The “Great Cannon” Has Been Deployed Again
Summary
The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ internet connection to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it unavailable:
Figure 1:​ Simplified diagram of how the Great Cannon operates
The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015; however, we’ve recently observed new attacks, which are detailed below.
Most Recent Attacks against LIHKG
The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organise protests in Hong Kong. Using a simple script that uses data from UrlScan.io, we identified new attacks likely starting Monday November 25th, 2019.
Websites are indirectly serving a malicious Javascript file from either:
● http://push.zhanzhang.baidu.com/push.js; or
● http://js.passport.qihucdn.com/11.0.1.js
Normally these URLs serve standard analytics tracking scripts. However, for a certain
percentage of requests the Great Cannon swaps these on the fly with malicious code:
Figure 2: Malicious code served from the Great Cannon
The code attempts to repeatedly request the following resources through an image proxy on the LIHKG website (at https://i.lih.kg/540/) in order to overwhelm the LIHKG website and prevent it from being accessible:
● https://66.media.tumblr.com/e06eda7617fb1b98cbaca0edf9a427a8/tumblr_oqrv3wHXoz1sehac7o1_540.gif
● https://live.staticflickr.com/65535/48978420208_76b67bec15_o.gif
● https://i.loli.net/2019/09/29/hXHglbYpykUGIJu.gif
● https://na.cx/i/XibbJAS.gif
● https://na.cx/i/UHr3Dtk.gif
● https://na.cx/i/9hjf7rg.gif
● https://na.cx/i/qKE4P2C.gif
● https://na.cx/i/0Dp4P29.gif
● https://na.cx/i/mUkDptW.gif
● https://na.cx/i/ekL74Sn.gif
● https://i.ibb.co/ZBDcP9K/LcSzXUb.gif
● https://na.cx/i/6hxp6x9.gif
● https://img.eservice-hk.net/upload/2018/08/09/181951_60e1e9bedea42535801bc785b6f48e7a.gif
● https://na.cx/i/E3sYryo.gif
● https://na.cx/i/ZbShS2F.gif
● https://na.cx/i/LBppBac.gif
● http://i.imgur.com/5qrZMPn.gif
● https://na.cx/i/J3q35jw.gif
● https://na.cx/i/QR7JjSJ.gif
● https://na.cx/i/haUzqxN.gif
● https://na.cx/i/3hS5xcW.gif
● https://na.cx/i/z340DGp.gif
● https://luna.komica.org/23/src/1573785127351.gif
● https://image.ibb.co/m10EAH/Atsps_Smd_Pc.gif
● https://img.eservice-hk.net/upload/2018/06/02/213756_d33e27ec27b054afcc911be1411b5e5a.gif
● https://media.giphy.com/media/9LZTc9dQjAAL5jmuCK/giphy.gif
● https://img.eservice-hk.net/upload/2018/06/13/171314_55de6aac9af0e3c086b83bf433493004.gif
These may seem like an odd selection of websites and memes to target; however, these meme images appear on the LIHKG forums, so the traffic is likely intended to blend in with normal traffic. The URLs are appended to the LIHKG image proxy URL (e.g. https://na.cx/i/6hxp6x9.gif becomes https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t=6009966493), which causes LIHKG to perform the bandwidth- and computationally expensive task of fetching a remote image, resizing it, then serving it to the user.
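The proxy pattern just described is worth looking at from the operator's side. The Python below is an added example, not code from the original post or from LIHKG: it parses requests of the shape the page describes (https://i.lih.kg/540/<remote image URL>?t=<number>), builds a cache key that ignores the client-controlled t parameter so that repeated requests for the same image can be served from cache rather than re-fetched and resized, and flags clients that send many cache-busted proxy requests. The proxy host and URL layout are taken from the page; the log line format, the threshold, and the assumption that the proxy would otherwise key its cache on the full query string are mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Host of the image proxy named on the page; the URL layout
# /<width>/<remote image URL>?t=<number> is read off the page's example.
PROXY_HOST = "i.lih.kg"


def parse_proxy_request(url):
    """Split a proxied image URL into its parts, or return None if it is not one.

    The returned cache_key deliberately omits the client-controlled `t` parameter,
    so two requests for the same upstream image that differ only in `t` map to the
    same cached, already-resized object instead of two remote fetches and resizes.
    (Assumption: whether the real proxy keyed its cache on `t` is not stated on the
    page; this is the normalization a defender would want either way.)
    """
    parts = urlsplit(url)
    if parts.netloc != PROXY_HOST:
        return None
    match = re.match(r"^/(\d+)/(https?://.+)$", parts.path)
    if not match:
        return None
    width, upstream = int(match.group(1)), match.group(2)
    cache_buster = parse_qs(parts.query).get("t", [None])[0]
    return {
        "width": width,
        "upstream": upstream,
        "upstream_host": urlsplit(upstream).netloc,
        "cache_key": f"{width}|{upstream}",
        "cache_buster": cache_buster,
    }


def classify_clients(log_lines, threshold=10):
    """Summarise proxy traffic per client and flag the ones worth rate-limiting.

    log_lines use a constructed "<client_ip> <requested URL>" format. A client is
    flagged when more than `threshold` of its proxy requests carry a cache-busting
    `t` parameter, which is the pattern the page describes.
    """
    stats = defaultdict(lambda: {"total": 0, "cache_busted": 0, "distinct_upstreams": set()})
    for line in log_lines:
        client, url = line.strip().split(" ", 1)
        req = parse_proxy_request(url)
        if req is None:
            continue  # not an image-proxy request; out of scope here
        entry = stats[client]
        entry["total"] += 1
        entry["distinct_upstreams"].add(req["upstream"])
        if req["cache_buster"] is not None:
            entry["cache_busted"] += 1
    return {client: s for client, s in stats.items() if s["cache_busted"] > threshold}


# Constructed sample log: one client repeatedly requesting a single upstream image
# with a changing `t` value (12 requests), one ordinary client fetching two images
# without it, plus one unrelated request that the parser ignores.
SAMPLE_LOG = [
    f"203.0.113.5 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif?t={6009966493 + i}"
    for i in range(12)
] + [
    "198.51.100.7 https://i.lih.kg/540/https://na.cx/i/6hxp6x9.gif",
    "198.51.100.7 https://i.lih.kg/540/https://i.ibb.co/ZBDcP9K/LcSzXUb.gif",
    "198.51.100.7 https://example.invalid/index.html",
]

if __name__ == "__main__":
    for client, s in classify_clients(SAMPLE_LOG).items():
        print(client, s["total"], s["cache_busted"], sorted(s["distinct_upstreams"]))
```

Run against the sample, the flagged client has twelve cache-busted requests but only one distinct upstream image, which is exactly the case a cache key without `t` turns from twelve resizes into one.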
Impact
It is unlikely these sites will be seriously impacted. This is partly due to LIHKG sitting behind the
anti-DDoS service Cloudflare, and partly due to some bugs in the malicious Javascript code. We
won’t discuss the bugs here as it would provide suggestions on how to improve the attack.
Still, it is disturbing to see an attack tool with the potential power of the Great Cannon in use more regularly, and again causing collateral damage to US-based file-hosting services.
Mitigations
These attacks would not be successful if the following resources were served over HTTPS
instead of HTTP:
● http://push.zhanzhang.baidu.com/push.js
● http://js.passport.qihucdn.com/11.0.1.js
You may want to consider blocking these URLs when not sent over HTTPS.
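A site operator can check their own pages for the plain-HTTP includes this mitigation refers to. The Python below is an added example, not code from the original post: it lists every script src a browser would fetch over plain HTTP (treating scheme-relative and path-only URLs as inheriting the page's own scheme), marks the hosts named in this post, and rewrites explicit http:// includes to https://. The host list is taken from this page (the two URLs above plus hm.baidu.com, which appears in the Suricata rules in the Detection section); the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts of the script files named on the page (the two under "Mitigations" plus
# hm.baidu.com from the Suricata rules). Including any of them over plain HTTP is
# what exposes a page's visitors to the in-transit replacement the page describes.
KNOWN_INJECTED_SCRIPT_HOSTS = {
    "push.zhanzhang.baidu.com",
    "js.passport.qihucdn.com",
    "hm.baidu.com",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def find_plain_http_scripts(html, page_scheme="https"):
    """Return the script includes that the browser would fetch over plain HTTP.

    page_scheme is the scheme the HTML itself is served on: a scheme-relative
    "//host/x.js" or a path-only src inherits it, so those are only plain HTTP
    when the page itself is http://.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parts = urlsplit(src)
        effective_scheme = parts.scheme.lower() if parts.scheme else page_scheme
        if effective_scheme == "http":
            findings.append({
                "src": src,
                "host": parts.netloc,
                "known_injected_host": parts.netloc in KNOWN_INJECTED_SCRIPT_HOSTS,
            })
    return findings


def upgrade_script_includes(html):
    """Rewrite explicit http:// script includes to https:// (the page's mitigation)."""
    return re.sub(r'(<script\b[^>]*\bsrc=["\'])http://', r"\1https://", html, flags=re.IGNORECASE)


# Constructed sample page: one explicit plain-HTTP include of a host named on the
# page, one scheme-relative include, one already on HTTPS.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="http://push.zhanzhang.baidu.com/push.js"></script>
<script src="//js.passport.qihucdn.com/11.0.1.js"></script>
<script src="https://cdn.example.invalid/app.js"></script>
</head><body><p>constructed sample</p></body></html>
"""

if __name__ == "__main__":
    for finding in find_plain_http_scripts(SAMPLE_HTML, page_scheme="https"):
        print("plain HTTP include:", finding)
    print(upgrade_script_includes(SAMPLE_HTML))
```

On an HTTPS page only the explicit http:// include is reported; the same HTML served over http:// additionally exposes the scheme-relative include, which is why the check takes the page's own scheme as input.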
Timeline of Historical Great Cannon Incidents
Below we have described previous Great Cannon attacks, including previous attacks against
LIHKG in September 2019.
2015: GreatFire and GitHub
During the 2015 attacks, DDoS scripts were sent in response to requests sent to a number of domains, for both Javascript and HTML pages served over HTTP from behind the Great Firewall.
A number of distinct stages and targets were identified:
● March 3 to March 6, 2015: Initial, limited test firing of the Great Cannon starts.
● March 10: Real attacks start against a Chinese-language news site (Sinasjs.cn).
● March 13: New attacks against an organisation that monitors censorship (GreatFire.org).
Figure 3: Snippet of the code used in early Great Cannon attacks. Later scripts were improved to not require external Javascript libraries.
● March 25: Attacks against GitHub.com start, targeting content hosted from the site GreatFire.org and a Chinese edition of the New York Times. This resulted in a global outage of the GitHub service.
Figure 4: The URLs targeted in the attack against Github.com.
● March 26: Attacks began using code hidden with the Javascript obfuscator “packer”:
Figure 5: Snippet of the obfuscated code. Current attacks continue to use the same obfuscation.
Research by CitizenLab identified multiple likely points where the malicious code is injected. The Great Cannon operated probabilistically, injecting return packets to a certain percentage of requests for Javascript from certain IP addresses. As noted by commentators at the time, the same functionality could also be used to insert exploitation code to enable “Man-on-the-side” attacks to compromise key targets.
2017 and Onward: Attacks against Mingjingnews
In August 2017, Great Cannon attacks against a Chinese-language news website (Mingjingnews.com) were identified by a user on Stack Overflow. The code in the 2017 attack was significantly rewritten and is largely unchanged in the attacks seen in 2019.
Figure 6: An excerpt of the code to target Mingjingnews.com in 2017.
We have continued to see attacks against Mingjingnews in the last year.
2019: Attacks Against Hong Kong Democracy Movement
On August 31, 2019, the Great Cannon initiated an attack against a website (lihkg.com) used by members of the Hong Kong democracy movement to plan protests.
The Javascript code is very similar to the packed code used in the attacks against Mingjingnews
observed in 2017 and onward, and the code was served from at least two locations:
● http://push.zhanzhang.baidu.com/push.js
● http://js.passport.qihucdn.com/11.0.1.js
Initial versions targeted a single page on lihkg.com.
Figure 7: The Javascript code originally targeting lihkg.com.
Later versions targeted multiple pages and attempted (unsuccessfully) to bypass Cloudflare DDoS mitigations that the website owners had implemented.
Figure 8: The Javascript code later targeting lihkg.com.
Detection
We detect the Great Cannon serving malicious Javascript with the following Suricata rules from Alien Labs and Emerging Threats Open. Each rule must sit on a single line in the rules file, and the sid:xxx placeholders need a local SID before Suricata will load them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV INFO JS File associated with Great Cannon DDoS"; flow:to_server,established; content:"GET"; http_method; content:"push.js"; http_uri; content:"push.zhanzhang.baidu.com"; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:xxx; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV INFO JS File associated with Great Cannon DDoS"; flow:to_server,established; content:"GET"; http_method; content:"11.0.1.js"; http_uri; content:"js.passport.qihucdn.com"; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:xxx; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV INFO Potential DDoS attempt related to Great Cannon Attacks"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"isImgComplete"; flowbits:isset,AVCannonDDOS; reference:url,otx.alienvault.com/pulse/5d6d4da02ee2b6fbff703067; classtype:policy-violation; sid:xxx; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV INFO JS File associated with Great Cannon DDoS"; flow:to_server,established; content:"GET"; http_method; content:"hm.js"; http_uri; content:"hm.baidu.com"; http_host; flowbits:set,AVCannonDDOS; flowbits:noalert; classtype:misc-activity; sid:xxx; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV MALWARE GreatCannon Malicous JScript Inbound"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"!function(n){"; depth:1000; content:"1e9*n[a][s](9*n[a][g]())+n[a][s](999999999*n[a][g]())"; distance:0; content:"n[y]=3e5,n[_]=1482184792,n[p]=1e6"; distance:0; reference:url,otx.alienvault.com/pulse/5d6d4da02ee2b6fbff703067; classtype:trojan-activity; sid:xxx; rev:1;)
ET WEB_CLIENT Great Cannon DDoS JS M1 sid:2027961
ET WEB_CLIENT Great Cannon DDoS JS M2 sid:2027962
ET WEB_CLIENT Great Cannon DDoS JS M3 sid:2027963
ET WEB_CLIENT Great Cannon DDoS JS M4 sid:2027964
Additional indicators and code samples are available in the Open Threat Exchange pulse.
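To show how the flowbit pairing in these rules works, the following Python is an added example, not part of the original post or of the Alien Labs rule set: it replays a constructed sequence of HTTP request and response records through a small emulation of the rules above, setting AVCannonDDOS on a flow when the client requests one of the listed script URLs and only alerting on a 200 response containing isImgComplete when that bit is set, and separately applying the ordered depth/distance content chain of the AV MALWARE rule. The indicator strings are those quoted in the rules; the transaction record format, field names and sample bodies are constructed for this example.

```python
# Indicator strings are quoted from the Suricata rules above; the transaction
# records, their field names and the sample response bodies are constructed.

# (host, URI substring) pairs from the three stage-1 "AV INFO JS File" rules.
SCRIPT_REQUESTS = {
    ("push.zhanzhang.baidu.com", "push.js"),
    ("js.passport.qihucdn.com", "11.0.1.js"),
    ("hm.baidu.com", "hm.js"),
}
FLOWBIT_NAME = "AVCannonDDOS"

# Ordered content matches from the "AV MALWARE" rule: the first must fall within
# the first 1000 bytes (depth:1000), each later one after the previous (distance:0).
MALWARE_SEQUENCE = [
    "!function(n){",
    "1e9*n[a][s](9*n[a][g]())+n[a][s](999999999*n[a][g]())",
    "n[y]=3e5,n[_]=1482184792,n[p]=1e6",
]


def ordered_match(body, needles, first_depth):
    """Emulate `content:X; depth:N;` followed by `content:Y; distance:0;` chains:
    X must end within the first N bytes, each later needle must occur after the
    previous match."""
    pos = body.find(needles[0], 0, first_depth)
    if pos < 0:
        return False
    pos += len(needles[0])
    for needle in needles[1:]:
        pos = body.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True


def run_detector(transactions):
    """Replay request/response records and return (flow_id, alert message) pairs.

    A request record has method, host and uri; a response record has status and body.
    flowbits are kept per flow_id, as Suricata keeps them per flow.
    """
    flowbits = {}
    alerts = []
    for tx in transactions:
        fid = tx["flow_id"]
        bits = flowbits.setdefault(fid, set())
        if tx["direction"] == "request":
            is_script_fetch = tx["method"] == "GET" and any(
                tx["host"] == host and uri_part in tx["uri"] for host, uri_part in SCRIPT_REQUESTS
            )
            if is_script_fetch:
                bits.add(FLOWBIT_NAME)  # flowbits:set + flowbits:noalert: mark, do not alert
            continue
        if tx["status"] != 200:
            continue
        body = tx["body"]
        if FLOWBIT_NAME in bits and "isImgComplete" in body:
            alerts.append((fid, "AV INFO Potential DDoS attempt related to Great Cannon Attacks"))
        if ordered_match(body, MALWARE_SEQUENCE, 1000):
            alerts.append((fid, "AV MALWARE GreatCannon Malicous JScript Inbound"))
    return alerts


# Constructed body carrying the three indicator strings in rule order, joined by filler.
MALWARE_BODY = MALWARE_SEQUENCE[0] + "/* constructed filler */" + MALWARE_SEQUENCE[1] + ";" + MALWARE_SEQUENCE[2] + "}"

# Constructed flows: flow-1 fetches push.js and gets a body with the indicator (alert);
# flow-2 fetches push.js and gets a clean body (no alert); flow-3 has the indicator but
# no flagged request, so the flowbit gate suppresses it; flow-4 matches the content chain.
SAMPLE_TRANSACTIONS = [
    {"flow_id": "flow-1", "direction": "request", "method": "GET", "host": "push.zhanzhang.baidu.com", "uri": "/push.js"},
    {"flow_id": "flow-1", "direction": "response", "status": 200, "body": "/* constructed */ var isImgComplete = 0;"},
    {"flow_id": "flow-2", "direction": "request", "method": "GET", "host": "push.zhanzhang.baidu.com", "uri": "/push.js"},
    {"flow_id": "flow-2", "direction": "response", "status": 200, "body": "/* constructed benign analytics stub */ (function(){})();"},
    {"flow_id": "flow-3", "direction": "response", "status": 200, "body": "var isImgComplete = true; /* no flagged request on this flow */"},
    {"flow_id": "flow-4", "direction": "request", "method": "GET", "host": "hm.baidu.com", "uri": "/hm.js"},
    {"flow_id": "flow-4", "direction": "response", "status": 200, "body": MALWARE_BODY},
]

if __name__ == "__main__":
    for flow_id, message in run_detector(SAMPLE_TRANSACTIONS):
        print(flow_id, message)
```

The flow-3 case is the reason for the flowbit: isImgComplete alone is a weak string, so the INFO rule only fires on flows that were seen fetching one of the known script URLs, while the MALWARE rule's longer ordered chain is specific enough to stand on its own.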
