

Old Paper – “GitHub GHOST Attack” (March 2015)

Below is the full text of a short paper I wrote in college regarding the then-recent GitHub DDoS attack. I dug it up on an old hard drive and thought it might be interesting to others.


WHAT

On March 27, 2015, GitHub reported that it was experiencing a distributed denial of service attack, which had apparently begun the night before. Further analysis traced the attack to third parties exploiting the Baidu Analytics JavaScript plugin loaded by the page.

The style of attack employed is known as “Man on the Side”, and is similar to the better-known “man in the middle” attack, except that the attacker can only observe and inject traffic rather than block it. The stages are simple:

  1. User (ALICE) requests a page from Site (BOB)
  2. BOB sends a page to ALICE that includes a script hosted on a third-party server, CHINA
  3. A malicious party MAL detects the request to CHINA using passive techniques
  4. MAL sends malicious scripts in place of the requested script

In this case, GitHub users were attempting to load the Baidu Analytics script from Chinese servers. The attackers detected the requests as they entered the Chinese passive infrastructure and supplied three malicious packets containing JavaScript code. This distributed the attack to roughly 1 in 100 users of the popular site. Each infected user repeatedly requested two specific pages on the GitHub servers at a rapid rate, which produced the DDoS experienced.

The malicious code has been formatted for easier reading, and is presented below.[i]

WHY

Distributed Denial of Service attacks are malicious ventures which do not provide direct profit to the attackers. They are attacks on the availability of the targeted resource, and their cost is proportional to the business lost and the time spent in the down/recovery period. This is a tremendously costly attack when employed against popular sites such as Facebook, GitHub, or Amazon.

HOW

It is not simple to prevent DDoS attacks. Obvious answers such as increasing the number of servers and ports available are expensive and result in recurring costs without return on investment. Firewalls designed to prevent the commonly employed attacks on the TCP handshake are ineffective against the variety of attack employed in this case. Techniques designed to prevent rapid-refresh attacks can undermine valid JavaScript operations, which can severely hinder the operation of the site.

The following techniques could potentially prevent this attack from recurring, though there are no guarantees:

  • Carefully screen the scripts you wish to employ on your site, checking both for exploitability and for the overall reliability of the vendor
  • Avoid scripts which are loaded through an untrusted passive infrastructure such as the “Great Firewall of China”, as these can potentially be exploited
  • Deploy intrusion detection to spot malicious insertion into otherwise legitimate traffic
  • Strategically drop packets and request retransmission, as third-parties rarely retransmit (but valid servers usually do)
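The intrusion-detection and retransmission points above, together with the four stages in the WHAT section, rest on one property of a man-on-the-side: MAL can race a forged reply to ALICE but cannot stop CHINA's genuine reply, so both reach the client and claim the same TCP sequence position with different bytes. The following script is an added example (not part of the original paper or of the netresec analysis) that flags such conflicts in captured segments. The addresses, port numbers, TTL values and payloads are constructed sample data, and the TTL-baseline heuristic is an assumption: an injector on a different network path usually shows a different hop count than the real server.

```python
"""Flag man-on-the-side style TCP injection in a list of captured segments.

Added example. Sequence-number reuse with identical bytes is an ordinary
retransmission; reuse with different bytes means two senders wrote the same
position of the stream, which is the fingerprint of an injected reply.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One server-to-client TCP segment, reduced to the fields we need."""
    ts: float        # capture timestamp in seconds
    src: str         # sender IP (the server side of the connection)
    dst: str         # receiver IP (the client)
    sport: int
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    ttl: int         # IP TTL observed at the capture point
    payload: bytes


def flow_key(seg: Segment) -> tuple:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def baseline_ttls(segments) -> dict:
    """Most common TTL per flow (assumed heuristic: the genuine path's TTL)."""
    per_flow = defaultdict(Counter)
    for seg in segments:
        per_flow[flow_key(seg)][seg.ttl] += 1
    return {k: c.most_common(1)[0][0] for k, c in per_flow.items()}


def find_injections(segments) -> list:
    """Return one alert per (flow, seq) where two payload-bearing segments
    share a sequence number but carry different bytes."""
    base = baseline_ttls(segments)
    first_seen = defaultdict(dict)   # flow -> seq -> first payload segment
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue                 # handshake / pure ACKs carry no data
        key = flow_key(seg)
        prior = first_seen[key].setdefault(seg.seq, seg)
        if prior is seg or prior.payload == seg.payload:
            continue                 # new position, or a faithful retransmission
        # Prefer the segment whose TTL deviates from the flow baseline; if
        # neither deviates, report the earlier one, since an injector must win
        # the race to be effective.
        suspect = prior
        if prior.ttl == base[key] and seg.ttl != base[key]:
            suspect = seg
        alerts.append({
            "flow": key,
            "seq": seg.seq,
            "suspect_ts": suspect.ts,
            "suspect_ttl": suspect.ttl,
            "baseline_ttl": base[key],
            "ttl_mismatch": prior.ttl != seg.ttl,
            "suspect_payload": suspect.payload[:40],
        })
    return alerts


# Constructed sample capture (RFC 5737 documentation addresses, not real hosts).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE_CAPTURE = [
    Segment(0.000, SERVER, CLIENT, 80, 51000, 1000, 48, b""),   # SYN/ACK, no data
    # Forged reply: arrives first, different bytes, travelled a different route
    Segment(0.120, SERVER, CLIENT, 80, 51000, 1001, 44,
            b"HTTP/1.1 200 OK\r\n\r\n<script>/* injected placeholder */</script>"),
    # Genuine reply a few milliseconds later, same sequence number
    Segment(0.125, SERVER, CLIENT, 80, 51000, 1001, 48,
            b"HTTP/1.1 200 OK\r\n\r\n/* genuine analytics script placeholder */"),
    # Ordinary retransmission later in the flow: same seq, same bytes, no alert
    Segment(0.900, SERVER, CLIENT, 80, 51000, 3001, 48, b"var x = 1;"),
    Segment(1.300, SERVER, CLIENT, 80, 51000, 3001, 48, b"var x = 1;"),
]

if __name__ == "__main__":
    for alert in find_injections(SAMPLE_CAPTURE):
        print(alert)
```

Run on the sample, the script reports a single conflict at sequence 1001 and points at the segment with TTL 44 that arrived first; the duplicate at 3001 is ignored because the bytes match. In a real deployment the same logic would sit on a sensor that sees the client side of the connection, and a TTL mismatch alone should be treated as supporting evidence rather than proof, since paths do change.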

[i] http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
