On the 3rd of January 2018, GitHub, one of the world’s biggest software development platforms, was hit by 1.35 terabits per second of traffic at once, making it the strongest distributed denial of service (DDoS) attack the world had seen.
As soon as the attack started, GitHub went offline, but at the same time an automated system began assessing the situation and what type of attack the platform was dealing with. In less than 10 minutes, GitHub called on its DDoS mitigation service, Akamai Prolexic, as an intermediary. The service then began rerouting all traffic destined for GitHub through scrubbing centres, which identify and block malicious packets. After a couple more minutes, the offensive was stopped and GitHub was back online. Given the massive strength of the attack, the fact that it was stopped after only 10 minutes was a big surprise for both GitHub and their DDoS mitigation service.
In a press statement, Josh Shaul, the vice president for web security over at Akamai, mentioned that: “We modelled our capacity based on five times the biggest attack that the internet has ever seen (…) So I would have been certain that we could handle 1.3 Tb/s, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope.”
The Specifics of the Attack and Defence Mechanisms
Understanding how Akamai defended GitHub from the attack is an important lesson in how to deal with DDoS attacks. Apart from its general DDoS defence mechanisms, Akamai also used recently implemented mitigations for DDoS attacks that originate from memcached servers. Memcached servers give DDoS attackers a reliable way to amplify their traffic: these database caching systems are deployed to speed up websites, so an attacker who can reach an exposed server can send small command packets and have the server answer with a much larger reply.
To put things into perspective, the world’s second biggest DDoS attack (1.2 Tb/s) was aimed at Dyn, a US-based internet infrastructure company. Reports indicate that the attack disrupted internet traffic all across the east coast, as malicious requests were sent from tens of millions of IP addresses, in what Dyn referred to as ‘a very sophisticated and complex attack’. There were, however, some differences between the two attacks: they used different techniques, and the attackers behind the Dyn incident were apparently more motivated, as they refused to quit after the first attack was stopped.
The main difference is that the Dyn attack was based on botnets, whereas the GitHub memcached DDoS attack works differently and does not require a malware-driven botnet. Attackers simply need to spoof the IP address of the victim and begin sending small requests to exposed memcached servers (10 per second for each server was enough). Because memcached servers are built to send back a much bigger response, they return at least 50 times the request data to the victim, creating an easy-to-orchestrate and extremely powerful amplification attack.
Following the attack, internet infrastructure operators, alongside ISPs and DDoS protection services, began implementing numerous server protection measures that would make memcached servers unable to involuntarily participate in such attacks in the future. Server owners have been asked to install firewalls or remove the vulnerable servers from the internet, in an effort to reduce the possibility of such attacks recurring. Several DDoS protection groups also implemented new filters that can immediately detect and block traffic coming from memcached servers when suspicious volumes are observed. The actual command used for the attack has also been filtered out by the internet security community. Despite this event, internet security is quickly improving. ThousandEyes, a web monitoring and internet intelligence firm that observed the attack, mentioned that: “This was a successful mitigation. Everything transpired in 15 to 20 minutes (…) If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”
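The amplification pattern described above (many memcached servers answering on UDP/11211 toward one spoofed destination with near-MTU replies) is what the filters mentioned here look for. The following is an added example, not code from the article or from any of the companies it names: it scores constructed NetFlow-style records per destination and emits an edge filter rule for each likely victim. The record layout, the thresholds and the sample flows are all assumptions.

```python
"""Flag memcached (UDP/11211) reflection traffic in flow records and build
narrow block rules. Added example; flow tuples and thresholds are constructed."""
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_REFLECTORS = 2         # distinct memcached servers answering one destination
MIN_TOTAL_BYTES = 1_000_000
MIN_AVG_PKT_BYTES = 1000   # reflected replies are near-MTU; real cache lookups are small

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# The three 198.51.100.x servers act as reflectors toward 203.0.113.5.
SAMPLE_FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 80, "udp", 2000, 2_800_000),
    ("198.51.100.11", 11211, "203.0.113.5", 80, "udp", 1800, 2_500_000),
    ("198.51.100.12", 11211, "203.0.113.5", 80, "udp", 2100, 2_900_000),
    ("10.0.0.5", 11211, "10.0.0.9", 40321, "udp", 30, 9_000),      # small in-house cache replies
    ("192.0.2.20", 52000, "203.0.113.5", 443, "tcp", 40, 30_000),  # ordinary web traffic
]

def find_memcached_reflection(flows):
    """Aggregate UDP flows sourced from port 11211 per destination and return an
    alert dict for each destination that looks like an amplification victim."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, proto, packets, nbytes in flows:
        if proto != "udp" or src_port != MEMCACHED_PORT:
            continue
        agg = per_dst[dst_ip]
        agg["reflectors"].add(src_ip)
        agg["packets"] += packets
        agg["bytes"] += nbytes
    alerts = []
    for dst_ip, agg in per_dst.items():
        avg_pkt = agg["bytes"] / agg["packets"]
        if (len(agg["reflectors"]) >= MIN_REFLECTORS
                and agg["bytes"] >= MIN_TOTAL_BYTES
                and avg_pkt >= MIN_AVG_PKT_BYTES):
            alerts.append({"victim": dst_ip, "reflectors": sorted(agg["reflectors"]),
                           "bytes": agg["bytes"], "avg_packet_bytes": round(avg_pkt)})
    return alerts

def block_rules(alerts):
    """iptables-style rules for an upstream filter: drop only UDP from source port
    11211 toward the victim, so the victim's legitimate traffic keeps flowing."""
    return [f"-A INPUT -p udp --sport {MEMCACHED_PORT} -d {a['victim']} -j DROP"
            for a in alerts]

if __name__ == "__main__":
    found = find_memcached_reflection(SAMPLE_FLOWS)
    print(found)
    print("\n".join(block_rules(found)))
```

The single-reflector flow to 10.0.0.9 is ignored, showing why the rule keys on multiple reflectors and large average packet size rather than on port 11211 alone.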
It is still unclear why GitHub was chosen as the target for the memcached attack, though the platform was also targeted for six straight days back in March 2015 by Chinese hackers. It is believed that there were no hidden reasons beyond the fact that GitHub is a high-profile platform, which makes taking it down impressive for the attackers. While the DDoS attack could have been driven by ransom demands, the speed of the mitigation most likely made it impossible for the attackers to demand a ransom in the first place.
The attack against GitHub luckily ended well for the platform, as it quickly resumed service a couple of minutes later. However, the event itself showcases how networks can be manipulated into launching DDoS attacks of massive scales. While DDoS attacks remain common on the internet, ISPs, web hosting companies, and DDoS protection services are actively researching better ways of dealing with the attacks.