Section 3: Analysis of the DDoS Logs from the attack against GreatFire

The staff of provided the authors with server logs covering the period of March 18 to 28.16  (A report previously published by Great Fire uses a different sample.17) This period appears to capture the end of the DDoS attack on’s services, as shown by the size of server log files over this period:

To keep our analysis tractable, we examined a sample of the data from March 18th 11:00 GMT to March 19th 7:00 GMT, as seen from two of the three most commonly seen backend servers.  For each hour, we selected 30MB of compressed logs for each server.18  The total sample includes 16,611,840 web requests, with 13,183 unique source IP addresses. We used the MaxMind GeoIP2 Lite database19 from March 3rd, 2015 to assign a country of origin to each source IP address.  For any IP address that did not result in a definite geolocation using this tool (31 addresses), we looked up the address manually using service.
为了保证我们的分析是可追踪的,我们检查了一份从3月18日11:00(世界时)到3月19日7:00(世界时),来自于三个最常见的后台服务器中的两个的样本。对于每个小时,我们从每个服务器里取出30MB压缩过的日志。完全的样本包括了16611840个网页请求,里面有13183独特的源IP地址。我们从2015年3月3日开始使用MaxMind GeoIP2 Lite数据库来给每个源IP地址标定上属于哪个国家。对于任何无法使用这工具来得到地理位置的IP地址,我们手动在 上进行查询。

The figure below summarizes the top countries of origin, with China added for comparison.

Figure 3. Number of Unique IP addresses seen in DDoS log sample showing the top 5 countries/regions, with Chinese traffic included for comparison.
图3 DDOS日志中源IP地址最多的5个国家或地区的独特IP地址数,中国流量被加入以比对

Note that 8,827 (66.9%) of the IP addresses originate from Taiwan and Hong Kong, two regions where Chinese is the official language. China, however, accounted for only 18 requests.  This is consistent with malicious code injected into China-hosted websites at the border of the Chinese Internet.

To determine which websites have their responses altered by the injection of malicious code, we extracted the domain names of the 25 most frequently seen referrers in our dataset,20  finding that these domains account for 55% of the total requests in the sample.

Figure 4. Top 25 referrers found in the DDoS logs, grouped by domain. The top bar reflects domains directly in the DNS space. Manual verification confirms that all top 25 referrers use Baidu services such as advertising or analytics.
图4 在DDOS日志里找到的最多的25个引用,按域名分组。顶端的条是直接反映了在 DNS空间里的域名。手动确认过程确认了所有最多的25个引用都使用了百度的服务,例如广告或统计。

The most commonly seen domain is of total requests in the sample), a part of Baidu’s ad network.  Many non-Baidu sites display ads served through Baidu’s ad network, indicating that visitors to non-Baidu sites displaying ads also became targeted.21

We examined the top 25 domains, and linked each one to Baidu: in each case, the site is either a Baidu property or uses Baidu analytics, advertisements, or static resources.22 This finding indicates that Baidu was a major injection target for this attack. According to Alexa statistics, Baidu itself is the fourth-most visited site globally, the highest ranking China-based site on the global list,23 and has received an estimated 4.99 million unique visitors from the US alone in the past 30 days.24

We speculate that Baidu was chosen as an injection target because it is a simple way to target many users.

Section 4: Attributing the Great Cannon to the Chinese Government

We believe there is compelling evidence that the Chinese government operates the GC.  In recent public statements, China has deflected questions regarding whether they are behind the attack, instead emphasizing that China is often itself a victim of cyber attacks.25

Where is the GC Located?

We tested two international Internet links into China belonging to two different Chinese ISPs, and found that in both cases the GC was co-located with the GFW.  This co-location across different ISPs strongly suggests a governmental actor.

Who built the Great Cannon?

That the GFW and GC have the same type of TTL side-channel suggests that they share some source code.  We are unaware of any public software library for crafting packets that introduces this type of TTL side-channel.

What is the Great Cannon’s Function?

Our observations indicate that the GC’s design does not reflect technology well-suited for performing traffic censorship.  Its operation only examines the first data packet of a given connection, which provides a weak censorship mechanism compared to the GFW.  More generally, the GC’s design does not, in practice, enable it to censor any traffic not already censorable by the GFW.  Thus, the evidence indicates that the GC’s role is to inject traffic under specific targeted circumstances, not to censor traffic.

Who is the Great Cannon attacking?

The DDoS attack launched by the GC using “bystander” machines directly aligns with known political concerns of the Chinese government.  The Cyberspace Administration of China has previously referred to GreatFire as a “foreign anti-Chinese organization” (境外反华组).26  The particular GreatFire service targeted in this attack provides proxies to bypass the GFW using encrypted connections to Amazon’s CloudFront cloud service.

GreatFire also hosts two GitHub repositories, and, that provide technology for users who wish to circumvent Chinese government censorship.  The attack on GitHub specifically targeted these repositories, possibly in an attempt to compel GitHub to remove these resources. 

GitHub encrypts all traffic using TLS, preventing a censor from only blocking access to specific GitHub pages.  In the past, China attempted to block Github, but the block was lifted within two days, following significant negative reaction from local programmers.27

Related Posts