Skip to main content

China's 'Great Cannon' can intercept and redirect web traffic

China's 'Great Cannon' can intercept and redirect web traffic

Share this story

Alongside the Great Firewall, China has been developing a new way to intercept and redirect internet traffic, according to a new report from Citizen Lab. The report looks at the recent denial-of-service attack against Github, which flooded the site with bad traffic for five days, resulting in intermittent downtime. China's cybersecurity administration had been suspected as the source of attacks, but the new report lays out the evidence in more damning detail, showing the redirection occurring as traffic enters China Telecom, indicating it is part of the same infrastructure as China's Great Firewall.

The attack on Github worked by tampering with an analytics script that the Chinese web giant Baidu distributes. Anyone visiting a site with the script would normally send back data to Baidu and receive a reply, but the Cannon intercepted that data in transit, inserting a new script that would blast Github with bad traffic. It isn't the first time the tactic has been used, but it's the most high-profile example, and it put China's new web powers on full display. The same tactics could also be used to inject malware into any unencrypted communication with the Chinese web, including ads or analytics scripts, in a stealthier version of a network injection attack.

The report was possible in part because the attack against Github went on for days, long after Github's mitigation efforts had blunted the attack. That gave researchers a chance to run tests and assess what triggered the Great Cannon injections and what didn't. At the same time, the duration of the attack suggests China didn't care about keeping the Great Cannon secret, and may have been showing off the new weapon as a kind of deterrent. A denial-of-service attack against a popular American site is also one of the most visible ways to deploy the tool. "I would assume China would’ve had this sort of capability," said ICSI's Nicholas Weaver, one of the report's lead researchers, "but I would’ve also assumed that they wouldn’t want to broadcast this to the world."

"I would’ve... assumed that they wouldn’t want to broadcast this to the world."

Many have already called for US retaliation for the Github attack — with one researcher describing it as "attacks by a nation state against key United States internet infrastructure." The NSA has similar capabilities through the QUANTUM program, revealed by Edward Snowden, but it has never used them in such an aggressive and public way. Still, the existence and nominal secrecy of those programs may make it difficult to go after the newly revealed weapon through diplomatic channels.

Still, it's unclear how the rest of the web might blunt the Great Cannon's power going forward. HTTPS encryption can be used to protect against the attack, but the Chinese government strongly discourages HTTPS among Chinese companies for just this reason. As a result, the biggest blow may be to companies like Baidu as they seek to integrate with the global web. Baidu was a tempting target for the Great Cannon because its analytics script was so widely used — but now that the capabilities of the Great Cannon are public, sites may be more wary of using code that might be vulnerable to it. That would be bad news for Baidu, but also any Chinese companies looking to serve ads or other plugins to the rest of the web.