>"Requests to Baidu’s content data network are being intercepted and sending back some javascript code instead of the original requested file. The javascript code instructs visitors browsers to request the Github pages of anti-censorship group Greatfire and the Chinese language edition of the New York Times."
I must be misunderstanding - is there a salient piece of info missing?
It makes no sense for the Chinese government to attempt to foil censor bypassing by sending all users of Baidu a link to a project on GitHub that enables censor bypassing.
As the outcome is to inform all affected Baidu users of bypass tools and a non-government-controlled newspaper, this looks more likely to be a rogue element to me.
It doesn't even look like what I'd call DDoS - sending genuine users to your site who might be interested in your product, isn't that an unpaid affiliate scheme?!?
The Great Firewall intercepts requests to Baidu's CDN from outside China, specifically HTTP requests for Baidu's analytics scripts.
Users from outside China who visit web properties that use Baidu's analytics get malicious JS that injects <script> tags every two seconds to spam github.com with requests.
Nobody would notice that attack, except GitHub cottoned onto this and replaced the github pages with JS that spawns a little alert() popup.
That puts the blame strictly on the Chinese government. And specifically the military that controls the firewall.
Sounds to me like an act of aggression by a state army against a non-combatant on foreign soil. What if a helicopter with a red star on it flew into California in the middle of the night and set fire to Github's offices? What's the difference?
This was worded misleadingly. This is indeed a DDoS: code has been injected to load the Github pages in the background using XHR without the user's knowledge. The host page itself is not redirected (or visibly affected in any way[1]).
Furthermore, only people outside of China are affected by this -- Chinese citizens don't have this code injected.
[1]: Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed. Hence GitHub has tried to mitigate the attack by replying 'alert("WARNING: malicious javascript detected on this domain")' to notify the user that this is happening.
> Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed
That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow cross-origin XHR for their pages (that's a security vulnerability). So they have to use <script> which doesn't follow the Same Origin Policy.
Though that's a bit silly, given they could've also used <img> which wouldn't be vulnerable to XSS.
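An added example, not code from this thread, from GitHub or from Baidu: a small check a site operator outside China could run over the body of a third-party analytics script it receives, flagging the pattern described above (a timer loop that creates `<script>` elements pointing at hosts the analytics vendor does not use). The allow-list host, the target URL and both sample script bodies are constructed for illustration; the suspicious sample is not the real injected code.

```javascript
// Added example (not from the thread, GitHub or Baidu): inspect the body of a
// third-party analytics script for the pattern the thread describes, namely a
// timer loop that creates <script> elements pointing at hosts the analytics
// vendor does not use. Every host, URL and script body below is constructed
// for illustration and is not the real injected code.

// Assumption: the site operator knows which hosts the vendor's script is
// expected to reference. Replace with your own allow-list.
const ALLOWED_HOSTS = new Set(["hm.baidu.com"]);

// Extract every absolute http(s) URL from a script body.
function extractUrls(body) {
  const re = /https?:\/\/[A-Za-z0-9.\-]+(?::\d+)?(?:\/[^\s'"`)]*)?/g;
  return body.match(re) || [];
}

// Report whether a script body combines the three ingredients of the loader
// described in the thread: a timer, dynamic <script> creation, and URLs whose
// host is outside the allow-list. Any one ingredient alone is normal; the
// combination is what makes a third-party script worth blocking or reporting.
function inspectScriptBody(body, allowedHosts = ALLOWED_HOSTS) {
  const usesTimer = /\bset(?:Interval|Timeout)\s*\(/.test(body);
  const createsScript = /createElement\s*\(\s*['"]script['"]\s*\)/.test(body);
  const offOriginHosts = [];
  for (const url of extractUrls(body)) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch (e) {
      continue; // malformed URL fragment; ignore
    }
    if (!allowedHosts.has(host) && !offOriginHosts.includes(host)) {
      offOriginHosts.push(host);
    }
  }
  return {
    usesTimer,
    createsScript,
    offOriginHosts,
    suspicious: usesTimer && createsScript && offOriginHosts.length > 0,
  };
}

// Constructed benign snippet: loads the vendor script once, no timer.
const BENIGN_SAMPLE = `
var _hmt = _hmt || [];
(function () {
  var hm = document.createElement("script");
  hm.src = "https://hm.baidu.com/hm.js?constructed-site-id";
  document.getElementsByTagName("head")[0].appendChild(hm);
})();
`;

// Constructed suspicious snippet with the described behaviour: every two
// seconds append a <script> whose src is a page on an unrelated host.
const SUSPICIOUS_SAMPLE = `
var targets = ["https://github.com/example-org/example-page/"];
setInterval(function () {
  var s = document.createElement("script");
  s.src = targets[0] + "?" + Date.now();
  document.head.appendChild(s);
}, 2000);
`;

// Run both samples and return the reports, for a stand-alone demonstration.
function demo() {
  return {
    benign: inspectScriptBody(BENIGN_SAMPLE),
    suspicious: inspectScriptBody(SUSPICIOUS_SAMPLE),
  };
}
```

The check looks at every URL in the body, not only at script `src` values, so it would also flag a loader that used `<img>` or XHR against an off-origin host; as the comment above notes, those variants differ only in whether the browser executes the response (a `<script>` does, an `<img>` does not, and cross-origin XHR is refused by the same-origin policy), not in the traffic they generate.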
So the text I quoted should say something like [with appropriate expansion and fact checking]:
"Requests from other countries to Baidu's CDN in China are intercepted by the government firewall - the returned web pages load content from GitHub or NYT that is hidden from the user. The browser of each affected Baidu user outside China sends content requests to those content suppliers whenever they follow a link in Baidu's search results. With Baidu's immense popularity this is causing a DDoS of the content suppliers' servers, preventing genuine users' browser requests from being handled."
What's the actual injected code? Presumably one can get it by requesting a link on a Baidu SERP?