Hmm, I wonder if this could backfire. If it's an <iframe>, couldn't GitHub insert code that framebusts? If it's some other mechanism, couldn't they block by referrer? If it's CORS, couldn't GitHub deny CORS requests? If it's a <script> tag, couldn't GitHub do some nasty XSS?
"script": Evaluates the response as JavaScript and returns it as plain text. Disables caching by appending a query string parameter, "_=[TIMESTAMP]", to the URL unless the cache option is set to true. Note: This will turn POSTs into GETs for remote-domain requests.
Oh dear. If GitHub can detect this, GitHub can basically XSS all sites using Baidu's analytics.
Edit 2: Oh, the insight-labs article says the attack has stopped.
Who should they "reflect" the attack back at? Baidu, who seem to be a victim of HTTP hijacking in this case? Or the Chinese government? If the latter, then where exactly do you focus the counter-attack?
China's GDP is 10 Trillion dollars. Github is not at all important to China, other than a source of tools to citizens use to circumvent their authoritative regime.
again, then why did they unblock it? it is important, we're in a new paradigm for software where developing in the open leads to higher quality software written faster than previous ways
It's hardly a new paradigm, it's just a place with a lot of software that you'd otherwise have to write from scratch. It's merely software development catching up with everything else.
I'm sure Github and free software is a goldmine to the country that built its economy on copying other people's stuff.
On the other hand, the capitalists running the communist party might scoff at the idea of software that everyone is allowed to copy, because that offers no advantage to the unscrupulous. At least I'd imagine they would scoff at copyleft, just like Github does.
As much as I love MLK and Gandhi, this assertion never made sense to me.
An eye for an eye would leave two people blind: the person who blinded the other, and the one that was blinded.
Once people start seeing the severe consequence of blinding someone (getting blinded back), they and everyone else would most likely stop, not continue blinding more people.
The reason it doesn't make sense to you is because you are assuming it is applied in an ideal perfect universe, while the statement is referring to the real world, where any retributive rule is applied by imperfect actors who make errors in the assignment of culpability (both in identification of who is responsible and in identify whether their act was justified in the first place.)
Such errors result in people who shouldn't be blinded themselves being blinded, and are themselves the subject of retaliation by the same error-prone process.
Well under your reading wouldn't it just leave them each without one eye. They may be blind but in most cases they will still have one other functioning eye. /pedantry
"Who paid retribution for the second blinding? The second paid for the first, I demand a third eye" ... ergo the aphorism.
That's correct, the only problem is it takes thousands of years for humanity as a whole to agree that the consequence is too severe to stand. On this time scale, the idea of not fighting wars because they cause damage is relatively new.
Just to clarify, did the DDOS stop due to GitHub adding that warning text making the hack reflect poorly on Baidu and hence the perpetrators being subjected to internal pressure? If not, GitHub would still have to serve that JS and hence would still be bombarded by millions of content request.
Even better, popping up a JS alert stops further JS execution, so this was a clever way for Github to throttle connections (rather than them being made every 2 seconds as per the hijacked Baidu JS)
I see; I missed the part where the resource request was executed every 2 seconds. The alert essentially would make the page unusable. From my understanding that Baidu is Google for china, the amount of productivity lost since people not being able to search, would mean the hack backfired spectacularly.
Well, except for the fact that it only impacts people who access Baidu from outside the Chinese firewall. People who access Baidu from inside China would not have their Baidu use interrupted.
It looks like what they did was change the url to only serve out the alert in plain text. Which is a lot less resources to use. I would also assume that they are willing to use those resources to fight back.
Imo they should have converted the targetted pages to a static cache and just document.body=page it, the users would notice (not able to access anything) and the pages would still be accessible on github.
Assuming this is the Chinese government, what's their end game here? They must believe that GitHub will bow to their will and remove Greatfire or block it from China. Permanently? That seems incredibly naive. Also, have they not considered the Streisand effect? Also, assuming they see Baidu as effectively a state asset, why poison that brand for such a temporary gain? It doesn't make sense.
That's true. I remember being incredibly disappointed in Google when they agreed to censor search results for China. Here's to hoping that GitHub is willing to stand up to this bully.
Censor but supply notice that they were censoring. And when China hacked into gmail, they left the country rather than continue to comply with their laws.
>Of course, they would call it "complying with local laws in all countries in which we operate".
If 'I was following orders.' isn't an excuse when you are in the military where disobeying orders can get you jailed if not killed, then no one should accept such reasoning when the pentalty is merely being unable to do business in an area.
GitHub was banned in Russia for less than a day and had started to comply with totally braindead removal requests. Why China would need months of attacks to make them do so?
I would be less inclined to oblige in the face of threats and actual attacks. Especially when done so publicly. I imagine companies like Facebook we quicker to oblige through actual negotiation and some sort of "business diplomacy."
They must believe that GitHub will bow to their will and remove Greatfire or block it from China. Permanently?
Well, yes? Extraterritorial law enforcement works fine for the US, they're quite happy to shut down gambling, copyright infringement, and so on regardless of where you are in the world.
In this case, it's git. It's inherently distributed. It's fairly easy to force Chinese users onto a local equivalent and block all those suspicious outgoing https/ssh connections to github.
Sure, but the power differential is much more balanced in this case it would seem. The U.S. government has a history of giving asylum to Chinese dissidents. I'm not sure that forcing users onto a local equivalent would work, it's not git that's the scarce and valuable resource here, it's GitHub. It's the collaboration, being part of the conversation on PRs and Issues, etc. It's currently the center of the web development universe. Greatfire is a brilliant poison pill. I guess we'll have to wait and watch carefully to understand the end game. My prediction is that GitHub continues to mount a defense long enough for U.S. authorities to get involved and at that point the DDoS will stop. I'm either missing something huge (it's not China), or it's an incredibly naive attempt that will fail: just today's blip.
This particular content was hosted on github not because of git per se, but because github is an easy way to host some content and CN cannot block the whole github domain because the tech sector in CN relies too much on github.com, hence it would create a damage to a growing economic sector.
Github has been known to remove files and repositories simply because employees don't like them, despite them not actually breaking any ToS. They've also been known to block access to files/repos to users in certain countries. I wouldn't be surprised if attacks on those repos would cause it to get removed.
Sure. The two most popular examples are the C Plus Equality repo and the Operation Disrespectful Nod repo, which were a satirical programming language and a Gamergate resource list for contacting advertisers, respectively.
It's not proof that _he_ necessarily removed it, but considering it wasn't brought down by the actual repo maintainer, and that any repos created to replace it by other users at the time were taken down as well, it's a safe assumption that someone at GH did.
There's several more sources regarding this, but I'm on a terrible mobile connection at the moment. Googling around will get you a bit more info for the story.
The US's tech prestige was damaged by the revelations that of mass US spying. One could ask "Why did the US poison their branch for such temporary gain?"
GitHub was blocked completely by GFW. But many developers in China complained, because GitHub is too important. Now it becomes available again.
I think they choose Baidu just because its scripts are widely used.
> Do note that "Free Speech" doesn't exist over there as a concept.
1. Free speech as a right isn't critical to the Streisand effect, and
2. "Free speech" as a concept certainly exists in China. The formal orientation of the government with respect to the concept (and quite possibly the public perception of the value of the concept) is very different than in Western liberal democracies, but the concept certainly exists, just as the concept of, say, "theocracy" exists in most places, even the places that don't practice it.
The US government should prohibit US companies from complying with censorship demands from China. It already does something like that to prevent US companies from complying with the Arab League boycott of Israel.[1]
Very interesting to look at the original content of https://github.com/greatfire/ and https://github.com/cn-nytimes. One appears to be a collection of resources for proxying around the Great Firewall [1] and the other has a number of clones of the New York Times translated in Mandarin [2][3].
I didn't realize until now that part of the NYT's strategy in having a Mandarin version may be due in part to it's being blocked in China -- a reply to China's censors, of sorts.
The only thing the average web user would take away from such a popup is that github.com is annoying or spying on them, and then proceed to bombard github with messages to knock it off (reminds me of when a blog temporarily became the #1 search term for "facebook login", oh the hate that blog received for "breaking my Facebooks")
alert("The site you are visiting contains malicious JavaScript. It uses your machine as part of a cyber attack. You must immediately alert owners of this website to remove Baidu analytics which distributes the malware.")
Or perhaps use it to advertise a Baidu competitor.
Okay, I'm guessing this isn't on Baidu so much as the Chinese governments, but incentivizing Chinese corporations to object to government attacks isn't a terrible idea.
From what I've read about Chinese leadership, it's incorrect to label Xi as "in charge", at least if you mean in a dictatorial fashion. The CCP seems to run by the consensus of top party leaders. Xi certainly has more authority/sway than the rest, but I doubt he's making all of the decisions alone.
Like every organization there is a need to maintain good relationship with others. This means you have to make compromise and make deal. This means people aren't always 100% in charge. You can choose to do things against the will of some powerful enemy, and you will face the consequence. So Xi can make all the decisions here. He can say "I want this to be done" and his officials will carry out. At this very moment, Xi is absolutely in charge of everything, especially given his popularity.
He's the de jure head of state. The de facto rulers of China are the "princeling" descendants of revolution-era party leaders (http://en.wikipedia.org/wiki/Princelings).
He is certainly one of them, and perhaps the most influential, but he is certainly not powerful enough to be "the ruler".
This is a very clever attack. I wonder if the same attack can be used on other sites or if it exploits something about Github.
Github's data is difficult to cache and many pages load piecemeal using turbolinks which itself creates lots of un-cacheable requests (cacheable only until someone pushes a new commit).
So it would appear to be next to impossible to stop a distributed attack.
> I wonder if the same attack can be used on other sites or if it exploits something about Github.
It doesn't exploit anything GitHub-specific! The way it's done is applicable to any site. The reason is that it uses the <script> loophole around the Same Origin Policy (<script> can be loaded cross-domain, thanks Eich...). They basically just inject this every two seconds:
The browser will request that page expecting a script. And it'll get HTML, but that's not valid JS and just ignore it, but the DDOS is successful.
However, this also makes all sites with the malicious JS vulnerable to an XSS attack by GitHub, like GitHub is currently doing. If you visit that URL, you get this:
alert("WARNING: malicious javascript detected on this domain")
Though I think the same trick could be done with, say, <img> or <style>, and those wouldn't allow XSS (though <style> could fuck with the page, certainly). Sloppy coding, Chinese Government employee...
I was wondering if you can prevent this by looking at the "Accept" header in the request but it seems accept is "/" for scripts. I'd expect the browsers rather to send "application/javascript".
Then the answer from my server will be 400 because I don't have a javascript representation of this url.
> Though I think the same trick could be done with, say, <img> or <style>, and those wouldn't allow XSS
You can XSS with SVG "images" [1]. Though up-to-date browsers should be patched against this.
The other option is having an image which said the same as the alert() message. Again, using SVG, this needn't be much bigger file size than the JS response [2]
Sadly you can't guarantee that. If it was an advert, then yes, most likely it would be visible (baring ad blockers, but then they should hopefully block the attack anyway so that's a non-issue). But if it was a tracking image, then the dimensions would likely only be 1px^2.
I use those two specific examples (ad and tracking) because that seems to be the two instances in which this JS was MITM'ed.
> They basically just inject this every two seconds:
Isn't that the difficult part, ie. to intercept a request to a server and inject malicious code. In this case as all request goes through the great firewall, the hack was trivial.
The retaliation from GitHub is quite clever although not great for the user or Baidu.
Github's website is very easy to cache: read heavy, non-realtime. Especially if you consider they can go into a cache-friendly mode where they disable push notifications ("you just pushed to this branch", etc).
They look real time now, but that is best effort: they don't have to be. Nobody will lament Github suddenly saying "we're under heavy load, changes will take a minute to propagate and real time notifications are turned off".
Note that this attack is read-only; there's no creating new issues or PRs or any other write operation (that would be different).
It's comparable to Wikipedia, which has close to 100% cache hits on popular pages. (sorry can't find the source for this right now)
The git repositories are another story, but that's not so easily attacked through JS.
Still, with an attack of this magnitude, no matter how cacheable, you're going to feel it.
PS: I forgot about one thing; their HTTP interface to diffs. That's a huge surface of fresh data to request which will have to go to the backend. Like you could do with Wikipedia history diffs. Perhaps they would have to cut that off for users who do not have a cookie set from a project or user home page... Okay, I spoke too soon. Github has a huge amount of fresh data to request and a targeted attack on things like git diffs (let every user request a different diff) can't just be solved by HTTP caches.
> I forgot about one thing; their HTTP interface to diffs.
Right -- pretty much any page that uses pjax / turbolinks to load segments of the page: each is an expensive query going to the backend.
GH recently added a timeout for the diff page if it's too large which probably also caches the "too large" status. The sweet spot for an attack would be the pages that don't time out but still create a 95th percentile request.
The JavaScript code instructs Visitors browsers to Request the Github Pages of Anti-censorship group Greatfire and the Chinese Language Edition of the New York Times . These groups turned to a developer source code control tool to host their information with the knowledge that China was unable to block Github because of the huge cost to its technology industry.
Seems like these groups hosted content that the Chinese government didn't approve of, and tried to put it on github to avoid it being blocked. The Chinese government responded by DDoS-ing the two repositories to bend github itself into removing/blocking the content.
One can still use a hammer even if I break his kneecaps with it beforehand.
China is just as reliant on the West as the West is reliant on China. The use of that as leverage doesn't have to be limited to one side of that equation.
I suspect at the time one or the other puts their foot in the sand, that it will escalate to a conventional war.
Let us hope that day never ever happens. It would be awful for both sides no matter the "winner". As I learned from spending a year as a UAV Pilot in Iraq from 2003-2004, in war, as soon as a single person on either side is injured, both sides permanently lose. There is no real "winner". Just one side that loses less.
Unless you can make the case that risking commercial relations with the current largest economy in the world over these attacks makes sense... I would say never.
I agree. It would be nice to see the president or some government official at least publicly acknowledge that a US-based company is currently under attack by the Chinese government.
GitHub should cut China off from all services until the attack stops. It is clearly something the Chinese government doesn't want, or they'd just block GitHub in the Great Firewall themselves.
You seem to think China (or the folks running the great firewall) would be unhappy losing GitHub. I don't think they'd care as long as those two repos were effectively invisible to users.
The childish part of me says to alter the redirect code to be a bit more...shocking. I think the attack would stop a lot more quickly if baidu users were subjected to, say, goatse or 2g1c.
Side note: the written language that Beijing requires all school children to learn is usually called "Standard Written Chinese" even though it's based on the grammar of Mandarin. Depending on the differences in grammar between the local dialect and Mandarin, it's more or less difficult to learn the standard written grammar. We usually don't say "written Mandarin", but less formal writing using the grammar of one of the other dialects would usually be called "Written Cantonese". etc.
My manager speaks a dialect that's pronounced differently, but has a grammar close to Mandarin. The majority of people here in Hong Kong speak Cantonese, which is grammatically more different and uses a lot more slang and references to popular culture. I'm told that growing up here, leaving at age 15, and coming back at 25 makes it very difficult to follow daily conversations and read certain types of publications for the first few months because of the amount of slang used and how rapidly Cantonese changes.
I thought the same thing, but then I checked the "Original" because I just couldn't believe it (considering that German to English isn't even that good) and it turns out it's in English
If I understand correctly, there is almost no way to stop this attack because it uses client side JavaScript code. If Baidu doesn't remove this malicious js from its http response, github will continue to suffer.
In hindsight, GitHub moving away from GitHub Pages from the github.com domain to github.io makes this whole situation less severe. Imagine all the GitHub-Pages-powered sites that would have been down at the moment.
That's why websites should stop including javascript from third party sources. For my analytics, I use liveinternet.ru because it runs the javascript locally on my website but passes the browser information via an image embed. Liveinternet has no ability to execute malicious code and yet I can still use them as a fully functioning analytics.
How much more difficult is using liveinternet.ru, out of curiosity? Google analytics got popular because all you had to do was paste a single line to the bottom of your site and google would handle the rest.
It's just as easy, it's a small snippet of code you paste at the bottom of your site. However, the site doesn't have a pretty design like Google but that's why I prefer it - it's simple and works with NoScript.
Is the best way to currently prevent this is via full ssl?
Additionally, how can a site like Amazon.com run non-ssl protected pages and prevent mitm-ing? (e.g. http://www.amazon.com/dp/B00TYBBNAW/ doesn't redirect to https, but only when ordering, etc.)
Chinese govt is telling the world with this attack that:
(1) GFW can interfere with incoming traffic.
(2) GFW can f* with people all around the world.
(3) You can't block a Chinese cyber attack simply by cutting off Chinese users.
(4) The Chinese govt is a d*head.
The Chinese government is telling the world with this attack that, if you choose to interfere with Chinese sovereignty by means of the Internet, or to enable those who would do that, then there’s a cost.
Note the way the attack is targeted. It’s not just an indiscriminate DDoS of Github, although that’s been the effect — instead, they’re aiming specifically at two repos whose content, being designed and built with the aim of circumventing the technical means by which are implemented a significant goal of China's domestic policy, enables no more or less than a direct attack on the sovereignty of the Chinese government.
To use that content is to say: "You may not run your country in the fashion you choose, because it does not suit me that you should do so."
To host that content is to say: "In this matter, we take the side of those attacking the sovereignty of the Chinese government, by making it easy for them to share and improve the tools with which they do so."
What you're seeing, then, is the quite reasonable response of the Chinese government to these statements. Yes, it's annoying for those of us who use Github, and no doubt it's much worse than merely annoying for those who administer Github. That is the point. Github is being encouraged to consider how much it's worth to them to maintain the stance they've implicitly taken in this matter. I'm looking forward to seeing how they respond.
Wow. That was just a jokey comment about how angry I was about the Chinese govt.
As one of the billion people who live inside the Intranet "protected" by the GFW, I guess I can say I'm quite aware about how and why this happened. Let's start from the beginning.
For those who host things Chinese govt doesn't like, it usually just block the website altogether (Twitter, FB, and recently Google). But it had tried to block Github, twice. Each time there is a huge response from the Chinese webizens (mainly programmers) calling to unblock it.
Another way to block certain content from a website is to filter by keyword (like Wikipedia). But GH is encrypted so that's a no. The govt even tried to use some fake SSL certificates to MITM it. So some "smart" guys exploited this feature and created the repo greatfire/wiki and things like this.
Then some evil guys from GFW thought of this way, directing the attack at these user accounts, to warn GH to remove these accounts.
What I don't agree with you is the word "reasonable" (and the "no"). First, it's never "reasonable" to DDoS attack a website. Second, if you can't block the content, you have a choice to block the website and take the bitter from every single webizen against you. Finally, I believe it's the website owner's choice to choose who / what they want to use their website. Since GH is a U.S. company (I guess), it doesn't have to listen to a sh*t from the Chinese govt.
I totally agree with you - the Chinese government has some right to protect their sovereignty, but if github or the American way of life is so offensive, then block the website and tools outright. I live here too, and it's kind of offensive when (speaking generally now) Chinese people want cherry-picked access to Western technology, science, design, creativity etc. but then aggressively reject the culture that produced them.
Content blocking only does so much, as evidenced by the existence of tools specifically designed for its circumvention, and presumably effective at same.
And of course it's up to the website owner whose content they host. They don't have to take down those repositories. But, unless the DDoS stops, they have to choose between taking down those repos and continuing to stand the gaff.
No you think every piece of Chinese text written on the Internet belongs is under the control of Chinese government?
Github is a US company that hosts their service in US, Chinese government cannot possibly have sovereignty over that. If you believe there is righteous reason behind it, then you are supporting internet terrorism.
China has sovereignty over Chinese citizens. If you believe there is righteous reason to circumvent Chinese sovereignty with the collusion of some subjects of the Chinese regime, then you are supporting Internet terrorism.
(The problem with rhetoric is that it can point both ways. Study the definitions of "sovereignty" and "terrorism" in international law, then try again.)
China's sovereignty extends only as far as its borders. It has no legitimate say in the goings-on outside. GitHub is located outside of this domain, under the sovereignty of a nation that allows and condones its activity. It's really US sovereignty that's under attack here, if anything.
This is almost an argument. But when a given nation's citizens attack the sovereignty of another nation, and their own government declines to curtail such behavior, this qualifies as an implicit endorsement. That's why people call it "cyber-warfare"; what we observe here is a border skirmish with less than the usual quantity of gunfire. As I said earlier, I look forward to seeing who wins.
But GitHub has in no way attacked China's sovereignty, so as long as GitHub's servers are located within the territory of nations that allow their business to operate. If China has a problem with its citizens accessing content hosted on foreign servers, it certainly has the right to block access. If Chinese citizens then become perturbed due to their reliance on that foreign service, that's a Chinese problem, not GitHub's.
If I were to stand on a sidewalk outside of a church with signs saying "You're God is false, Heaven doesn't exist, you're going to die and disappear forever," and a parishioner decided to punch me in the face to stop me, they would be in the wrong, not me.
You think any country has the right to censor news from reaching the people who live in its borders? That that regime has rights that supercede the people? That free speech must succumb to the wishes of government censors?
I think the concept of natural rights, such as that to free speech, is a lovely idea, whose only drawback is that it's not in any sense grounded in reality. I think the Chinese government, being sovereign, has the power to legislate its subjects' rights, just as that of the United States has over that of its citizens. And I think that for the citizens of one nation, to act directly against enforcement of another nation's said legislation, qualifies as an attack against that other nation's sovereignty.
None of these thoughts is tremendously controversial in its own right, save where they conflict with cherished beliefs which I do not happen to share.
Why did GitHub not just put a Bitcoin miner or a BOINC client instead of the alert? The Chinese is not going to care about the warning anyway, it would be more educational to peg their CPU to 100% usage and make some spare change while you're at it.
This DDoS is mainly punishing people who are using VPN to skirt The Great Firewall (and people who use GitHub). What is the point of 'punishing' people who aren't doing this on purpose?
That's a fairly neat attack, to be fair to them. I don't see why Github, upon receiving these requests, wouldn't just do the same back to China and absolutely hammer some of their resources in return?
>While Github is receiving a fair percentage of Baidu's traffic, though...
Yeah that's my thinking on it. They're being handed traffic, or more correctly having it thrown at them maliciously, which they could in turn redirect back at some point in the Chinese infrastructure.
Who do they reflect the attack to though? Baidu? They might not even know this is happening (well they probably do now, but not sure what they can do). The GFW infrastructure itself certainly isn't publicly addressable.
They could just mirror all the git repos minus what they find objectionable. github isn't immune to pressure. They would probably like to sell a lot of github enterprise and whatnot in China.
>"Requests to Baidu’s content data network are being intercepted and sending back some javascript code instead of the original requested file. The javascript code instructs visitors browsers to request the Github pages of anti-censorship group Greatfire andthe Chinese language edition of the New York Times."
I must be misunderstanding - is there a salient piece of info missing?
It makes no sense for the Chinese government to attempt to foil censor bypassing by sending all users of Baidu a link to a project on GitHub that enable censor bypassing.
As an outcome is to inform all affected Baidu users of bypass tools and a non-government controlled newspaper this looks more likely to be a rogue element to me.
It doesn't even look like what I'd call DDoS - sending genuine users to your site who might be interested in your product, isn't that an unpaid affiliate scheme?!?
The Great Firewall intercepts requests to Baidu's CDN from outside China, specifically HTTP requests for Baidu's analytics scripts.
Users from outside China who visit web properties that use Baidu's analytics get malicious JS that injects <script> tags every two seconds to spam github.com with requests.
Nobody would notice that attack, except GitHub cottoned onto this and replaced the github pages with JS that spawns a little alert() popup.
That puts the blame strictly on the Chinese government. And specifically the military that controls the firewall.
Sounds to me like an act of aggression by a state army against a non-combatant on foreign soil. What if a helicopter with a red star on it flew into California in the middle of the night and set fire to Github's offices? What's the difference?
This was worded misleadingly. This is indeed a DDoS: code has been injected to load the Github pages in the background using XHR without the user's knowledge. The host page itself is not redirected (or visibly affected in any way[1]).
Furthermore, only people outside of China are affected by this -- Chinese citizens don't have this code injected.
[1]: Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed. Hence GitHub has tried to mitigate the attack by replying 'alert("WARNING: malicious javascript detected on this domain")' to notify the user that this is happening.
> Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed
That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow cross-origin XHR for their pages (that's a security vulnerability). So they have to use <script> which doesn't follow the Same Origin Policy.
Though that's a bit silly, given they could've also used <img> which wouldn't be vulnerable to XSS.
So the text I quoted should say something like [with appropriate expansion and fact checking]:
"Requests from other countries to Baidu's CDN in China are intercepted by the government firewall - the returned web pages load content from GitHub or NYT that is hidden from the user. Each affected Baidu user outside China's browser sends content requests to those content suppliers whenever they follow a link in Baidu's search results. With Baidu's immense popularity this is causing a DDoS of the content suppliers servers preventing genuine user's browser requests from being handled."
What's the actual injected code? Presumably one can get it by requesting a link on a Baidu SERP?
Edit: ooh, take a look at the more detailed look from insight-labs: http://insight-labs.org/?p=1682
It's XMLHttpRequest ($.ajax), but with dataType: "script". Looking at the jQuery docs (http://api.jquery.com/jquery.ajax/):
"script": Evaluates the response as JavaScript and returns it as plain text. Disables caching by appending a query string parameter, "_=[TIMESTAMP]", to the URL unless the cache option is set to true. Note: This will turn POSTs into GETs for remote-domain requests.
Oh dear. If GitHub can detect this, GitHub can basically XSS all sites using Baidu's analytics.
Edit 2: Oh, the insight-labs article says the attack has stopped.