Figure 1: Simplified diagram of how the Great Cannon operates
The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015. However, we’ve recently observed new attacks, which are detailed below.
Most recent attacks against LIHKG
The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script built on data from UrlScan.io, we identified new attacks that likely started on Monday, November 25th, 2019.
- http://push.zhanzhang.baidu.com/push.js; or
Normally these URLs serve standard analytics tracking scripts. However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code:
Figure 2: Malicious code served from the Great Cannon
The code attempts to repeatedly request the following resources, in order to overwhelm websites and prevent them from being accessible:
These may seem like an odd selection of websites and memes to target; however, these meme images appear on the LIHKG forums, so the traffic is likely intended to blend in with normal traffic. The URLs are appended to the LIHKG image proxy URL (e.g. https://na.cx/i/6hxp6x9.gif becomes https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966493), which causes LIHKG to perform the bandwidth- and computationally expensive task of fetching a remote image, resizing it, and then serving it to the user.
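The proxied-image pattern just described is recognisable in the target's own access logs. The following Python is an added illustration (not code from the original post or from LIHKG) that parses that URL shape from constructed log lines and flags clients that keep re-fetching the same remote image with a changing ?t= cache-buster:

```python
import re
from collections import defaultdict

# Added example (not from the original post): recognise the proxied-image
# pattern described above in LIHKG-style access logs and flag clients that
# defeat caching by re-requesting the same remote image with a new ?t= value.
PROXY_RE = re.compile(r"^https://i\.lih\.kg/(\d+)/(https?://[^?\s]+)\?t=(\d+)$")

# Constructed log lines: "<client> <requested URL>". Sample data, not traffic
# from the incident; the image URL is the one quoted in the text.
SAMPLE_LOG = """\
203.0.113.7 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966493
203.0.113.7 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966501
203.0.113.7 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966544
203.0.113.7 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966590
198.51.100.2 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966493
198.51.100.2 https://lihkg.com/thread/12345
"""

def parse_proxy_request(url):
    """Split a proxy URL into (size, remote_url, t); None for any other URL."""
    m = PROXY_RE.match(url)
    return m.groups() if m else None

def flag_proxy_abuse(log_text, threshold=3):
    """Map client -> remote images it fetched through the proxy with at least
    `threshold` distinct cache-busting values. A browser rendering the forum
    fetches an image once; the flood script changes ?t= on every request."""
    seen = defaultdict(set)  # (client, remote_url) -> distinct ?t= values
    for line in log_text.splitlines():
        client, url = line.split(maxsplit=1)
        parsed = parse_proxy_request(url)
        if parsed is None:
            continue  # ordinary page view, not a proxied image
        _size, remote, t = parsed
        seen[(client, remote)].add(t)
    flagged = defaultdict(list)
    for (client, remote), values in seen.items():
        if len(values) >= threshold:
            flagged[client].append(remote)
    return dict(flagged)

if __name__ == "__main__":
    for client, images in flag_proxy_abuse(SAMPLE_LOG).items():
        print(client, "repeatedly re-fetched:", ", ".join(images))
```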
Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.
These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:
- http://push.zhanzhang.baidu.com/push.js; or
You may want to consider blocking these URLs when not sent over HTTPS.
Timeline of historical Great Cannon incidents
Below we have described previous Great Cannon attacks, including previous attacks against LIHKG in September 2019.
2015: GreatFire and GitHub
A number of distinct stages and targets were identified:
- March 3 to March 6, 2015: Initial, limited test firing of the Great Cannon starts.
- March 10: Real attacks start against a Chinese-language news site (Sinasjs.cn).
- March 13: New attacks against an organization that monitors censorship (GreatFire.org).
- March 25: Attacks against GitHub.com start, targeting content hosted on the site for GreatFire.org and a Chinese edition of the New York Times. This resulted in a global outage of the GitHub service.
Figure 4: The URLs targeted in the attack against Github.com.
Figure 5: Snippet of the obfuscated code. Current attacks continue to use the same obfuscation.
2017 and onward: attacks against Mingjingnews
In August 2017, Great Cannon attacks against a Chinese-language news website (Mingjingnews.com) were identified by a user on Stack Overflow. The code used in the 2017 attack was significantly rewritten compared with the earlier attacks, and it remains largely unchanged in the attacks seen in 2019.
Figure 6: An excerpt of the code to target Mingjingnews.com in 2017.
We have continued to see attacks against Mingjingnews in the last year.
2019: Attacks against Hong Kong democracy movement
On August 31, 2019, the Great Cannon initiated an attack against a website (lihkg.com) used by members of the Hong Kong democracy movement to plan protests.
Initial versions targeted a single page on lihkg.com.
Later versions targeted multiple pages and attempted (unsuccessfully) to bypass DDoS mitigations that the website owners had implemented.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV INFO JS File associated with Great Cannon DDoS"; flow:to_server,established; content:"GET"; http_method; content:"push.js"; http_uri; content:"push.zhanzhang.baidu.com"; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:4001470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV INFO JS File associated with Great Cannon DDoS"; flow:to_server,established; content:"GET"; http_method; content:"11.0.1.js"; http_uri; content:"js.passport.qihucdn.com"; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:4001471; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV INFO Potential DDoS attempt related to Great Cannon Attacks"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"isImgComplete"; flowbits:isset,AVCannonDDOS; reference:url,otx.alienvault.com/pulse/5d6d4da02ee2b6fbff703067; classtype:policy-violation; sid:4001473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV INFO JS File associated with Great Cannon DDoS"; flow:to_server,established; content:"GET"; http_method; content:"hm.js"; http_uri; content:"hm.baidu.com"; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:4001472; rev:1;)
ET WEB_CLIENT Great Cannon DDoS JS M1 sid:2027961
ET WEB_CLIENT Great Cannon DDoS JS M2 sid:2027962
ET WEB_CLIENT Great Cannon DDoS JS M3 sid:2027963
ET WEB_CLIENT Great Cannon DDoS JS M4 sid:2027964
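The rules above work in two steps: a request for one of the analytics scripts sets the AVCannonDDOS flowbit, and the alert fires only when a 200 response on that flow carries the isImgComplete marker. The following Python, added here as an illustration and not part of the original post or the vendor ruleset, replays that gating logic over constructed HTTP transactions so the effect of the flowbit on false positives is visible:

```python
# Added example: a Python mirror of the flowbit logic in the Suricata rules
# above, run over constructed HTTP transactions (not captured traffic).
# Each record models one flow: the request and the response it received.
WATCHED_SCRIPTS = {
    ("push.zhanzhang.baidu.com", "push.js"),
    ("js.passport.qihucdn.com", "11.0.1.js"),
    ("hm.baidu.com", "hm.js"),
}
INJECTION_MARKER = "isImgComplete"  # string the sid:4001473 rule looks for

TRANSACTIONS = [
    # Genuine analytics script: request matches, body lacks the marker.
    {"method": "GET", "host": "push.zhanzhang.baidu.com", "uri": "/push.js",
     "status": 200, "body": "(function(){/* ordinary tracking code */})();"},
    # Swapped response: same kind of request, body carries the marker -> alert.
    {"method": "GET", "host": "hm.baidu.com", "uri": "/hm.js",
     "status": 200, "body": "var x=0;function isImgComplete(i){return i.complete}"},
    # Marker on an unrelated host: flowbit never set -> no alert.
    {"method": "GET", "host": "cdn.example.test", "uri": "/app.js",
     "status": 200, "body": "function isImgComplete(){}"},
    # Matching request but a redirect, not a 200 -> no alert.
    {"method": "GET", "host": "js.passport.qihucdn.com", "uri": "/11.0.1.js",
     "status": 302, "body": ""},
]

def request_sets_flowbit(tx):
    """sid 4001470-4001472: GET whose http_uri and http_host contain the
    watched script name and host (substring match, like Suricata content).
    Suricata's HTTP keywords only see cleartext, so this fires for plain
    HTTP fetches of the scripts, never for HTTPS ones."""
    return tx["method"] == "GET" and any(
        host in tx["host"] and name in tx["uri"] for host, name in WATCHED_SCRIPTS
    )

def response_is_injected(tx, flowbit_set):
    """sid 4001473: 200 response body containing the marker, gated on the
    flowbit so the marker alone (on any other site) does not alert."""
    return flowbit_set and tx["status"] == 200 and INJECTION_MARKER in tx["body"]

def scan(transactions):
    """Return 'host/uri' for each flow where the swapped script was served."""
    alerts = []
    for tx in transactions:
        if response_is_injected(tx, request_sets_flowbit(tx)):
            alerts.append(tx["host"] + tx["uri"])
    return alerts

if __name__ == "__main__":
    for hit in scan(TRANSACTIONS):
        print("Great Cannon injected script seen on flow to", hit)
```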
Additional indicators and code samples are available in the Open Threat Exchange pulse.