Baidu's content data network (CDN), the computers that serve Baidu analytics and Baidu ads has been hijacked and is being used to launch a distributed denial of service (DDOS) attack on popular developer tool Github.

The China Twitterverse has been buzzing today with reports of weird javascript errors on sites linking to Baidu assets (like Baidu analytics) when accessed outside of the Great Firewall.

Baidu search results of malicious js
Baidu search results of malicious js

Requests to Baidu’s content data network are being intercepted and sending back some javascript code instead of the original requested file. The javascript code instructs visitors browsers to request the Github pages of anti-censorship group Greatfire and the Chinese language edition of the New York Times. These groups turned to a developer source code control tool to host their information with the knowledge that China was unable to block Github because of the huge cost to its technology industry.

Malicious JS
Malicious JS

This DDOS attack is interesting for a few reasons:

  1. It leverages unsuspecting website visitors with uncompromised machines to create a DDOS attack
  2. It makes a China based attack appear to come from outside of China by only inserting the compromising javascript code in Baidu CDN requests made outside of China
3. It attacks one of the most popular developer site that the Great Firewall has tried unsuccessfully to block in the past because of Chinese developer backlash
  3. It appears to be an attempt to pressure Github, a non-news organization, to censor content that China objects to.
  4. This outbound attack appears to be originating from the government controlled Great Firewall.

More information and detailed technical analysis here and demo video by Seven Shippo.