
DDoS attacks that crippled GitHub linked to Great Firewall of China

Whitehat hacker's traceroute wizardry pinpoints origin of denial-of-service code.


Earlier this week came word that the massive denial-of-service attacks targeting code-sharing site GitHub were the work of hackers with control over China's Internet backbone. Now, a security researcher has provided even harder proof that the Chinese government is the source of the assaults.

In Tuesday's story, Ars explained that the computers pummeling GitHub pages all ran a piece of JavaScript that surreptitiously made them soldiers in a massive DDoS army. The JavaScript was silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics. When everyday Internet users visited a site using the Baidu-supplied tracker, the injected code caused their browsers to constantly load two GitHub pages, one a mirror of anti-censorship site GreatFire.org the other a copy of the China edition of The New York Times.

Besides the motive of taking out pages the Chinese government doesn't want its citizens to see, there was technical evidence supporting the theory that the attack had the support of China's leaders. To wit, the packets transmitting the malicious JavaScript arrived with vastly different TTL (time-to-live) values, ranging from 30 to 229, compared with 42 for the legitimate analytics code. Because a packet's remaining TTL reflects how many hops it has traversed, this detail all but proved the DDoS code was coming from a source inside China other than the visited website.

Now, Rob Graham, CEO of Errata Security, has traced the origin of the malicious code to China Unicom, the same telecom that has been caught before aiding the massive censorship apparatus known as the Great Firewall of China. The white-hat hacker tracked down the source using a modified version of the traceroute network diagnostics tool. The customized traceroute used HTTP packets to trace their path across the Internet, rather than the UDP or ICMP packets used by normal traceroutes. By sending the same HTTP request with progressively larger TTLs and noting the smallest TTL that still drew the injected response, Graham could figure out the hop at which the node sending the malicious code sits.
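The two inferences the article relies on, flagging injected packets by their out-of-place TTL and locating the injecting hop with a TTL-limited HTTP probe, reduce to a small amount of logic. The following is an added example, not Graham's tool and not code from the article; the packet list is constructed, and the probe is simulated (a real probe would have to craft the HTTP request inside an established TCP session with a chosen IP TTL, which is assumed here rather than implemented).

```python
from typing import Callable, Dict, List, Optional, Tuple

# Initial TTLs commonly used by operating systems; a packet's remaining TTL
# lets a defender estimate how many hops away its sender was.
INITIAL_TTLS = (64, 128, 255)

def hops_from_ttl(ttl: int) -> int:
    """Estimate hop distance from the smallest plausible initial TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    raise ValueError(f"invalid TTL {ttl}")

def flag_ttl_anomalies(packets: List[Tuple[str, int]],
                       max_spread: int = 3) -> Dict[str, List[int]]:
    """Group received packets by flow and report flows whose TTLs differ by
    more than max_spread. Replies whose remaining TTL is far from the rest of
    the same flow were sent from a different hop, i.e. likely injected by a
    middlebox rather than by the origin server."""
    by_flow: Dict[str, List[int]] = {}
    for flow, ttl in packets:
        by_flow.setdefault(flow, []).append(ttl)
    return {f: t for f, t in by_flow.items() if max(t) - min(t) > max_spread}

def locate_injector(probe: Callable[[int], bool],
                    max_ttl: int = 64) -> Optional[int]:
    """Find the lowest TTL at which an HTTP probe still triggers the injected
    response; the injecting device sits at that hop. probe(ttl) must send the
    request with the given IP TTL and return True if the injected reply arrives.
    Since a request expiring before the injector draws no reply, probe() is
    monotonic in ttl and a binary search suffices."""
    lo, hi = 1, max_ttl
    if not probe(hi):
        return None  # no injector on this path within max_ttl hops
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo

def simulated_probe(injector_hop: int) -> Callable[[int], bool]:
    """Constructed stand-in for a network probe: the injector answers any
    request whose TTL lets it reach that hop."""
    return lambda ttl: ttl >= injector_hop

# Constructed capture: flow-A mixes genuine replies (TTL 42) with an injected one (TTL 229).
SAMPLE_PACKETS = [("flow-A", 42), ("flow-A", 42), ("flow-A", 229),
                  ("flow-B", 57), ("flow-B", 56)]
```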

In a blog post published Wednesday night, Graham wrote:

I found that the device lurks between 11 and 12 hops. The web request packets sent with a TTL of 11 are not seen, while packets with TTL of 12 are, generating a response, as shown below:

[Image: packet capture, credit Rob Graham]

The black line above shows the packet I sent, with a TTL of 12. The orange line (and the two packets above it) show the packets received from the man-in-the-middle device. When I send packets with a TTL of 11, I never get a response from that evil device.

By looking at the IP addresses in the traceroute, we can conclusively prove that the man-in-the-middle device is located on the backbone of China Unicom, a major service provider in China.

The next step is to traceroute in the other direction, from China to a blocked address, such as the http://www.nytimes.com address at 170.149.168.130. Using the website http://www.linkwan.net/tr.htm, I get the following:

[Image: traceroute output, credit Rob Graham]

This shows that the Great Firewall runs inside the China Unicom infrastructure.

Conclusion

Using my custom http-traceroute, I've proven that the man-in-the-middle machine attacking GitHub is located on or near the Great Firewall of China. While many explanations are possible, such as hackers breaking into these machines, the overwhelmingly most likely suspect for the source of the GitHub attacks is the Chinese government.

The evidence implicating China's government in the GitHub DDoS attacks came the same week that Google and Mozilla said their browsers will no longer trust digital certificates issued by the China Internet Network Information Center. CNNIC, in turn, is administered by the Chinese government's Ministry of Information Industry. The evidence also comes as President Obama signed an executive order imposing economic sanctions on overseas hackers who perpetrate attacks on critical US infrastructure.

Readers should once again remember that attributing hack attacks to a particular individual or group is extremely risky, since threat actors frequently stage their exploits to give the appearance that someone else is behind them. Still, the evidence presented so far makes it hard to deny that China's government at least tacitly permitted the GitHub attacks and possibly carried them out directly. Given GitHub's status as the world's biggest host of open-source projects, it might not be hard for some people in Washington, DC to argue the DDoS assaults meet the threshold of an attack that disrupts key American interests.

Post updated to correct language in the fourth paragraph characterizing Graham's customized traceroute tool.
