China used the Great Cannon DDoS Tool against forum used by Hong Kong protestors

Pierluigi Paganini December 05, 2019

China is accused to have used the “Great Cannon” DDoS tool to launch attacks against LIHKG, a forum used by Hong Kong residents to organize protests.

The Great Cannon Distributed Denial of Service (DDoS) tool was used again by the Chinese government, this time it was used to target the LIHKG forum used by Hong Kong protesters to coordinate their protests against the Beijing government.

The last time the Great Cannon was used by the Chinese authorities was in 2017 when it was involved in DDoS attacks on the Mingjingnews.com site, a US-based Chinese media outlet.

The Great Cannon has been used in the past to knock-out two anti-censorship GitHub pages and the GreatFire.org (a portal that exposes internet censorship worldwide).

“We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.”” states a report published by Citizen Lab researchers published in 2015. The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.” 

According to a report published by AT&T Cybersecurity, the tool was used again by Chinese authorities to target the LIHKG Hong Kong-based website.

Great Cannon DDoS

“The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses data from UrlScan.io, we identified new attacks likely starting Monday November 25th, 2019.” reads the analysis published by AT&T.

Websites are indirectly serving a malicious javascript file from either:

  • http://push[.]zhanzhang.baidu.com/push.js; or
  • http://js.passport[.]qihucdn.com/11.0.1.js

Normally these URLs serve standard analytics tracking scripts. However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code”

The DDoS attacks began on August 31, but later switched to attacking “multiple pages and attempted (unsuccessfully) to bypass DDoS mitigations” implemented by the target website.

According to LIHKG, its platform received a total number of request that exceeded 1.5 billion, the highest record on unique visitors exceeded 6.5 million/hr and the highest record on the total request frequency was 260k/sec in which then lasted for 30 minutes before it is banned.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious Javascript code,” added AT&T.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Great Cannon, China)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment