For the first time in over a decade, China’s citizens are able to browse the internet freely. Politburo spokesmen have tried putting a positive spin on recent events, but Guo Shengkun – the Minister of Public Security – has not been seen in days and is assumed to be under house arrest.

Fifteen days ago, Github – a web repository which hosts much of the world’s open-source software projects – came under sustained distributed denial-of-service attacks. While the company is often subject to such activity, this particular attack bore the hallmarks of a similar approach they experienced in March 2015.

Then, any internet browser visiting any site containing JavaScript code sourced from Baidu, China’s most popular web-service, became an involuntary member of a botnet making calls on Github. The denial-of-service attack saw 1% of China’s web bandwidth directed at two pages on Github’s infrastructure; that for the Chinese-edition of the New York Times, and Great Fire, a social-activism service aimed at providing news to Chinese users. While China denied it, it was widely assumed that only the government would have such access to run a “Man-On-The-Side” attack in this way.

Github, though, is no ordinary web service. Their 9 million users are among the most technically savvy in the world; many of them are also senior technical staff at the world’s most popular web services. In retaliation, they unleashed Operation Public Shield. At one point some 5% of global internet traffic was directed at the Great Firewall. Yesterday the wall came down.

“The United States government in no way condones the events of the last few days. We do not advocate that civilians target any government’s infrastructure,” said a US spokesperson. But it is unclear how the US, or China, are able to respond when the world’s most sophisticated tech citizens take matters into their own hands.

ANALYSIS >> SYNTHESIS: How this scenario came to be

March 2015: Github attacked by Chinese DDoS army
On 11 March, Github – a web repository which hosts much of the world’s open – and proprietary software source-code – announces that it is experiencing unusual traffic load. After investigation, they realize that a distributed denial-of-service (DDoS) attack is being directed at two specific projects: the Chinese-edition of the New York Times, and Great Fire, a social-activism service aimed at providing news to Chinese users.

Security investigators track the source of the attack to Baidu, China’s largest search engine.

“Baidu has an analytics product and an ads product, much like Google Analytics and Google AdSense, which are used on all kinds of websites via JavaScript. China has set the Great Firewall of China to modify some of Baidu’s assets so that any non-Chinese IP gets a modified version of the Baidu analytics and ad code. The modification causes every web browser visiting a Chinese site using a Baidu analytics/ad product to load files from the ‘greatfire’ and ‘cn-nytimes’ projects on Github (both of which are designed to circumvent Chinese government censorship) once every two seconds. The effect is that people all over the world outside of China are unwilling participants in a DDoS against Github,” explains John Haller, a software developer, writing on Hacker News.

It takes five days for Github to regain control of their servers and for the attack to subside.

“This attack demonstrates how the vast passive and active network filtering infrastructure in China, known as the Great Firewall, can be used in order to perform powerful DDoS attacks,” says Erik Hjelmvik of Netresec, an internet security monitoring service. “The Great Firewall cannot be considered just a technology for inspecting and censoring the Internet traffic of Chinese citizens, but also a platform for conducting DDoS attacks against targets worldwide with help of innocent users visiting Chinese websites.”

Security researchers across the world express concern but, for now, the attack appears to have been countered.

May 2016: China unleashes fury at Convention of the Sea
On 9 May, ASEAN leaders, in a rare – and panicked – show of unity convene a Convention of the Sea under the auspices of the UN. China’s island-building in the South China Sea, as well as their increasingly aggressive demands for recognition of their ‘ownership’ of key fishing and gas resources, has unnerved regional leaders.

The Convention is abandoned after the host, Singapore, experiences critical failure of civil infrastructure. Automated hotel booking systems and the airport traffic management system are subjected to a major DDoS in the days leading up to event. With planes unable to land, and visitors unable to secure accommodation, organizers are left in disarray.

“WAS THAT A WAR?” asks a headline in the New York Times. Mandiant, a cybersecurity firm, issues a sternly-worded report detailing how China’s cyber-attack happened. It appears that, as with the Github attack in 2015, the Great Firewall was used to inject code into visitors of websites based in China. Leaders in the US and EU issue grim warnings, but appear unwilling to challenge China over this issue.

“It is unprofessional and groundless to accuse the Chinese military of launching cyber-attacks without any conclusive evidence,” says Guo Shengkun, the Minister of Public Security.

November 2016: The fall of the Great Firewall
In June, Emily Church at X-Prize, a global innovation challenge fund, launches their DDoS X-Prize.

“We have seen an exponential rise in the disruption caused by DDoS attacks on our internet services. This is only just bearable by large companies, but completely destructive to smaller startup firms. Today X-Prize, in partnership with Github, announces a US$10 million prize to the first organization that can develop a free and open-source mechanism to eliminate the top ten attack vectors which account for 94% of DDoS attacks.”

Overnight, hundreds of projects are launched on Github. Thousands of developers from around the world begin to study the public source-code repositories and test out the solutions.

“This is tremendous,” says Simon Laverick of Intellectual Ventures, a venture capital firm. “Our startups are using some of these early code releases and have experienced tremendous reduction in DDoS threats.”

On 11 November Github sees a sudden wave of DDoS attacks flooding their servers. Analysts report that China’s man-on-the-side attack is injecting code into Baidu, TaoBao, QQ, Sina Weibo, 360.cn and a host of other popular Chinese websites. The volume of traffic being pushed towards Github is equivalent to 5% of China’s bandwidth.

Github’s infrastructure begins to wobble. A thread on Hacker News titled “Operation Public Shield” quickly draws the attention of thousands of developers. While some developers begin work on improving Github’s defenses using code from various X-Prize projects, others look for a way to counter the Great Firewall directly.

On 23 November, Operation Public Shield is launched.

“We have redirected 25% of our Bitcoin mining operations to focus on dismantling the Great Firewall,” says one anonymous responder writing in Hacker News. In a comment thread now spanning over 15,000 posts, hackers coordinate their response.

At one point some 5% of internet traffic is directed at the Great Firewall.

On 26 November the wall collapses.

“The US government in no way condones the events of the last few days. We do not advocate that citizens take matters into their own hands,” says a US spokesperson. But it is unclear how the US, or China, are able to respond when the world’s most sophisticated tech citizens take matters into their own hands.