{
	"id": "7c11af64-eada-43c0-8b49-b4c01f34eec4",
	"created_at": "2026-04-06T01:30:03.254452Z",
	"updated_at": "2026-04-10T13:12:19.269134Z",
	"deleted_at": null,
	"sha1_hash": "add0b42425ed3571d2918676cb468c63e2de582b",
	"title": "Massive denial-of-service attack on GitHub tied to Chinese government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37832,
	"plain_text": "Massive denial-of-service attack on GitHub tied to Chinese\r\ngovernment\r\nBy Dan Goodin\r\nPublished: 2015-03-31 · Archived: 2026-04-06 00:46:03 UTC\r\n“This attack demonstrates how the vast passive and active network filtering infrastructure in China, known as the\r\nGreat Firewall of China or ‘GFW,’ can be used in order to perform powerful DDoS attacks,” the Netresec\r\nresearchers wrote in a report published Tuesday. “Hence, the GFW cannot be considered just a technology for\r\ninspecting and censoring the Internet traffic of Chinese citizens, but also a platform for conducting DDoS attacks\r\nagainst targets world wide with help of innocent users visiting Chinese websites.”\r\nThe report included the following data, which was taken using the tshark packet sniffer. It shows that the TTL of a\r\nlegitimate SYN+ACK packet is 42, while three packets with a malicious payload have TTL values of 227, 228,\r\nand 229. The results suggest that the SYN+ACK packets are coming from the actual Baidu server, while the\r\npackets carrying the malicious payload are injected somewhere else:\r\ntshark -r baidu-high-ttl.pcap -T fields -e ip.src -e ip.dst -e tcp.flags -e ip.ttl\r\n192.168.70.160 61.135.185.140 0x0002 64 \u003c- SYN (client)\r\n61.135.185.140 192.168.70.160 0x0012 42 \u003c- SYN+ACK (server)\r\n192.168.70.160 61.135.185.140 0x0010 64 \u003c- ACK (client)\r\n192.168.70.160 61.135.185.140 0x0018 64 \u003c- HTTP GET (client)\r\n61.135.185.140 192.168.70.160 0x0018 227 \u003c- Injected packet 1 (injector)\r\n192.168.70.160 61.135.185.140 0x0010 64\r\n61.135.185.140 192.168.70.160 0x0018 228 \u003c- Injected packet 2 (injector)\r\n61.135.185.140 192.168.70.160 0x0019 229 \u003c- Injected packet 3 (injector)\r\n192.168.70.160 61.135.185.140 0x0010 64\r\n192.168.70.160 61.135.185.140 0x0011 64\r\nResearchers from GreatFire have issued their own report that also lays out evidence the attacks could not have\r\nbeen carried out without the cooperation of 
Chinese authorities. In an accompanying blog post, they went on to\r\nname the Cyberspace Administration of China and its head Lu Wei. The GreatFire researchers wrote:\r\nInserting malicious code in this manner can only be done via the Chinese Internet backbone. Even if\r\nCAC did not launch the DDoS attack directly, they are responsible for managing the internet in China\r\nand it is not possible that they did not know what was happening. These attacks have occurred under\r\nCAC’s watch and would have needed the approval of Lu Wei.\r\nLu Wei and the Cyberspace Administration of China have clearly escalated the tactics that they use to\r\ncontrol information. The Great Firewall has switched from being a passive, inbound filter to being an\r\nactive and aggressive outbound one. This is a frightening development and the implications of this\r\naction extend beyond control of information on the internet. In one quick movement, the authorities\r\nhave shifted from enforcing strict censorship in China to enforcing Chinese censorship on internet users\r\nworldwide. CAC can launch these attacks quickly and easily and they have the technical and financial\r\nresources behind them to continue to launch DDoS attacks against any website, anywhere in the world.\r\nThese attacks also illustrate the shortsighted nature of the Chinese authorities. Weaponizing Chinese\r\ninternet services stifles global confidence in Chinese entrepreneurs and contributes to the fragmentation\r\nof the global internet. The SEC has already asked Weibo to explain how the censorship apparatus works\r\n– Baidu, a publicly-listed company in the US, may be called in to do the same.\r\nWe correctly predicted last year that China would increase their use of MITM attacks in an effort to\r\ncensor encrypted websites. 
We now sadly predict that the DDoS attacks against us and GitHub are\r\nlikely to signal a ramping up of attacks against foreign internet properties. These kinds of attacks should\r\ndraw scorn and criticism from government officials of all countries around the world.\r\nSo far, there are no reports of Chinese officials responding to the accusations. In fairness, readers should\r\nremember that assigning responsibility to Internet-based attacks is extremely difficult. Attackers often manipulate\r\ntheir hacks to give the appearance they originated somewhere else. Still, there’s no doubt that Chinese authorities\r\ncarefully police that country’s Internet backbone. It’s hard to imagine how malicious code could be inserted into\r\nso many different China-based websites for five days straight without a government authority actively\r\nparticipating, or at least looking the other way, while it happened.\r\nSource: https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/"
	],
	"report_names": [
		"massive-denial-of-service-attack-on-github-tied-to-chinese-government"
	],
	"threat_actors": [],
	"ts_created_at": 1775439003,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/add0b42425ed3571d2918676cb468c63e2de582b.pdf",
		"text": "https://archive.orkl.eu/add0b42425ed3571d2918676cb468c63e2de582b.txt",
		"img": "https://archive.orkl.eu/add0b42425ed3571d2918676cb468c63e2de582b.jpg"
	}
}