Cybersecurity Case Study #2
Title: GitHub's Battle Against the Largest DDoS Attack
Introduction
GitHub, a platform where developers collaborate on projects, experienced an extraordinary
event on Wednesday, February 28, 2018, at around 12:15 pm EST. A massive wave of traffic,
1.35 terabits per second, hit the website, marking the most powerful distributed denial of service
(DDoS) attack ever recorded. Surprisingly, this attack did not require a botnet.
The Attack and Initial Response
A DDoS attack is like a digital traffic jam, where a website gets flooded with so much traffic that
it can't handle it all, causing it to slow down or even stop working. In this case, GitHub faced a
digital storm. For a few minutes, the website struggled with outages, but then it called for help
from its DDoS mitigation service, Akamai Prolexic. Prolexic acted as a shield, routing all the
traffic coming in and out of GitHub. It sent the data through special cleaning centers to separate
and block the bad traffic from the good.
Comparing to Previous Attacks
The attack was significantly larger than a similar attack that happened in 2016 against an
internet infrastructure company called Dyn. That attack reached 1.2 terabits per second and
caused connectivity issues across the United States. However, this time, the good guys were
prepared.
Defending Against the Attack
Akamai defended against the attack in several ways. In addition to Prolexic's general DDoS
defense infrastructure, the company had also recently implemented specific defenses for a type
of DDoS attack that comes from something called memcached servers. These servers are like
digital librarians that help speed up networks and websites by remembering and quickly
providing information. However, they're not supposed to be exposed on the public internet,
where anyone can access them.
The Role of Memcached Servers
Unfortunately, about 100,000 memcached servers were exposed online without any protection.
This meant that an attacker could access them and send them a special command, which the
server would respond to with a much larger reply. This is like asking a librarian a simple
question and getting a truckload of books in response!
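As an added illustration written for this case study (not code from GitHub, Akamai or the memcached project), the check below audits a memcached start-up command line for the exposure just described: a server bound to an interface reachable from the internet that still answers over UDP, the combination that let it be abused as a reflector. The -l, -U and -p flags are memcached's real options; the defaults the audit assumes (bind to every interface, UDP on port 11211) model builds from before UDP was turned off by default, and the two sample command lines are constructed.

```python
# Added example, not from the case study: audit a memcached command line for
# the two settings that let a server act as a reflector, i.e. answering over
# UDP while bound to an interface reachable from the internet.  -l, -U and -p
# are real memcached options; the assumed defaults and the sample command
# lines at the bottom are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import List


def classify_bind(addr: str) -> str:
    """Classify a listen address as 'any', 'loopback' or 'other'."""
    if addr == "*":
        return "any"
    if addr == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "other"          # a hostname: resolve it before trusting it
    if ip.is_unspecified:       # 0.0.0.0 or ::
        return "any"
    if ip.is_loopback:          # 127.0.0.0/8 or ::1
        return "loopback"
    return "other"


def option_value(argv: List[str], flag: str, default: str) -> str:
    """Value of a short option written as '-l ADDR' or '-lADDR'; the last one wins."""
    value = default
    i = 1  # argv[0] is the program name
    while i < len(argv):
        arg = argv[i]
        if arg == flag and i + 1 < len(argv):
            value = argv[i + 1]
            i += 2
            continue
        if arg.startswith(flag) and len(arg) > len(flag):
            value = arg[len(flag):]
        i += 1
    return value


@dataclass
class MemcachedAudit:
    listen_addrs: List[str]
    udp_port: int
    findings: List[str]

    @property
    def reachable_off_host(self) -> bool:
        return any(classify_bind(a) != "loopback" for a in self.listen_addrs)

    @property
    def usable_as_reflector(self) -> bool:
        # Reflection needs spoofable UDP *and* a bind reachable from outside the host
        return self.udp_port != 0 and self.reachable_off_host


def audit_memcached_args(argv: List[str]) -> MemcachedAudit:
    # Assumed defaults (older builds): bind to every interface and serve UDP
    # on 11211 unless -l / -U say otherwise.
    listen = option_value(argv, "-l", "0.0.0.0")
    addrs = [a.strip() for a in listen.split(",") if a.strip()]
    udp_port = int(option_value(argv, "-U", "11211"))

    findings = []
    for addr in addrs:
        kind = classify_bind(addr)
        if kind == "any":
            findings.append(f"bound to every interface ({addr}); use -l to bind to loopback or an internal NIC")
        elif kind == "other":
            findings.append(f"bound to {addr}; confirm a firewall blocks port 11211 from the internet")
    if udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}; start with -U 0 unless UDP is required")
    return MemcachedAudit(addrs, udp_port, findings)


# Constructed sample command lines: the weak setting beside the corrected one.
WEAK_ARGS = ["memcached", "-m", "64", "-p", "11211", "-U", "11211", "-l", "0.0.0.0"]
HARDENED_ARGS = ["memcached", "-m", "64", "-p", "11211", "-U", "0", "-l", "127.0.0.1"]

if __name__ == "__main__":
    for label, argv in (("weak", WEAK_ARGS), ("hardened", HARDENED_ARGS)):
        audit = audit_memcached_args(argv)
        print(f"{label}: usable as reflector = {audit.usable_as_reflector}")
        for finding in audit.findings:
            print("  -", finding)
```

Run as a script it prints the findings for both command lines; the weak one is flagged on both counts, the hardened one on neither. Disabling UDP alone removes the reflection risk, but a server still bound to every interface remains reachable over TCP, which is why the audit reports the bind address separately.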
Amplification Attacks
Unlike other DDoS attacks that use botnets (networks of infected computers) to flood websites
with traffic, memcached DDoS attacks don't need a botnet. Instead, attackers just pretend to be
their victim by using their victim's IP address and send small requests to multiple memcached
servers. Each server then sends back a reply around 50 times larger than the request it received,
and because the request carried the victim's address, all of those replies land on the victim,
causing a massive traffic jam.
Implementing Defenses
As internet service and infrastructure providers noticed more memcached DDoS attacks
happening, they quickly worked to create defenses to block traffic from these servers.
Companies like Prolexic that defend against DDoS attacks added filters to block memcached
traffic if they detected a suspicious amount of it. And if internet backbone companies could
figure out the attack command used in a memcached DDoS, they could block any memcached
packets of that length.
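To make the amplification and filtering described in the last two sections concrete, the added example below (written for this case study, not taken from Akamai, Prolexic or any provider) runs a detection pass over flow records of the kind a provider's collector might export. It totals UDP bytes arriving from memcached's port 11211 per destination and flags destinations above a volume threshold, which is the signal a scrubbing filter would key on, and it computes the reply-to-request ratio for a reflector where both directions are visible. The record format, the addresses and every byte count are constructed; the threshold is a tuning parameter, not a figure from the page.

```python
# Added example, not from the case study: flag destinations receiving an
# abnormal volume of UDP traffic from memcached's port (11211) and measure the
# amplification a reflector delivered.  The flow record format and all
# addresses and byte counts below are constructed for this example.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

MEMCACHED_PORT = 11211

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)\s+packets=(?P<pkts>\d+)$"
)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record into a dict with integer ports and counts."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes", "pkts"):
        rec[key] = int(rec[key])
    return rec


def memcached_reply_bytes(lines: Iterable[str]) -> Dict[str, int]:
    """Total bytes per destination that arrived over UDP *from* port 11211."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_flow(line)
        if rec["proto"] == "udp" and rec["sport"] == MEMCACHED_PORT:
            totals[rec["dst"]] += rec["bytes"]
    return dict(totals)


def flag_reflection_victims(lines: List[str], threshold_bytes: int) -> List[Tuple[str, int]]:
    """Destinations whose memcached-sourced UDP volume exceeds the threshold,
    largest first.  Memcached should never be reached from across the internet,
    so UDP from 11211 crossing a network border in any real volume is suspect;
    the threshold just keeps stray single packets out of the alert."""
    totals = memcached_reply_bytes(lines)
    hits = [(dst, total) for dst, total in totals.items() if total > threshold_bytes]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def amplification_ratio(lines: Iterable[str], reflector: str) -> float:
    """Bytes a reflector sent from 11211 divided by bytes it received on 11211,
    over the requests and replies the collector actually saw."""
    sent = received = 0
    for line in lines:
        rec = parse_flow(line)
        if rec["proto"] != "udp":
            continue
        if rec["src"] == reflector and rec["sport"] == MEMCACHED_PORT:
            sent += rec["bytes"]
        elif rec["dst"] == reflector and rec["dport"] == MEMCACHED_PORT:
            received += rec["bytes"]
    return sent / received if received else float("inf")


# Constructed records as an upstream collector might see them: small requests
# carrying the victim's (spoofed) address 198.51.100.5, far larger replies from
# two exposed memcached servers, plus ordinary traffic that must not be flagged.
SAMPLE_FLOWS = [
    "2018-02-28T17:15:01Z udp 198.51.100.5:40001 -> 203.0.113.10:11211 bytes=60 packets=1",
    "2018-02-28T17:15:01Z udp 203.0.113.10:11211 -> 198.51.100.5:40001 bytes=3000 packets=3",
    "2018-02-28T17:15:01Z udp 198.51.100.5:40002 -> 203.0.113.20:11211 bytes=60 packets=1",
    "2018-02-28T17:15:02Z udp 203.0.113.20:11211 -> 198.51.100.5:40002 bytes=3000 packets=3",
    "2018-02-28T17:15:02Z tcp 192.0.2.7:52000 -> 198.51.100.5:443 bytes=900 packets=6",
    "2018-02-28T17:15:02Z udp 203.0.113.10:11211 -> 192.0.2.9:40003 bytes=120 packets=1",
]

if __name__ == "__main__":
    for dst, total in flag_reflection_victims(SAMPLE_FLOWS, threshold_bytes=1000):
        print(f"flag {dst}: {total} bytes of UDP from port {MEMCACHED_PORT}")
    print("ratio for 203.0.113.10:", amplification_ratio(SAMPLE_FLOWS, "203.0.113.10"))
```

With the sample records, the victim address accumulates 6000 bytes of reflected traffic and is the only destination flagged at a 1000-byte threshold, while the HTTPS flow and the single small reply to another host are ignored. The per-reflector ratio comes out at roughly 50, in line with the figure the case study gives; on real collectors the same aggregation would run per time window so that rate, not just total, drives the filter.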
Conclusion
GitHub had faced a major DDoS attack before, back in March 2015, which lasted for six days
and was possibly carried out by Chinese state-sponsored hackers. That attack was impressive
at the time, but DDoS techniques and platforms have evolved and grown increasingly powerful.
The GitHub attack serves as a reminder of the importance of implementing strong defenses
against DDoS attacks and addressing underlying vulnerabilities in internet infrastructure.
***This case study was adapted for use in the classroom from this article