The attack turned visitors of other websites into weapons to target an anti-censorship group.
Late Thursday night, the popular coding site GitHub announced that someone had been attacking the site with a "continuous" distributed denial of service attack for more than 24 hours.
Hours later, the site was still working to mitigate the attack, and activists as well as computer security experts started pointing the finger at China as the "someone" behind it.
The DDoS attack is amplifying again. We are working to mitigate with all hands on deck.
— GitHub Status (@githubstatus) March 27, 2015
China was hijacking internet traffic so that everyone who visited any site that contained scripts from Chinese Internet giant Baidu would make a request to visit two specific pages hosted inside GitHub, with the goal of overloading them with traffic, according to a security researcher that goes by the name of Anthr@x.
"In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech," Anthr@x wrote in a blog post analyzing the attack.
"People outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech."
In fact, the two pages targeted were the GitHub page of GreatFire, a well-known group that fights against Chinese censorship, and another page set by the group that hosts New York Times mirrors to allow Chinese netizens to access the paper's site, which is normally blocked.
Other experts also have little doubt that China was behind this attack.
"I have no proof it's the Chinese government," Mikko Hypponen, a renowned security expert and chief research officer for F-Secure, told Motherboard. "But who else would have the motive? Who else would have the capability to hijack traffic like this?"
6/ we suspect such attack is govt-backed, and need access to network infrastructure to achieve. this also linked to recent attack on AWS.
— 比特客栈的寻行数墨 (@bitinn) March 27, 2015
In the last year, GreatFire has begun using GitHub, as well as Amazon cloud hosting service AWS, to avoid Chinese censors.
Girhub's whole site uses HTTPS encryption, so when a Chinese netizen visits content hosted on the site, Chinese censors can only see that the user is visiting github.com, but not the full URL address within GitHub. So China can't selectively block just some content on GitHub without blocking the entire site. (GitHub did not immediately respond to Motherboard's request for comment.)
That's what GreatFire and other Internet Freedom activists call "collateral freedom," and it seems China is determined to find new ways to block websites it doesn't like. (We have tried to reach out to China's cybersecurity and Internet czar Lu Wei, but have not received a response yet.)
This seems to be the latest in a recent escalation in the tensions between the Chinese government and GreatFire, which has been monitoring censorship and creating circumvention tools for years.
In January, the Chinese government called GreatFire an "anti-China website set up by an overseas anti-China organization." And earlier this month, GreatFire's websites were targeted by another DDoS attack, probably orchestrated by China as well.
UPDATE 27/03/2015, 3:54 p.m. ET: GitHub called this attack the "largest DDoS attack in GitHub's history," in a blog post published on Friday afternoon. The company didn't reveal many new details, but said the attack used various sophisticated techniques "that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic," confirming the analysis of independent researchers.
GitHub did not point the finger but said that it believed "the intent of this attack is to convince us to remove a specific class of content."
A company spokesperson declined to answer Motherboard's questions.