China Appears to Attack GitHub by Diverting Web Traffic

The Chinese government has long used a sophisticated set of Internet filters known as the Great Firewall as a barrier to prevent its citizens from obtaining access to foreign websites with information it deems threatening.

But in a recent series of cyber-attacks on websites that try to help Internet users in China circumvent this censorship, the Great Firewall appears to have been used instead as a weapon, diverting a portion of the torrents of Internet traffic that flow through it to overload targeted websites.

In doing so, the Chinese government is taking advantage of and damaging one of China's own Internet companies: Baidu. The attacks appear to hijack advertising and analytics traffic intended for Baidu, China's largest search company, and then send that traffic to smaller websites in what is known as a distributed denial of service or DDoS attack. The huge flow of traffic has the effect of crashing the sites.

The aggressive new strategy shows vividly how Beijing is struggling to balance its desire to control the flow of information online with the aim of encouraging the growth of its tech sector.

The main target of the recent barrage is GitHub, a popular website that acts as a library of code for programmers. While it is indispensable for tech companies in China, it also hosts several pages that enable users to view sites blocked in the country.

Because GitHub is fully encrypted, China's domestic Web filters cannot distinguish between pages that host code useful to programmers and code that circumvents censorship. In 2013, when the government fully blocked GitHub, it caused an outcry among China's many computer engineers, leading to the site's subsequent unblocking.

The new attacks take more of a siege approach, hitting the site with a costly and difficult-to-manage barrage of traffic in the hopes it will remove two pages, one with code from GreatFire.org - a nonprofit organization that runs mirrors of blocked sites including Google, the BBC and The New York Times - and another that hosts links to mirror sites of the Chinese version of The New York Times.

Eileen Murphy, a spokeswoman for The Times, declined to comment on the attacks.

"This is a huge problem for free expression," said Lokman Tsui, an assistant professor at the Chinese University of Hong Kong. He added that these attacks could lead sites like GitHub to decide it is too much trouble to host content deemed problematic by China.

"This is a message to the people who maintain GitHub: Either you kick out GreatFire and The New York Times, or we'll keep this up," said Mikko Hypponen, chief research officer at the security firm F-Secure.

(Also See: GitHub Undergoes Days-Long DDoS Cyber-Attack)

The new attacks come as Beijing has increased censorship in China, and grown more vocal about how the Internet should be governed globally. In a number of recent public appearances, China's Internet czar, Lu Wei, has called for respect for China's Internet sovereignty, meaning that China should have the right to manage the Internet within its borders as it wants.

But the GreatFire.org material on GitHub, which is based in San Francisco, offers an unusual exception. By offering code that unblocks sites within China, it is assumed to be violating Chinese laws from abroad. James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, said the attack was an attempt to deal with extraterritoriality on the Internet.

"China is trying to redefine the rules of the Internet and they're feeling their way forward as they do it," he said. "This is one of another set of actions to say China will have a bigger voice in how the Internet works."

He added that the United States had reacted strongly to distributed denial of service attacks by Iran in the past, and in this case the Obama administration could increase pressure and enact stiffer penalties against China if these types of attacks continue.

If the style of the most recent wave of attacks is well known, novel elements present major difficulties for those seeking to keep the site up, according to a number of security experts. In particular, because the traffic comes from real users scattered across the globe, instead of a concentrated network of infected computers, it is hard to sort the real traffic from the fake.

Experts said they could not be certain who was behind the attacks. But it appears that signals to or from Baidu ads and analytics tools are being redirected toward the targeted sites when users outside China visit a site inside China. Because the signals seem to be diverted at the gateway between China and the rest of the world, analysts suspect the government and the Great Firewall.

In a post on a security website run by Insight Labs, an analyst wrote that "a certain device at the border of China's inner network and the Internet has hijacked" connections going into China.

"In other words," the post continued, "even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech."

Hypponen said the on-again off-again waves of attack traffic acted similarly to the way the Great Firewall filters, and that the capabilities and motivations also pointed to Beijing.

In a statement Friday, GitHub said the attack was the largest of its type to have targeted the site and that the attack featured "some sophisticated new techniques that use the Web browsers of unsuspecting, uninvolved people to flood GitHub.com with high levels of traffic."

"Based on reports we've received," the company said, "we believe the intent of this attack is to convince us to remove a specific class of content."

As of Monday GitHub said services were operating normally, but attack traffic continued.

The attacks also put Baidu in a difficult position. Calling it the price of doing business in China, Tsui said the company was "being used" and pointed out that the attack was directly hitting the company's bottom line by interrupting advertising traffic.

In a statement, Kaiser Kuo, a Baidu spokesman, said the company found no security breaches and was working with other organizations to get to the bottom of the attack.

© 2015, The New York Times News Service