Yagmur Sahin

Summary

GitHub successfully mitigated a record-breaking DDoS attack on February 28, 2018, which exploited memcached servers to amplify traffic.

Abstract

On February 28, 2018, GitHub experienced the largest DDoS attack on record, with a throughput of 1.3 Tbps and 126.9 million packets per second. The attack utilized memcached, a popular database caching system, to amplify the assault by a factor of 50,000 without the use of botnets. GitHub's DDoS protection service was alerted within 10 minutes, and the attack was mitigated within 20 minutes. The attackers exploited the design of memcached over UDP, which is not suitable for today's internet, to send massive volumes of data to GitHub's IP addresses, overwhelming the service. This incident underscores the importance of assessing system vulnerabilities and implementing measures to reduce the risk of such attacks.

Opinions

  • The attack on GitHub was significant due to its size and the method used, highlighting the potential for misuse of memcached systems.
  • The effectiveness of GitHub's DDoS protection service was demonstrated by the rapid response and mitigation of the attack.
  • The attack's characteristics, particularly the lack of botnets and the high amplification factor, distinguish it from typical DDoS attacks.
  • The incident suggests that a reevaluation of network protocols like UDP-based memcached may be necessary to prevent future exploitation in DDoS attacks.
  • There is an emphasis on the need for proactive risk analysis and the implementation of security measures to protect against availability attacks.

How GitHub Survived the Biggest DDoS Attack Ever Recorded?

Analysis of GitHub Attack in connection with cyber security concepts.

GitHub, a famous online code management site used by millions of developers, was the subject of one of the largest verifiable DDoS attacks on record. This attack had a throughput of 1.3 Tbps, transmitting 126.9 million packets per second.

There were no botnets participating in the GitHub DDoS attack because it was a memcached DDoS strike. Instead, the attackers took advantage of the amplification effect of memcached, a prominent database caching technology. By flooding memcached servers with spoofed queries, the attackers were able to amplify their attack by a factor of 50,000.

Fortunately, GitHub was utilizing a DDoS protection service, which was promptly notified of the attack within 10 minutes of it beginning. This alert initiated the mitigation process, and GitHub was able to immediately stop the attack. The enormous DDoS attack lasted roughly 20 minutes in total.

Summary:

On February 28, 2018, GitHub was the victim of the largest DDoS attack ever recorded in human history. The attackers took advantage of a caching system known as Memcached. In this DDoS attack, the attackers used the “growth factor” (the amplification factor) of Memcached.

Target:

In short, the target was GitHub's services.

GitHub.com web-site became unavailable for a while between UTC 17:21–17:26 and the attack was thought to be a DDoS attack. The goal was actually to prevent access to GitHub and to eliminate the availability of the site. “Availability is the third element of the security triad and is associated with the reliability, availability, and performance of computing resources (e.g., communication networks, data processing applications, servers) and data.” [1]


How:

Attackers used something called “memcaching” (a distributed memory caching system known for high performance under demand) to increase traffic volumes toward GitHub massively.[2] The attack originated when the attackers misused Memcached instances that they could reach on the internet. To do this, they first spoofed GitHub’s IP address and then directed requests at instances of Memcached that were said to be “accidentally accessible on the public internet”. (Memcached is intended only for systems that are not open to the Internet, as no authentication is required.)

As a result, they increased the data volumes of Memcached systems by about 50 times with a large traffic flow as can be seen below:

Figure1 Source: https://github.blog/2018-03-01-ddos-incident-report/


Although DDoS attacks were very common, this attack had its own characteristic: its amplification factor is up to 51,000, which means that for every byte sent by the attacker, up to 51 KB can be sent to the target.

Method:

Several Memcached (UDP) servers are used as an amplification tool by the ‘attacker’, who uses spoofed source IP(s) so that the responses of the exploited Memcached servers are directed to the victim’s IP.[3]

Figure 2. Memcached exploit example. Source: Singh K., Singh A. (2018). Memcached DDoS Exploits: Operations, Vulnerabilities, Preventions and Mitigations, Conference Paper, p. 5

In this case, the DDoS attack involved an unusual amplification vector based on UDP-based Memcached traffic.

Attackers realized that they could use the Memcached protocol to initiate attacks. First, the attacker placed a considerable payload on a vulnerable Memcached server, and then the attacker sent request messages spoofed with the target’s IP as the source.

Requests of only a few bytes sent to the vulnerable Memcached servers generated responses thousands of times larger, directed at the targeted IP addresses, resulting in a heavily amplified DDoS attack. The servers thus multiplied the traffic by about 50 times, preventing regular traffic from reaching its destination.

The point that distinguishes this attack from other DDoS attacks is that no botnets were involved, whereas DDoS attacks usually rely on them.
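The reflection pattern described in the How and Method sections, seen from the victim's network edge, as an added detection example (not code from the original post, from GitHub, or from the cited paper): it assumes NetFlow-style records already parsed into dicts, uses constructed sample flows, and the alert thresholds are assumptions.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211            # memcached's default port (UDP and TCP)
ALERT_BYTES = 1_000_000           # assumed per-destination alert threshold
ALERT_SOURCES = 3                 # assumed minimum number of distinct reflectors

# Constructed NetFlow-style records (not from the GitHub incident).
# "bytes" and "packets" are totals for the whole flow.
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "203.0.113.10", "sport": 11211, "dst": "192.0.2.1",
     "dport": 40001, "packets": 900, "bytes": 1_260_000},   # reflected response
    {"proto": "udp", "src": "203.0.113.11", "sport": 11211, "dst": "192.0.2.1",
     "dport": 40002, "packets": 850, "bytes": 1_190_000},   # reflected response
    {"proto": "udp", "src": "203.0.113.12", "sport": 11211, "dst": "192.0.2.1",
     "dport": 40003, "packets": 700, "bytes": 980_000},     # reflected response
    {"proto": "udp", "src": "198.51.100.7", "sport": 11211, "dst": "192.0.2.50",
     "dport": 50000, "packets": 2, "bytes": 300},           # ordinary small reply
    {"proto": "tcp", "src": "203.0.113.10", "sport": 11211, "dst": "192.0.2.60",
     "dport": 51000, "packets": 40, "bytes": 20_000},       # TCP: not reflectable
]


def reflection_report(flows, port=MEMCACHED_PORT):
    """Aggregate UDP flows whose *source* port is memcached, keyed by destination.

    Spoofed requests make the reflector answer the victim, so at the victim's
    edge the tell-tale sign is UDP traffic arriving *from* port 11211.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != port:
            continue
        agg = per_dst[f["dst"]]
        agg["bytes"] += f["bytes"]
        agg["packets"] += f["packets"]
        agg["sources"].add(f["src"])
    return per_dst


def suspected_victims(flows, min_bytes=ALERT_BYTES, min_sources=ALERT_SOURCES):
    """Return (dst, bytes, reflector_count, avg_bytes_per_packet) for each
    destination receiving large memcached UDP responses from several servers."""
    hits = []
    for dst, agg in reflection_report(flows).items():
        if agg["bytes"] >= min_bytes and len(agg["sources"]) >= min_sources:
            hits.append((dst, agg["bytes"], len(agg["sources"]),
                         agg["bytes"] // agg["packets"]))
    return sorted(hits)
```

On the server side the same design flaw is closed by starting memcached with UDP disabled (`-U 0`) and listening only on a non-public address (`-l`), which memcached has done for UDP by default since release 1.5.6.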

Conclusion:

This attack, which was carried out by sending forged requests, did not need great skill or resources, and it required no authentication. The attackers exploited a vulnerability in the design, not a unique tool. Memcached was designed to deliver information quickly; however, the design of Memcached over UDP was not well suited to today’s internet, and it had the potential to create weaknesses with very significant consequences.

So it is a logical approach to carry out a risk analysis to assess our system vulnerabilities, understand the impact of a DDoS attack under various scenarios, and determine the measures we should take for optimum risk reduction.

References:

1) Singh K., Singh A. (2018). Memcached DDoS Exploits: Operations, Vulnerabilities, Preventions and Mitigations, Conference Paper: 2018 IEEE 3rd International Conference on Computing, Communication and Security (ICCCS)

2) GitHub DDoS Incident Report

3) Web Article — “GitHub was hit with the largest ddos attack ever seen”

4) Web Article — “GitHub Knocked Briefly Offline Biggest DDoS Attack”

5) Web Article — “How GitHub braved the worlds largest ddos attack”

6) Web Article — “GitHub Hit By Largest DDoS attack ever recorded at 1.35-tbps”

7) Science Direct — Availability Attack Overview

8) Web Article — “The Worlds Largest DDoS Attack Took GitHub Offline For Less Than Ten Minutes”

[1] https://www.sciencedirect.com/topics/computer-science/availability-attack

[2] https://techcrunch.com/2018/03/02/the-worlds-largest-ddos-attack-took-github-offline-for-less-than-tensminutes/

[3] Singh K., Singh A. (2018). Memcached DDoS Exploits: Operations, Vulnerabilities, Preventions and Mitigations, Conference Paper: 2018 IEEE 3rd International Conference on Computing, Communication and Security (ICCCS)
