Researchers have released a paper detailing a new Chinese DDoS attack tool that weaponizes internet users to take out websites critical of Beijing.
The web experts hail from Princeton, Berkeley, the International Computer Science Institute and Canadian rights group Citizen Lab.
They announced their findings in a lengthy blog post, which details new attack infrastructure first spotted in a campaign to take down web properties belonging to anti-censorship body Greatfire.org.
It has the following:
“We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the ‘Great Cannon.’ The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.
The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of ‘bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack.”
The Great Cannon works by intercepting traffic sent to search engine Baidu’s infrastructure servers, which host analytics and advertising scripts.
Around 1.75% of the time it will replace these JavaScript files with malicious script designed to load the targeted sites every two seconds, causing a denial of service.
The researchers claim the Great Cannon is co-located with China’s notorious Great Firewall censorship infrastructure across two ISPs, which “strongly suggests a governmental actor” is behind the tool.
They claim that, given the highly visible nature of the Great Cannon attacks and their potential for “political backlash,” the tool must have been green-lighted by “high-level authorities within the Chinese government” – possibly even the president himself.
What’s more, the Great Cannon could be used with a few tweaks to deliver far more than a simple DDoS.
“A technically simple change in the Great Cannon’s configuration, switching to operating on traffic from a specific IP address rather than to a specific address, would allow its operator to deliver malware to targeted individuals who communicate with any Chinese server not employing cryptographic protections,” they warned.
Tampering with unencrypted internet traffic to control information and launch attacks was also the main purpose of the NSA/GCHQ QUANTUM project, and further underscores the need for web owners to move to HTTPS, the researchers argued.