The DDoS Attack against GitHub & HTTP Hijacking in China

It is well known that a large-scale DDoS attack was recently carried out against GitHub. The obvious attacker, the Great Firewall (GFW) in China, did this by HTTP hijacking.

A lot of Chinese websites use Baidu's analytics service to collect visitor information as an alternative to Google Analytics, which is not available in mainland China. The GFW hijacked Baidu's analytics JavaScript file on all inbound requests, i.e. from outside China to inside China, and changed its content so that the JavaScript code visits several specific GitHub pages every 2 seconds. This placed a heavy burden on GitHub's servers and eventually became a DDoS attack in which the GFW made use of millions of Chinese people who are outside China but visiting Chinese websites to achieve its goal.

HTTP hijacking is so common in China that it is not a surprise for me to hear that the GFW eventually made use of it to attack GitHub. In China, every ISP uses HTTP hijacking to push ads to end users. In fact, some of the hijacking code is so poorly written that it even hijacks API HTTP requests, such as JSON responses. This has been confirmed by some of the users of an open source Android app which I contributed to. They reported this issue several days ago, and it only happens when using certain ISP services.

There may be two reasons why HTTP hijacking is so common in China. First, the ISP market is not a free market, and only some nationally owned companies are allowed to provide Internet service. Second, few websites use HTTPS to deliver their content, which makes them vulnerable to MITM attacks.
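
One defense against the in-transit script modification described above is to pin the script's hash, as Subresource Integrity (SRI) does in browsers. The following Node.js code is an added example, not code from the original post; the function names and sample script bodies are constructed, and it assumes the integrity value reaches the client over a channel an on-path party cannot alter (for example, an HTTPS page).

```javascript
const crypto = require("node:crypto");

// Relative strength of the hash algorithms SRI accepts.
const STRENGTH = new Map([["sha256", 1], ["sha384", 2], ["sha512", 3]]);

// Build an integrity value ("sha384-<base64 digest>") for a script body.
function sriDigest(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Parse whitespace-separated "alg-base64[?options]" tokens; drop unknown algorithms.
function parseIntegrity(integrity) {
  return integrity.trim().split(/\s+/).flatMap((token) => {
    const i = token.indexOf("-");
    if (i < 1) return [];
    const alg = token.slice(0, i);
    const value = token.slice(i + 1).split("?")[0];
    return STRENGTH.has(alg) && value ? [{ alg, value }] : [];
  });
}

// True only if the body matches one of the strongest hashes listed.
// Choice made for this example: no usable hash means reject (fail closed).
function verifySri(body, integrity) {
  const hashes = parseIntegrity(integrity);
  if (hashes.length === 0) return false;
  const best = Math.max(...hashes.map((h) => STRENGTH.get(h.alg)));
  return hashes
    .filter((h) => STRENGTH.get(h.alg) === best)
    .some((h) => {
      const actual = crypto.createHash(h.alg).update(body).digest();
      const expected = Buffer.from(h.value, "base64");
      return expected.length === actual.length &&
        crypto.timingSafeEqual(expected, actual);
    });
}

// Constructed sample data, not the real analytics script.
const published = "window._stats = window._stats || [];\n";
const received = published + "/* bytes appended in transit */\n";
const integrity = sriDigest(published); // computed by the site owner

function demo() {
  return {
    untouched: verifySri(published, integrity),
    modified: verifySri(received, integrity),
  };
}
console.log(demo());
```

In a browser the same check is expressed declaratively with the `integrity` attribute on a `<script>` tag; it only works for third-party files whose content is stable between releases.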

