China's Great Firewall Turned Around: Why China Wants To Censor Global Internet

from the pay-attention----this-matters-a-lot dept

If you pay attention to Github (and you should), you know that late last week the site started experiencing some problems staying online, thanks to a massive and frequently changing DDoS attack. Over the past few days a lot more details have come out, making it pretty clear that the attack is coming via China with what is likely direct support from the Chinese government. While it's messing with all of Github, it's sending traffic to two specific Github pages: https://github.com/greatfire and https://github.com/cn-nytimes. Those both provide tools to help people in China access Greatfire and the NY Times. Notably, Greatfire itself notes that prior to the DDoS on Github, its own site was hit with a very similar DDoS attack.

If you want the technical details, Netresec explains how the DDoS works, noting that it's a "man-on-the-side" attack, injecting certain packets alongside code loaded by Chinese search engine Baidu (including both its ad platform and analytics platform), but is unlikely to be coming directly from Baidu itself.

But the much more interesting part is why China is using a DDoS attack, rather than its standard approach of just blocking access in China, as it has historically done. The key is that, two years ago, China tried to block Github entirely... and Chinese programmers flipped out, pointing out that they couldn't do their jobs without Github. The Chinese censors were forced to back down, leading to a sort of loophole in the Great Firewall. That leads to the next question of why China doesn't just block access to the URLs of the two repositories it doesn't like? And the answer there: HTTPS. Because all Github traffic is encrypted via HTTPS, China can't just block access to those URLs, because it doesn't know specifically what's being accessed.

And thus, we get the decision to turn its firewall around, launching a rather obvious DDoS attack on the two sites it doesn't like, with the rather clear message being sent to Github: if you stop hosting these projects, the DDoS will stop. Of course, so far Github is taking a stand and refusing to take down those projects (which is great and exactly what it should be doing).

However, this does suggest an interesting escalation in questions about the increasing attempts to fragment the internet. You see various countries demanding (or forcing) certain websites get blocked. But those solutions are truly only temporary. Because the overall internet is too important to block, and because some sites are necessary (like Github) there are always holes in the system. Add in a useful dose of encryption (yay!) and the ability to control everything that's read in one particular country becomes increasingly difficult. You might hope the response would be to give up attempts to censor, but China isn't likely to give up just like that. So, instead, it's basically trying to censor the global internet, by launching a high powered attack on the site that is the problem, while basically saying "get rid of these projects and we'll stop the attack."

It seems likely that this sort of escalation is only going to continue -- but in some ways it's actually a good sign. It shows that there are real cracks in China's attempts to censor the internet. We're basically realizing the limits of the Great Firewall of China, and useful services like Github have allowed a way to tunnel through. China is responding by trying to make life difficult for Github, but as long as Github and others can figure out ways to resist, censorship attempts like the Great Firewall will increasingly be useless.

In the early days of the internet, people talked about how it was resistant to censorship. Over the past decade or so, China has challenged that idea, showing that it could basically wall off large parts of the internet, and actually keep things semi-functional. Yes, there were always cracks in the wall, but for the most part, China showed that you could censor large parts of the internet. This latest move suggests that we may be moving back towards a world where the internet really is resistant to censorship -- and China is freaking out about it and responding by trying to increase the censorship globally. It's a battle that is going to be important to follow if you believe in supporting free expression online.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: censorship, china, ddos, encryption, great firewall, injection, man in the side
Companies: github, greatfire, ny times


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    daggar (profile), 31 Mar 2015 @ 11:58am

    Alternate title

    "https everywhere: it works, bitches."

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 31 Mar 2015 @ 12:08pm

    And just before this attack was launched, NSA demanded the right to carry out cyberattacks whenever it wanted to, coincidence or what.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 31 Mar 2015 @ 12:10pm

    Re:

    They probably heard through the "grapevine" what China was planning, and became jealous.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 31 Mar 2015 @ 12:14pm

    Users (and browser vendors) can help fight this

    As a user, use RequestPolicy or similar tools to block junk embeds (in this case, the Baidu analytics that China repurposed as an attack vector). As a browser vendor, make it easier for users to avoid loading unwanted junk so that users cannot be co-opted into running this attack. As a site administrator, stop embedding resources fetched over HTTP from insecure third parties. If the Baidu analytics script were fetched over HTTPS, China would need to compromise Baidu more directly to execute such an attack.

    link to this | view in thread ]

  5. identicon
    Christenson, 31 Mar 2015 @ 12:22pm

    Can I set up something to help?

    Like, maybe mirror the offending projects???

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 31 Mar 2015 @ 12:47pm

    HTTPS under attack

    Because all Github traffic is encrypted via HTTPS, China can't just block access to those URLs, because it doesn't know specifically what's being accessed.

    This puts the story where Google found that a Certificate Authority was issuing unauthorized certificates into a new light.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 31 Mar 2015 @ 1:30pm

    Re: HTTPS under attack

    You could just implement a deep packet sniffer and do man-in-the-middle attacks of the certificates.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 31 Mar 2015 @ 2:06pm

    Firstly, you don't meet your adversary on their own low ground. Secondly, if American business wasn't so thrilled with cheap Chinese sweatshop labor this would be a non issue. Cut the cord, kill the satellite feed, and be done with it. Then they can pay Mr. Putin and company for access to the internet. I do block all known Chinese, N. Korean, Mongolian, Macau, and Hong Kong IP addresses (not Nepal yet)from access to my systems, and although that isn't enough it is a start. The USA is a bright spot on the world map for such shenanigans, so get your own glass house in order before throwing rocks at others.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 31 Mar 2015 @ 2:11pm

    Re: Re:

    "Mommy, I need a playstation. Look, they have already got a playstation! I am getting mocked, mommy!"

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 31 Mar 2015 @ 3:46pm

    Does this mean the USTR and MAFIAA are Chinese spies?

    link to this | view in thread ]

  11. icon
    Rapnel (profile), 31 Mar 2015 @ 4:30pm

    The internet, like the earth, is built with everything required to support everyone. Funny that, also like the earth, there are groups of people hell-bent on containing, controlling or otherwise destroying the very thing that supports all of us without prejudice.

    China's had a good run. I can appreciate the efforts.

    The Internet is free speech for the planet, one way or another. We're all going to have to step it up a notch to protect these things.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 31 Mar 2015 @ 4:43pm

    Re:

    Yeah, why not just block the entire country of China?

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 31 Mar 2015 @ 5:06pm

    HTTPS

    "Because all Github traffic is encrypted via HTTPS, China can't just block access to those URLs, because it doesn't know specifically what's being accessed."

    I guess that means the NSA has given the HTTPS keys to it's Chinese counterparts ... yet.

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 31 Mar 2015 @ 5:49pm

    Re: HTTPS

    "has" was supposed to be "hasn't"

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 31 Mar 2015 @ 6:23pm

    THIS

    If GitHub just blocked all Chinese IP addresses or redirected them to a page explaining that GitHub access would not be allowed from China until China stopped DDOSing the site, it would likely stop in short order....

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 31 Mar 2015 @ 7:05pm

    Re: THIS

    If GitHub just blocked all Chinese IP addresses
    If you read the fine article linked in the Techdirt post, you will see that the problem is not coming (exclusively) from Chinese IP addresses. That would be comparatively easy to stop. The problem is that when users traverse the Great Firwall to access Baidu, some of those users are served malicious code which hijacks use of their resources to attack Github. There might be some users in China that are contributing to it, but most of the traffic is coming from users outside China who are accessing Chinese resources. Perversely, if the rest of the world had a corresponding firewall that could be used to drop China off the Internet (and thereby banish Baidu and the malicious servers hijacking requests to Baidu), such a firewall could be used to prevent unwitting users from receiving the attack code.

    link to this | view in thread ]

  17. icon
    Sheogorath (profile), 31 Mar 2015 @ 9:03pm

    Dear China,
    Please fuck off and stop imposing your views on us.
    Yours sincerely, The Rest of the World.

    link to this | view in thread ]

  18. identicon
    R, 31 Mar 2015 @ 9:08pm

    This really needs to be handled further up the chain. If your IP/subnet is launching a DoS, have the ISP automatically block it for an hour. If they don't, have the ISP one level up from them do the same thing.

    Right now people don't have much of an incentive to keep their systems secure, but if everyone who accessed Baidu suddenly lost their internet access, you can bet no one would touch it.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 31 Mar 2015 @ 9:09pm

    Chinas doing a cyberwar or something...

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 31 Mar 2015 @ 10:04pm

    Tor has started hiding behind Google, Amazon, and Microsoft DNS and IP addresses. Lookup Tor's Meek plugin if you're interested in how it works.

    https://trac.torproject.org/projects/tor/wiki/doc/meek

    Basically, when a Tor client tries connecting to the Tor network using Meek, the only thing a censor will see is the client trying to connect to https://www.google.com/. Then the Tor client is forwarded to meek-reflect.appspot.com inside Google's internal network. From there the client is finally forwarded to a Tor bridge running outside Google's network.

    In order for a censor such as China to block Tor clients using the Meek plugin. China would need to block all of Google.com IP addresses, plus all of Amazon's Cloudfront IP addresses, plus all of Microsoft's Azure IP addresses. ALL IP addresses that resolve for google.com, cloudfront.net, etc.

    So yes, China is freaking out because the collateral damage caused by their their future censorship attempts will be massive. Both economically and legally. Blocking and DOSing multinational corporations could be seen as protectionism and unfair competitive tactics. Which could bring lawsuits against China in international "free trade" courts of law.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 31 Mar 2015 @ 10:34pm

    U.S. State Department does jack

    U.S. State Department has nothing to say about China's DDoS.


    Daily Press Briefing, Washington, DC, March 30, 2015
    Index for Today's Briefing... CHINA

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 31 Mar 2015 @ 11:15pm

    Re: Re: HTTPS under attack

    the NSA and the FVEY bitches already have this tool, its called QUANTUM INSERT and can be used to pull off an attack like this.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 31 Mar 2015 @ 11:18pm

    Re:

    Please provide any proof at all that directly attributes this attack to China.
    Thanks.

    link to this | view in thread ]

  24. identicon
    Anonymous Coward, 31 Mar 2015 @ 11:38pm

    Re: Re:

    "Please provide any proof at all that directly attributes this attack to China. Thanks."

    I reject your reality and substitute my own.

    link to this | view in thread ]

  25. icon
    Padpaw (profile), 31 Mar 2015 @ 11:40pm

    Wonder if this has anything to do with the FBI recently stating they gave themselves the authority to hack into other countries national infrastructure because they won't let a little thing about them having no authority to committ a web based attack against foreign nations stop them or because terrorism means they can do whatever they want whenever they want

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 31 Mar 2015 @ 11:44pm

    Re: U.S. State Department does jack

    Of course not. They don't want trouble with the ruling party.

    link to this | view in thread ]

  27. icon
    Ninja (profile), 1 Apr 2015 @ 4:03am

    Re: Users (and browser vendors) can help fight this

    I second that. But as an active user of RequestPolicy I have a request for the sites: express explicitly which requests are absolutely needed for minimum functionality to the site. And don't lie, I will absolutely test it.

    Techdirt is a good example of a site with too many goddamn requests for external stuff. Which should I allow for minimum functionality? With some testing you can eventually figure out but it makes things easier.

    Now it takes another level of evil like adobe where you must have their tracker unblocked to use basic functionality...

    link to this | view in thread ]

  28. identicon
    HMTKSteve, 1 Apr 2015 @ 5:37am

    URL

    Why not just change the URL? Keep hosting the content but give it a new URL.

    link to this | view in thread ]

  29. identicon
    eye sea ewe, 1 Apr 2015 @ 6:27am

    Re: Re: Users (and browser vendors) can help fight this

    I have installed this today and I have not turned on any of the blocked destinations and techdirt.com works fine for me.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 1 Apr 2015 @ 11:23am

    Re: HTTPS under attack

    Technically they can if the pages are static.

    link to this | view in thread ]

  31. identicon
    Knucklebusted, 2 Apr 2015 @ 6:31am

    HTTPS Proxy?

    If China was omnipotent as everyone believes, they'd simply redirect all traffic through a mandatory proxy, which breaks and reassembles HTTPS or just breaks HTTPS if it can't.

    I question the validity of the assertions in this article as all the facts seem to be trivial to invent for someone less sophisticated in the ways of filtering traffic.

    link to this | view in thread ]

  32. icon
    Sheogorath (profile), 3 Apr 2015 @ 3:41am

    Re: Re:

    How's about the fact that the Great Firewall of China was set up by the Chinese government? That do you? Oh, wait, you're completely anonymous. Figures...

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 4 Apr 2015 @ 2:48am

    Re: Re: Re:

    YES the Great Firewall of China was set up by the Chinese Government; well done.
    You may be failing to understand the technology.

    "There's nothing China did this last couple of weeks that the Five Eyes' QUANTUM setups aren't already tooled to do: QUANTUMINSERT can be used to inject the JavaScript, just change the selectors and the payload. Indeed, I believe this capability has already been privately trialled by GCHQ. (QUANTUMSLAMMER, was it?)

    It is not advanced technology: TCP just has no protection here. Anyone capable of in-path packet surveillance and in-/by-path packet injection on a significant link can pull off this exact same attack. You could co-opt a router to do it: GCHQ have.

    We're going to need pervasive (authenticated) encryption to defeat it."

    link to this | view in thread ]

  34. icon
    Sheogorath (profile), 6 Apr 2015 @ 8:20pm

    Re: Re: Re: Re:

    Wow, you just completely derailed the topic! Well done, fuckbag.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 1 May 2015 @ 7:54pm

    ^^ you asked the question

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.