Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

China's 'Great Cannon' DDoS tool enforces Internet censorship

Loek Essers | April 13, 2015
Sophisticated attack tool can also be modified to inject individual users with malware, researchers found.

China is deploying a tool that can be used to launch huge distributed denial-of-service (DDoS) attacks to enforce censorship. Researchers have dubbed it "the Great Cannon."

The first time the tool was seen in action was during the massive DDoS attacks that hit software development platform GitHub last month. The attack sent large amounts of traffic to the site, targeting Chinese anti-censorship projects hosted there. It was the largest attack the site has endured in its history.

That attack was first thought to have been orchestrated using China's "Great Firewall," a sophisticated ring of networking equipment and filtering software used by the government to exert strict control over Internet access in the country. The firewall is used to block sites like Facebook and Twitter as well as several media outlets.

However, while the Great Cannon infrastructure is co-located with the Great Firewall, it is a separate, offensive system, with different capabilities and design, said researchers at the University of California, Berkeley, and the University of Toronto on Friday.

The Great Cannon is not simply an extension of the Great Firewall, but rather a distinct tool that hijacks traffic to individual IP addresses, and can arbitrarily replace unencrypted content by sitting between the Web server and end user -- a method known as a man-in-the-middle attack. The system is used to manipulate the traffic of systems outside of China, silently programming browsers to create a massive DDoS attack, the researchers said.

The attack method deployed against Github injected malicious Javascript into browsers connecting to the Chinese search engine Baidu. When the Great Cannon sees a request for certain Javascript files on one of Baidu's infrastructure servers that host commonly used analytics, social, or advertising scripts, it appears to take one of two actions. It either passes the request to Baidu's servers, which has happened over 98 percent of the time, or it drops the request before it reaches Baidu and instead sends a malicious script back to the requesting user, which has happened about 1.75 percent of the time, the report said.

In the latter case, the requesting user would be an individual outside China browsing a website making use of a Baidu infrastructure server, such as sites with ads served by Baidu's ad network. In the DDos attack against GitHub, the malicious script was used to enlist the requesting user as an unwitting participant, the report said.

These findings are in line with an analysis by the Electronic Frontier Foundation (EFF) that described the attack method used last week. According to the EFF, the attack was obviously orchestrated by people who had access to backbone routers in China and was only possible because the Baidu analytics script that is included on sites does not use encryption by default. A wider use of HTTPS could have prevented the attack, it found.

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.