What do you do if your website is targeted by a massive DDoS (Distributed Denial of Service) attack? Most smaller websites would simply crumble under the load and crash. However, if you’re GitHub, the world’s leading developer platform, and have the assistance of Akamai Prolexic, one of the world’s best DDoS mitigation services, you could probably just walk it off – even if the attack is at an unprecedented scale. That’s exactly what happened on Wednesday, February 28, when GitHub’s website was hit by 1.3 terabits of data per second, the largest recorded DDoS attack in history.
The platform suffered intermittent outages before requesting help from Akamai, who took over traffic and began routing it all through its significantly larger servers, easing the strain while also filtering out malicious packets of data. The attackers eventually gave up and GitHub resumed regular service – in less than 10 minutes.
In an incident report about the attack, GitHub wrote, “Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack... The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.” The attack was at a scale never seen before – the only previous DDoS attack that came close was the massive attack on the servers of internet infrastructure company Dyn in late 2016 (it peaked at 1.2 Tbps, yet caused outages and connectivity issues across the United States).
Perhaps most interesting of all, this attack did not use a single botnet, as is the case in most DDoS attacks. Generally, DDoS attacks attempt to bring down websites or internet servers by blasting them with more traffic than they can handle, causing crashes that force the website and/or server offline temporarily. The easiest way to generate such large volumes of traffic is with a botnet – a network of internet-connected devices, each running one or more bots that direct a steady stream of traffic at the target. In the case of the GitHub attack, however, the attackers changed their strategy, using something called an “amplification attack”.
This amplification attack relied on memcached servers, database caching systems used to speed up websites and platforms. These servers have no authentication, so if one is exposed to the public internet, anyone can reach it and send it a small data packet that the server answers with a much larger reply, up to 50 times the size of the original query. This is exactly what the GitHub attackers used. They spoofed the platform’s IP address as the source of their requests and sent small queries to many memcached servers, which sent the replies back to GitHub – amplified 50 times.
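As an added example, not code from the article, GitHub or Akamai, the following defender-side check looks for the traffic pattern just described in flow records: inbound UDP sourced from the memcached port (11211, the default; assumed here) arriving from several unrelated hosts with very large datagrams. The flow records are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # memcached's default port; assumes the reflectors use it


@dataclass(frozen=True)
class Flow:
    """One flow record as exported by a router or collector at the victim's edge."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    octets: int
    packets: int


# Constructed sample records (RFC 5737 test addresses), not data from the GitHub incident.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 11211, "198.51.100.5", 40231, "udp", 1_400_000, 1000),
    Flow("203.0.113.11", 11211, "198.51.100.5", 40231, "udp", 1_500_000, 1100),
    Flow("203.0.113.12", 11211, "198.51.100.5", 40231, "udp", 1_300_000, 950),
    Flow("192.0.2.7", 53, "198.51.100.5", 53012, "udp", 512, 4),       # ordinary DNS reply
    Flow("192.0.2.8", 443, "198.51.100.5", 51000, "tcp", 60_000, 80),  # ordinary HTTPS
]


def detect_memcached_reflection(flows, min_reflectors=2, min_bytes_per_packet=1000):
    """Return {victim_ip: {"reflectors", "octets", "bytes_per_packet"}} for hosts that
    receive UDP *sourced from* port 11211 from several unrelated reflectors, with
    datagrams far larger than any query the victim could have sent. A web server
    never legitimately receives such traffic, so low thresholds are safe."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "octets": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != MEMCACHED_PORT:
            continue  # only reflected memcached replies are of interest here
        agg = per_victim[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["octets"] += f.octets
        agg["packets"] += f.packets

    findings = {}
    for victim, agg in per_victim.items():
        bpp = agg["octets"] / max(agg["packets"], 1)
        if len(agg["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            findings[victim] = {"reflectors": len(agg["reflectors"]),
                                "octets": agg["octets"], "bytes_per_packet": round(bpp)}
    return findings
```

Flagged destinations are candidates for the kind of upstream filtering the article describes; on the victim side, the same fingerprint (many sources, one source port, oversized datagrams) is what makes this traffic cheap to drop at the edge.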
While Akamai was able to mitigate the GitHub attack without too much trouble, thanks to infrastructure set up to handle five times the traffic seen in the Dyn attack, the company anticipates more memcached-based amplification attacks in the future. A blog post on the company website yesterday stated, “Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favourite tool rapidly... Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly.”