DDoS attacks that crippled GitHub linked to Great Firewall of China

Earlier this week came word that the massive denial-of-service attacks targeting code-sharing site GitHub were the work of hackers with control over China’s Internet backbone. Now, a security researcher has provided even harder proof that the Chinese government is the source of the assaults.

In Tuesday’s story, Ars explained that the computers pummeling GitHub pages all ran a piece of JavaScript that surreptitiously made them soldiers in a massive DDoS army. The JavaScript was silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics. When everyday Internet users visited a site using the Baidu-supplied tracker, the injected code caused their browsers to constantly load two GitHub pages: one a mirror of anti-censorship site GreatFire.org, the other a copy of the China edition of The New York Times.

Besides the motive of taking out pages the Chinese government doesn’t want its citizens to see, there was technical evidence supporting the theory that the attack had the support of China’s leaders. To wit, the packets transmitting the malicious JavaScript had vastly different TTL (time-to-live) values, ranging from 30 to 229, compared with 42 for the legitimate analytics code. This technical detail all but proved the DDoS code was coming from a source inside China other than the visited website.
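As an added illustration that is not part of the article, the TTL contrast described above can be turned into a simple defensive check over captured response packets: responses from one server normally arrive with a tightly clustered TTL, so a packet whose TTL is far off that baseline most likely originated on a different box along the path. The IP addresses, TTL values and payload labels below are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample of response packets as a client-side capture might record
# them: (server_ip, ip_ttl, payload_label). TTLs mirror the article's contrast
# (legitimate analytics script at ~42, injected script at 30 and 229).
SAMPLE_PACKETS = [
    ("203.0.113.10", 42, "<expected analytics script, chunk 1>"),
    ("203.0.113.10", 42, "<expected analytics script, chunk 2>"),
    ("203.0.113.10", 41, "<expected analytics script, chunk 3>"),
    ("203.0.113.10", 229, "<unexpected script body>"),
    ("203.0.113.10", 30, "<unexpected script body>"),
    ("198.51.100.5", 57, "<page html>"),
    ("198.51.100.5", 57, "<page css>"),
]


def baseline_ttl(packets):
    """Most common TTL per server IP.

    Legitimate responses from one host traverse a stable route, so their TTL
    clusters around a single value. Assumption: genuine packets outnumber
    injected ones; if an injector dominated the capture the mode would be wrong.
    """
    per_host = defaultdict(Counter)
    for host, ttl, _ in packets:
        per_host[host][ttl] += 1
    return {host: ttls.most_common(1)[0][0] for host, ttls in per_host.items()}


def flag_ttl_anomalies(packets, tolerance=4):
    """Return packets whose TTL differs from the host baseline by more than
    `tolerance` hops. A hop or two of drift is normal route variation; a jump
    of dozens of hops means the packet was almost certainly emitted by an
    on-path device rather than the server the client addressed."""
    base = baseline_ttl(packets)
    return [(host, ttl, label) for host, ttl, label in packets
            if abs(ttl - base[host]) > tolerance]


if __name__ == "__main__":
    for host, ttl, label in flag_ttl_anomalies(SAMPLE_PACKETS):
        print(f"suspect packet from {host}: ttl={ttl} payload={label}")
```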



Ars Technica » Technology Lab