Global Internet War – Chinese Great Cannon

Last Updated on August 22, 2023

We’ve all seen those scaremongering stories on mainstream media about cyber wars and the internet becoming a battlefield. Usually these are rather over the top; however, a story is breaking now which makes them seem much more of a reality.

The story starts with a web site called greatfire.org which provides news and information around Chinese censorship in general and the Great Firewall of China specifically.  It contains lots of information and links to VPN and proxy tools like Identity Cloaker which can be used to circumvent the Chinese firewall and surf without restrictions.
Now obviously sites like these are not very popular with the Chinese authorities and generally can be difficult to access directly (although the site is mirrored across several locations).  It comes as no great surprise that sites like these are routinely blocked, but what has happened next is a significant escalation by the Chinese authorities.

Unleash the Great Cannon 

On the 16th March the greatfire servers came under a huge DDoS attack, and 10 days later an open source developer’s site called GitHub came under a similar attack. Basically the sites experienced a huge surge in traffic which their servers were unable to cope with, and they simply fell over.

The attacks originated from thousands of computers, mainly across Asia (although outside China). The sources were thousands of clients running injected JS scripts, delivered in traffic which appeared to be destined for Baidu (the Chinese search engine).

At first it was unclear who was responsible for coordinating these attacks, until Citizen Lab, a group based at the University of Toronto, investigated the attacks and released this report. It is from their hard work that we can see the real culprit behind these attacks.

Basically the Chinese have developed a system which can intercept foreign unencrypted traffic destined for any location in China, then insert malicious JavaScript to attack any target they specify. This offensive system has been dubbed the Great Cannon of China, and in this instance it performed this man-in-the-middle attack against the two sites greatfire and GitHub. A large proportion of unencrypted traffic was intercepted and diverted to these sites in order to overwhelm them.

So just to explain, if you had perhaps used Baidu on the 16th March, your browser may have been involved in the attack completely without your knowledge.  The Chinese have developed a system which is able to leverage internet traffic to basically destroy any web site they wish for a limited time.

Of course, those worried about a one-sided war where the Chinese obliterate sections of the internet should be aware that the UK and USA intelligence services have already developed and tested similar technology. However, for free speech and internet neutrality it’s an extremely worrying development.

Summary 

It’s an extremely aggressive and high profile attack. The report seems fairly conclusive that it was conducted by the Chinese state, with parts of the code from libraries identified from the Great Firewall and several confirmed locations on the firewall injecting the scripts.

The worry is that the Chinese will so openly inject malware into any inbound traffic and redirect it at any target they like. This man-in-the-middle attack could easily be redirected at any target they wish. Although larger sites may be able to cope in the short term, effectively it could finish any web site without significant resources. The bandwidth bill of greatfire.org shot up by tens of thousands of dollars during the attack, costs that most web owners wouldn’t be able to cope with. In fact small sites could easily be subverted quickly and efficiently using these methods – read this post which records the demise of Tomaar.net, a Saudi Arabian discussion forum.

Technically there is an even more worrying possibility, in that any computer can potentially be compromised by simply visiting any Chinese website without encryption.  The code could be altered to identify specific computers (perhaps IP addresses used by foreign Government computers)  and then infect them directly rather than launching an attack on a third party.

The possibilities and threats are endless, so unless you want to be involved in an attack it’s probably not a wise move to visit any Chinese (non-HTTPS) website without using encryption. This can be difficult to identify, though, as adverts and analytics which you can’t see are often embedded into websites.
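
The embedded adverts and analytics mentioned above are hard to spot by eye, so a site owner can audit a page for every subresource it pulls over plain http://, which is the traffic an on-path system is able to rewrite. This is an added example, not code from the original post or the Citizen Lab report; the sample page and all host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource.
URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class CleartextAudit(HTMLParser):
    """Collect subresources that a page loads over unencrypted http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(URL_ATTR.get(tag, ""))
        if not ref:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative ("//host/x.js") references
        # the way a browser does, so they inherit the page's own scheme.
        url = urljoin(self.page_url, ref)
        parts = urlparse(url)
        if parts.scheme != "http":
            return
        self.findings.append({
            "tag": tag,
            "url": url,
            "third_party": parts.hostname != self.page_host,
            # Scripts and frames run code, so a rewritten response executes
            # in the visitor's browser; images and styles do not.
            "executes": tag in ("script", "iframe"),
        })

def audit(html, page_url):
    """Return one finding per subresource fetched in cleartext."""
    parser = CleartextAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<html><head>
<script src="http://analytics.example/track.js"></script>
<script src="//ads.example/show.js"></script>
<script src="https://cdn.example/lib.js"></script>
<link rel="stylesheet" href="/site.css">
</head><body>
<img src="http://img.example/banner.png">
<iframe src="https://video.example/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "http://blog.example/post"):
        print(finding)
```

Serving the same page from an https:// address removes the protocol-relative and relative findings, leaving only the references hard-coded to http://.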

Commercial pressure will hopefully do some damage and stop the Chinese attacks; internal pressure stopped the attack on GitHub, as it’s a powerful resource used by many Chinese programmers. It’s not going to do a great deal for any Chinese-based internet commerce or technology company either. Who wants to risk being directly involved in the crazed attacks of the Chinese state on free speech websites?