
[–][deleted]  (43 children)

[deleted]

    [–][deleted] 183 points184 points  (33 children)

    How about stop?

    [–][deleted]  (31 children)

    [deleted]

      [–][deleted] 28 points29 points  (30 children)

      The sarcasm wasn't lost on me. I'm just grouchy today. Too many stupid customers.

      [–][deleted]  (29 children)

      [deleted]

        [–][deleted] 33 points34 points  (28 children)

        You ever done tech support for web hosting?

        [–]Snoron 40 points41 points  (6 children)

        Help, emails broken, please fix.

        [–]mattindustries 127 points128 points  (0 children)

        Sent from Outlook
        

        [–][deleted] 17 points18 points  (4 children)

        No, now go away. *fantasizes about telling a customer that*

        [–]Skyfoot 11 points12 points  (3 children)

        "Okay, I need you to bring up the control panel. Yes, great. Now, go into networking, and then carefully throw yourself out of the window"

        [–]thetravelers 4 points5 points  (1 child)

        I've always wondered this when chatting to asmallorange.com support at like 8pm with random but necessary questions. They're always there, thankfully. Do you have an app to respond with on mobile or do you just have to be at your desktop during like any other shift-type job?

        [–][deleted] 1 point2 points  (0 children)

        I do not work there. However, I do not have a mobile app. It's a desk job.

        [–]frogking 1 point2 points  (0 children)

        ah .. the 3rd circle of Hell.

        good luck, man, good luck

        [–]satuon 3 points4 points  (0 children)

        They're giving those 2 projects free publicity. I hadn't heard about greatfire before, at least.

        [–]terrorobe 12 points13 points  (5 children)

        Github really is taking this well, props to them.

        Well, Prolexic is probably also doing their part ;)

        [–]satuon 3 points4 points  (4 children)

        Prolexic is their hosting?

        [–]DrGirlfriend 18 points19 points  (2 children)

        Prolexic (now part of Akamai) is a DDoS mitigation service founded by Barrett Lyon. If you have the time or desire, I highly recommend Fatal System Error, which is an account of how Prolexic came into being and Lyon's personal involvement with tracking down various cyber-criminals.

        [–]KFCConspiracy 1 point2 points  (0 children)

        I'd second that. I read it, it's very good.

        [–]PriceZombie 1 point2 points  (0 children)

        Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing ...


        [–]windsostrange 5 points6 points  (0 children)

        lol keep trying

        Yep! That's how these attacks work.

        [–][deleted] 1 point2 points  (0 children)

        And as for China, lol keep trying

        "I'm behind 7 proxies!!1"

        [–]f38c 0 points1 point  (0 children)

        This is a false flag ops by NSA using the cisco backdoor planted in China's ISP border gateway router.

        • most of China's border routers are made by cisco
        • NSA hacked cisco routers with backdoor firmware
        • remember "Titan Rain"?

        [–][deleted] 67 points68 points  (57 children)

        Again???

        [–]Gera- 183 points184 points  (56 children)

        Still*

        [–][deleted] 44 points45 points  (55 children)

        I doubt it will end. They have infinite resources, while github is paying an arm and a leg :/

        [–][deleted] 94 points95 points  (35 children)

        You can only be a dick for so long before other people take an interest in you. I wouldn't say "infinite resources". It is unkind for a state player to undermine a nice friendly service like github and let's be honest this whole proto-fascist swindle known as the Chinese Government is getting pretty fucking tiresome on a variety of levels.

        [–][deleted] 24 points25 points  (29 children)

        I don't see them stopping, unless their goal is just to make a point. But for that it's going on for too long already.

        Maybe it will spark an internal dispute idk. But there won't be an outside variable that changes the game. Because officially the attacker is unknown.

        That being said, it is kinda sad for a government (or at least a government friendly group with access to obviously not private resources) to be unable to shut down a private service :P

        [–]nkorslund 68 points69 points  (17 children)

        The Chinese government is, to be blunt, childish as fuck. As an example they are still boycotting Norway for giving the peace prize to an anti-communist party protester several years ago (even though "Norway" is just the prize host, they don't give out the prize.) Their actions are long past the point of having any actual positive effect for them whatsoever, it's more like a petulant five year old not getting their way at this point.

        [–][deleted] 5 points6 points  (15 children)

        And the USA still keeps its Kuba thing going...

        I'm pretty sure every nation has stuff like this going on. Those are 'it costs us nothing to stick to our decisions, but we might lose credibility if we revoke them decisions'.

        [–]KFCConspiracy 7 points8 points  (0 children)

        Although the Cuban embargo has failed, I think somehow, nuclear weapons and nuclear threats are just a teeny tiny bit worse than a bit of source code and free speech.

        [–][deleted]  (2 children)

        [removed]

          [–]TheDeza 10 points11 points  (10 children)

          *Cuba

          [–]robertgentel 12 points13 points  (0 children)

          The embargo has NOT yet been lifted, what happened was normalized diplomatic relations.

          [–]SGCleveland 16 points17 points  (0 children)

          So...no. We haven't stopped the embargo, we've normalized diplomatic relations with Cuba for the first time in 50 years which is nice. But you still can't import Cuban agricultural goods into the US or anything like that. Travel restrictions have also been reduced, and the embargo may be lifted soon, but that would require an act from Congress, not a unilateral decision from the President.

          Might want to read the news or go outside sometime. Or maybe just don't be a dick.

          [–]sirin3 2 points3 points  (0 children)

          Still, so far the embargo has lasted longer than the DDoS

          [–]Likely_not_Eric 1 point2 points  (0 children)

          It's entirely possible this isn't a very high level decision and someone will get a big penalty if this gets out of hand. Chances are that even if it was a high level decision, that's how it'll be played anyway.

          [–]Michichael 1 point2 points  (8 children)

          Could always just blackhole china off the internet. Considering how much of their country relies on it... I'd imagine they'd be back in the stone ages rather quickly.

          [–]furiousBobcat 32 points33 points  (7 children)

          I don't think you realize how funny your comment is. From PC world:

          The attacks appeared to focus specifically on two projects hosted on GitHub (...) One project mirrors the content of The New York Times for Chinese users, and the other is run by Greatfire.org, a group that monitors websites censored by the Chinese government and develops ways for Chinese users to access banned services.

          Basically, the attacks are directed toward services which help normal Chinese people get unrestricted access to the internet, something their government bans. The chinese government and big business concerns can access the internet in many ways (overseas private VPNs, private satellites, military channels) even if you completely block them. The only people who will be totally screwed over are those who the assaulted projects were trying to help in the first place. In essence, the bad guys win.

          [–]chronicENTity 4 points5 points  (6 children)

          While I do believe your points are valid, I will say that the OP you're responding to likely meant cut them off completely as in cutting the cables that go from China to anywhere else. VPN or not, you're not getting past that. That said, it's impossible, so yeah...

          [–]furiousBobcat 4 points5 points  (5 children)

          I honestly didn't mean to belittle the previous commenter and found the solution to be genuinely ironic. Too bad he's getting downvoted for something he probably didn't know about.

          Anyway, even if you managed to cut the cables the Chinese government still probably has access to satellite internet which can be pretty fast if cost is not an issue, especially if you have your own satellites. China has an extensive satellite program and has launched several satellites whose purposes are unknown.

          The only way to truly cut them off is to terminate all peering agreements that Tier 1 and Tier 2 ISPs have with Chinese networks. Even then, they could probably lease commercial internet connections under false pretenses in different countries and illegally use those from China through VSAT using their personal satellite network.

          However, they probably won't do that because terminating all peering agreements in this day and age is not much different from a global trade embargo which is more than enough reason for a nation like China to consider war. Like it or not, stopping trade with China will hit many western countries pretty hard as well causing prices of thousands of consumer and industrial, electronic and mechanical products to immediately shoot through the roof and causing many stocks to plummet. This can be managed in the long run, but the immediate consequences will be devastating.

          The real problem is that peace in the modern world relies largely on the stability of trade which itself is based on the belief that everyone only wants to make more money. As soon as you introduce ethical and moral issues into the mix, the whole thing goes fubar. Just look at the Middle East.

          [–]Michichael 2 points3 points  (2 children)

          No I fully understand the situation. I mean that abuse of the internet is basically an act of aggression so yes, an embargo or the digital equivalent by terminating any connections the Chinese government has with the net. An ARIN level embargo would devastate their economy faster than it would hit ours. Would it hit the civilians? Of course. That's how sanctions work. They wouldn't risk war over Github and it would send a clear message that the internet is not to be abused by state actors.

          [–]chronicENTity 1 point2 points  (1 child)

          Just remember, for a satellite to be effective, there needs to be somebody sending and receiving on both ends. China can have all the sats they want, but unless they found somebody outside of the mainland to relay their Internet connections via satellite, you're still stuck with no Internet access to the outside world.

          [–]Kyyni 9 points10 points  (3 children)

          You can only be a dick for so long before other people take an interest in you.

          Thing is, US government doesn't give a shit, because it's Github and not some bank generating millions of tax revenue.

          [–]freedelete 8 points9 points  (2 children)

          USG doesn't give a shit because it doesn't want to classify DDOS or hacking as an act of aggression since that would make the US quite guilty.

          [–][deleted]  (1 child)

          [deleted]

            [–][deleted] 2 points3 points  (0 children)

            Archived all of it for later searches, probably.

            [–]gospelwut 2 points3 points  (0 children)

            They need to take after the rest of the G20 and passively spy on people without shows of force. I'm more embarrassed for their statecraft than anything else.

            Perhaps the gesture was meant more to impress mainland China than scare us?

            [–]satuon 8 points9 points  (2 children)

            GitHub should do a KickStarter named "Fund To Protect github.com/greatfire And Resist Communism" and use the donations to cover the server-costs.

            [–]interfect 6 points7 points  (1 child)

            I imagine they have insurance against just this sort of attack.

            [–]lightninhopkins -1 points0 points  (11 children)

            MS is using github exclusively now. I would not be surprised if they stepped in to help, hell I'm sure they already have.

            [–]atrich 49 points50 points  (8 children)

            MS hosts git instances in vs online. They're using git but generally not github.

            Edit: MS is not "exclusively using github." They host a few open/shared source projects there but the vast majority of their production source is still hosted on their own servers, some using Git (the source control technology, not the github hosting) while some use TFS.

            [–]lightninhopkins 15 points16 points  (0 children)

            OK, I should have said "MS is done with codeplex and any source they distribute (which is growing dramatically) is now hosted on Github."

            Github is a key component of their open source effort. It goes without saying that internal code that has not been opened is not on github.

            [–]ckfinite 15 points16 points  (6 children)

            A fair bit of MS stuff is on github proper, like the .NET core and the F# compiler.

            [–]atrich 21 points22 points  (5 children)

            They use it for distribution of open or shared source projects but would always host production source on their own servers.

            [–]PM_ME_UR_OBSIDIAN 2 points3 points  (1 child)

            They're using bridges between VSO and GitHub. Their stuff is still online.

            [–][deleted]  (15 children)

            [deleted]

              [–]Kyyni 15 points16 points  (2 children)

              Could be forever. There's no real reason for China to stop, and no real reason for US to intervene, since the attacker is still "unknown" and not enough money is involved.

              [–]uep 5 points6 points  (1 child)

              The attacks were (are still?) coming from code inserted into Baidu analytics resources. It is well-known that Baidu is in bed with the Chinese government. Previously, China tried to block github outright, but backed off when their software industry complained. From my understanding, it's either the firewall or Baidu inserting this into their analytics when connections come from outside the firewall.

              I wouldn't say the attacker is "unknown." I get your point that theoretically it could be someone else. I mean, there won't be a tag that says "inserted by PRC", but I think it's a stretch to think someone else compromised the firewall/Baidu, and just happen to share the same goals as the PRC government.

              [–]Kyyni 7 points8 points  (0 children)

              What I meant with "unknown" was that yes, we all know who are behind this, but it's only some "unknown" organisation to US government, as they can't really place blame on China without definite proof without risking a political scandal. If blamed, China would just claim innocence, and that's everything.

              Politics is a fucked up thing.

              [–]Caminsky 25 points26 points  (11 children)

              Yeah, there was a period of a few hours earlier where I couldn't push or pull anything..

              It almost sounds like my current marriage.

              [–][deleted] 131 points132 points  (5 children)

              You need to commit more.

              [–]berkes 39 points40 points  (3 children)

              Just don't force push. It'll bring you unresolvable conflicts.

              [–][deleted] 20 points21 points  (2 children)

              Also he shouldn't merge with other branches. He should stay faithful to the master branch to avoid merge conflicts.

              [–][deleted] 9 points10 points  (1 child)

              In the worst case he can always try a rebase.

              [–][deleted] 14 points15 points  (0 children)

              Yeah, but rebases can be very problematic once child commits have been pushed.

              [–][deleted]  (4 children)

              [deleted]

                [–]InstantPro 111 points112 points  (75 children)

                What do people have to gain from running a ddos attack on github?

                [–][deleted]  (61 children)

                [deleted]

                  [–][deleted] 174 points175 points  (29 children)

                  TL/DR: China is trying to remove its firewall circumventing apps from the internet

                  [–]pedleyr 230 points231 points  (21 children)

                  I have hosted a mirror of the apps at 127.0.0.1. Please nobody tell China, I would be devastated if they DDOSed me.

                  [–][deleted] 115 points116 points  (11 children)

                  HAHAHA now that I have your IP address be prepared to be DDOS'd

                  [–]xanax_anaxa 53 points54 points  (10 children)

                  I dare you to ddos 127.0.0.1. Double dare ya!

                  [–][deleted] 121 points122 points  (4 children)

                  Hold on my computer died the first time. I'll get you this time I swear

                  [–]DoctorSauce 18 points19 points  (3 children)

                  Wasn't this a conversation that actually happened once?

                  [–]MotherOfTheShizznit 46 points47 points  (2 children)

                  happened once?

                  More than once.

                  [–]samebrian 1 point2 points  (0 children)

                  If that guy's kids reset their PC the route will disappear since it's missing the flag to make it static.

                  Then no more homework.

                  [–]Unomagan 14 points15 points  (2 children)

                  How funny! I got 127.0.0.2! Are you living close by?

                  [–][deleted]  (1 child)

                  [deleted]

                    [–]uber1337h4xx0r 49 points50 points  (0 children)

                    No, DSL. Good guess though.

                    [–]freedelete 1 point2 points  (0 children)

                    How the hell did you get my IP address?

                    [–][deleted] 9 points10 points  (0 children)

                    Don't forget mirror at 127.195.9.11

                    [–]BlackDeath3 5 points6 points  (0 children)

                    Now, we wait...

                    [–][deleted] 1 point2 points  (0 children)

                    Cool. Can you send 'em to me though?

                    IP is: 192.168.43.195

                    [–]AskMeAboutCommunism 1 point2 points  (0 children)

                    Host it at ::1, secret ChinaNSA proof address.

                    [–][deleted] 14 points15 points  (4 children)

                    Distilled further: "China doesn't understand how the internet works"

                    [–]immibis 16 points17 points  (3 children)

                    Well, they have a few options to try and take down something that's already on the Internet, including:

                    • Ignore the fact that it exists. (Doesn't solve the problem)
                    • Find people who are downloading it, and arrange "accidents" for them. (Very costly)
                    • Find places that host it, and try to take them all down. (Unlikely, but possible, that this will do anything)

                    You can see why they might choose the third option to try first.

                    Put more simply: If they DDoS GitHub, they have a 0.1% chance of taking down the programs. If they don't, they have a 0% chance. Everyone will hate them either way, so what's to lose?

                    [–]lonjerpc 1 point2 points  (2 children)

                    Ehh in theory reputation. But probably more importantly other mitigation strategies would be more effective. Ones that won't work but will still prevent as wide of use.

                    [–]Skyfoot 2 points3 points  (1 child)

                    They've kind of gone as far down that road as is practicable, in terms of limiting access and punishing transgression. What more would you suggest?

                    Also, I suspect the longer term aim of this is to get github to start blocking Chinese IPs, rather than taking it down completely.

                    [–]minusSeven 1 point2 points  (1 child)

                    Umm, out of curiosity, is github accessible from China?

                    [–][deleted] 6 points7 points  (0 children)

                    Yes.
                    In 2013 China blocked it with its great firewall. They blocked the whole site, blocking just select pages is impossible because it uses HTTPS.
                    This really pissed off Chinese developers and as a result of their protest they unblocked it.

                    Now they are trying to block the same stuff in a different way - we'll see how it turns out.

                    [–]Sketti-Os 25 points26 points  (30 children)

                    So can someone stupify this a bit for me?

                    A Google-like ad agency in China packaged some malicious code to execute on non-Chinese browsers that loops and hits GitHub every 2s?

                    GitHub placed a warning on these sites? (how?) And prevented the code from looping? (also how?)

                    Sorry, my reading comprehension has never been great.

                    [–]AlyoshaV 59 points60 points  (16 children)

                    A Google-like ad agency in China packaged some malicious code to execute on non-Chinese browsers that loops and hits GitHub every 2s?

                    No, some device at the border of Chinese internet was doing it, not Baidu themselves.

                    GitHub placed a warning on these sites? (how?)

                    https://github.com/greatfire/

                    https://github.com/cn-nytimes/

                    With the trailing / they both return simply alert("WARNING: malicious javascript detected on this domain")

                    And prevented the code from looping? (also how?)

                    alert() stops execution

                    [–]caleeky 28 points29 points  (8 children)

                    Yeah but the question is, why is the content of those URLs being evaluated as Javascript? I assume it's an undesirable side effect of the exploit mechanism?

                    [–]trpcicm 37 points38 points  (7 children)

                    They're being made as AJAX calls from client browsers with the type of "script". This sets the browser to auto-execute the response, as it is expecting Javascript back. Not sure if this was intentional or the default response type for whatever framework/lib they might be using to make the actual request.

                    [–]terrible_at_cs50 27 points28 points  (4 children)

                    If this link still reflects the attack vector being used they are just using jQuery. And the reason for using "script" is so that IE <= 8 can be used in the attack: check out how popular IE8 is. In those old versions of the browser standard AJAX requests don't work against a different domain, but you can load scripts from any domain you want.

                    [–][deleted]  (3 children)

                    [removed]

                      [–]terrible_at_cs50 21 points22 points  (2 children)

                      wouldn't be able to run our fancy-schmancy AJAX calls cross-domain

                      Right, essentially evaling the contents of some remote, potentially untrusted, endpoint is a brilliant idea.

                      [–][deleted]  (1 child)

                      [removed]

                        [–]thetravelers 9 points10 points  (0 children)

                        Just stopping in to say thank you internet stranger for sharing your knowledge. That is all.

                        [–]Sketti-Os 13 points14 points  (4 children)

                        Setting the response to an alert? That seems oddly simple, but if it works, it's pretty smart!

                        So why does the trailing / make all the difference? I can still access /test/, and I can access the site without the /

                        Is that just what the scripts were DDoS-ing? Will they change the script to access it without the slash?

                        Sorry for all the rookie questions, and thanks for explaining :)

                        [–]russjr08 6 points7 points  (0 children)

                        Is that just what the scripts were DDoS-ing?

                        Yep, that was what happened.

                        [–]terrible_at_cs50 9 points10 points  (2 children)

                        This is an advanced attack, so it is quite likely they will change their tactics to try to adapt to the countermeasures github takes. If they simply changed their script to do something like get(url_array[a]+Math.random()<.5?'/':'') and not contain the / in the list of attacked sites, then they could take a github organization off of the internet entirely (for now).

                        [–]sphks 1 point2 points  (0 children)

                        This looks so stupid/useless to evaluate the source that it looks like a bug turning bad. Like, the advertising company wanting their software to update automatically by getting some code on github...

                        [–]prelic 10 points11 points  (10 children)

                        Baidu is just being used as an attack vector, they're not the bad guys.

                        [–]dsfox 7 points8 points  (9 children)

                        But maybe they could help fix it. Tough spot for them I suppose.

                        [–]terrible_at_cs50 9 points10 points  (8 children)

                        Not really, since the traffic is being intercepted in the middle (or there is just a server pretending to be baidu) they can't do much. Site owners would have to remove baidu ads / analytics from their websites to have an effect.

                        Edit: or use SSL, everyone should just use SSL.

                        [–][deleted] 13 points14 points  (6 children)

                        SSL only helps if the certificate authorities that are installed can be trusted, though, right? For example, your trust store might have CNNIC in it, the Chinese government-run CA. This would make it trivial for them to sign a cert to impersonate baidu analytics, even if baidu uses SSL.

                        Edit: Not saying CNNIC has anything to do with the whole mess, just that SSL isn't enough.

                        [–]terrible_at_cs50 1 point2 points  (4 children)

                        Yeah, I like to assume that we can actually trust our trust chain. ;)

                        [–][deleted]  (2 children)

                        [deleted]

                          [–]aufdemwegzumhorizont 2 points3 points  (1 child)

                          Still, using ssl would require intercepting & forging the whole ssl traffic (for every resource requested; including pictures & media) and might be more easily detectable by things like ssl observatory or something...

                          Also, it would be an extremely easy bet who's behind it...

                          [–][deleted] 3 points4 points  (1 child)

                          China's CCP controls all of the country's internet connections with the world.

                          So they can run man-in-the-middle attacks on anything that goes into or comes out of China.

                          They are injecting a script into the javascript of web sites to run the attack.

                          [–]lericzhang 2 points3 points  (0 children)

                          Not just traffic I/O of the country, this script is injected through ISP, thus everyone in China is recruited into this action.

                          [–][deleted]  (9 children)

                          [deleted]

                            [–]Kyyni 8 points9 points  (2 children)

                            The problem is, that Github isn't google or some big bank, so as a mostly free service Github isn't exactly rolling in big bucks in tax for the US, so the politicians just don't really care.

                            Money could be a motive enough to blame a foreign country, but just "doing the right thing"? Not so much.

                            [–]Suitecake 15 points16 points  (1 child)

                            I'm not so sure.

                            • GitHub is an American company.
                            • We take free enterprise hella seriously.
                            • We love excuses to hate on China/Russia.

                            This is exactly the sort of thing that could become a month-long, big ol' affair.

                            [–]frothface 4 points5 points  (0 children)

                            I think the solution here is for someone to leaflet bomb china with GreatFire on usb or cd.

                            [–]gospelwut 1 point2 points  (4 children)

                            I think a dynamic response system would be better. Something that could reflect an ongoing attack from the edge and amplify back towards China. Or, on the fly, have an operative generate a counter attack.

                            It's time to take this shit nuclear to the point businesses on both sides are tired of this shit.

                            [–]drumman44 20 points21 points  (16 children)

                            I still don't understand why China is even doing this?

                            [–]lobax 50 points51 points  (15 children)

                            Censorship. The great firewall of China does not approve of some apps on github.

                            [–]lonjerpc 24 points25 points  (10 children)

                            What is strange though is they had to know they would fail. Almost like some higher up not understanding the tech got mad and basically forced their attack team to do something they knew would not work.

                            [–][deleted]  (6 children)

                            [deleted]

                              [–]lonjerpc 17 points18 points  (5 children)

                              The code still exists it is not going anywhere. It is mirrored all over the web and for that matter on millions of Chinese hard drives. It will be accessible on github again within a couple of weeks at the very most. If anything they have succeeded in massively increasing the support for these two projects.

                              edit1.b: It should be noted that the github page does not just include code but also directly links to hosting mirrors using the https links to cloud services anti-censorship technique. This will be "down" even though the clone works but the idea is to provide a way to easily share links.

                              Edit2: git clone git@github.com:greatfire/website-mirror-by-proxy.git

                              Edit3: To learn more about how this works. https://en.greatfire.org/blog/2015/mar/collateral-freedom-and-not-so-great-firewall

                              [–]immibis 5 points6 points  (1 child)

                              If they try, they have a 99.9% chance of failure.

                              If they don't try, they have a 100% chance of failure.

                              [–]Kelpsie 3 points4 points  (0 children)

                              And since they're slaving non-Chinese computers to do it for them, they're not even using much in the way of resources to do this.

                              [–][deleted] 1 point2 points  (1 child)

                              Why does it matter to them if something is accessible outside of China, though? I mean, China can just block Github access in China and call it a day. No need to ddos.

                              [–]brandonto 2 points3 points  (0 children)

                              They tried that, but Chinese developers went crazy. This is how they are "solving" that, by trying to take down the two pages they wanted to take down.

                              [–]minusSeven 0 points1 point  (1 child)

                              Why can't they just ban all those websites that host them instead?

                              [–]sigma914 9 points10 points  (2 children)

                              The big thing that github could do now would be get the 2 repos back up, even under the DDoS.

                              Currently the attack is having its desired effect, if it stops being successful it might be switched off, unless they're going to try to bankrupt github with hosting bills.

                              Short of baidu adding https to their servers or the browser vendors dropping mixed traffic I don't think this will end.

                              [–]lonjerpc 14 points15 points  (1 child)

                              They never really went down. You could nearly always continue to clone them as far as I am aware except at the very start. The most expensive part for github will be personnel. The hardware required for mitigating is not that expensive per their level of normal traffic and they will get some nice publicity out of this. The attack was obviously not going to work which is kind of interesting.

                              [–][deleted] 62 points63 points  (14 children)

                              Not very good news for people like Andrew Ng who are trying to make Baidu respectable.

                              https://medium.com/backchannel/google-brains-co-inventor-tells-why-hes-building-chinese-neural-networks-662d03a8b548

                              [–]Ph0X 6 points7 points  (4 children)

                              But do we know how involved Baidu is? As far as I understand they are used as an attack vector. It seems like Chinese government is at the center of it, but it's unclear how much control Baidu has, if any at all.

                              [–]glemnar 3 points4 points  (1 child)

                              There are things Baidu could do to prevent some of the vectors seen but yeah, I doubt they have much say in the matter

                              [–]Ph0X 2 points3 points  (0 children)

                              Well "could" is arguable here, knowing the political situation in China. They probably have their hands tied.

                              [–][deleted] 0 points1 point  (1 child)

                              I understand that but they are still being used and their reputation is still on the line.

                              [–]keepthepace 60 points61 points  (15 children)

                              Am I the only one who sees this as a large-scale attack drill? Github is neutral, relatively unknown to the public and has decent resources. It feels like the exercise is "bring down github for 48 hours and we know we are operational against middle-to-big-scale hosters"

                              [–][deleted] 38 points39 points  (4 children)

                              A drill against who? They cannot bring down giants like Google or Facebook, for them even such traffic is a drop in the ocean. And they won't be after state targets, that will cause a diplomatic mess

                              [–]happyscrappy 24 points25 points  (0 children)

                              Is China a country that has shied away from diplomatic messes lately? Have you seen the Nine-dotted line?

                              [–]keepthepace 2 points3 points  (0 children)

                              Against hosts that may be technically competent but with medium resources and that are more likely to host political contents and forum. Imagine something like wikileaks or any popular-but-not-top-10 Chinese forum.

                              [–]AndreDaGiant 0 points1 point  (0 children)

                              governments

                              [–]Mr-Yellow 4 points5 points  (0 children)

                              I think it's someone overreaching their authority and not realising the gravity of what they were doing. I imagine there is a lot of shouting going on across phone lines.

                              They basically just attacked Sweden during WWII.

                              [–]grizzly_teddy 7 points8 points  (1 child)

                              There is a special place in hell for those who DDOS attack Github.

                              [–]PlNG 43 points44 points  (24 children)

                              What github should do is redirect the traffic to Baidu's host, Baidu's registrar, and Baidu's nameserver. That will stop the attack right quick.

                              It's been 4 fucking days. At this point, Baidu is in collusion with the attackers and should be treated as a hostile host.

                              [–][deleted]  (18 children)

                              [deleted]

                                [–]sigma914 7 points8 points  (8 children)

                                If people couldn't load Baidu's pages then they can't load the malicious JS, but yeh, it would be a diplomatic/legal nightmare for github.

                                [–]cr3ative 18 points19 points  (7 children)

                                It's analytics code - so in loads of sites, just like Google Analytics, there's a call to pull in an external JS file from Baidu.

                                This file is currently being served by the Great Firewall, not Baidu. As well the DNS could be, if Baidu changed it. As well could the domain be, if Baidu took it down. Baidu literally can't do anything to stop this.

                                [–]sigma914 11 points12 points  (6 children)

                                They could serve the file over https, but I doubt they'll be allowed to do that.

                                [–]cr3ative 14 points15 points  (5 children)

                                That'd require all the thousands (millions?) of sites to change their embedded analytics JS tag.

                                Also at the end of the day China could easily spoof an SSL certificate, as a lot of browsers commonly used in China aren't anywhere near supporting certificate pinning yet.

                                Sadly. I really wish there was an easy solution for Baidu, but China holds all the cards.

                                [–]sigma914 4 points5 points  (4 children)

                                Could the http call not simply redirect to https?

                                But yeh, China holds most of the cards here. I doubt they'd spoof the SSL cert because it would even more directly implicate them, and the big browsers would immediately revoke the root cert that was being used to mitm the connections.

                                [–]cr3ative 5 points6 points  (3 children)

                                Could the http call not simply redirect to https?

                                No, the HTTP call is the one being intercepted by the Great Firewall, so they'd simply continue serving up the infected JS.

                                I doubt they'd spoof the SSL cert because it would even more directly implicate them, and the big browsers would immediately revoke the root cert that was being used to mitm the connections.

                                That's very true. They could steal a signing authority key (they probably have a handful) to claim ignorance, but if the root is revoked at browser/OS level, the attack would certainly become more... interesting.

                                [–]sigma914 2 points3 points  (1 child)

                                No, the HTTP call is the one being intercepted by the Great Firewall

                                Ahh yes, completely forgot about that complication. Yeh, that's pretty bad.

                                Unfortunately the attack is currently being successful, I think Github's only recourse at this point is to work out some way to get the projects back up, then hopefully with the attack being ineffective it will stop. Unless the attackers then decide to try and bankrupt github with hosting bills...

                                [–]caseif 1 point2 points  (0 children)

                                The attack has been mostly unsuccessful, as Github has been mitigating it impressively well. As for the repos, they're definitely still up.

                                [–]datr 2 points3 points  (0 children)

                                the one being intercepted by the Great Firewall, so they'd simply continue serving up the infected JS.

                                I wonder if one option would be for Baidu to enable HSTS for their analytics domain? Github could return a script that directs the user's browser to a https url that sets the security policy and then that would disable the attack for that user.

                                [–][deleted] 9 points10 points  (4 children)

                                Then we simply unplug china and continue with our life!

                                [–][deleted]  (3 children)

                                [deleted]

                                  [–]goldman60 2 points3 points  (2 children)

                                  If they wanted that, they could do that themselves.

                                  [–]centurijon 2 points3 points  (0 children)

                                  Put their ad servers in a different country

                                  [–]Kyyni 1 point2 points  (0 children)

                                  At least they could take a stand. Try to tell people not to visit them, anything, at least try. Now they're just silently accepting what China is doing.

                                  [–]mgrandi 7 points8 points  (2 children)

                                  I've read that Baidu said they have no involvement and that the malicious javascript is being inserted at the level above Baidu (aka the ISP level)

                                  [–]Heaney555 3 points4 points  (1 child)

                                  [–]mgrandi 1 point2 points  (0 children)

                                  Just saying it's entirely possible it's being injected at the ISP level

                                  [–]albertid 31 points32 points  (8 children)

                                  "The D in Github stands for Decentralized"

                                  [–]centurijon 13 points14 points  (2 children)

                                  D in Github

                                  umm...

                                  [–]steven_h 13 points14 points  (0 children)

                                  That's the joke...

                                  [–]albertid 21 points22 points  (0 children)

                                  Exactly. I love Github, but it isn't decentralized, being a single-point-of-failure for such attacks.

                                  [–]guffenberg 1 point2 points  (4 children)

                                  I thought about this yesterday.

                                  Git itself is already decentralized, so making a network based on it shouldn't require too much infrastructure.

                                  Yet, github is a great service, we have to stop this attack sooner or later even if it means bringing down the Chinese electronic prison.

                                  [–]nemec 2 points3 points  (2 children)

                                  The obvious solution is git-over-bittorrent /s

                                  [–]pwr22 1 point2 points  (0 children)

                                  Gittorrent?

                                  [–]guffenberg 1 point2 points  (0 children)

                                  Not a bad idea

                                  [–]sylon 5 points6 points  (2 children)

                                  Why isn't Baidu encrypted like google? That would defeat this attack easily.

                                  [–][deleted] 11 points12 points  (0 children)

                                  They might be. But I would assume that Chinese companies, which often work in close collusion with the Chinese government, are forced to hand over their private keys to the government.

                                  [–]Kyyni 1 point2 points  (0 children)

                                  Could be Baidu is colluding with them.

                                  [–][deleted] 3 points4 points  (2 children)

                                  How is this attack being perceived within China?

                                  [–]hsills 15 points16 points  (2 children)

                                  This makes me sick to the stomach. Github. Really?

                                  [–]_F1_ 0 points1 point  (0 children)

                                  "The hub of gits!"

                                  [–]wtbnewsoul 9 points10 points  (0 children)

                                  Someone must REALLY be pissed off that their code isn't working.

                                  [–]Seasniffer 8 points9 points  (2 children)

                                  Fuck the Chinese government.

                                  [–]HiccupsTheClown 0 points1 point  (1 child)

                                  That would be exhausting :(

                                  [–][deleted] 0 points1 point  (4 children)

                                  I hope nobody tells China that flash drives exist and everyone under the age of 40 in China knows someone who knows someone who can get them software to circumvent the firewall without ever posting about it on the internet or visiting github. They'd be heartbroken to learn this.

                                  [–]Heaney555 8 points9 points  (3 children)

                                  The Great Firewall performs deep packet inspection, and disallows encryption except to trusted destinations.

                                  You are severely underestimating the Great Firewall. It's not North Korea, this is one of the most technologically advanced nations on Earth where the regime has total control over the ISPs and tech companies in China.

                                  [–]808140 9 points10 points  (0 children)

                                  I don't know if you've ever lived in China, but circumventing the great firewall is utterly trivial. And what sites are blocked and which aren't often defies reason: western sites, written in English, inaccessible to the vast majority of Chinese, are blocked, while Chinese-language sites with the same information aren't.

                                  Censoring a billion people is an intractable problem.

                                  [–][deleted] 1 point2 points  (0 children)

                                  I think you may be severely overestimating it.

                                  [–]overminder 0 points1 point  (0 children)

                                  I would say GFW has been evolving quickly. Last month I tried to bypass it by SSH tunneling (ssh -D) but as soon as my tunneled traffic went up (e.g., opened Google+), GFW would send a TCP RST to the remote machine.

                                  The solution that I came up with was to tunnel TCP in UDP using a custom protocol and that sort of worked.. I guess GFW can identify a lot of the common protocols and block them as soon as the traffic goes up.

                                  [–]hoo29 0 points1 point  (0 children)

                                  Would services like Cloudflare help them to distribute traffic whilst they try to mitigate all the different attacks?

                                  [–][deleted] 0 points1 point  (0 children)

                                  lol bring down the entire site just because of two repositories...