Recently, GitHub was hit by one of the largest DDoS attacks ever recorded. The attack lasted only nine minutes, but the servers were flooded with traffic volumes reaching almost 2Tbps. According to the GitHub Engineering team, the attack took the site down from 17:21 to 17:26 UTC on February 28.
What is a DDoS attack?
A DDoS or distributed-denial-of-service attack is a type of attack in which multiple computers, servers or IoT devices are used to send a massive number of requests to a target server or service. When the server starts processing these requests and tries to reply to each one with the requested information, its resources are exhausted answering the flood, and the service becomes unavailable even to legitimate users.
How did the hackers manage to send such a huge amount of data to the server?
In a traditional DDoS attack, hackers compromise multiple computers, servers or IoT devices and use those devices to send a huge number of requests to a target server. For instance, if one system sends 1 MB of data to the server, 1 million compromised systems together send 1 Terabyte of data to the server. The server won't be able to process such a huge amount of data at once and will therefore crash.
Was this the case with the GitHub DDoS attack?
No. In this case, the hackers achieved the DDoS attack by compromising only a few systems and amplifying the data sent by those systems through exposed memcached servers. Memcached is a free and open-source distributed memory object caching system, intended to speed up dynamic web applications by reducing database load.
This means that where one system would normally send 1 MB of data to the server, the hackers amplified that data 51,000 times, so 1 MB became 51 GB of data. Thus the hackers were able to carry out the DDoS attack using only a few compromised devices.
The attackers were able to flood the server with this volume of data by using a reflection/amplification vector that exploited numerous exposed memcached servers, amplifying the traffic to almost 51,000 times the real attack bandwidth without needing a large number of hacked devices.
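As an added example (not part of the original article or of GitHub's own tooling), the following script shows how an operator hosting a memcached server could spot it being used as a reflector: it reads constructed flow records and, per peer IP, compares the UDP bytes memcached sent to that peer with the UDP bytes received from it. The flow format, the sample addresses and the ratio threshold are assumptions; memcached's default port 11211 is real.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211  # memcached's default port; only the UDP listener can be abused for reflection

# Constructed flow records, not captured data. Fields: proto,src_ip,src_port,dst_ip,dst_port,bytes
# Imagine these were exported by a router in front of a memcached host at 203.0.113.10.
SAMPLE_FLOWS = """\
udp,198.51.100.5,52000,203.0.113.10,11211,56
udp,203.0.113.10,11211,198.51.100.5,52000,1400000
udp,203.0.113.10,11211,198.51.100.5,52000,1400000
udp,10.0.0.8,40100,203.0.113.10,11211,120
udp,203.0.113.10,11211,10.0.0.8,40100,600
tcp,10.0.0.9,40200,203.0.113.10,11211,300
tcp,203.0.113.10,11211,10.0.0.9,40200,4000
"""

def parse_flows(text):
    """Parse CSV flow lines into dicts; ports and byte counts become ints."""
    flows = []
    for line in text.strip().splitlines():
        proto, src_ip, src_port, dst_ip, dst_port, nbytes = line.split(",")
        flows.append({"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
                      "dst_ip": dst_ip, "dst_port": int(dst_port), "bytes": int(nbytes)})
    return flows

def reflection_report(flows, min_ratio=100.0):
    """Per peer IP, compare UDP bytes sent by memcached with UDP bytes received from that peer.
    A peer that 'asks' with a few bytes and is 'answered' with megabytes is the spoofed source of
    a reflection attack (the DDoS victim); the ratio is the amplification factor the article describes."""
    sent = defaultdict(int)      # bytes from memcached's UDP port to each peer
    received = defaultdict(int)  # bytes from each peer to memcached's UDP port
    for f in flows:
        if f["proto"] != "udp":
            continue  # TCP sessions cannot be spoofed this way, so they are ignored
        if f["src_port"] == MEMCACHED_PORT:
            sent[f["dst_ip"]] += f["bytes"]
        elif f["dst_port"] == MEMCACHED_PORT:
            received[f["src_ip"]] += f["bytes"]
    report = {}
    for peer in set(sent) | set(received):
        ratio = sent[peer] / max(received[peer], 1)  # guard against peers that never sent anything
        report[peer] = {"sent": sent[peer], "received": received[peer],
                        "ratio": ratio, "flagged": ratio >= min_ratio}
    return report

def flagged_peers(flows, min_ratio=100.0):
    """Return the peer IPs whose amplification ratio meets the threshold, sorted for stable output."""
    return sorted(p for p, r in reflection_report(flows, min_ratio).items() if r["flagged"])

if __name__ == "__main__":
    for peer, r in reflection_report(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{peer}: sent={r['sent']} received={r['received']} ratio={r['ratio']:.0f} flagged={r['flagged']}")
```

An operator who sees such ratios should stop memcached from listening on UDP (`-U 0`) or bind it to localhost (`-l 127.0.0.1`) and block port 11211 at the network edge, since a cache is never meant to be reachable from the public internet.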
How to stay safe from a GitHub-like DDoS attack?
General users should keep their antivirus/anti-malware software updated. They should use only legitimate antivirus software and update it with the latest signatures to protect their systems from being recruited into an attack. Also, keep an eye on the installed programs and software: if you see an application that seems unknown or unwanted, remove it, especially if the publisher of the software is unknown. Always keep your operating system up to date.
Server admins, on the other hand, must use proper Intrusion Detection Systems (IDS) and log monitoring services to constantly track the kind of access the server is granting to users. Web admins must also carry out proper auditing and Vulnerability Assessment & Penetration Testing (VAPT) exercises to close as many loopholes as possible, so that it isn't trivially easy to compromise their servers and web applications and upload malicious miners or malware.
According to Ankush Johar, Director at Infosec Ventures, in most cases hackers carry out DDoS attacks by infecting vulnerable devices/servers en masse and making them part of their botnet. They further use these compromised systems to carry out malicious activities like cryptocurrency mining or distributed-denial-of-service attacks.
He said, “Consumers are suggested to take necessary security measures such as installing a legitimate antivirus and updating the OS regularly to prevent their system from getting targeted. System Admins, on the other hand, are advised to keep the servers secure by configuring an Intrusion Detection System with firewalls and proper auditing to mitigate such risks.”