The Stack Archive

China’s ‘Great Cannon’: a distinct cyber-superweapon revealed

Fri 10 Apr 2015

A new report by The Citizen Lab has identified a China-based ‘superweapon’ sitting next to the Great Firewall of China, based on recent attacks against anti-censorship activist site greatfire.org and related posts at online code repository Github.

Dubbed ‘The great cannon’ by CL, the new technology is described as ‘a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle’

The Citizen Lab individuated the Great Cannon by studying the lengthy attacks that recently took place against greatfire.org and two Github pages that the campaigning site maintained. The attacks began on March 16th and maintained ferocity for an unusual time, allowing CL to make a study until April 8th.

The deployment of GC against Greatfire is described by The Citizen Lab as a ‘significant escalation in state-level information control’, which seeks to reinforce and safeguard China’s censorship protocols and methods by ‘weaponizing users’. TGC ,which the report likens to the NSA’s QUANTUM system, is apparently capable of exploiting any foreign (non-Chinese) system that connects, or attempts to connect to China’s internal IP addresses, and which does not protect itself with https.


The Great Cannon is individuated by the report as an ‘in-path’ system which does not navigate or originate from China’s internal network but sits at the route-path between China and the rest of the world’s network, looking for TCP connection requests and throwing them back to the ‘outernet’ if they qualify either as a request for banned content or as a potential attack.

The GC is not involved in deep packet inspection or heuristic analysis, but is activated by traffic either originating from or directed to specific IP addresses – a ‘blacklist’. In this sense it is potentially vulnerable on two counts – firstly, it cannot interfere with any packets that it has already allowed through, even if subsequent data reveals that it should have taken action; secondly, it presumably will have to contend with ‘unfriendly’ action from or to unknown or unregistered IP addresses until it can add them to the blacklist.

Though distinct from the GFW in mission and approach, there is some evidence of common architecture in the Great Cannon – like GFW, GC is a multi-process cluster, and both share characteristics regarding the deployment of TTL side-channel injection. Additionally the two systems seem to occupy the same cyberspace. The Citizen Lab’s report states “We found that for our path, the GC acted on traffic between hop 17 and hop 18, the same link we observed as responsible for the GFW,”

The attack against Greatfire was directed via Chinese web-services company Baidu, which was apparently manipulated into sending hostile JavaScript files back to ‘offending’ requesters, which represented 1.75 per cent of all the traffic GC appeared to be monitoring. The boomeranged scripts then enlisted the unwitting users into DDoS attacks against greatfire.org and its two Github pages.

Also see:
Some curious search terms denied to the Chinese

Regarding the likely provenance of the Great Cannon, Citizen Lab comments; “That the GFW and GC have the same type of TTL side-channel suggests that they share some source code. We are unaware of any public software library for crafting packets that introduces this type of TTL side-channel,”

The report further asserts: “Deploying the Great Cannon is a major shift in tactics, and has a highly visible impact. It is likely that this attack, with its potential for political backlash […] would require the approval of high-level authorities within the Chinese government. These authorities may include the State Internet Information Office (SIIO),29 which is responsible for Internet censorship. It is also possible that the top body for cybersecurity coordination in China, the Cybersecurity and Informatization Leading Group (CILG),30 would have been involved”

The report concludes that this new weapon is not intended, or well suited, to aid China in its censorship ambit, but rather that its role is to ‘to inject traffic under specific targeted circumstances’. The final paragraphs express surprise that China would reveal a powerful new technology, capable of co-opting ‘foreign’ computers with such facility, in quite so public a manner:

“Conducting such a widespread attack clearly demonstrates the weaponization of the Chinese Internet to co-opt arbitrary computers across the web and outside of China to achieve China’s policy ends. The repurposing of the devices of unwitting users in foreign jurisdictions for covert attacks in the interests of one country’s national priorities is a dangerous precedent — contrary to international norms and in violation of widespread domestic laws prohibiting the unauthorized use of computing and networked systems,”


Asia China cybercrime hacking news politics
Send us a correction about this article Send us a news tip