Hong Kong Reddit-like LIHKG faces unprecedented DDoS attacks redirected from Chinese Internet companies

Screen capture from LIHKG during DDoS attack.

LIHKG, a Reddit-like forum in Hong Kong, has been under attack from China’s Great Cannon, a tool used to launch distributed denial-of-service (DDoS) attacks by injecting a script that intercepts massive amounts of web traffic and redirects it to targeted websites.

LIHKG has been a major forum for distributing information and discussing strategy about Hong Kong's anti-extradition protests since March. The attack was launched ahead of an August 31 rally, flagged as “illegal” by Hong Kong police.

According to an official statement published by the forum, between 08:00 and 23:59 on August 31 the website received 1.5 billion requests in total. At the peak of the attack, the forum received 260 thousand requests per second and 6.5 million unique visitors per hour. As the scale of the attack was unprecedented, the forum administrators believe it was state-backed:

We have reasons to believe that there is a power, or even a national level power, behind such attacks, as botnets from all over the world were manipulated in launching this attack.

The security team quickly restored the website with a protective measure: a CAPTCHA on the landing page. However, LIHKG's mobile app was disrupted for a few days and is still unstable.

As the news spread, local and overseas tech circles reached out to help the forum find out where the attack was coming from. As anticipated, the DDoS traffic was redirected by a script served from Chinese companies:

According to LIHKG, massive traffic to the forum was redirected through the Chinese Internet companies Qihucdn.com and Baidu.

Domain registration records show that Qihucdn.com’s registrant state/province is Beijing and its name server is 360safe.com, the same as Qihoo 360, a leading Chinese Internet platform company which claims to “protect users’ computers and mobile devices against malware and malicious websites”. The company has been notorious for whitelisting malware.

Since Qihoo’s security product is widely used by mainland Chinese netizens and small companies, LIHKG users accused the company of staging the DDoS attack by injecting the redirecting script through its “security service”.

Likewise, Baidu, the biggest search engine in China, was redirecting traffic to LIHKG. Baidu was also involved in another massive DDoS attack, targeting GitHub, back in 2015.

The Great Cannon

Technical reports on the 2015 GitHub DDoS incident explained that the attack was launched through a man-in-the-middle device which intercepted web requests coming into China from elsewhere in the world and replaced the content with JavaScript code that would attack the targeted site. Specifically, in the case of GitHub, it intercepted Baidu's analytics script and redirected traffic to GitHub, so the attack appeared to be coming “from everywhere”.

This kind of aggressive attack has been termed “the Great Cannon” by Citizen Lab, a human-rights-focused research center on information and communication technology at the University of Toronto.

The research center found in 2015 that the Great Cannon can “manipulate the traffic of ‘bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack”. The attack is similar to the NSA's QUANTUM system and is capable of “targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.”

Cybersecurity expert Chris Doman reviewed the JavaScript used in the attack on LIHKG and pointed out on Twitter:

While LIHKG has blocked all IPs from mainland China, when someone from overseas visited Baidu or Qihoo 360 sites hosted in mainland China, the injected script would point their browser at LIHKG, and hence the forum faced a massive DDoS attack coming from all over the world:
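The traffic shape described above has a recognisable server-side signature: a burst of requests per second, from many distinct client IPs, most of which carry a Referer from a third-party site rather than from the forum itself. The following detector is an added example written for this article, not LIHKG's own tooling or any code from the reports it cites; the log format, the sample log lines, the hostnames (forum.example for the target), the timestamps and the thresholds are all constructed assumptions, and the thresholds would need tuning to a real site's baseline.

```python
"""
Added example (not from the article or from LIHKG): flag per-second bursts of
requests whose Referer points at external sites, as reported for the LIHKG attack.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Combined log format: ip - - [ts] "request" status size "referer" "user-agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SITE_HOST = "forum.example"       # assumed hostname of the protected forum
RPS_THRESHOLD = 5                 # assumption: requests/second that count as a burst
EXTERNAL_SHARE_THRESHOLD = 0.6    # assumption: share of burst traffic with a foreign Referer

# Constructed sample: second :00 is normal; second :07 is a burst from six distinct
# IPs, five of them carrying a Referer from sites named in the article.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2000:12:00:00 +0000] "GET /thread/1 HTTP/1.1" 200 8100 "https://forum.example/" "Mozilla/5.0"
198.51.100.1 - - [01/Jan/2000:12:00:07 +0000] "GET / HTTP/1.1" 200 5120 "http://www.baidu.com/" "Mozilla/5.0"
198.51.100.2 - - [01/Jan/2000:12:00:07 +0000] "GET / HTTP/1.1" 200 5120 "http://www.baidu.com/" "Mozilla/5.0"
203.0.113.3 - - [01/Jan/2000:12:00:07 +0000] "GET / HTTP/1.1" 200 5120 "http://qihucdn.com/" "Mozilla/5.0"
203.0.113.4 - - [01/Jan/2000:12:00:07 +0000] "GET / HTTP/1.1" 200 5120 "http://www.baidu.com/" "Mozilla/5.0"
198.51.100.5 - - [01/Jan/2000:12:00:07 +0000] "GET / HTTP/1.1" 200 5120 "http://www.baidu.com/" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2000:12:00:07 +0000] "GET /thread/2 HTTP/1.1" 200 7900 "https://forum.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["referer_host"] = urlparse(rec["referer"]).hostname or "-"
    return rec


def analyse(lines):
    """Group requests by second and report bursts dominated by external Referers.

    Each finding records the second, the request rate, how many distinct client
    IPs took part (a browser-driven DDoS shows many), the share of requests whose
    Referer is neither empty nor the forum itself, and which external hosts they cite.
    """
    per_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[rec["ts"]].append(rec)

    findings = []
    for ts, recs in sorted(per_second.items()):
        if len(recs) < RPS_THRESHOLD:
            continue
        external = [r for r in recs if r["referer_host"] not in ("-", SITE_HOST)]
        share = len(external) / len(recs)
        if share >= EXTERNAL_SHARE_THRESHOLD:
            findings.append({
                "second": ts.isoformat(),
                "rps": len(recs),
                "distinct_ips": len({r["ip"] for r in recs}),
                "external_share": round(share, 2),
                "referer_hosts": dict(Counter(r["referer_host"] for r in external)),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f)
```

The Referer signal is only as good as the browsers sending it, so treat it as one indicator alongside the request rate and the geographic spread of client IPs; the response the article describes (a CAPTCHA on the landing page) is exactly the kind of challenge such a finding would trigger for the affected path.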

In 2015, when GitHub was attacked, Baidu denied involvement and responsibility, as the attack was launched through a man-in-the-middle device. Who is capable of controlling a device that can insert script to redirect web traffic from China to the target? The finger is pointed at the mainland Chinese government, which also controls the Great Firewall that blocks sensitive websites and filters sensitive keywords.

What happened to LIHKG is not an isolated incident; a majority of independent media outlets and citizen forums in Hong Kong are subjected to state-level DDoS attacks from mainland China. In 2014, a citizen-led voting site and the news site Apple Daily were subjected to DDoS attacks, in an attempt to silence voices supporting the Occupy Central campaign and a civil referendum that sought to change the local election system. However, the local authorities never investigated the attacks directed at civilians. Now a majority of local independent media outlets and activist sites have to block IPs from mainland China and subscribe to expensive security plans to remain accessible to Internet users.

As for the latest round of attacks on LIHKG, very likely no entity will be held accountable for the malicious act. Netizens can only take very passive protective measures to avoid assisting similar attacks:
