The online version control and code distribution platform Github has suffered a series of massive distributed denial of service (DDoS) attacks on Wednesday, February 28, 2018, causing service disruption by forcing its website Github.com to go offline.
In the first phase of the attack, Github’s website suffered a shocking 1.35 terabits per second (Tbps) spike while in the second phase Github’s network monitoring system detected 400Gbps spike. The attacks lasted for over 8 minutes and due to the massive traffic used by the attacks, this is the largest DDoS attack ever witnessed.
Previously, the French telecom OVH and Dyn DNS suffered the largest DDoS attacks with 1 Tbps traffic flow. Both attacks were carried by hackers using Mirai, a malware popular for infecting IoT devices to carry large-scale DDoS attacks.
However, in the case of Github, the DDoS attacks were possible due to a critical security flaw in Memcached servers which was identified Akamai, Arbor Networks, and Cloudflare. According to researchers, implementation of the Memcached servers’ UDP protocol is flawed and anyone can launch a major DD0S attack without much ado.
The researchers call it an amplification attack. Github, on the other hand, has confirmed that it was an amplification attack using the Memcached-based approach that peaked at 1.35Tbps via 126.9 million packets per second.
If hackers manage to prepare the amplification attack well, they can launch an attack with lowest possible IP spoofing capacity, as low as 1Gbps, and successfully launch very large attacks that can reach up to hundreds of gigabits per second.
In its blog post, Github’s Sam Kottler explained the attack and wrote that “Spoofing of IP addresses allows Memcached’s responses to be targeted against another address, like ones used to serve GitHub.com, and send more data toward the target than needs to be sent by the unspoofed source. The vulnerability via misconfiguration described in the post is somewhat unique amongst that class of attacks because the amplification factor is up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the target.”
To read the original article: