Yesterday, the internet’s favorite code repository, GitHub, was hit by a record 1.35-terabyte-per-second denial-of-service attack—the most powerful recorded so far. Yet, the website only endured a few minutes of intermittent downtime.
Yesterday, the internet’s favorite code repository, GitHub, was hit by a record 1.35-terabyte-per-second denial-of-service attack—the most powerful recorded so far. Yet, the website only endured a few minutes of intermittent downtime.
The attacker, likely realizing their efforts were for naught, withdrew after less than an hour. GitHub was able to suffer the attack and keep kicking thanks to Akamai’s DDoS mitigation service.
“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack,” GitHub wrote in an autopsy of the event Thursday. “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”
Per GitHub, the angry little person (or people) responsible employed an amplification attack, whereby an attacker spoofs a target’s IP address and repeatedly sends byte-sized (UDP) requests to memcached servers—data-caching systems, which are intended to improve database performance, that problematically return a hugely disproportionate amount of data.
Because the attacker spoofed GitHub’s IP, the responses flooded toward the site at more than a terabyte per second.
Tod Beardsley, research director at Rapid7, called the attack a “harbinger of the new world of DDoS.”
“Unless and until these vulnerable memcached servers are themselves booted off the Internet,” Beardsley said, “they will remain as an irresistibly attractive means for firing packet cannons at any target one might choose, all with no botnet infrastructure required.”
The good news is, you can mitigate a memcache-based amplification attacks by setting up an incoming rate-limit on port 11211, according to Akamai.
“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly,” the company wrote in a Thursday blog post. “Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly.”
