The Great Cannon Distributed Denial of Service (DDoS) tool was deployed again to launch attacks against the LIHKG social media platform used by Hong Kong protesters to coordinate during this year's anti-extradition protests.
Attackers use the Great Cannon to consume the resources of a targeted website outside the Great Firewall of China (GFW) with superfluous web traffic coming from Chinese users who had their insecure HTTP connections injected with malicious JavaScript code when visiting insecure sites.
Citizen Lab describes the Great Cannon as "not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle."
LIHKG, the Hong Kong-based website targeted with this DDoS siege tool, is used as a platform for various other purposes besides organizing the leaderless protests, and it was compared to Reddit in media reports.
Great Cannon operation (Image: AT&T Alien Labs)
LIHKG forum made into cannon fodder

"The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong," AT&T Alien Labs threat engineer Chris Doman discovered.
Attacks against the LIHKG social media site were initiated on August 31 using malicious code very similar to the one used in previous attacks against the Chinese-language news website Mingjingnews starting in 2017.
LIHKG said in an official statement that they "have reasons to believe that there is a power, or even a national level power behind to organize such attacks as botnet from all over the world were manipulated in launching this attack."
Here are the figures on the attack during the period 08:00 - 23:59 on 31 August 2019:
- Total requests exceeded 1.5 billion;
- Highest record on unique visitors exceeded 6.5 million/hr;
- Highest record on the Total Request frequency was 260k/sec, which then lasted for 30 minutes before it was banned.
The JavaScript code was served from http[:]//[.]js and http[:]//[.]js.
While the two URLs are used for delivering analytics tracking scripts, the Great Cannon swaps the benign tracking scripts for its own malicious code, designed to request a multitude of web resources from websites on its target list, attempting to overwhelm them and trigger a Denial of Service (DoS) state.
Even though at first a single LIHKG page was targeted, the threat actors behind the DDoS siege later switched to attacking "multiple pages and attempted (unsuccessfully) to bypass DDoS mitigations that the website owners had implemented."
Malicious code used to bypass DDoS mitigations (Image: AT&T Alien Labs)
"It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious Javascript code," Doman added.
"Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services."
He also recommends that sites which might be the target of such an attack block the analytics tracking resources' URLs if they are not served over a secure HTTPS connection.
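A small audit for the weak spot described above, added here as an example that is not from the article or from AT&T Alien Labs: it lists the script includes on a page that an on-path injector could replace, i.e. those fetched over plain HTTP, and notes when the page itself is unencrypted. The hostnames in the sample HTML are placeholders, not the real tracking domains.

```python
"""Audit an HTML page for script includes that an on-path injector could replace."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

PAGE_MARKER = "<page>"


class ScriptIncludeAuditor(HTMLParser):
    """Collect every <script src=...> and classify how it is fetched."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings = []  # list of (src, reason)
        if self.page_scheme != "https":
            self.findings.append((PAGE_MARKER, "page served over plain HTTP; any content can be rewritten in transit"))

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: nothing is fetched separately
        scheme = urlsplit(src).scheme.lower()
        if scheme == "http":
            self.findings.append((src, "script fetched over plain HTTP; replaceable by a man-in-the-middle"))
        elif scheme == "" and self.page_scheme != "https":
            # protocol-relative (//host/x.js) or path-relative: inherits the page's insecure scheme
            self.findings.append((src, "script inherits the page's plain-HTTP scheme"))


def audit_script_includes(html, page_url):
    """Return [(src, reason), ...] for includes an injector like the Great Cannon could swap."""
    auditor = ScriptIncludeAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; the hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="http://analytics.example/hm.js"></script>
<script src="https://cdn.example/app.js"></script>
<script src="//stats.example/tag.js"></script>
<script>console.log("inline")</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for page in ("https://forum.example/", "http://forum.example/"):
        print(page)
        for src, reason in audit_script_includes(SAMPLE_HTML, page):
            print(f"  {src}: {reason}")
```

Any entry the audit reports is a candidate for the blocking Doman suggests, or for moving to an HTTPS origin.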
China wrote a script that is made for DDoSing LIHKG.
In the script they included a feedback address (
If you look up who is that, you will find Chinese companies.
This explains who caused the downage today.
— throwawayconstant (@throwawayconst) August 31, 2019
A short Great Cannon history

The Great Cannon was first seen in action during an initial testing phase spotted by Google's Security Team with the help of Safe Browsing's infrastructure between March 3 and March 6, 2015.
On March 16, 2015, the Great Cannon resurfaced during attacks against the Amazon CloudFront services rented by , an organization known for monitoring and fighting against Chinese censorship.
"The attack sent 2.6 billion requests per hour at peak to GreatFire and pushed the organization's bandwidth costs with Amazon to $30,000 a day," ThousandEyes' Young Xu says.
"In this particular case, Javascript and HTML resources hosted on were replaced with Javascript that would repeatedly request resources from the attacked domains," stated Google Security Team engineer Niels Provos at the time.
Later that month, the servers of GitHub were also the target of a DDoS attack, with the company calling it "the largest DDoS (distributed denial of service) attack in github.com's history."