GitHub was hit by a 1.35Tb DDoS attack, establishing a new record
This week GitHub was hit by a 1.35Tb DDoS attack. It thus established a new record. After a few minutes the attack was mitigated by Akamai, who was called in by GitHub.
Interestingly, the attackers used misconfigured Memcached servers to amplify the DDoS attack.
Memcached servers that are exposed to the world offer a huge attack multiplier - for each byte sent to them with a spoofed sender's address, you can expect a 51 kbyte response sent to the faked address. As a result, attackers can achieve an effect 51,000 times more powerful than if they attacked the victim's server directly, further hiding their identity.
You can read more here: https://githubengineering.com/ddos-incident-report/
...and here: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
What are your thoughts? Will you update your Memcached configuration now?
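For anyone answering the configuration question above, here is a small audit script, added as an example and not part of the original post or any project's code. It assumes a one-option-per-line memcached.conf and the standard memcached options `-l`/`--listen` and `-U`/`--udp-port`; the function names and sample configs are made up for illustration, and treating a missing `-U` as "UDP on" is a deliberately conservative assumption.

```python
import ipaddress
import shlex

# Constructed samples in the one-option-per-line memcached.conf style.
SAMPLE_EXPOSED = "# constructed sample\n-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
SAMPLE_HARDENED = "-m 64\n-p 11211\n-l 127.0.0.1,::1\n-U 0\n"

def parse_options(conf_text):
    """Return (listen, udp_port) as strings; None means the option is absent."""
    tokens = []
    for line in conf_text.splitlines():
        tokens += shlex.split(line, comments=True)  # drops '#' comments
    listen = udp = None
    it = iter(tokens)
    for tok in it:
        if tok in ("-l", "--listen"):
            listen = next(it, "")
        elif tok.startswith("--listen="):
            listen = tok.split("=", 1)[1]
        elif tok in ("-U", "--udp-port"):
            udp = next(it, "")
        elif tok.startswith("--udp-port="):
            udp = tok.split("=", 1)[1]
        elif tok.startswith("-U") and tok[2:].isdigit():
            udp = tok[2:]  # attached form, e.g. -U0
    return listen, udp

def is_loopback(addr):
    if addr.count(":") == 1:  # IPv4 or hostname with a :port suffix
        addr = addr.split(":")[0]
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unknown hostname: conservatively treat as reachable

def audit(conf_text, udp_on_by_default=True):
    """List findings; udp_on_by_default is an assumption about the build."""
    listen, udp = parse_options(conf_text)
    addrs = listen.split(",") if listen else ["0.0.0.0"]  # no -l: all interfaces
    exposed = [a for a in addrs if not is_loopback(a.strip())]
    udp_on = udp_on_by_default if udp is None else not (udp.isdigit() and int(udp) == 0)
    findings = []
    if udp_on:
        findings.append("udp-enabled")
    if exposed:
        findings.append("non-loopback-listener")
    if udp_on and exposed:
        findings.append("reflector-risk")  # both ingredients of the amplification setup
    return findings
```

A config that yields an empty list has UDP off and listens only on loopback; the script reads the config text only and does not check firewall rules.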
Comments
How do they measure its bandwidth? Surely they don't have 1tbps fiber to it?
No choice there!
Erm, as per the graph on the border routers.
From Akamai? They switch to Akamai when a DDoS happens.
Every single networking gear reports how many packets in/out it has transferred. Including their size. Later on, it was automatically summarized and presented on the graph.
If you are curious if they have 1tbps "fiber", then yes. They do. By combining multiple links, they were able to receive 1.35Tb as per the graph. Don't compare it to your home internet - it doesn't work like that. It's not about what your ISP lets you use. It's about the gear that can handle enough packets. Internet isn't point-to-point. Packets go through lots of networks until they reach the final destination. As you can see on the graph Akamai was able to receive a total of 1.35Tb of data per sec.
Why censor image?
Don't ask me, ask GitHub. They were the ones that censored it. I simply reuploaded the image from their blog for imgur.com
Attracting such a huge DDoS is something to be proud of, right? I mean you must be doing something right for so many assholes to hate you!
I believe it was either a whitehat that tried to visualize the attack potential or a guy that wanted to test his capabilities.
The funny thing is, this method is already utilized by booters.
Mitigated bits being 1.3 Tbps - so the same as OVH just had - now we want the exact number from both to see who has the biggest ddos pe***.
It was me.
U fund de wae to DDoS GitHub?
What?
Vastly exaggerated numbers.
EDIT: Personal opinion.
How come?
Wasn't the Mirai botnet 1.6Gbit?
How so?
Just a sidenote: Those 0.05TB that were not mitigated are 50 Gb, not exactly a tiny almost nothing.
Oh and, I suggest you take this kind of attack not as a monster-maximum but as the new normal, at least in terms of a trend. The 2 main ingredients are common enough, namely udp and asymmetric request/response size.
Obviously both the memcached team and many (most?) users are utterly incompetent retards who ignored very basic rules, but one would be very mistaken to believe that that is an exception.
I'm waiting for symantec to get more active in the DDOS protection snakeoil business...
We are soon getting close to breaking the internet if the target is not an anycast network. Bets when it will happen?
And why would someone DDoS GitHub?
Why not?
OVH got it too:
This incident was discussed on NANOG mailing list, those are not exaggerated numbers, this was real traffic. Server and network providers like Digital Ocean and NTT took measures to limit the impact - e.g. NTT started to rate-limit udp/11211 (memcached) on all their external interfaces.
It seems like memcached has an amplification factor of around 50000. And it's not that hard to scan the whole internet and find unfirewalled memcached servers.
Someone probably wanted to test firepower of their newest booter. So they chose some target who they knew would mitigate the attack and publicly share numbers.
While it was only a personal opinion, I can confirm that any sane provider I work for or work with has taken measures to limit the impact.
Again... like in 2014... Fuck, I really hate these exploits... Btw, I heard a few days ago about a new exploit related to the torrent network and organizing DDoS attacks through it (I'm not talking about the leaked exploit with uTorrent and RSS), I'm talking about something a little bit different...
cringe
We can be really glad to have such valuable, well spoken and insightful commenters like you here ...
@AlexBarakov
Could you tell us a bit more about your point of view ("Vastly exaggerated numbers.")?
I was a bit bewildered, too, when I read that but I guess you have a reason for your opinion and I'd be interested in it.