answering the door all together. In other words, stop handling requests all-together. This is how you have been ‘shut down’ since you are no longer answering your door. So the attackers who made constant requests to GitHub were hoping that GitHub will simply stop responding to requests. This will lead to making GitHub near useless.
One might ask, why doesn’t GitHub just block the source of all these requests? The answer is simple. We stated earlier that the code runs on the users’ computers when they visit an infected website. This means the source of the attack is not from one location, but hundreds or thousands of many locations distributed throughout China. So the only way for GitHub to block the source of the attack is to block all of China. But if they do this, then the China hackers have won.
Now why do I say that China did this? It could be some Chinese citizen in his basement causing the attacks. The reason I believe China (as in the Chinese government in charge of their internet) is behind this attack is because of the evidence.
A user by the name of Anthr@x exposed this on his website. He found a website that’s been infected with the secret injected hacking code. This was found when he received an alert on his browser which stated: “WARNING: malicious javascript detested on this domain.”
When he examined the code, he found that there was secret JavaScript code (which he ridiculed saying it was barely secret) that made an Ajax request to GitHub, as stated earlier in this article. However, when looking at the URL of the victim of the request, he found that they weren’t just attacking GitHub.com. But the URL was specifically to GreatFire.org’s GitHub page. This means the attacks were directed at GitHub.com/greatfire. (Another URL that was attacked was Github.com/cn-nytimes/, which looks like a project for China New York Times).
When you go to GreatFire’s website, you will find that it’s a website exposing China’s strict internet regulation laws. The website accomplished this by listing what China has blocked since 2011. If this website is legit, and China wants to keep their internet regulations secret, then obviously this website would be an enemy to China. From this, I can also conclude that China was behind the attacks on GitHub since they were trying to attack GreatFire’s GitHub page.
What’s even weird is that when I navigated to GitHub.com/greatfire, and Github.com/cn-nytimes/, I receive a message on the page saying:
alert("WARNING: malicious javascript detected on this domain")
But this code was only displayed. Not executed. If it was executed, it would show a popup with the warning message.
But a questions arises: Why would China attack GreatFire’s GitHub page if the only one that is infected is GitHub. Constantly attacking GreatFire’s GitHub page does zero damage to GreatFire, and does 100% damage to GitHub. Either they’re not intelligent when it comes to GitHub and internet traffic, or they just don’t like GitHub.
This is a very pathetic attempt to hide themselves also. JavaScript is a scripting language. This means the code is not compiled which also means we can see the code. This can be done by opening the developer tools on any modern web browser, and you can see the code. Or, if you’re using Chrome or Internet Explorer, you can simply right-click anywhere on a page, and click ‘view source.’ Then you can see the code of that webpage. So when someone sees a code that is making constant attacks on an anti-China website, then China is likely the hacker.
This was my opinion. Tell us what you think below.