GitHub was hit by the biggest DDoS attack ever recorded on Wednesday. According to Akamai Prolexic, the attack peaked at 1.35 Tbps. It made use of memcached servers, which return 50 times the data they receive to the spoofed IP address of the victim.

[Figure: picture by Akamai Prolexic showing real-time traffic from the DDoS attack; the inbound traffic is a lot higher than usual.]

Overview

A DDoS attack is one of the most common methods employed by hackers to take websites down: it involves bombarding sites with more traffic than they can handle, so as to overwhelm their servers and cause enough crashes to take the site offline temporarily.

This kind of attack is called an amplification attack, and while it has been used before, the scale of this one was off the charts.

"This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed," said Akamai, a cloud computing company that helped GitHub survive the attack.
In a post on its engineering blog, GitHub said, "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35 Tbps via 126.9 million packets per second."

The web monitoring and network intelligence firm ThousandEyes observed the GitHub attack on Wednesday. “This was a successful mitigation. Everything transpired in 15 to 20 minutes,” said Alex Henthorne-Iwane, vice president of product marketing at ThousandEyes. “If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”

No botnet was involved

The attackers spoofed GitHub's IP address and sent queries to several memcached servers, which are typically used to speed up database-driven sites. The servers then returned the data from those requests to GitHub, amplified by around 50 times.
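As an added example (not code from the original post, nor from GitHub or Akamai), here is a small detector for the reflection pattern just described: inbound UDP traffic whose source port is memcached's default, 11211, arriving from many unrelated servers and all aimed at one address. The flow-record format, the sample values and the alert thresholds are constructed assumptions.

```python
# Flag reflected memcached amplification traffic in flow records.
# Assumed record format (constructed for this example), one flow per line:
#   epoch,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets
# Reflected responses arrive over UDP with memcached's default port, 11211,
# as the *source* port, from many unrelated servers, all aimed at one victim.
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample: two benign flows plus five 11211-sourced UDP flows
# from distinct reflectors toward 203.0.113.10 within two seconds.
SAMPLE_FLOWS = """\
1519827600,tcp,198.51.100.7,52314,203.0.113.10,443,1200,9
1519827600,udp,192.0.2.11,11211,203.0.113.10,3301,1400000,1000
1519827600,udp,192.0.2.12,11211,203.0.113.10,3301,1400000,1000
1519827600,udp,192.0.2.13,11211,203.0.113.10,3301,1400000,1000
1519827601,udp,192.0.2.14,11211,203.0.113.10,3302,1400000,1000
1519827601,udp,198.51.100.9,53,203.0.113.10,40012,512,4
1519827601,udp,192.0.2.15,11211,203.0.113.10,3302,1400000,1000
"""

def parse_flows(text):
    fields = ("ts", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "bytes", "packets")
    flows = []
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split(",")))
        for key in ("ts", "src_port", "dst_port", "bytes", "packets"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows

def find_memcached_reflection(flows, min_reflectors=3, min_mbps=10.0):
    """Group UDP flows sourced from port 11211 by destination and report
    victims hit from >= min_reflectors distinct servers at >= min_mbps."""
    per_victim = defaultdict(lambda: {"srcs": set(), "bytes": 0, "ts": set()})
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] == MEMCACHED_PORT:
            v = per_victim[f["dst_ip"]]
            v["srcs"].add(f["src_ip"])
            v["bytes"] += f["bytes"]
            v["ts"].add(f["ts"])
    alerts = {}
    for victim, v in per_victim.items():
        window = max(v["ts"]) - min(v["ts"]) + 1  # seconds covered by the flows
        mbps = v["bytes"] * 8 / window / 1e6
        if len(v["srcs"]) >= min_reflectors and mbps >= min_mbps:
            alerts[victim] = {"reflectors": len(v["srcs"]), "mbps": round(mbps, 1)}
    return alerts
```

On the constructed sample, `find_memcached_reflection(parse_flows(SAMPLE_FLOWS))` reports 203.0.113.10 as hit from 5 reflectors at 28.0 Mbps, while the DNS and HTTPS flows are ignored.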

Final Words

It's nice to know that even with this much traffic, the attackers couldn't do much harm besides interrupting GitHub's service for a few minutes. Clearly, network infrastructure providers are getting better at handling DDoS attacks, but they'll need to do more to stay a step ahead of hackers in the future. Ideally, even when an attack happens, everything would keep working as normal, but I guess that requires a new infrastructure.

Such attacks are useless in my opinion anyway.