Github was hit by 1.35Tb DDoS attack establishing a new record

This week GitHub was hit by a 1.35Tb DDoS attack. It thus established a new record. After a few minutes the attack was mitigated by Akamai, who was called in by GitHub.

Interestingly, the attackers used misconfigured Memcached servers to amplify the DDoS attack.
Memcached servers that are exposed to the world offer a huge attack multiplier - for each byte sent to them with a spoofed sender's address, you can expect a 51 kbyte response sent to the faked address. As a result, attackers can achieve an effect 51,000 times more powerful than if they attacked the victim's server directly, further hiding their identity.
You can read more here: https://githubengineering.com/ddos-incident-report/
...and here: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

What are your thoughts? Will you update your Memcached configuration now?
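
An added example, not part of the original post: a small audit of a memcached options file for the exposure described above (UDP listener on, bound beyond loopback). `-U`/`--udp-port` and `-l`/`--listen` are memcached's own flags; the function names, the `udp_on_by_default` parameter and both sample option files are constructed for illustration, and the file format is assumed to be flags separated by whitespace with `#` comments.

```python
import ipaddress
import shlex

# Constructed sample option files (flags per line, '#' starts a comment).
WEAK = "# constructed sample\n-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

def parse_options(conf_text):
    """Return (udp_port or None, [listen addresses]) from the options text."""
    udp_port, listen = None, []
    for raw in conf_text.splitlines():
        it = iter(shlex.split(raw.split("#", 1)[0]))
        for tok in it:
            val = None
            if tok.startswith("--") and "=" in tok:          # --udp-port=0
                tok, val = tok.split("=", 1)
            elif tok in ("-U", "-l", "--udp-port", "--listen"):
                val = next(it, None)                         # -U 0
            elif tok[:2] in ("-U", "-l") and len(tok) > 2:   # -U0
                tok, val = tok[:2], tok[2:]
            if tok in ("-U", "--udp-port") and val is not None:
                udp_port = int(val)
            elif tok in ("-l", "--listen") and val:
                listen += [a.strip() for a in val.split(",")]
    return udp_port, listen

def is_local_only(addr):
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr  # drop :port
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as reachable from outside

def audit(conf_text, udp_on_by_default=True):
    """udp_on_by_default is an assumption about the build when -U is absent."""
    udp_port, listen = parse_options(conf_text)
    udp_on = udp_on_by_default if udp_port is None else udp_port != 0
    exposed = not listen or not all(is_local_only(a) for a in listen)
    checks = [
        (udp_on, "udp-enabled: set -U 0"),
        (exposed, "non-loopback-bind: use -l 127.0.0.1 or firewall port 11211"),
        (udp_on and exposed, "reflector-risk: answers spoofed UDP requests"),
    ]
    return [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    print("WEAK:", audit(WEAK), "HARDENED:", audit(HARDENED))
```

An empty list means neither condition was found; a firewall rule in front of the host is not visible to this check and has to be verified separately.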


Comments

  • How they measure its bandwidth? Surely they don't have 1tbps fiber to it?

  • jetchirag Member
    edited March 2018

    MrPsycho said: Will you update your Memcached configuration now?

    No choice there!

  • Clouvider Member, Patron Provider

    @omelas said:
    How they measure its bandwidth? Surely they don't have 1tbps fiber to it?

    Erm, as per the graph on the border routers.

    Thanked by 1Aidan
  • @omelas said:
    How they measure its bandwidth? Surely they don't have 1tbps fiber to it?

    From Akamai? They switch to Akamai when a DDoS happens.

  • omelas said: How they measure its bandwidth? Surely they don't have 1tbps fiber to it?

    Every single networking gear reports how many packets in/out it has transferred. Including their size. Later on, it was automatically summarized and presented on the graph.
    If you are curious if they have 1tbps "fiber", then yes. They do. By combining multiple links, they were able to receive 1.35Tb as per the graph. Don't compare it to your home internet - it doesn't work like that. It's not about what your ISP lets you use. It's about the gear that can handle enough packets. Internet isn't point-to-point. Packets go through lots of networks until they reach the final destination. As you can see on the graph Akamai was able to receive a total of 1.35Tb of data per sec.

    Thanked by 2Clouvider PandaRain
  • stefeman Member
    edited March 2018

    Why censor image?

  • stefeman said: Why censor image?

    Don't ask me, ask GitHub. They were the ones that censored it. I simply reuploaded the image from their blog to imgur.com

  • Attracting such a huge DDoS is something to be proud of, right? I mean you must be doing something right for so many assholes to hate you!

  • Abdussamad said: Attracting such a huge DDoS is something to be proud of, right? I mean you must be doing something right for so many assholes to hate you!

    I believe it was either a whitehat that tried to visualize the attack potential or a guy that wanted to test his capabilities.

  • The funny thing is, this method is already utilized by booters.

  • Zerpy Member

    Mitigated bits being 1.3 Tbps - so the same as OVH just had - now we want the exact number from both to see who has the biggest ddos pe***.

  • 6ixth Member

    It was me.

  • 6ixth said: It was me.

    U fund de wae to DDoS GitHub?

    Thanked by 1Wolveix
  • @MrPsycho said:

    6ixth said: It was me.

    U fund de wae to DDoS GitHub?

    What?

  • AlexBarakov Patron Provider, Veteran
    edited March 2018

    Vastly exaggerated numbers.

    EDIT: Personal opinion.

  • Tom Member

    @AlexBarakov said:
    Vastly exaggerated numbers.

    How come?

  • Neoon Community Contributor, Veteran

    Wasn't the Mirai botnet 1.6Gbit?

  • Aidan Member

    @AlexBarakov said:
    Vastly exaggerated numbers.

    How so?

  • Just a sidenote: Those 0.05TB that were not mitigated are 50 Gb, not exactly a tiny almost nothing.

    Oh and, I suggest you take this kind of attack not as a monster-maximum but as the new normal, at least in terms of a trend. The 2 main ingredients are common enough, namely udp and asymmetric request/response size.

    Obviously both the memcached team and many (most?) users are utterly incompetent retards who ignored very basic rules, but one would be very mistaken to believe that that is an exception.

    I'm waiting for symantec to get more active in the DDOS protection snakeoil business...

    Thanked by 2default Ole_Juul
  • We are soon getting close to breaking the internet if the target is not an anycast network. Bets on when it will happen?

  • WHT Member

    And why someone will ddos github?

  • @WHT said:
    And why someone will ddos github?

    Why not?

  • FHR Member, Host Rep

    @AlexBarakov said:
    Vastly exaggerated numbers.

    This incident was discussed on NANOG mailing list, those are not exaggerated numbers, this was real traffic. Server and network providers like Digital Ocean and NTT took measures to limit the impact - e.g. NTT started to rate-limit udp/11211 (memcached) on all their external interfaces.

    It seems like memcached has an amplification factor of around 50000. And it's not that hard to scan the whole internet and find unfirewalled memcached servers.

    Thanked by 1PandaRain
  • FHR Member, Host Rep

    @WHT said:
    And why someone will ddos github?

    Someone probably wanted to test firepower of their newest booter. So they chose some target who they knew would mitigate the attack and publicly share numbers.

  • AlexBarakov Patron Provider, Veteran

    @FHR said:

    @AlexBarakov said:
    Vastly exaggerated numbers.

    This incident was discussed on NANOG mailing list, those are not exaggerated numbers, this was real traffic. Server and network providers like Digital Ocean and NTT took measures to limit the impact - e.g. NTT started to rate-limit udp/11211 (memcached) on all their external interfaces.

    It seems like memcached has an amplification factor of around 50000. And it's not that hard to scan the whole internet and find unfirewalled memcached servers.

    While it was only a personal opinion, I can confirm that any sane provider I work for or work with has taken measures to limit the impact.

  • Again... like in 2014... Fuck, I really hate these exploits... Btw, I heard a few days ago about a new exploit related to the torrent network and organizing DDoS attacks with it (I'm not talking about the leaked exploit with uTorrent and RSS), I'm talking about something a little bit different...

  • Rhys Member, Host Rep

    AlexBarakov said: EDIT: Personal opinion.

    cringe

  • @Rhys said:

    AlexBarakov said: EDIT: Personal opinion.

    cringe

    We can be really glad to have such valuable, well spoken and insightful commenters like you here ...

    @AlexBarakov

    Could you tell us a bit more about your point of view ("Vastly exaggerated numbers.")?
    I was a bit bewildered, too, when I read that but I guess you have a reason for your opinion and I'd be interested in it.

  • adxn Member, Host Rep

    @6ixth said:
    It was me.
