It looks like the attackers upgraded the code during the attack to check for Cloudflare and target more URLs: pic.twitter.com/2wqP9gj7pR
— chris doman (@chrisdoman) September 2, 2019
Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the Youtube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Chris Doman, Principal, Information Security, AT&T Cybersecurity and Ganesh Kasina, Principal Technology Security, AT&T.
Chris: The Great Cannon has attacked a number of websites.
Ganesh: Hey, Chris. I heard you have a great story about Great Cannon attacks. Could you elaborate a little bit on that?
Chris: Thanks. I certainly hope it's great. Most people have heard of the Great Firewall, which means that if you're browsing the internet from within China, you can’t access certain websites, like BBC News -that kind of thing. It's fair enough.
But back in 2015, we saw something else for the first time, called the Great Cannon. It was all over the news at the time because it was a technology being used to take down a number of websites with massive denial of service attacks. The way it was working was that if you visit the website, which loads some code from the site behind the Great Firewall, so instead of being blocked, you'd be served back a piece of malicious script. That meant that your machine sitting in the United States or here in London, would then attack other websites. This meant that millions of people's machines, like potentially me and you, were attacking certain websites.
This was really noted at the time because one of those sites that was attacked was GitHub. GitHub is the code sharing website. It's where the source code of most programs lives these days. And it went down for a bit of time.
But somewhat strangely, after 2015 and those attacks in March to May '15, the Great Cannon just disappeared. But as we noticed a couple of weeks ago, it seems to have come back again for some other attacks. People were discussing that websites used to organize certain protests became inaccessible. They're suspecting that maybe it was something like the Great Cannon or some other technology being used to take them offline.
We looked and we found that actually it was. It was a quite upgraded version of the Great Cannon. If you request a website and it happens to be hosted behind the Great Firewall, you're going to be served back some malicious code and your machine's going to be attacking this protest website. This would have been affecting millions of people - anyone who's browsing. Many big, big websites have been used to attack it.
The end result was this website went down for a while. It’s interesting to see how they did it. They improved the code a bit. They're trying to evade some of the modern denial of service protections like Cloudflare. They were only partly successful there. And thankfully, after a few days, the attack was mitigated. That protest website came back up online and now the attack has paused and the Great Cannon has disappeared again for a while.
We then looked at the code that was used. It was pretty interesting to see - after four years this attack code coming back again. We found back in 2018 there was another attack, but at the time, no one noticed it. That time it was a news website that was controversial to the people running the Great Cannon and the Great Firewall. For a space of about a year, people were attacking it. It meant that there's something like a one-in-a-thousand chance if you're accessing some certain websites, your machine would then be attacking this news website. It was quite a subtle attack. Not obvious. It was just hitting everyone. It was enough to slow down that website so you might want to read about that news, but not very fast. It was really interesting to see those kinds of subtle attacks.
This is the kind of thing that, when you're looking at the Internet Weather Report, what you're seeing in the background all the time just attacks bouncing back and forth across the internet.
So, yes. That's what we saw about the Great Cannon.
Ganesh: This is really interesting. In this case, does the use of HTTPS or HTTP make any difference if they're browsing to these websites? It doesn't matter what browser you’re using. Does it make any difference in this case?
Chris: Yes, exactly. If these sites are using HTTP, they can intercept that traffic. It’s pretty interesting. It's a bit buggy, too. They can see HTTP requests traversing the internet and going to the website – they see your unencrypted HTTP request. They insert malicious code insted.
Sometimes they get it wrong, too, because this is kind of low level. They have to guess the amount of packets they're sending back, that kind of thing. But, yes, HTTPS would have stopped at least the way they're doing this. Messing with DNS is one option. But, encryption in this situation would have saved the day.
Ganesh: There are always new tactics that need to be addressed. Somehow, we need to come up with the solutions to mitigate this.
Chris: Definitely. I mean, it's interesting as a researcher to see a new attack coming out, but for the people on the receiving end, yeah, it's good to find a way to find a way to defend against these attacks.
Ganesh: When you said about DNS, does TTL play any role in this one?
Chris: Not that I've seen or I'm aware of. There's a really detailed analysis down to the protocol level by the Citizen Lab researchers. Maybe in that paper, they talk about that?
Ganesh: Users need to be a little savvy. I think one should not visit questionable websites. That's the best protection.
