Cyber Incident Victim: Greatfire.org
Date: Mar 2015
Location: China
Summary
A Chinese activist-operated website mirroring censored content experienced a massive distributed denial-of-service attack, generating 2.6 billion hourly requests that increased operational costs to $30,000 daily through cloud hosting services. The assault coincided with heightened pressure from Chinese authorities, who previously labeled the platform as foreign-hosted and anti-China while urging technology partners to sever ties. Attack traffic surged to 2500 times normal levels, targeting all mirrors of internationally blocked platforms. The incident followed historical adversarial actions including DNS poisoning against the site's content delivery network and attempted interception of encrypted communications. Administrators sought technical assistance to mitigate the attack while facing potential service collapse if assaults intensified.
Description
In March 2015, Greatfire.org—a Chinese activist group providing tools to circumvent internet censorship—faced a sustained distributed denial-of-service (DDoS) attack that generated 2.6 billion requests per hour, overwhelming its infrastructure. The attack targeted all GreatFire website mirrors hosting content from platforms like Facebook and Google, which are blocked in mainland China. Charlie Smith, the site administrator, reported a 2,500-fold increase in traffic compared to normal levels, resulting in daily server costs of $30,000 due to the group’s reliance on cloud infrastructure. The attack was GreatFire’s first major DDoS incident, and Smith attributed its timing to a Wall Street Journal article published days earlier. The attackers employed brute-force methods to disrupt services, a tactic Smith characterized as a last-resort censorship measure when subtler methods fail. Amazon Web Services, the hosting provider, had not confirmed whether it would waive the unexpected costs at the time of reporting. GreatFire upgraded its servers to handle the traffic surge but expressed concern that intensified attacks could cripple operations. Smith publicly appealed for technical assistance from DDoS mitigation experts to counter the assault.

The incident occurred amid escalating pressure from Chinese authorities, who had recently labeled GreatFire a foreign “anti-China website” and urged unspecified technology partners to sever ties with the group. This followed prior attacks allegedly orchestrated by Beijing, including a November 2014 DNS poisoning campaign against GreatFire’s EdgeCast content delivery network, which caused widespread outages. Attackers had also attempted to intercept GreatFire’s encrypted email communications shortly before the DDoS incident. The activists maintained that China’s censorship apparatus resorted to such aggressive tactics due to the impracticality of directly blocking major platforms like Google without causing excessive collateral damage to other services. Despite server upgrades, GreatFire’s infrastructure remained vulnerable to further escalation in attack volume, highlighting the asymmetric nature of the conflict between activist groups and state-backed adversaries.
