Great Cannon DDoS operation fires on Hong Kong protesters

Hong Kong’s LIHKG website, a localised forum service akin to Reddit that is being used to organise and co-ordinate the ongoing pro-democracy protests in the Special Administrative Region (SAR), has been targeted with distributed denial of service (DDoS) attacks originating from the so-called Great Cannon, a China-based tool allegedly operating with government support.

Little has been heard from the Great Cannon since it was first used in 2015, targeting censorship monitoring community GreatFire.org and open source software development community GitHub, but threat researcher Chris Doman of AT&T’s AlienVault security unit – now known as AT&T Cybersecurity – has now implicated it in a series of attacks.

First publicly identified by researchers at the University of Toronto, the Great Cannon “fires” on its targets by injecting malicious JavaScript into pages served from behind China’s Great Firewall. The malicious script is served to millions of users and hijacks their connections to make multiple requests against the target, overwhelming it and presenting as a standard DDoS attack.

In the case of LIHKG, the code repeatedly requested a number of different resources, including images and meme content hosted on the likes of Tumblr and other locations, that appears on the LIHKG forums. These content URLs are appended to the LIHKG image’s proxy URL, which means LIHKG’s resources are then consumed by accessing the content, changing its size and serving it to the user.

“It is unlikely these sites will be seriously impacted,” said Doman in a blog post disclosing the renewed activity, “partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code.”

However, he said it was “disturbing” that a tool like the Great Cannon was being used once again, especially as the attacks are causing collateral damage to US-based hosting services.

LIHKG had already disclosed an “unprecedented” DDoS attack that took place on 31 August 2019, during which it saw 1.5 billion total requests made and 6.5 million unique “visitors” per hour, causing congestion and server overloads, but said its data and members’ personal information were not compromised. The site’s administrators thanked their DDoS mitigation service provider, Cloudflare, for its assistance.

Although DDoS is arguably one of the more crude methods of conducting a cyber attack, some of the most damaging cyber incidents of recent years have been caused by DDoS, most famously the Mirai internet of things (IoT) botnet attack, which took multiple websites offline by targeting DNS services provider Dyn.

Three years on, its descendants continue to be an active security threat. According to Trend Micro researchers, Mirai has been so successful that it has stifled innovation among threat actors to some extent.

More recently, a November 2019 DDoS attack on the systems of the UK’s Labour Party was claimed by hacking group Lizard Squad, which has historically specialised in such tactics.

A recent report on the DDoS attack landscape by Kaspersky showed that the number of these attacks is growing rapidly, with 18% more conducted during the second quarter of 2019 compared to 2018.

“This trend is rather worrying for businesses,” said Alexey Kiselev, Kaspersky DDoS protection team business development manager. “Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require the targets to identify illegitimate activity even if its volume is low.

“We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”