Github DDOS Attack


Introduction:

Cyber attacks have become a common scenario these days. Denial of service (DoS) and distributed denial of service (DDoS) attacks are common types that, as the name implies, render websites and other online resources unavailable to their intended users. What distinguishes these attacks is that, unlike other cyber attacks which attempt to breach the data and useful information of businesses, they render the website absolutely useless to its users.
The differences between DoS and DDoS are important. In a DoS attack, a single Internet connection is used either to exploit a software vulnerability or to flood a target with fake requests, usually in an attempt to exhaust server resources. In a DDoS attack, on the other hand, multiple connected devices across the internet are used to launch the attack. These multi-device attacks are generally harder to deflect, mostly due to the sheer volume of devices involved. DDoS attacks target the host network, flooding it with volumes of traffic and rendering it completely useless.


Denial of service assaults often last for days, weeks and even months at a time, making them extremely destructive to any online organization. They affect revenues, company reputation and consumer trust.
Described here is one such malicious attack.
On 28th February 2018, GitHub was 'Memcrashed': hit with what is dubbed the biggest attack of its kind to date, a Distributed Denial of Service (DDoS) attack peaking at 1.35 Tbps without using a single botnet.

So what does 'Memcrashed' mean?

It is an amplification DDoS attack made using weaponised Memcached servers. Memcached is a popular, open-source and easily deployable distributed caching system: it allows data to be cached so that the strain on heavier data stores such as a disk or a database can be eased. The server, which is installed by default on many Linux distributions, is designed to work with a large number of open connections. It also listens on UDP (normally port 11211) and accepts commands with no authentication. These servers are typically found in cloud server environments on systems not directly exposed to the internet, but because of the UDP listener many Memcached instances are "inadvertently accessible on the public internet", as GitHub put it in its official report.

Attackers exploit this 'inadvertent access' by spoofing the source IP address of the requests sent to the servers, so that every Memcached server responding to those requests replies to the spoofed address, that of the victim. The worst thing about a Memcached attack is that it can amplify the attack traffic up to 51000 times the original attack strength. Because of this amplification effect, even a few bytes of requests result in responses tens of times larger, directed at the victim's IP address.


The graph above shows the distribution of the data flow during the DDoS attack. The servers were flooded with data, and the data rate shot up to 51k times the usual.

GitHub says, "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the Memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second."
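As an added example (not from the original article or from GitHub's report), the following Python flags the reflection pattern described above in constructed NetFlow-style records: many distinct hosts answering from a reflector port such as 11211 with near-maximum-size UDP packets toward one destination. The reflector port list, the thresholds and the sample addresses are assumptions, and the amplification ratio is only computable when the spoofed requests are also visible, which is normally the case on the reflector's network, not the victim's.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors (illustrative list, an assumption)
REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp"}

# Constructed NetFlow-style records: (proto, src_ip, src_port, dst_ip, dst_port, bytes, packets)
SAMPLE_FLOWS = [
    ("tcp", "203.0.113.10", 52344, "198.51.100.5", 443, 4200, 12),  # normal HTTPS
    ("udp", "198.51.100.5", 40001, "203.0.113.53", 53, 64, 1),      # normal DNS query
    # tiny spoofed requests as a reflector's network would see them (source = victim)
    ("udp", "198.51.100.5", 33333, "192.0.2.11", 11211, 60, 4),
    ("udp", "198.51.100.5", 33333, "192.0.2.12", 11211, 60, 4),
    ("udp", "198.51.100.5", 33333, "192.0.2.13", 11211, 60, 4),
    # large Memcached replies converging on the victim
    ("udp", "192.0.2.11", 11211, "198.51.100.5", 33333, 1_400_000, 1000),
    ("udp", "192.0.2.12", 11211, "198.51.100.5", 33333, 1_400_000, 1000),
    ("udp", "192.0.2.13", 11211, "198.51.100.5", 33333, 1_400_000, 1000),
]

def detect_reflection(flows, min_reflectors=3, min_bytes_per_pkt=900):
    """Flag (victim_ip, service) pairs receiving large UDP replies from many reflectors.
    Thresholds are assumptions: Memcached replies approach the ~1400-byte UDP
    payload size, so a high bytes-per-packet ratio from many distinct hosts on a
    reflector port is the signature. Amplification is computed only when the
    matching request flows are visible too (normally only on the reflector side).
    """
    replies = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    requests = defaultdict(int)  # request bytes keyed by (apparent source, service)
    for proto, src, sport, dst, dport, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS:  # reply leaving a reflector
            e = replies[(dst, REFLECTOR_PORTS[sport])]
            e["reflectors"].add(src)
            e["bytes"] += nbytes
            e["pkts"] += pkts
        elif dport in REFLECTOR_PORTS:  # request (possibly spoofed) toward a reflector
            requests[(src, REFLECTOR_PORTS[dport])] += nbytes
    alerts = {}
    for key, e in replies.items():
        bpp = e["bytes"] / e["pkts"]
        if len(e["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_pkt:
            req_bytes = requests.get(key, 0)
            alerts[key] = {
                "reflectors": len(e["reflectors"]),
                "bytes": e["bytes"],
                "bytes_per_pkt": bpp,
                "amplification": e["bytes"] / req_bytes if req_bytes else None,
            }
    return alerts
```

On the sample data the victim 198.51.100.5 is flagged for memcached reflection from 3 hosts at 1400 bytes per packet, with an observed amplification of roughly 23,000x relative to the 180 bytes of spoofed requests.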

Solutions to the problem mentioned:


One immediate remedy to this problem was provided by Prolexic. All the traffic being pushed at GitHub was rerouted over different paths and distributed, which reduced the load on any one link, and so the attack was stopped within 8 minutes. The DDoS mitigation service stepped in during that time. The situation took a short while to settle after the attack, but one drawback was that GitHub experienced several intermittent issues: the GitHub service was offline for some time, which left the several million users who rely on GitHub for their projects unable to work. For a foolproof solution to such problems, one must ensure that Memcached, DNS and other potential reflectors are not exposed to the public and are kept secured. Port 11211 must also be blocked for the prevention of any attacks. The Mirai botnet caused a similar problem. The methods to prevent these attacks are:

1. Making use of firewalls - blocking the sender's IP address via default packet handling on the device. Malicious data must be checked for and blocked according to the security policy.
2. Making use of specialised equipment / load balancers - load-balancing solutions for your ISP connections so that the traffic is handled in a round-robin or overflow scenario.
3. ISP mitigation (the Internet Service Provider must intervene in these situations and help with preventing the attack).
4. 3rd-party mitigation (several other 3rd parties may also help mitigate these issues for proper rectification).

Steps 3 and 4 are usually combined: for large attacks, you will need to depend on the coordination of your ISP and a 3rd-party cloud mitigation service.


