lolloj - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Massive GitHub DDoS attack tied to Chinese government

Security experts say the largest DDoS attack in GitHub history, which lasted five days, was the work of the Chinese government.

A massive, persistent distributed denial-of-service (DDoS) attack that struck social coding site GitHub has finally come to an end after five days, and experts are pointing the finger at China.

After 118 hours of sustained DDoS attacks, GitHub announced Tuesday morning on its status page that its defenses were holding and the threat had been downgraded. The attack, according to GitHub, was the largest in the site's history.

"[The attacks] include every vector we've seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood with high levels of traffic," according to the GitHub blog. "Based on reports we've received, we believe the intent of this attack is to convince us to remove a specific class of content."

According to security expert "[email protected]," a penetration tester with security organization Insight-Labs who studied the GitHub incident, the DDoS attack used redirected traffic coming from international users of Baidu -- the largest search engine available in China.

"[The GitHub DDoS attack] appears to be HTTP hijacking," [email protected] wrote in a blog post, adding that the attack involved the injection of malicious JavaScript. "A certain device at the border of China's inner network and the Internet has hijacked the HTTP connections that went into China, and replaced some JavaScript files from Baidu with malicious ones that would load and every two seconds."

One of the blocked GitHub URLs is the Chinese version of The New York Times. The other,, is an anti-censorship site focused on the Chinese government.

Interestingly, this marked the second attack on GreatFire in a matter of weeks. The first attack targeted the organization's Internet Project, which creates a set of mirror websites for addresses that are blocked by the Chinese government. The mirror sites are hosted on large CDNs, according to GreatFire, including Amazon's Cloud Front.

"[The] project reported on their website that they were suffering from a large Denial of Service attack that started the day before," according to GreatFire. "More than ten million computers distributed all over the world were sending requests to servers hosted behind Amazon's Cloud Front."

This attack method was similar in its use of redirected Baidu traffic, but [email protected] said the size of Amazon Web Services (AWS) mitigated the damage. "AWS was able to handle this because their scale is much larger than GitHub," [email protected] told

[email protected] said both the GreatFire DDoS attack and the GitHub DDoS attack involved the use of primarily international traffic. Approximately 50 million Chinese speakers live outside of China, [email protected] said, and even a fraction of these users' redirected traffic is enough to cause problems for a site.

"The reason for why only international traffic was used is unknown, but domestic traffic can be used if they wanted," [email protected] said. "My guess would be -- they want the attack to come from all directions so the target cannot easily block it."

The nature of the GitHub attack has led researchers to conclude the Chinese government is to blame. "[E]ven people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech," [email protected] wrote in the blog post.

Swedish network software firm Netresec also connected the attack to the "Great Firewall of China," which is the Chinese government's Internet filtering and monitoring system. "This attack demonstrates how the vast passive and active network filtering infrastructure in China, known as the Great Firewall of China or 'GFW', can be used in order to perform powerful DDoS attacks," the company wrote in its report.

Larry Salibra, co-founder of software testing marketplace Pay4Bugs, also put the blame on the Chinese government, despite the attempts to make it appear that the DDoS attack was coming from outside the country.

"[The attack] leverages unsuspecting website visitors with uncompromised machines to create a DDOS attack," Salibra wrote in a blog. "It makes a China-based attack appear to come from outside of China, by only inserting the compromising JavaScript code in Baidu CDN requests made outside of China."

This tactic is a way to squelch the popular developer site after backlash from Chinese developers when the Chinese government tried to block GitHub altogether, according to Salibra.

According to Reuters, a Baidu spokesperson in Beijing claimed a thorough investigation by the company had found no security problems and no hacking on Baidu's end. But [email protected] was skeptical of Baidu's claims.

"If they were actively monitoring their services like all IT companies," [email protected] said, "I doubt Baidu was unaware of it."

GitHub representatives declined to comment further on the matter. Baidu representatives could not be reached for comment.

Next Steps

Find out how to deny DDoS attacks with best practices and mitigation plans

Dig Deeper on DDoS attack detection and prevention