China's Great Cannon (2)

2015/04/22
Section 3: Analysis of the DDoS Logs from the attack against GreatFire

The staff of GreatFire.org provided the authors with server logs covering the period of March 18 to 28.[16] (A report previously published by GreatFire uses a different sample.[17]) This period appears to capture the end of the DDoS attack on GreatFire.org's services, as shown by the size of the server log files over this period:

To keep our analysis tractable, we examined a sample of the data from March 18th 11:00 GMT to March 19th 7:00 GMT, as seen from two of the three most commonly seen backend servers. For each hour, we selected 30MB of compressed logs for each server.[18] The total sample includes 16,611,840 web requests, with 13,183 unique source IP addresses. We used the MaxMind GeoIP2 Lite database[19] from March 3rd, 2015 to assign a country of origin to each source IP address. For any IP address that did not result in a definite geolocation using this tool (31 addresses), we looked up the address manually using the iplocation.net service.

The figure below summarizes the top countries of origin, with China added for comparison.

Figure 3. Number of Unique IP addresses seen in DDoS log sample showing the top 5 countries/regions, with Chinese traffic included for comparison.

Note that 8,827 (66.9%) of the IP addresses originate from Taiwan and Hong Kong, two regions where Chinese is the official language. China, however, accounted for only 18 requests.  This is consistent with malicious code injected into China-hosted websites at the border of the Chinese Internet.

To determine which websites have their responses altered by the injection of malicious code, we extracted the domain names of the 25 most frequently seen referrers in our dataset,[20] finding that these domains account for 55% of the total requests in the sample.

Figure 4. Top 25 referrers found in the DDoS logs, grouped by domain. The top bar reflects domains directly in the baidu.com DNS space. Manual verification confirms that all top 25 referrers use Baidu services such as advertising or analytics.

The most commonly seen domain is pos.baidu.com (37.7% of total requests in the sample), a part of Baidu's ad network. Many non-Baidu sites display ads served through Baidu's ad network, indicating that visitors to non-Baidu sites displaying ads also became targeted.[21]

We examined the top 25 domains, and linked each one to Baidu: in each case, the site is either a Baidu property or uses Baidu analytics, advertisements, or static resources.[22] This finding indicates that Baidu was a major injection target for this attack. According to Alexa statistics, Baidu itself is the fourth-most visited site globally, the highest ranking China-based site on the global list,[23] and has received an estimated 4.99 million unique visitors from the US alone in the past 30 days.[24]
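As an added example (not code from the report or from the translator's post), the following Python script performs the kind of log aggregation Section 3 describes: counting requests and unique source IPs, assigning a country per IP, and ranking referrers by domain and by parent domain. The log lines and the country table are constructed; the table stands in for the MaxMind GeoIP2 lookup, and the regex assumes the Combined Log Format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Combined Log Format (not lines from the real GreatFire logs).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Mar/2015:11:00:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "http://pos.baidu.com/acom?rdid=1" "Mozilla/5.0"
203.0.113.10 - - [18/Mar/2015:11:00:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "http://pos.baidu.com/acom?rdid=1" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2015:11:00:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "http://cpro.baidu.com/cpro/ui/uijs.php" "Mozilla/5.0"
192.0.2.44 - - [18/Mar/2015:11:00:03 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "http://www.example.net/page" "Mozilla/5.0"
198.51.100.7 - - [18/Mar/2015:11:00:04 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "request", status, bytes, "referrer", "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

# Constructed stand-in for the GeoIP2 country lookup; unmapped IPs are reported as "unknown".
GEO_STUB = {"203.0.113.10": "TW", "198.51.100.7": "HK"}

def parse_log(text):
    """Yield (source_ip, referrer_domain) per request; a '-' referrer becomes None."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ref = m.group("ref")
        yield m.group("ip"), (urlsplit(ref).hostname if ref != "-" else None)

def analyse(text, geo=GEO_STUB, top_n=25):
    """Requests, unique IPs, IPs per country, top referrer domains and their share of requests."""
    ips, by_domain, by_parent, total = set(), Counter(), Counter(), 0
    for ip, domain in parse_log(text):
        total += 1
        ips.add(ip)
        if domain:
            by_domain[domain] += 1
            by_parent[".".join(domain.split(".")[-2:])] += 1  # e.g. pos.baidu.com -> baidu.com
    countries = Counter(geo.get(ip, "unknown") for ip in ips)
    top = by_domain.most_common(top_n)
    share = sum(n for _, n in top) / total if total else 0.0
    return {"requests": total, "unique_ips": len(ips), "countries": countries,
            "top_referrers": top, "by_parent": by_parent, "top_share": share}

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(r["requests"], "requests from", r["unique_ips"], "IPs:", r["countries"].most_common())
    for domain, n in r["top_referrers"]:
        print(f"{domain:24s} {n:4d} {100 * n / r['requests']:5.1f}%")
```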

We speculate that Baidu was chosen as an injection target because it is a simple way to target many users.

Section 4: Attributing the Great Cannon to the Chinese Government

We believe there is compelling evidence that the Chinese government operates the GC. In recent public statements, China has deflected questions regarding whether they are behind the attack, instead emphasizing that China is often itself a victim of cyber attacks.[25]

Where is the GC Located?

We tested two international Internet links into China belonging to two different Chinese ISPs, and found that in both cases the GC was co-located with the GFW.  This co-location across different ISPs strongly suggests a governmental actor.

Who built the Great Cannon?

That the GFW and GC have the same type of TTL side-channel suggests that they share some source code.  We are unaware of any public software library for crafting packets that introduces this type of TTL side-channel.

What is the Great Cannon’s Function?

Our observations indicate that the GC’s design does not reflect technology well-suited for performing traffic censorship.  Its operation only examines the first data packet of a given connection, which provides a weak censorship mechanism compared to the GFW.  More generally, the GC’s design does not, in practice, enable it to censor any traffic not already censorable by the GFW.  Thus, the evidence indicates that the GC’s role is to inject traffic under specific targeted circumstances, not to censor traffic.

Who is the Great Cannon attacking?

The DDoS attack launched by the GC using "bystander" machines directly aligns with known political concerns of the Chinese government. The Cyberspace Administration of China has previously referred to GreatFire as a "foreign anti-Chinese organization" (境外反华组).[26] The particular GreatFire service targeted in this attack provides proxies to bypass the GFW using encrypted connections to Amazon's CloudFront cloud service.

GreatFire also hosts two GitHub repositories, https://github.com/greatfire and https://github.com/cn-nytimes, that provide technology for users who wish to circumvent Chinese government censorship. The attack on GitHub specifically targeted these repositories, possibly in an attempt to compel GitHub to remove these resources.

GitHub encrypts all traffic using TLS, preventing a censor from blocking access only to specific GitHub pages. In the past, China attempted to block GitHub, but the block was lifted within two days, following significant negative reaction from local programmers.[27]

Source: https://citizenlab.org/2015/04/chinas-great-cannon/
