Github, GreatFire Attack Perpetrated by China’s Great Cannon Traffic Injection Tool
China's totalitarian state apparatus was widely believed to be behind the recent distributed denial of service (DDoS) attacks on Github and the internet freedom group GreatFire. Now Citizen Lab has published a report validating the same.
According to the report by Citizen Lab, Chinese attackers used the Great Firewall's offensive sister-system, named the Great Cannon, to launch a recent series of distributed denial of service attacks targeting the anti-censorship site GreatFire.org and the global code repository Github.
GreatFire.org, an internet freedom group that specializes in monitoring censorship in China, was first targeted by the Great Cannon tool on March 16. Then, on March 26, the global code repository website Github came under attack from the Great Cannon.
The attack on Github was so powerful that it took Github down for almost a week before the website could return to normal. It is widely believed that the attackers launched these attacks in an attempt to shut down services that were providing users with ways and means of evading China's massive content blocking infrastructure, known as the Great Firewall.
The University of Toronto Munk School of Global Affairs' Citizen Lab, with help from the International Computer Science Institute, the University of California at Berkeley and Princeton University, began monitoring the attacks on GreatFire on March 18 and continued to watch the events unfold until April 8.
The report says that China's Great Firewall monitors connections between China and the global Internet for banned content, which it blocks by injecting forged TCP reset packets that cause both the sender and the recipient to drop the connection, thereby blocking the banned traffic.
“On-path systems have architectural advantages for censorship, but are less flexible and stealthy than in-path systems as attack tools, because while they can inject additional packets, they cannot prevent in-flight packets (packets that have already been sent) from reaching their destination,” explained Citizen Lab in a report. “Thus, one generally can identify the presence of an on-path system by observing anomalies resulting from the presence of both injected and legitimate traffic.”
The sister tool, the Great Cannon, is described as "a distinct attack tool that hijacks traffic of individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle."
Citizen Lab says the Great Cannon has the capability to both suppress and inject traffic. Also, the report says, unlike the Great Firewall, the Great Cannon does not monitor all traffic but only traffic originating from a set of chosen IP addresses.
Furthermore, the Great Cannon conserves computing resources by examining only individual packets, whereas the Great Firewall requires massive computing resources in order to perform TCP bytestream reassembly. While Web requests are often one-packet affairs, Web replies can contain multiple packets, which the Great Firewall must reassemble in order to properly block banned content.
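Citizen Lab's observation above, that an on-path injector cannot stop the genuine packets, so a capture ends up holding both the forged and the legitimate traffic, can be turned into a detection check. The following is an added example, not code from the article or from the Citizen Lab report: it scans one direction of a captured TCP flow for two such anomalies. The packet layout, the TTL-baseline heuristic and the sample capture are constructed assumptions.

```python
from collections import defaultdict


def detect_injection(packets, ttl_tolerance=2):
    """Flag anomalies that betray an on-path injector in one direction of a TCP flow.

    packets: list of dicts with keys flow (str), ttl (int), seq (int),
             flags (str such as "SA", "PA", "R") and payload (bytes).
    Returns a list of (packet_index, anomaly_kind) tuples.
    Assumption (ours, not the report's): the flow's first packet is the
    genuine endpoint's SYN/ACK, so its IP TTL is the baseline; a box that
    inserts packets from a different hop count leaves a TTL gap.
    """
    baseline_ttl = {}              # flow -> TTL of the first packet seen
    segments = defaultdict(dict)   # flow -> seq -> payload of first data segment
    anomalies = []
    for i, p in enumerate(packets):
        flow = p["flow"]
        base = baseline_ttl.setdefault(flow, p["ttl"])
        # Anomaly 1: a packet (data or RST) whose TTL is far from the flow baseline.
        if abs(p["ttl"] - base) > ttl_tolerance:
            anomalies.append((i, "ttl_mismatch"))
        # Anomaly 2: two segments with the same sequence number but different
        # content; an on-path box cannot suppress the genuine one, so both arrive.
        if p["payload"]:
            earlier = segments[flow].get(p["seq"])
            if earlier is None:
                segments[flow][p["seq"]] = p["payload"]
            elif earlier != p["payload"]:
                anomalies.append((i, "duplicate_seq_diff_payload"))
    return anomalies


# Constructed sample capture (server-to-client direction only): a genuine
# reply, then an injected copy of the same segment and an injected RST.
CAPTURE = [
    {"flow": "s2c", "ttl": 52, "seq": 0, "flags": "SA", "payload": b""},
    {"flow": "s2c", "ttl": 52, "seq": 1, "flags": "PA", "payload": b"HTTP/1.1 200 OK\r\n\r\n<script src=a.js>"},
    {"flow": "s2c", "ttl": 60, "seq": 1, "flags": "PA", "payload": b"HTTP/1.1 200 OK\r\n\r\n<script>/*injected*/</script>"},
    {"flow": "s2c", "ttl": 60, "seq": 40, "flags": "R", "payload": b""},
    {"flow": "s2c", "ttl": 52, "seq": 40, "flags": "A", "payload": b""},
]


def analyze_sample():
    return detect_injection(CAPTURE)


if __name__ == "__main__":
    for idx, kind in analyze_sample():
        print(f"packet {idx}: {kind}")
```

The TTL heuristic only works when the injector sits at a different hop distance than the real endpoint; the duplicate-segment check is the more robust signal because it relies on the on-path limitation itself.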
China and Baidu, from where the attacks originated, have denied the existence of the Great Cannon, but the fact that both sites were actively involved in bypassing the censorship and were attacked for it cannot be denied. GreatFire has been at the forefront of bringing news from behind the Great Firewall of China to us, while its source code was hosted on the repository site Github.