Massive denial-of-service attack on Github tied to Chinese government


lewax00

Ars Legatus Legionis
17,402
nsap said (http://meincmagazine.com/civis/viewtopic.php?p=28771013#p28771013):
It shows that the TTL of a legitimate SYN+ACK packet is 42 seconds, while three packets with a malicious payload have TTL values of 227, 228, and 229 seconds.

I thought TTL values were for a number of hops across a network, not a specific amount of time?

IIRC, the spec defines them as time, but in practical application they use hops because it's easier.
 
Upvote
36 (36 / 0)

Frennzy

Ars Legatus Legionis
85,841
IIRC, the spec defines them as time, but in practical application they use hops because it's easier.

A packet TTL is a specification of how many hops (routing boundaries) a packet will traverse before it will be dropped.

Different hosts/OSs use different default values.

The TTL the article is talking about, as near as I can tell, is actually session hold/wait times. But it doesn't make a whole lot of sense to call it TTL (as a network guy)

edit: looking more closely at the trace, this article is simply incorrect. Those TTLs are perfectly valid and normal. Note the source and destinations swap when the TTL changes. That's because the TTL is set by the host sending each packet. Small changes simply reflect changes in the path to get from A to B.

edit to my edit: What's incorrect in the article is the "seconds". TTL has nothing to do with that...but I see now what the point is...yes, the TTL should change that much, coming from the same host, barring a massive re-routing of the packet...and even then it shouldn't go UP.
 
Upvote
18 (19 / -1)

zarmanto

Ars Tribunus Militum
2,773
The Taxpayer said (http://meincmagazine.com/civis/viewtopic.php?p=28771129#p28771129):
... We need to absolutely obliterate their ability to even make a ping if they don't hold their dogs...

Perhaps ultimately -- but not yet. To me, this falls under the heading of, "giving them enough rope to hang themselves." Once it becomes fully apparent that their actions have in no way accomplished their intended effect, (and have instead invoked the Streisand Effect) China will almost certainly back off on their own, without sanctions... and they'll be in a far weaker position, for it.

Or, to put it another way: Let 'em have their fun; it'll be short lived.
 
Upvote
52 (57 / -5)

Vincent294

Ars Scholae Palatinae
1,123
andrewb610 said (http://meincmagazine.com/civis/viewtopic.php?p=28771023#p28771023):
while the other hosts a mirror site of The New York Times' Chinese edition.
Perhaps the American version of the NY Times could take some lessons on effective reporting. Clearly the Chinese version doesn't toe the line like its joke of an American counterpart.

The NY Times may not be perfect, but it's a hell of a lot better than say, Fox or MSNBC. And if you think China's news is much better than the United States, you're sadly mistaken.
 
Upvote
83 (87 / -4)
Rather than isolating China from the internet, we need to double our efforts to bring uncensored access to the people of China.

Dictators use information control to control the population. Exposure to views from the rest of the world discredits the oppressors, casts doubt on propaganda and makes average citizens more likely to take action to stop the oppression.

Isolation is exactly what the party bosses in China want. We shouldn't take reactionary measures and give it to them.

Think of the children! (If they can use it, so can I)

[Edit: We *shouldn't* take reactionary measures...]
[Edit: *makes *what - I am my own Grammar Nazi. FML]
 
Upvote
64 (69 / -5)

AreWeThereYeti

Ars Praefectus
4,514
Subscriptor
I think this should be considered an offensive cyberattack by a nation-state, that requires a response. It's bad enough that they restrict what their own citizens can see, but at least that doesn't involve attacking other countries directly. If we start letting China commit clear offensive attacks against critical civilian internet services outside their country, they need to feel some kind of pain in response.
 
Upvote
42 (50 / -8)

Xavin

Ars Legatus Legionis
30,682
Subscriptor++
The Taxpayer said:
We need to absolutely obliterate their ability to even make a ping if they don't hold their dogs

The main problem is that nobody has ever fought a cyber war before. How far is too far? What kind of strikes back are necessary/proper. Do the government officials in China even realize they have effectively declared war by cyber-bombing the US?

The first thing to do is tell them to stop, immediately. If they keep denying or don't, then the question is, do we fight back with our own attacks, sanctions, or the military? Our international relations apparatus isn't designed to handle this kind of thing yet, and a good portion of them (on all sides) probably have no concept of how aggressive this is.
 
Upvote
46 (53 / -7)

onkeljonas

Ars Tribunus Angusticlavius
8,703
The Taxpayer said (http://meincmagazine.com/civis/viewtopic.php?p=28771129#p28771129):
Cut China from the fucking civilized world if their stupid government don't fucking stop this hostile behavior...

It's starting to piss me off... It should piss off everyone that doesn't accept communists diktats... They think they can get away with it... And it's our governments fault for not showing them that they are wrong...

Yea, unlike civilized nations like the US, which wiretaps allied governments and abducts people on the streets, locking them up indefinitely without trial.
Or if you're looking for an even closer example - do you really think the US had no hand in stuxnet?

The Chinese government might live in a moral/legal glasshouse, but the American isn't exactly made of stone...
 
Upvote
36 (64 / -28)

CraigJ ✅

Ars Legatus Legionis
27,010
Subscriptor
AreWeThereYeti said (http://meincmagazine.com/civis/viewtopic.php?p=28771225#p28771225):
I think this should be considered an offensive cyberattack by a nation-state, that requires a response. It's bad enough that they restrict what their own citizens can see, but at least that doesn't involve attacking other countries directly. If we start letting China commit clear offensive attacks against critical civilian internet services outside their country, they need to feel some kind of pain in response.

Our response should be to have the NSA figure out how to completely circumvent the GFW from inside and distribute a payload that allows the folks in China to bypass the GFW. And do it quietly. The best thing for the world is for all the citizens of countries with repressive governments to have free access to information.
 
Upvote
45 (49 / -4)

daggar

Ars Tribunus Militum
2,204
Techdirt has a good write-up on just why China might target Github:

https://www.techdirt.com/articles/20150 ... rnet.shtml

TLDR: github is too valuable for them to block, but HTTPS makes it difficult to censor the site on a per-request basis. They can't lock out particular projects, so they want to pressure github to censor them on their end.

(Not sure why the Great Firewall wouldn't do some MiTM intervention on github instead.)
 
Upvote
47 (47 / 0)

lewax00

Ars Legatus Legionis
17,402
Frennzy said (http://meincmagazine.com/civis/viewtopic.php?p=28771159#p28771159):
IIRC, the spec defines them as time, but in practical application they use hops because it's easier.

A packet TTL is a specification of how many hops (routing boundaries) a packet will traverse before it will be dropped.

Different hosts/OSs use different default values.

The TTL the article is talking about, as near as I can tell, is actually session hold/wait times. But it doesn't make a whole lot of sense to call it TTL (as a network guy)

edit: looking more closely at the trace, this article is simply incorrect. Those TTLs are perfectly valid and normal. Note the source and destinations swap when the TTL changes. That's because the TTL is set by the host sending each packet. Small changes simply reflect changes in the path to get from A to B.

edit to my edit: What's incorrect in the article is the "seconds". TTL has nothing to do with that...but I see now what the point is...yes, the TTL should change that much, coming from the same host, barring a massive re-routing of the packet...and even then it shouldn't go UP.

From RFC 791:
The time is measured in units of seconds, but since every module that processes a datagram must decrease the TTL by at least one even if it process the datagram in less than a second, the TTL must be thought of only as an upper bound on the time a datagram may exist.

So it really is specified in seconds, but is not necessarily treated that way (especially since you'd have a hard time finding a router that takes more than a second to pass it along).
 
Upvote
22 (22 / 0)
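As an added example (my own code, not from any poster or from the article), the check that Frennzy's second edit and the RFC excerpt imply: TTL is decremented once per hop, so packets one host sends along one path should arrive with nearly equal TTLs and imply the same starting value, and a jump from 42 to 227 cannot be explained by re-routing. The trace is constructed from the article's numbers (42 for the SYN+ACK, 227-229 for the injected packets) with RFC 5737 documentation addresses; inferring the initial TTL from the common defaults 64/128/255 is an assumption that goes beyond what the thread states.

```python
from collections import namedtuple

# One row of a packet trace: addresses, IPv4 TTL and TCP flags (S, SA, A, PA).
Packet = namedtuple("Packet", "src dst ttl flags")

# Initial TTLs most operating systems and network devices start from (assumed:
# a packet's initial TTL is the smallest of these that is >= its observed TTL).
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(ttl):
    """Guess the TTL the sender started with, from the TTL seen on the wire."""
    return next(t for t in COMMON_INITIAL_TTLS if t >= ttl)


def hop_count(ttl):
    """Approximate number of routers crossed: inferred initial TTL minus observed."""
    return infer_initial_ttl(ttl) - ttl


def flag_ttl_anomalies(packets, max_delta=4):
    """Return (packet, baseline_ttl) pairs whose TTL is inconsistent with the
    handshake packet (SYN or SYN+ACK) seen in the same src->dst direction:
    more than max_delta hops of drift, or a different inferred initial TTL.
    Either points to a different sender than the handshake peer (such as an
    in-path injector) rather than a routing change."""
    baseline, suspicious = {}, []
    for pkt in packets:
        key = (pkt.src, pkt.dst)
        if "S" in pkt.flags:
            baseline[key] = pkt.ttl  # handshake sets the reference for this direction
            continue
        if key not in baseline:
            continue  # no handshake seen in this direction; nothing to compare with
        base = baseline[key]
        drifted = abs(pkt.ttl - base) > max_delta
        different_origin = infer_initial_ttl(pkt.ttl) != infer_initial_ttl(base)
        if drifted or different_origin:
            suspicious.append((pkt, base))
    return suspicious


# Constructed trace using the article's TTL values (42 for the real SYN+ACK, 227-229
# for the three injected payloads); addresses are RFC 5737 documentation ranges.
TRACE = [
    Packet("192.0.2.5", "203.0.113.10", 64, "S"),
    Packet("203.0.113.10", "192.0.2.5", 42, "SA"),   # legitimate SYN+ACK
    Packet("192.0.2.5", "203.0.113.10", 64, "A"),
    Packet("192.0.2.5", "203.0.113.10", 64, "PA"),   # HTTP request
    Packet("203.0.113.10", "192.0.2.5", 227, "PA"),  # injected
    Packet("203.0.113.10", "192.0.2.5", 228, "PA"),  # injected
    Packet("203.0.113.10", "192.0.2.5", 229, "PA"),  # injected
    Packet("203.0.113.10", "192.0.2.5", 43, "PA"),   # real reply, one hop of drift
]

if __name__ == "__main__":
    for pkt, base in flag_ttl_anomalies(TRACE):
        print(f"{pkt.src} -> {pkt.dst}: TTL {pkt.ttl} (~{hop_count(pkt.ttl)} hops from "
              f"{infer_initial_ttl(pkt.ttl)}) vs handshake TTL {base} "
              f"(~{hop_count(base)} hops from {infer_initial_ttl(base)})")
```

Only the three 227-229 packets are reported; the 43 reply passes because one hop of drift from the same starting value is what a path change actually looks like.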

Tofystedeth

Ars Tribunus Angusticlavius
6,488
Subscriptor++
dwaltz said (http://meincmagazine.com/civis/viewtopic.php?p=28771309#p28771309):
Well one question: why github?
What's wrong with it? Is this just a test? Or does somebody really hate the idea of a community like github?

If you read the article, it's specifically attacking the pages for two projects hosted on github. One to circumvent the Great FireWall, the other to mirror the Chinese language version of the New York Times.
 
Upvote
30 (30 / 0)
razzmatazz said (http://meincmagazine.com/civis/viewtopic.php?p=28771119#p28771119):
The one thing I find most puzzling about this story is how brazen it appears. Doesn't China usually conduct its hacking operations with at least a veneer of plausible deniability?

It's a very thin veneer. About 5 years ago while I worked for a major public DNS hosting company some of our clients' domains came under attack. This was nothing particularly unusual except that, for the 3rd or 4th time that year all of the domains were for sites calling out issues with the Chinese gov't or promoting a religious sect the Chinese gov't is known to dislike.

I've been trying to find it and have so far failed but there is a propaganda video produced by the Chinese gov't put out a few weeks after that big DDoS that bragged about their universities' technical capabilities and military cooperation. In a few shots in that video is a computer screen showing a dialog that read something to the effect of "Victim:" with a drop-down to select a domain and an "Attack" button. The domain shown in the video was one of the clients using the DNS platform I worked on.

The inclusion of those few shots was likely a mistake but the video went global with that still in it.

This just illustrates that the Chinese gov't has been actively attacking sites for several years, probably since they first gained the ability to do so. There has been ample proof over the years of their direct involvement and yet this little cyberwar continues unabated. There is little to no reason to think this will get any better any time soon.
 
Upvote
54 (54 / 0)

Deleted member 1

Guest
razzmatazz said (http://meincmagazine.com/civis/viewtopic.php?p=28771119#p28771119):
The one thing I find most puzzling about this story is how brazen it appears. Doesn't China usually conduct its hacking operations with at least a veneer of plausible deniability?

No, and they never have.

Have you ever run some kind of active network monitoring software on your computer? If you did, you would find that Chinese IPs are constantly port-scanning nearly every US computer with a public IP for known vulnerabilities. You'll also see some Russian IPs and Eastern European IPs, but it's mostly China. We are literally under attack from Chinese hackers 24/7. Sure, it's not a focused attack, and it's largely automated, but if an open port or unpatched vulnerability is found, you can be sure someone is going to take a second look eventually. These attacks are so brazen and have been going on so long that no one seems to care.

We also know that China has been making focused attacks on American companies and government organizations for at least a decade now, stealing engineering and military data so it can boost its own capabilities in these realms. This is one of the reasons why China has been able to modernize its civilian and military technology so rapidly. They're simply ripping off our own R&D.

Why doesn't the US call China out on this crap? Probably because we've sold so much of our debt to them. China has been bankrolling so much of our debt that our economies are inextricably linked. While it would hurt their economy almost as badly, China could decide not to give us any more credit the next time we need to increase the national debt limit, and we'd be fucked. Because China holds the purse strings, we also cannot simply invade North Korea, or do anything else which might upset China. Despite supposedly standing for free speech and other freedoms, you'll rarely hear high-level US politicians condemn China. China continues to pull hacking stunts like these because they know they can get away with it.
 
Upvote
49 (60 / -11)

Meailda

Ars Tribunus Militum
2,934
The Taxpayer said (http://meincmagazine.com/civis/viewtopic.php?p=28771129#p28771129):
If the Chinese Government attacks western innocent internet services like github, we need to show them force.

We need to absolutely obliterate their ability to even make a ping if they don't hold their dogs... And if they keep this unacceptable behavior we need to kick in some economic sanctions... In the west, we need to reindustrialize our economies anyway, this might be a good starting point...

Cut China from the fucking civilized world if their stupid government don't fucking stop this hostile behavior...

It's starting to piss me off... It should piss off everyone that doesn't accept communists diktats... They think they can get away with it... And it's our governments fault for not showing them that they are wrong...

Sigh. The alias appears to be accurate. I am reminded of why cutting defense spending is political suicide.
 
Upvote
21 (21 / 0)

Meailda

Ars Tribunus Militum
2,934
AreWeThereYeti said (http://meincmagazine.com/civis/viewtopic.php?p=28771225#p28771225):
I think this should be considered an offensive cyberattack by a nation-state, that requires a response. It's bad enough that they restrict what their own citizens can see, but at least that doesn't involve attacking other countries directly. If we start letting China commit clear offensive attacks against critical civilian internet services outside their country, they need to feel some kind of pain in response.

Nah. We just subsidize the cloudflare account for Github and say loudly to China "Meh, better luck next time."
 
Upvote
2 (4 / -2)

lewax00

Ars Legatus Legionis
17,402
Frennzy said (http://meincmagazine.com/civis/viewtopic.php?p=28771547#p28771547):
So it really is specified in seconds, but is not necessarily treated that way (especially since you'd have a hard time finding a router that takes more than a second to pass it along).

A fair point. I don't think I ever actually read that RFC before.

I only knew* because I had a class where we had to analyze some actual network traffic and break down what was going on. Involved looking up headers for IP, 802.11, TLS, and maybe a couple more. The RFC was the easiest to understand explanation of the IPv4 header format I found.

*Mostly...I still had to go back and check
 
Upvote
2 (2 / 0)

andrewb610

Ars Tribunus Angusticlavius
6,135
Vincent294 said (http://meincmagazine.com/civis/viewtopic.php?p=28771197#p28771197):
andrewb610 said (http://meincmagazine.com/civis/viewtopic.php?p=28771023#p28771023):
while the other hosts a mirror site of The New York Times' Chinese edition.
Perhaps the American version of the NY Times could take some lessons on effective reporting. Clearly the Chinese version doesn't toe the line like its joke of an American counterpart.
The NY Times may not be perfect, but it's a hell of a lot better than say, Fox or MSNBC. And if you think China's news is much better than the United States, you're sadly mistaken.

It wasn't intended to be a generalization of all Chinese news and all American news, but I like that you group MSNBC in with Fox.
 
Upvote
5 (11 / -6)

Marcos2247

Ars Scholae Palatinae
1,159
chronomitch said (http://meincmagazine.com/civis/viewtopic.php?p=28771465#p28771465):
We also know that China has been making focused attacks on American companies and government organizations for at least a decade now, stealing engineering and military data so it can boost its own capabilities in these realms. This is one of the reasons why China has been able to modernize its civilian and military technology so rapidly. They're simply ripping off our own R&D.

We also know that the USA and Russia and every other nation capable have been doing that since forever.

This is the main reason nobody's really calling out China. Everybody's doing it. And the only gentlemen's agreement is "You don't talk about spy club".

we also cannot simply invade North Korea
Is this supposed to be a pro or a con?
 
Upvote
11 (15 / -4)
PhysicalEd said (http://meincmagazine.com/civis/viewtopic.php?p=28771603#p28771603):
My knee-jerk reaction is "cut China off from the Internet. If the attacks stop, we know it was them."

But is that even possible? Can the gateway routers be configured to reject all IP blocks registered to China and Chinese ISPs and corporations even if we wanted/had to?

It's possible, yes, but it would be largely ineffective. This particular attack may originate in China but the massive volume of requests are coming from South Korea, among other places. Innocents whose machines have been infected with malicious javascript that does the dirty work.
 
Upvote
5 (5 / 0)

dwaltz

Wise, Aged Ars Veteran
150
Tofystedeth said (http://meincmagazine.com/civis/viewtopic.php?p=28771393#p28771393):
dwaltz said (http://meincmagazine.com/civis/viewtopic.php?p=28771309#p28771309):
Well one question: why github?
What's wrong with it? Is this just a test? Or does somebody really hate the idea of a community like github?
If you read the article, it's specifically attacking the pages for two projects hosted on github. One to circumvent the Great FireWall, the other to mirror the Chinese language version of the New York Times.

Thanks for the reply, I misread that fragment.
 
Upvote
4 (4 / 0)

MikeGale

Ars Praetorian
483
Subscriptor++
IceCub said (http://meincmagazine.com/civis/viewtopic.php?p=28771753#p28771753):
I've cut off China from the networks I manage a long time ago. The reason is simple: cutting off China reduces the attack traffic by about 90%.

Might be useful if you pass on how you are doing this, so that others can adopt and extend your actions.
 
Upvote
-15 (15 / -30)

Bengie25

Ars Praefectus
5,505
Subscriptor
nsap said (http://meincmagazine.com/civis/viewtopic.php?p=28771013#p28771013):
It shows that the TTL of a legitimate SYN+ACK packet is 42 seconds, while three packets with a malicious payload have TTL values of 227, 228, and 229 seconds.

I thought TTL values were for a number of hops across a network, not a specific amount of time?

Correct, but fun historical fact. TTL in IPv4 was originally how many seconds for the packet to live, so it was a time. IPv6 renamed this field to "Hop Limit".
 
Upvote
11 (11 / 0)