Chris Doman of AlienVault reports that the Great Cannon has been used to DDoS a Hong Kong–related web site, ongoing now since 2019-11-25, but first detected in September 2019. This is the third documented use of the Great Cannon. The first was against GitHub in 2015, and the second was against mingjingnews.com in 2017.
The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses data from UrlScan.io, we identified new attacks likely starting Monday November 25th, 2019.
Websites are indirectly serving a malicious javascript file from either:
http://push.zhanzhang.baidu.com/push.js; or
http://js.passport.qihucdn.com/11.0.1.js
Normally these URLs serve standard analytics tracking scripts. However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code.
LIHKG has been under unprecedented DDoS attacks in the past 24 hours. We have reasons to believe that there is a power, or even a national-level power, behind organising such attacks, as botnets from all over the world were manipulated into launching this attack.
Here are the figures on the attack during the period 0800 - 2359 on 31 August 2019:
Total request exceeded 1.5 billion;
Highest record on unique visitors exceeded 6.5 million/hr;
Highest record on the Total Request frequency was 260k/sec, which then lasted for 30 minutes before it was banned.
A reminder of how the Great Cannon works: the unwitting DDoS attackers are not web users in China, but web users outside China. When someone outside China browses a web site that includes one of the above .js resources, their HTTP requests traverse the Great Firewall, and that is where the malicious code is injected. Global Voices has a good summary (archive):
While LIHKG has blocked all IPs from mainland China, when someone from overseas visited Baidu or Qihoo360 hosted in mainland China, the script would point them to LIHKG and hence the forum faced a massive DDoS attack coming from all over the world.
Here is the obfuscated malicious JavaScript file linked from the report, which also mentions "bugs in the malicious Javascript code that we won't discuss here." Doman links to (archive) several other samples (archive) and an unobfuscated version.
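The injection mechanism above suggests a simple defender-side check, written here as an added example (not the AlienVault or LIHKG script): fetch the same analytics script URL repeatedly from outside China, treat the majority hash as the baseline, flag copies whose hash differs (the Cannon only swaps a fraction of responses), and emit a Subresource Integrity tag that a site embedding the script could use over HTTPS so a swapped copy is refused. The fetched bodies below are constructed stand-ins, and the https scheme in the emitted tag is an assumption about how a site would load the script.

```python
import base64
import hashlib
from collections import Counter

# Constructed sample bodies standing in for repeated fetches of one
# analytics script URL from outside China. They are not the real tracking
# script nor the injected payload; only the divergence between them matters.
GOOD_BODY = b"(function(){/* constructed stand-in for the normal analytics script */})();\n"
ODD_BODY = b"/* constructed stand-in for a swapped-in copy */ var x = 1;\n"
SAMPLE_FETCHES = [GOOD_BODY, GOOD_BODY, GOOD_BODY, ODD_BODY, GOOD_BODY]


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def sri_value(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a known-good body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def classify_fetches(bodies):
    """Majority-vote baseline over repeated fetches of one script URL.

    Because only a fraction of responses are swapped on the fly, copies
    whose hash differs from the majority are the ones worth analysing.
    Returns (baseline_sha256, anomalous_indices, anomaly_ratio).
    """
    if not bodies:
        raise ValueError("need at least one fetched body")
    hashes = [sha256_hex(b) for b in bodies]
    baseline, _ = Counter(hashes).most_common(1)[0]
    anomalies = [i for i, h in enumerate(hashes) if h != baseline]
    return baseline, anomalies, len(anomalies) / len(bodies)


def sri_script_tag(src: str, known_good_body: bytes) -> str:
    """<script> tag that makes the browser refuse a copy whose hash differs.

    Only meaningful over https: on plain http the tag itself can be rewritten.
    """
    return (f'<script src="{src}" integrity="{sri_value(known_good_body)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    base, odd, ratio = classify_fetches(SAMPLE_FETCHES)
    print(f"baseline {base[:16]}... anomalies at {odd} ({ratio:.0%})")
    print(sri_script_tag("https://push.zhanzhang.baidu.com/push.js", GOOD_BODY))
```

A pinned integrity value breaks when the vendor legitimately updates the script, so the baseline hash has to be refreshed whenever the majority hash changes across clean vantage points.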
The "Great Cannon" has been deployed again (archive)
LIHKG has published its own report of the attack, dated 2019-08-31.