The barrage of web traffic that sank the sites of GitHub and GreatFire.org for a weekend, two weeks ago, was the world's first look at one of China's latest weapons of cyber warfare: the Great Cannon.
Though China's Great Cannon earned its name about two weeks ago, the moniker was only recently given to the cyber weapon in an analysis of the attack.
The study was conducted by the Citizen Lab at the University of Toronto, the International Computer Science Institute (ICSI) and the University of California, Berkeley. The study outlined the what, why and how of the attack on GitHub and the weapon used to carry out the assault.
A Show of Force
GitHub described the distributed denial of service (DDoS) attack as the most devastating offensive the site has faced in its history. The host of software development repositories was lambasted with traffic from unwitting web surfers and used as a proxy attack to cripple sites in China.
Security experts have stated their belief that China flooded GitHub with traffic to strike GreatFire.org, a privacy watchdog group, and the Chinese language version of the New York Times. Backups of both sites were hosted by GitHub.
"Their willingness to be so public mystifies me," said Nicholas Weaver, an ICSI researcher who took part in the joint study. "But it does appear to be a very public statement about their capabilities."
The Inner Workings of the Great Cannon
China's Great Cannon works in conjunction with China's Great Firewall, a massive system of firewalls capable of filtering the entire country's web traffic.
The Great Firewall expends the bulk of its resources disassembling and reassembling packets of information to scrutinize the requests they contain. The firewall system blocks requests to blocked websites.
The Great Cannon functions similarly to the Great Firewall, but the Great Cannon can inject scripts into web requests and even suppress traffic. It intercepts traffic headed to specific websites in the country, such as search giant Baidu, functioning as a massive man-in-the-middle as opposed to a security check like the Great Firewall.
The researcher discovered that the attacks inject javascript into a small percentage of web traffic passing through it, using the infected browsers to carry out simple tasks that, in concert with millions of others, deliver massive effects.
The Great Cannon targets unencrypted traffic streaming into China from the outside, letting the majority of the request go through without being manipulated, but injected about 1.75 percent of it with malicious scripts. In the GitHub attack, the 1.75 percent of traffic sent to the world's second largest search engine, Baidu, was more than enough to keep the site crippled for days on end.
How to Avoid Being a Cannon Ball for China
There are no sure ways to avoid being used by China to unwittingly take part in a cyber attack, besides skipping all sites based in the country.
The next best route, for now, is to encrypt every request sent into the China, because the Great Cannon looks for tracks that it can read. That's the lesson to be learned from the Great Cannon: encrypt everything.
"If you have to worry about a nation state adversary and if they can see an unencrypted web request that they can tie to your identity, they can use that as a vehicle for attack. This has always been the case, but it's now practice," Weaver said.