The headquarters of Baidu in Beijing. New censorship tool the Great Cannon is said to have redirected traffic from the popular Chinese site in a massive distributed denial of service attack. (AFP/Liu Jin)
The headquarters of Baidu in Beijing. New censorship tool the Great Cannon is said to have redirected traffic from the popular Chinese site in a massive distributed denial of service attack. (AFP/Liu Jin)

China’s Great Cannon: New weapon to suppress free speech online

China, rated as the eighth most censored country in the world, in a report released by CPJ today, has long had a strong line of defense against free speech online. Its Golden Shield Project, launched by the Ministry of Public Security in 1998, relies on a combination of technology and personnel to control what can be expressed and accessed behind the Great Firewall of China.

To strike at its enemies the accusation, very often made by victims of an attack, has been that China uses a mix of official and unofficial teams of computer adepts (read: hackers) to stifle overseas sites the government feels pose a threat. China has always denied the accusations. Google “China denies hacking” for a seemingly unending list of accusations and denials.

But an April 10 report from Citizen Lab said a new strategy, and the software to support it, had recently come into use. Large-scale distributed denial of service (DDoS) attacks on at least two Web pages hosted outside China were “carried out by a separate offensive system, with different capabilities and design, that we term the ‘Great Cannon’,” the report said. For CPJ, Citizen Lab, based at the University of Toronto, is a go-to source on digital issues–we first started relying on their expertise in 2009.

Citizen Lab’s report on the Great Cannon was certainly an attention getter: This month news outlets including The New York Times, Guardian, and Fortune magazine ran headlines on Citizen Lab’s claim that there had been a leap in technology or tactics that upped China’s ability to cause harm outside its borders. We’ve been reporting on the increasingly harsh anti-media tactics of President Xi Jinping’s government soon after he came to power in March 2012, but this Great Cannon seemed like something well beyond that.

Sufficiently alarmed, CPJ’s Asia program asked our staff technologist, Tom Lowenthal, the resident expert in operational security and surveillance self-defense, to explain what the Great Cannon is.

Can you explain what’s going on in layman’s terms? Do the headlines warning China has “weaponized the Internet” and turned users into “weapons of cyberwar” match the reality?

TL: China’s newly revealed capabilities are apparently pretty far-reaching. The Great Cannon is a tool that works with the Great Firewall. Although the Great Firewall looks at every connection crossing the Chinese border, it’s not fast enough to edit them on the fly. And it doesn’t directly block connections. When the Firewall sees a connection it wants to censor, it sends out fake “this conversation is over” messages–called TCP RST packets for those in the know. That tricks computers at both ends of the conversation into giving up. It is a very efficient, if abrupt, approach to censorship. A user knows when they’ve been cut off.

The Cannon is more technically complex and subtle. It has the ability not just to eavesdrop and inject new messages, but to completely rewrite a connection. If you send me one thing, and it goes through the Cannon, I might receive something different, without knowing it wasn’t your real message. It seems to be as good as the American NSA QUANTUM system that tracks messaging across the world, which was disclosed in Edward Snowden’s leak of NSA material.

For China and the U.S. (and who knows which other countries) it’s a classic, widely used man-in-the-middle (MiM) system. But unlike the Firewall’s relatively heavy handed censorship, the Cannon’s changes are difficult to detect, even for tech-savvy researchers. The Firewall can currently censor the whole of China at once. But it’s important to note that the Cannon can only do its work on messages that move in and out of China.

Those recent DDoS attacks you mentioned demonstrate just one way the Cannon can be used. According to Citizen Lab research, the Cannon used its rewriting capability on just under 2 percent of connections made to the advertising systems of Baidu –a popular Chinese website that doesn’t use HTTPS–from outside China. When Baidu’s systems sent advertising-related JavaScript messages to readers’ computers, the Cannon was able to read those messages and replace that JavaScript–basic coding language used widely on the Internet–with a malicious version. That “bad” JavaScript co-opted readers’ computers to repeatedly connect to what is reported to have been the Cannon’s real targets: code-sharing site GitHub and anti-censorship site Between them, those affected computers acted like a launch platform to carry out a DDoS attack.

If it took an insider like Snowden to reveal the NSA’s system, why did China appear to so blatantly deploy this capacity? As you say, according to Citizen Lab, China used it to attack GreatFire and GitHub. I get that both are a constant annoyance to China’s Internet control mechanisms, but they seem like pretty small targets to wheel out such ostensibly huge fire power.

TL: That’s an important question and I don’t know the answer. As you say, GitHub may be a minor inconvenience to the Chinese regime, but it isn’t a strategic geopolitical target. The DDoS attack, which GitHub said it believed was an effort to coerce it to remove content, wasn’t suffienct to take the site down.

Maybe these attacks were just a test, and the Cannon has not reached full capacity. Perhaps China is just flexing its muscles. Maybe this is just to demonstrate that the NSA isn’t alone in its capabilities. Maybe it’s an implicit threat against anyone else who angers the Chinese regime. It’s hard to imagine that revealing the Cannon was an accident. It was used in an attack the targets were going to notice and investigate.

Are there other, more serious attacks underway that haven’t been publicized by China or other countries? And the description of the attacks in the popular press sounded like just extra-large DDoS attacks, something we’ve been seeing for more than a decade. Surely there has to be more to it.

TL: The DDoS attacks were just one example of what the Cannon can do. Some of the other uses for this tool could be much subtler.

The Cannon appears to be able to edit any connection crossing the Chinese border. Combined with a targeting system like the NSA’s TURMOIL, a wide-ranging Internet surveillance tool, it could also be used as a potent malware-delivery tool. As researchers at Citizen Lab previously demonstrated, any unencrypted connection can be used to infect and take over a computer using a MiM attack. At its core, the Cannon is a large-scale MiM engine. It could be used to attack the computer of anyone outside China reading a website inside China, or vice-versa. These attacks may already be happening, but unless the victims of such an attack are engaged in careful analysis, it would be impractical for them to notice or conclude that the attack had been performed at the Chinese border.

The Cannon could be a prototype for the next generation of censorship and misinformation tools–a replacement for the Great Firewall. The Firewall currently only terminates connections–you can either access a site or you can’t. The Cannon could make censorship more subtle. An article critical of the Chinese government, for instance, could be replaced with praise. Instead of blocking access to prohibited articles, all links could be removed, hiding evidence that they exist.

This sounds more like an arms race than a hackathon. Is there parity–do other countries have the same capacity for disruption?

TL: The “Five Eyes” group–an intelligence-sharing agreement between Australia, Canada, New Zealand, the U.K., and the U.S., which started during World War II–certainly has similar capabilities. The QUANTUM/TURMOIL system revealed by Snowden can do the same things we’ve seen from the Cannon. QUANTUM/TURMOIL isn’t limited to a border though. It’s more globally distributed and can attack a much-wider range of connections.

It’s hard to know about other countries’ capabilities. We know about QUANTUM/TURMOIL only because Snowden revealed it. We know about the Great Cannon only because China apparently chose to show it off.

China and the Five Eyes group have a major strategic advantage–access to a wide range of Internet traffic. If a smaller nation developed similar technical capabilities, it is unlikely it could, for example, perpetrate a DDoS attack on the same scale. The number of cross-border connections would be lower.

China has long been a leader in national-level Internet-tampering. Other nations are already following its example, but may not be as fully developed yet.

If I don’t operate a website, do I have to worry about somehow getting hit or being used as a base for an attack?

TL: Yes on both counts. If you access a website located in China, the Cannon has the opportunity to rewrite your connection and co-opt you into an attack–like the attacks on GitHub and Or, the Cannon could serve you custom malware and take over your computer.

You may not know whether you’re accessing a site hosted in China. The domain name of a site doesn’t tell you where it’s hosted. Even if you do know where a site is hosted, that doesn’t tell you about all the third-party resources embedded on it–like those Baidu advertisements. You might be accessing a site which merely incorporates some resources from inside China.

On April 8 you blogged about GitHub coming under a DDoS attack and how the site’s use of HTTPS protected it. Is it enough that everyone add an “s” to their HTTP address?

TL: HTTPS protects a website and that site’s readers. Your connection is encrypted, so you aren’t at risk of getting DDoS-enabling JavaScript or other targeted malware from that site. However, if you visit any sites available over HTTP, those connections are at risk. And by visiting them, so are you.

The HTTPS Everywhere add-on from digital rights group Electronic Frontier Foundation automatically uses the HTTPS version of a site whenever one is available. If a site is available only over HTTP, the add-on can also block the connection.

And that’s just the Web. There’s also email, instant messaging, streaming video–any connection that isn’t securely encrypted is an avenue for attack.

So, HTTPS is necessary to protect you, but not completely sufficient?

TL: Nothing protects everyone from everything–safety is a matter of degree. HTTPS protects everyone who uses it. But until all connections are robustly encrypted like HTTPS, everyone is at risk from tools like the Great Cannon.