GitHub is a web-based hosting service used mainly for hosting computer code, with additional features such as source code management (SCM), bug tracking and task management. Several days ago, it was the victim of the largest DDoS attack ever recorded.
What is a DDoS attack? Simply put, a Distributed Denial of Service attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. The targets span a wide variety of important resources, from banks to news websites. Since GitHub's service is very large and many programmers use it, it is no wonder that it is susceptible to network and hacking attacks.
There are several ways to perform a DDoS attack:
- Exhausting all available TCP connections to infrastructure devices such as application servers, load balancers and firewalls.
- Consuming all available bandwidth, creating insurmountable congestion either within the target network or between the target network (service) and the rest of the internet.
- Fragmentation attacks using numerous packet fragments. This "floods" the target with fragments it cannot reassemble, and performance slows down as a result.
- Targeting a specific aspect of an application or service, so that only a low traffic rate is needed.
A DDoS attack can also multiply the traffic it sends through DNS reflection. The attacker sends small requests to a DNS server and asks it to send replies up to 70x larger to the victim. If the victim has an internet-connected printer with an outdated testing service called Chargen, an attacker can ask the device to reply with a stream of random characters.
What happened to GitHub?
Apparently, GitHub was hit with 1.35 terabits per second of attack traffic several days ago. That DDoS attack holds the current record as the largest ever recorded. Ten minutes into the attack and the resulting traffic struggle, GitHub automatically called for help. The DDoS mitigation service Akamai Prolexic immediately stepped in and acted as an intermediary between GitHub and the attackers. Prolexic routed all the traffic through its scrubbing centers to filter out and block malicious packets. After 8 minutes, the attack subsided.
Publicly exposed memcached servers are the problem
The attackers used a DNS-reflection-style amplification method with memcached servers. These database caching systems speed up networks and websites, but they should not be exposed to the public. About 100,000 memcached servers sit exposed to the public internet with no authentication whatsoever. This means that an attacker can reach them and send a special series of small requests (10 queries per second per server). The memcached servers then respond with replies 50 times larger, directed at the victim.
The main problem is these servers. The community that tracks the memcached attack trend is addressing the issue by asking the owners of those servers to take them off the public internet and put them behind firewalls on internal networks. Prolexic can also add filters to block memcached traffic if it detects a suspicious amount of it.
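As an added example (not code from the original article), here is a small Python flow-record analyzer that captures the asymmetry both the DNS-reflection passage and the memcached passage describe: tiny UDP requests that produce much larger replies. The flow records, IP addresses and thresholds are constructed for illustration; the only real values are the default ports of the services named on the page (DNS 53, Chargen 19, memcached 11211). It checks from two viewpoints: the victim's (many hosts replying from one reflector port with large packets to one destination) and the reflector operator's (requests to an open memcached or DNS service answered with many times more bytes sent to the claimed source).

```python
"""Flag reflection/amplification traffic in flow records.

Added example for the DNS-reflection and memcached passages above; it is not
code from the original article. The flow records are constructed for
illustration. The reflector ports are the well-known service defaults
(DNS 53, chargen 19, memcached 11211); the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their default port.
REFLECTOR_PORTS = {53: "dns", 19: "chargen", 11211: "memcached"}

# Assumed thresholds: a reply this large per packet counts as "amplified", and
# a response/request byte ratio this high means we are serving as an amplifier.
LARGE_RESPONSE_BYTES = 1000
MIN_AMPLIFICATION = 10.0


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'proto src_ip:port > dst_ip:port packets bytes'."""
    proto, src, _, dst, packets, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto, src_ip, int(src_port), dst_ip, int(dst_port), int(packets), int(nbytes))


def load_flows(text: str) -> list:
    """Parse every non-empty, non-comment line of a flow dump."""
    return [parse_flow(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def detect_victim_side(flows, min_reflectors: int = 3) -> list:
    """Victim's view: many distinct hosts all replying from one reflector port
    with large UDP packets to the same destination."""
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            g = groups[(f.dst_ip, f.src_port)]
            g["reflectors"].add(f.src_ip)
            g["packets"] += f.packets
            g["bytes"] += f.nbytes
    alerts = []
    for (victim, port), g in groups.items():
        avg = g["bytes"] / g["packets"]
        if len(g["reflectors"]) >= min_reflectors and avg >= LARGE_RESPONSE_BYTES:
            alerts.append({"victim": victim, "service": REFLECTOR_PORTS[port],
                           "reflectors": len(g["reflectors"]),
                           "avg_bytes_per_packet": round(avg)})
    return alerts


def detect_reflector_side(flows, min_ratio: float = MIN_AMPLIFICATION) -> list:
    """Reflector operator's view: small requests to our amplifier port whose
    answers, sent to the (possibly spoofed) requester, carry far more bytes."""
    bytes_in = defaultdict(int)   # (server, port, client) -> request bytes
    bytes_out = defaultdict(int)  # same key -> response bytes
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in REFLECTOR_PORTS:
            bytes_in[(f.dst_ip, f.dst_port, f.src_ip)] += f.nbytes
        elif f.src_port in REFLECTOR_PORTS:
            bytes_out[(f.src_ip, f.src_port, f.dst_ip)] += f.nbytes
    alerts = []
    for key, req in bytes_in.items():
        ratio = bytes_out.get(key, 0) / req
        if ratio >= min_ratio:
            server, port, client = key
            alerts.append({"server": server, "service": REFLECTOR_PORTS[port],
                           "target": client, "amplification": round(ratio, 1)})
    return alerts


# Constructed flow dump (not captured traffic). 198.51.100.10 is the victim;
# the 203.0.113.x hosts are open memcached servers; 192.0.2.53 is an ordinary
# resolver answering ordinary queries and must not be flagged.
SAMPLE_FLOWS = """\
# proto src > dst packets bytes
udp 198.51.100.10:41000 > 203.0.113.5:11211 100 6000
udp 203.0.113.5:11211 > 198.51.100.10:41000 1200 1680000
udp 203.0.113.6:11211 > 198.51.100.10:41000 1100 1540000
udp 203.0.113.7:11211 > 198.51.100.10:41000 1300 1820000
udp 198.51.100.10:50000 > 192.0.2.53:53 20 1400
udp 192.0.2.53:53 > 198.51.100.10:50000 20 3000
tcp 192.0.2.80:443 > 198.51.100.10:51000 400 520000
"""

if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    for alert in detect_victim_side(flows) + detect_reflector_side(flows):
        print(alert)
```

The two detectors are deliberately separate: the victim's network only ever sees the amplified replies, so it keys on source port and bytes per packet; the reflector's operator sees both directions and can measure the amplification ratio directly, which is how an exposed memcached server shows up as being abused against someone else. The ordinary DNS exchange in the sample (20 small queries, 3000 bytes back) stays below both thresholds.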
According to the internet service provider CenturyLink, there are 300 individual scanners searching for memcached boxes. This means that at least 300 bad actors are looking for exposed servers. ISPs can filter the actual command so that no one can start an attack using memcached servers.
GitHub, with the help of Akamai Prolexic, successfully survived the DDoS attack. The attack lasted 15 to 20 minutes because the software detected it very quickly and reacted accordingly. For now, this is the best available defence against such attacks until the "problematic" servers are taken off the public internet.
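The remedy the page describes, taking the servers off the public internet and behind a firewall, can be checked on the host itself. The following is an added example, not code from the article or from memcached's own tooling: it audits a socket listing in the column layout of `ss -tulnp` (the listing is constructed here, not captured from a real host) and flags any memcached socket bound to something other than loopback. Port 11211 and the `-l` (bind address) and `-U 0` (disable UDP) startup options are memcached's real ones; the PIDs and addresses are made up.

```python
"""Audit whether a memcached instance is reachable from outside the host.

Added example, not part of the original article. The socket listing below is
constructed in the column layout of `ss -tulnp`; memcached's default port
11211 and its `-l` (bind address) / `-U 0` (disable UDP) options are real,
everything else (PIDs, addresses) is illustrative.
"""

MEMCACHED_PORT = 11211
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed listing: memcached bound to every interface on UDP and TCP
# (the exposed case the article warns about), plus an unrelated service
# correctly bound to loopback.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:11211       0.0.0.0:*         users:(("memcached",pid=1234,fd=26))
tcp   LISTEN 0      1024   0.0.0.0:11211       0.0.0.0:*         users:(("memcached",pid=1234,fd=27))
tcp   LISTEN 0      1024   [::]:11211          [::]:*            users:(("memcached",pid=1234,fd=28))
tcp   LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1300,fd=6))
"""


def parse_sockets(text: str):
    """Yield (netid, local_addr, local_port, process) for each socket line,
    skipping the header row. IPv6 addresses keep their brackets."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        netid, local = parts[0], parts[4]
        addr, port = local.rsplit(":", 1)
        process = parts[6] if len(parts) > 6 else ""
        yield netid, addr, int(port), process


def audit_memcached(text: str) -> list:
    """Return one finding per memcached socket not bound to a loopback address.

    A UDP listener is what the amplification attack needs; an exposed TCP
    listener is still an unauthenticated cache anyone can read or write.
    """
    findings = []
    for netid, addr, port, process in parse_sockets(text):
        if port != MEMCACHED_PORT and "memcached" not in process:
            continue
        if addr in LOOPBACK:
            continue
        risk = "udp-amplification" if netid == "udp" else "unauthenticated-tcp"
        findings.append({"netid": netid, "addr": addr, "port": port, "risk": risk})
    return findings


def recommended_flags(findings: list) -> list:
    """Suggest memcached startup options that close the findings."""
    flags = []
    if any(f["netid"] == "udp" for f in findings):
        flags.append("-U 0")          # turn the UDP listener off entirely
    if findings:
        flags.append("-l 127.0.0.1")  # bind to loopback (or an internal-only address)
    return flags


if __name__ == "__main__":
    found = audit_memcached(SAMPLE_SS_OUTPUT)
    for finding in found:
        print(finding)
    if found:
        print("restart memcached with:", " ".join(recommended_flags(found)))
```

On a real host the input would come from `ss -tulnp` itself; the audit is intentionally independent of memcached's version defaults, because it looks at what is actually listening rather than at the command line. Binding to loopback only fixes a single-host deployment; a cache shared across an internal network should instead bind to the internal address and be shielded by a border rule that drops UDP 11211 from the internet, which is the "behind firewalls on internal networks" placement the community asks for.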
Having several years of experience in creating written content (from short articles to long in-depth reviews), I, as a freelancer, have become proficient in tackling numerous themes regarding technology and the usage of software. In my spare time I find interest in sightseeing, playing video games and learning how to code.