Interestingly, the attackers did not use a botnet; instead, they weaponized misconfigured Memcached servers to amplify the DDoS attack.
Earlier this week we published a report detailing how attackers could abuse Memcached, a popular open-source and easily deployable distributed caching system, to launch a DDoS attack over 51,000 times more powerful than its original strength.
GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic.
Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets.
After eight minutes, attackers relented and the assault dropped off.
The scale of the attack has few parallels, but a massive DDoS that struck the internet infrastructure company Dyn in late 2016 comes close.
That barrage peaked at 1.2 Tbps and caused connectivity issues across the US as Dyn fought to get the situation under control.
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai, said hours after the GitHub attack ended.
“So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once.
It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope.”
A request of just a few bytes sent to a vulnerable server triggers a response tens of thousands of times bigger, directed at the targeted IP address.
“This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed,” said Akamai, a cloud computing company that helped GitHub to survive the attack.
In a post on its engineering blog, GitHub said, “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.
It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”
Expect More Record-Breaking DDoS Attacks
Though amplification attacks are not new, this attack vector involves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could be exploited to launch potentially more massive attacks soon against other targets.
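A defensive check for the misconfiguration described above, as an added example that is not part of the original article: it audits a memcached option string for the two settings that make a server usable as a reflector, relying on memcached's `-l` (listen address) and `-U` (UDP port, `0` disables it) options. The function names, the `udp_default_on` parameter and the sample option strings are constructed for illustration.

```python
import ipaddress
import shlex

def _values(tokens, flag):
    """All values given for a short option, written as '-U 0' or '-U0'."""
    found = []
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens):
            found.append(tokens[i + 1])
        elif tok.startswith(flag) and len(tok) > len(flag):
            found.append(tok[len(flag):])
    return found

def _is_loopback(addr):
    """True only for addresses that other hosts cannot reach."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False  # hostname, wildcard or host:port form: treat as exposed

def audit_memcached_args(args, udp_default_on=True):
    """Return hardening findings for one memcached option string.

    udp_default_on is an assumption the caller sets: whether this build
    serves UDP when no -U option is given. True is the cautious choice.
    """
    tokens = shlex.split(args, comments=True)
    udp = _values(tokens, "-U")
    udp_on = any(v != "0" for v in udp) if udp else udp_default_on
    addrs = [a for v in _values(tokens, "-l") for a in v.split(",")]
    exposed = [a for a in (addrs or ["all interfaces"]) if not _is_loopback(a)]
    where = ", ".join(exposed)
    findings = []
    if exposed and udp_on:
        findings.append("UDP served on %s: usable as a reflector; set -U 0" % where)
    if exposed:
        findings.append("cache reachable on %s: restrict with -l and a firewall" % where)
    return findings

# Constructed sample option strings, not taken from any real host.
SAMPLES = {
    "hardened": "-m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0",
    "exposed": "-m 1024 -p 11211 -u memcache -l 0.0.0.0",
    "tcp-only": "-m 64 -l 10.0.0.5 -U 0  # internal address",
}
```

An address the script cannot prove to be loopback is reported as reachable, so an internal-only bind still produces a finding to confirm against the firewall rules.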