LIHKG, a Reddit-like forum in Hong Kong, has come under attack from China’s Great Cannon, a tool used to launch distributed denial-of-service (DDoS) attacks by inserting scripts that intercept massive amounts of web traffic and redirect it to targeted websites.

LIHKG has been a major forum for distributing information and discussing strategy about Hong Kong's anti-extradition protests since March. The attack was launched ahead of an August 31 rally, flagged as “illegal” by Hong Kong police.

According to an official statement published by the forum, between 08:00 and 23:59 on August 31, the website received 1.5 billion total requests. At the peak of the attack, the forum received 260 thousand requests per second and 6.5 million unique visitors per hour. As the scale of the attack was unprecedented, the forum administrators believe it was state-backed:

We have reasons to believe that there is a power, or even a national level power behind such attacks as botnet from all over the world were manipulated in launching this attack.

The security team quickly restored the website with a protective measure – a CAPTCHA on the anchoring page. However, LIHKG's mobile app was disrupted for a few days and is still unstable.

As the news spread, local and overseas tech circles reached out to help the forum find out where the attack was coming from. As anticipated, the DDoS was redirected by a script from Chinese companies:

China wrote a script that is made for DDoSing LIHKG.

In the script they included a feedback address (116.255.226.154).

If you look up who is that, you will find Chinese companies.

This explains who caused the downage today.

Script: https://t.co/pyyl12bFCx #HongKong #LIHKG pic.twitter.com/RzIEVRV1LT

— throwawayconstant (@throwawayconst) August 31, 2019

According to LIHKG, massive traffic to the forum was redirected through the Chinese Internet companies Qihucdn.com and Baidu.

The domain information record shows that Qihucdn.com’s Registrant State/Province is Beijing and its name server is 360safe.com, the same as Qihoo 360, a leading Chinese Internet platform company which claims to “protect users’ computers and mobile devices against malware and malicious websites”. The company has been notorious for whitelisting malware.

Since Qihoo’s security protection product is widely used by mainland Chinese netizens and small companies, users from LIHKG accused the company of staging the DDoS attack by inserting a feedback script through their “security service”.

Likewise, Baidu, the biggest search engine in China, was redirecting traffic to LIHKG. The website was also involved in another massive DDoS attack targeting GitHub back in 2015.

The Great Cannon

Technical reports about the 2015 GitHub DDoS incident explained that the attack was launched through a man-in-the-middle device which intercepted web requests coming into China from elsewhere in the world, and then replaced the content with JavaScript code that would attack the targeted site. Specifically, in the case of GitHub, it intercepted Baidu's analytics and redirected traffic to GitHub, and hence the attack appeared to be coming “from everywhere”.

This kind of aggressive attack has been termed “the Great Cannon” by Citizen Lab, a human rights-based research center on Information and Communication Technology at the University of Toronto.

The research center found in 2015 that the Great Cannon can “manipulate the traffic of ‘bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack”. The attack is similar to the NSA's QUANTUM system, capable of “targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.”
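An added illustration, not part of the original article or of the reports it cites: the condition quoted above, a site “not fully utilizing HTTPS”, can be checked by listing the script references on a page that would travel over plain HTTP, where an on-path device is able to replace them. The function name auditScripts, the sample page and its example.* hostnames are constructed for this example.

```javascript
// Added example (not from the article). Constructed sample page; every
// hostname below is a placeholder, not taken from the incident.
const SAMPLE_HTML = `
<html><head>
<script src="http://analytics.example.com/h.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://static.example.org/app.js"></script>
<script data-src="http://lazy.example.net/x.js" src=/js/local.js></script>
<script>var inline = 1;</script>
</head></html>`;

// Returns which script loads on a page cross the network unencrypted and
// could therefore be swapped by an on-path device.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const insecureScripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Match a real src attribute, not data-src; quotes are optional in HTML.
    const src = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (!src) continue; // inline script: shares the fate of the page itself
    // Resolving against the page URL handles relative and protocol-relative
    // ("//host/path") references, which inherit the page's scheme.
    const url = new URL(src[1], page);
    if (url.protocol === 'http:') insecureScripts.push(url.href);
  }
  return { pageInjectable: page.protocol === 'http:', insecureScripts };
}

// Same markup served over HTTP and over HTTPS.
console.log(auditScripts(SAMPLE_HTML, 'http://news.example.org/'));
console.log(auditScripts(SAMPLE_HTML, 'https://news.example.org/'));
```

Serving the same markup over HTTPS removes the relative and protocol-relative references from the list; the hard-coded http:// include remains until its URL is changed.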

Cybersecurity expert Chris Doman reviewed the JavaScript used in the LIHKG attack and pointed out on Twitter:

It looks like the attackers upgraded the code during the attack to check for Cloudflare and target more URLs: pic.twitter.com/2wqP9gj7pR — chris doman (@chrisdoman) September 2, 2019

While LIHKG has blocked all IPs from mainland China, when someone from overseas visited a Baidu or Qihoo 360 site hosted in mainland China, the script would point them to LIHKG, and hence the forum faced a massive DDoS attack coming from all over the world.

In 2015, when GitHub was attacked, Baidu denied its involvement and responsibility, as the attack was launched through a man-in-the-middle device. Who is capable of controlling a device that can insert scripts to redirect web traffic from China to the target? The finger is pointed at the mainland Chinese government, which is also in control of the Great Firewall that blocks sensitive websites and filters sensitive keywords.

What happened to LIHKG is not a single incident: a majority of independent media outlets and citizen forums in Hong Kong are subjected to state-level DDoS attacks from mainland China. In 2014, a citizen-led voting site and the news site Apple Daily were subjected to DDoS attacks, in an attempt to silence voices supporting the Occupy Central Campaign and a civil referendum that sought to bring about change to the local election system. However, the local authorities have not conducted any investigation into attacks directed at civilians. Now a majority of local independent media outlets and activist sites have to block IPs from mainland China and subscribe to expensive security plans to keep themselves accessible to internet users.

As for the latest round of attacks on LIHKG, it is very likely that no entity will be held accountable for the malicious act. Netizens can only take very passive protective measures to avoid assisting similar kinds of attacks: