ake78 (3D & photo) - Fotolia

Great Cannon DDoS operation fires on Hong Kong protesters

AT&T’s security unit has evidence that China is pressing its Great Cannon DDoS tool into service once again, specifically to target pro-democracy protests in Hong Kong

Hong Kong’s LIHKG website, a localised forum service akin to Reddit that is being used to organise and co-ordinate the ongoing pro-democracy protests in the Special Administrative Region (SAR), has been targeted with distributed denial of service (DDoS) attacks originating from the so-called Great Cannon, a China-based tool allegedly operating with government support.

Little has been heard from the Great Cannon since it was first used in 2015, targeting censorship monitoring community GreatFire.org and open source software development community GitHub, but threat researcher Chris Doman of AT&T’s AlienVault security unit – now known as AT&T Cybersecurity – has now implicated it in a series of attacks.

First publicly identified by researchers at the University of Toronto, the Great Cannon “fires” on its targets by injecting malicious JavaScript into pages served from behind China’s Great Firewall. The malicious script is served to millions of users and hijacks their connections to make multiple requests against the target, overwhelming it and presenting as a standard DDoS attack.

In the case of LIHKG, the code repeatedly requested a number of different resources, including images and meme content hosted on the likes of Tumblr and other locations, that appears on the LIHKG forums. These content URLs are appended to the LIHKG image’s proxy URL, which means LIHKG’s resources are then consumed by accessing the content, changing its size and serving it to the user.

“It is unlikely these sites will be seriously impacted,” said Doman in a blog post disclosing the renewed activity, “partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code.”

However, he said it was “disturbing” that a tool like the Great Cannon was being used once again, especially as the attacks are causing collateral damage to US-based hosting services.

LIHKG had already disclosed an “unprecedented” DDoS attack that took place on 31 August 2019, during which it saw 1.5 billion total requests made and 6.5 million unique “visitors” per hour, causing congestion and server overloads, but said its data and members’ personal information were not compromised. The site’s administrators thanked their DDoS mitigation service provider, Cloudflare, for its assistance.

Read more about mitigating DDoS attacks

  • Automation can significantly improve response times during a distributed denial of service attack, reducing the potential damage to targeted organisations.
  • Network layer and application layer DDoS attacks are significant threats. Learn about the differences between them and what you can do to reduce their effects.
  • Although most scrubbing services can help fend off distributed denial of service attacks, a more comprehensive mitigation strategy is required to remain unscathed.

Although DDoS is arguably one of the more crude methods of conducting a cyber attack, some of the most damaging cyber incidents of recent years have been caused by DDoS, most famously the Mirai internet of things (IoT) botnet attack, which took multiple websites offline by targeting DNS services provider Dyn.

Three years on, its descendants continue to be an active security threat. According to Trend Micro researchers, Mirai has been so successful that it has stifled innovation among threat actors to some extent.

More recently, a November 2019 DDoS attack on the systems of the UK’s Labour Party was claimed by hacking group Lizard Squad, which has historically specialised in such tactics.

A recent report on the DDoS attack landscape by Kaspersky showed that the number of these attacks is growing rapidly, with 18% more conducted during the second quarter of 2019 compared to 2018.

“This trend is rather worrying for businesses,” said Alexey Kiselev, Kaspersky DDoS protection team business development manager. “Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require the targets to identify illegitimate activity even if its volume is low.

“We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management