Chinese attackers used the Great Firewall’s offensive sister-system, named the Great Cannon, to launch a recent series of distributed denial of service attacks targeting the anti-censorship site, GreatFire.org, and the code repository, Github, which was hosting content from the former.

The first set of DDoS attacks hit GreatFire.org on March 16. On March 26, Github became an unwitting victim in the attack, as another DDoS knocked it offline. It is widely believed that the attackers launched these attacks in an attempt to shut down services aimed at circumventing China’s massive content blocking infrastructure, known as the Great Firewall. The University of Toronto Munk School of Global Affairs’ Citizen Lab, along with help from the International Computer Science Institute, the University of California at Berkeley and Princeton University, began quietly monitoring the attacks on March 18 and continued to watch the events unfold until April 8.

China’s Great Firewall doesn’t really operate as a barrier at all. Rather, the Great Firewall monitors connections between China and the global Internet for banned content, which it blocks by injecting forged TCP reset packets that cause both the sender and the recipient communications to stop and, in turn, blocks banned traffic.

“On-path systems have architectural advantages for censorship, but are less flexible and stealthy than in-path systems as attack tools, because while they can inject additional packets, they cannot prevent in-flight packets (packets that have already been sent) from reaching their destination,” explained Citizen Lab in a report. “Thus, one generally can identify the presence of an on-path system by observing anomalies resulting from the presence of both injected and legitimate traffic.”

While there are several structural and code-base similarities between the two, the Great Cannon is described as “a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”

For example, Citizen Lab says the Great Cannon is an in-path system capable both of suppressing and injecting traffic. Unlike the Great Firewall, the Great Cannon does not monitor all traffic but instead only that traffic originated from a set of chosen IP addresses. Furthermore, the Great Cannon conserves computing resources by examining only individual packets, whereas the Great Firewall requires massive computing resources in order to perform TCP bytestream reassembly. While Web requests are often one-packet affairs, Web replies can contain multiple packets, which the Great Firewall must reassemble in order to properly block banned content.

In the case of these DDoS attacks, the Great Cannon intercepted traffic bound for Baidu’s analytics servers. Baidu is the Chinese variety of Google. If the Great Cannon saw Baidu requests for javascript files, it would then make one of two probabilistic decisions: 98.25 percent of the time, the traffic moved along as normal and 1.75 percent of the time, it sent a malicious a script back to the user, who was then an unknowing participant in the DDoS attacks. The 1.75 percent were always users outside China that had somehow come to access a site roped into Baidu’s analytics infrastructure or using Baidu’s traffic reporting services.

One technical but noteworthy difference between the two systems is that in a test of the Great Firewall, Citizen Lab could see both the injected TCP resets and the legitimate server response. For the Great Cannon, there was no legitimate server response accompanying the maliciously injected reply. Citizen Lab determined that the Great Cannon is dropping requests before they even reach Baidu, which constitutes a feature not available to the Great Firewall.

Additionally, the two systems deploy similar but different content injectors. When the Great Firewall injects packets, it quantifies them by changing the IP time-to-live (TTL) field. The Great Cannon does so as well. However, an analysis of the two injection techniques revealed that the Great Cannon and Great Firewall’s injected TTL values shared no similarities. The Great Cannon also ignored certain request that triggered blocking by the Great Firewall, further solidifying the belief that the Great Cannon only targets particular IP ranges.

Another important distinction is that the Great Cannon only operates on the very first packet when it determines whether or not to inject a malicious response. In this way, Citizen Lab explains, the Great Cannon will process invalid HTTP requests, while the Great Firewall will not. It makes sense too, because the Great Cannon is not concerned with the contents of a packet, because it is not seeking to potentially block them.

Furthermore, the Great Firewall acts deterministically, meaning it always injects traffic once it observes packets meeting the target criteria. The Great Cannon, as mentioned earlier, acts probabilistically, meaning it only inject malicious traffic sometimes after analyzing a target packet, opting to ignore most of the traffic upon which it could act.

Attribution of the Great Cannon to China is based primarily on findings suggesting that it is co-located within the Great Firewall infrastructure. The Great Cannon, because it only acts on initial packets, is a poor censorship tool. According to Citizen Lab, it has no censorship capabilities not already possessed by the Great Firewall. Thus, they say the evidence indicates that the Great Cannon’s role is to inject traffic under specific targeted circumstances, not to censor traffic.

A technically simple change in the Great Cannon’s configuration, switching to operating on traffic from a specific IP address rather than to a specific address, would allow its operator to deliver malware to targeted individuals who communicates with any Chinese server not employing cryptographic protections

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users,” the report concludes. “Specifically, the Cannon manipulates the traffic of ‘bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.”

The use of the Great Cannon and it’s exploitation of Baidu ultimately reveals that the Chinese regime is willing to put at risk the substantial economic benefits of having Baidu within its economy in order to maintain strict content control over its citizens.

Baidu, for its part, has denied any involvement in the attack.

“A technically simple change in the Great Cannon’s configuration, switching to operating on traffic from a specific IP address rather than to a specific address, would allow its operator to deliver malware to targeted individuals who communicates with any Chinese server not employing cryptographic protections,” Citizen Lab reasons.

Categories: Government, Vulnerabilities, Web Security