Github suffered a DDoS barrage the likes of which tower over any such attack previously. About 1.35 terabits per second of traffic hit Github all at once on Wednesday and Akami was called in to give them a hand and reroute traffic until the attack abated. IT security experts commented below.
Ashley Stephenson, CEO at Corero Nework Security:
“The recent 1.34Terabit attack on GitHub demonstrates how quickly the DDoS landscape can change. It is just a few days since the memcached reflection/amplification vulnerability became widely known. Within a week the largest DDoS ever reported lands on our doorstep, an event that will make mainstream news. Meanwhile, Corero has observed a steady ramp in the past few days of memcached based attacks on the wider community. The terabit attack will grab the “biggest and baddest” headlines casting a shadow that will obscure the thousands of businesses worldwide that have been hit with smaller but equally disruptive DDoS attacks leveraging the memcached vector during the past week. Of additional note is the GitHub report of the time delay in the response to this attack. Time to mitigation was around 10 minutes meaning the attack succeeded in impacting Github service, mission accomplished for the attackers who were flexing their DDoS muscles. However, technology is now available for sub-second detection and mitigation of attacks and fully automated signaling for cloud assist to eliminate this downtime. Thousands of businesses enjoy this real-time DDoS protection today.”
Sammy Migues, Principal Scientist at Synopsys:
“This massive DDoS attack was possible because organisations operating memcached servers failed to implement some very basic security practices. The impact was minimal because GitHub was commendably prepared to survive an attack much larger than this. Unless the unwitting operators of these memcached servers take corrective action, it is inevitable that other ill-equipped targets will fall victim to similar DDoS attacks and suffer a much longer outage.
To prevent this, operators of memcached servers should take the following steps:
- Ensure your memcached server is not exposed to the Internet.
- In every perimeter facing firewall you have, immediately block all access from the Internet to UDP port 11211
- Disable UDP on all memcached servers.
On a more macro level, ISPs need to block spoofed packets from exiting their networks, and protocol developers need to better understand velocity checking and amplification attacks.”
