GitHub has been hit by a massive DDoS (distributed denial-of-service) attack in the last day or so, intermittently resulting in outages for developers attempting to access source code stored on the site.
What’s particularly interesting about the attack on GitHub is that the denial-of-service attack does not appear to be conducted in the familiar fashion of a botnet of compromised computers around the world, bombarding the site with traffic.
Instead, it appears that someone is tricking web browsers visiting Chinese websites into repeatedly reloading two pages on the GitHub site:
A researcher at Insight Labs wrote up an analysis of what he believed was going on.
In a nutshell, many Chinese websites use advertising and visitor tracking code from Baidu, China’s leading search engine (just as many other sites around the world might use, say, Google Analytics). It appears that when webpages containing the Baidu scripts are accessed from outside China, the script’s code is being replaced with code serving a different function.
When the obfuscated code is decrypted, its purpose becomes clear: it tries to access the GitHub pages, over and over again.
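As an added illustration (not from the original article) of how a site operator might spot the pattern just described in its own access logs: a few paths suddenly fetched by many unrelated clients whose Referer headers point at third-party sites, rather than traffic spread across the site. The log lines, the `github.com` host name and the thresholds are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines in Apache/nginx combined format (not real GitHub logs).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Mar/2015:10:00:01 +0000] "GET /example-org/project-a HTTP/1.1" 200 512 "http://news.example.cn/article/1" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2015:10:00:01 +0000] "GET /example-org/project-a HTTP/1.1" 200 512 "http://shop.example.cn/item/9" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2015:10:00:02 +0000] "GET /example-org/project-b HTTP/1.1" 200 480 "http://forum.example.cn/t/42" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2015:10:00:03 +0000] "GET /example-org/project-a HTTP/1.1" 200 512 "http://news.example.cn/article/1" "Mozilla/5.0"
192.0.2.55 - - [27/Mar/2015:10:00:03 +0000] "GET /someone/repo HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.8 - - [27/Mar/2015:10:00:04 +0000] "GET /example-org/project-b HTTP/1.1" 200 480 "http://blog.example.cn/p/7" "Mozilla/5.0"
192.0.2.56 - - [27/Mar/2015:10:00:05 +0000] "GET /other/repo/issues HTTP/1.1" 200 700 "https://github.com/other/repo" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer):
    """Host of the Referer header, or None when it is absent ("-")."""
    return urlsplit(referer).hostname if referer and referer != "-" else None

def suspicious_paths(log_text, our_host="github.com", min_clients=2, min_ext_ratio=0.8):
    """Flag paths fetched by several distinct clients where most requests carry a
    Referer from some other site: visitors' browsers pulling us from third-party
    pages, the pattern described in the article. Thresholds are assumptions."""
    hits = Counter()
    clients = defaultdict(set)
    referers = defaultdict(Counter)   # path -> Counter of external referer hosts
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        path = m["path"]
        hits[path] += 1
        clients[path].add(m["ip"])
        host = referer_host(m["referer"])
        if host and host != our_host:
            referers[path][host] += 1
    flagged = {}
    for path, n in hits.items():
        external = sum(referers[path].values())
        if len(clients[path]) >= min_clients and external / n >= min_ext_ratio:
            flagged[path] = {"requests": n, "clients": len(clients[path]),
                             "referer_sites": sorted(referers[path])}
    return flagged
```

On the sample above, the two project pages are flagged while the ordinary repository visits are not; in practice the thresholds would be tuned against a baseline of normal traffic.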
Baidu, however, has denied any involvement in the attack - telling The Verge that an external party must be to blame.
As a consequence, not only are the GreatFire and CN-NYTimes projects disrupted on GitHub but *all* of GitHub suffers a denial-of-service attack, one which, because it is driven by users’ browsers outside China, may not immediately be seen to be originating from China itself.
GreatFire, of course, is a group which monitors online censorship in China (the name is short for the “Great Firewall of China”). It has itself suffered badly at the hands of DDoS attacks recently.
It’s natural for the finger of suspicion to point in the direction of the authorities in Beijing, keen to prevent Chinese citizens from accessing censored material on the internet.
GitHub has been keeping its users informed of the site’s status, as it yo-yos up-and-down, via status.github.com. The site says it has deployed “volumetric attack defenses against an extremely large amount of traffic.”
So, just how big a problem are denial-of-service attacks?
Seems that some folks just can’t agree.
San Francisco-based DDoS-mitigation outfit Black Lotus says that the number of denial-of-service attacks declined last year, from 450,000 attacks in Q1 to fewer than 150,000 by the end of 2014.
Meanwhile, Corero Network Security says in its latest report that DDoS attacks are “increasingly rampant”.
What isn’t in dispute between the companies which help businesses protect against DDoS attacks is that attacks are becoming more complex, with multiple techniques being combined to bring down a site or online service.
“There is a continuous trend of people combining different attacks together, in hybrid attacks,” Frank Ip, Black Lotus’s VP of marketing and business development told CSO Online. “We’re also seeing more application-layer attacks. Even though those are smaller in size, they are not smaller in terms of effect or damage to the targeted victim.”
Corero, meanwhile, says that on average its customers each experienced 3.9 DDoS attack attempts every day during the last three months of 2014:
Today’s DDoS threat landscape is complex and increasingly sophisticated. Opportunistic DDoS attacks remain a menace, but targeted attacks are a rapidly growing threat. Each vertical market reveals variations in the motivations behind DDoS attacks, including cyber terrorism, political or ideological intentions, fraud, ransom, monetary gain, data exfiltration attempts or even for gaining a competitive advantage. The drivers are endless, and the attacks keep coming.
DDoS attacks can be used to make money, to make a political point and to silence freedom of speech. They’re not going to be going away anytime soon.
In fact, we should get used to them becoming more sophisticated as more attackers - whether solo activists, cybercriminal gangs or governments - deploy them in anger.