back to article Gits club GitHub code tub with record-breaking 1.35Tbps DDoS drub

What's purported to be the world's largest distributed denial of service attack to date – measuring 1.35Tbps – knocked GitHub offline for a few minutes yesterday. The massive tsunami hit at 1721 UTC. During the assault, the popular code sharing website's admins noticed thousands of systems and devices slamming GitHub's web …

  1. Anonymous Coward
    Happy

    for a few minutes, it's not worth it

    "What's purported to be the world's largest distributed denial of service attack to date – measuring 1.35Tbps – knocked GitHub offline for a few minutes yesterday."

    Largest attack,

    For a FEW Minutes.

    I am disappointed, but I am happy.

    a DDOS quake that rattled few bones.

    1. Anonymous Coward
      Anonymous Coward

      Re: for a few minutes, it's not worth it

      it was only a few minutes because they got a CDN to nail it, not because that's was the length of the attack

    2. JLV Silver badge

      Re: for a few minutes, it's not worth it

      Well, maybe.

      But what would it do to a less prepared outfit than Github? Who already had a wakeup call a year or so ago with was attributed to perhaps Chinese retaliation for some packages china objected to.

      I do wonder. Won't the bandwidth bills eventually show up at the memcache user sites? Prompting them to take thumbs out of rectal cavity and secure them?

  2. DeKrow
    Pirate

    Grey hat response...

    Would an appropriate response to those who take too long* to secure their systems be to cross-fire DDoS's between the various insecure systems until they magically become either secure, offline, or blocked by upstream network providers?

    *tolerance dependent upon seriousness of potential in combination with inaction after notification.

    1. bombastic bob Silver badge
      Pirate

      Re: Grey hat response...

      creating a self-perpetuating loop would be even worse...

  3. Nate Amsden Silver badge

    learn new things almost every day

    Been supporting apps that use memcache I want to say for about 11 years now and never knew it listened on udp. Obviously my memcache servers are never exposed to interwebs, but do find it interesting that the developers that have wanted memcache never mentioned it either.

    I'd wager probably not alone in not knowing that.

    1. Anonymous Coward Silver badge
      Boffin

      Re: learn new things almost every day

      Not once in those 11 years have you run netstat to check that it was listening? Oops

  4. Steve Aubrey
    Pirate

    Really?

    Remediation has been in the memcached documentation for years - I used it when I installed (since replaced) memcached at $WORK.

    At the time, I thought "Nobody would be so silly as to leave that open, would they??" Then I did a quick search and found many publicly open. 'tain't like the bad guys have to wait on somebody else to compile a list.

    I never thought about using the amplification against somebody - shows why I'm not in the black hat realm. Securing my own? Yup. Weaponizing? Never crossed my mind.

  5. DNTP

    "Programmers should also think..."

    "...can this be exploited to reflect large amounts of traffic from small requests"

    To those techies out there having trouble visualizing this concept, just imagine your local beancounter popping into your cubicle and asking, "Could you take a look at my PC? I'm having this tiny little problem..."

    1. Anonymous Coward
      Anonymous Coward

      Re: "Programmers should also think..."

      > imagine your local beancounter popping into your cubicle and asking, "Could you take a look at my PC? I'm having this tiny little problem..."

      Or imagine going to your colleague from accounting and asking "I have a quick question, it's about taxes / mortgage / car lease / divorce / etc."

      It is quite normal that people tend to misestimate the complexity of a task in a domain with which they are not familiar.

  6. Anonymous Coward
    Anonymous Coward

    ...in their report...

    "it is highly likely that this record attack will not be the biggest for long," Akamai warned in its report. Good business generator/ advert for Akamai...!

  7. AndersBreiner

    Tabloidtastic headline.

    That headline is a work of art.

  8. Anonymous Coward
    Anonymous Coward

    If you were a chef...

    ...you wouldn't leave your stove on the pavement.

    Who are these dumb-f**ks who expose private infrastructure to the internet anyway?

    1. Uplink
      Holmes

      Re: If you were a chef...

      "Who are these dumb-f**ks who expose private infrastructure to the internet anyway?"

      Everybody who wants to run a business online but knows fuck all about computers. Individuals or small groups of individuals who want to make money, but not hire IT experts or learn stuff themselves. Or they hire IT "experts", with quotes included, who throw up a WordPress with a Memcached plugin (for performance or something), take the money and go.

      I had an epiphany about such a scenario quite recently. My software developer veil is preventing me from even thinking of lots of things "normal" people do without blinking (e.g. write your e-learning content in PowerPoint and attempt to put that online by "embedding" it in WordPress because it works on your computer like that).

    2. JLV Silver badge

      Re: If you were a chef...

      true but systems like postgres install w incoming connections pretty much all disabled except for localhost. still very easy to play with, but opening needs a modicum of thought.

      this is not the first time this type of stuff has happened - mongodb was similar a while back

    3. bombastic bob Silver badge
      Devil

      Re: If you were a chef...

      they're people who don't understand firewalls and private/public address spaces

  9. DrXym Silver badge

    A few minutes

    Well that was worth it then.

    Besides which, Git is distributed so the worst that happened was some people couldn't push or pull commits for a bit.

  10. Anonymous Coward
    Stop

    "Only a few minutes"

    Please go back, read and comprehend.

    "At that point, GitHub turned to Akamai to filter out the malicious traffic, ending the attack's effect after five or so minutes."

    The attack, for those that think otherwise lasted longer than 5 minutes, but thanks to a CDN (Cloudflare are another one), the EFFECTS were stopped, not the attack.

    1. DropBear Silver badge

      Re: "Only a few minutes"

      Yawn. Let me know when baddies get marks for effort instead of "EFFECTS". Everyone else is quite correctly pointing out that as long as this kind of attack is relatively easily diverted, regardless of exactly what does that take, it's not going to be very popular against "whales".

  11. TheRealRoland

    Still some stuff happening?

    I see intermittent glitches on anything atlassian - JIRA, Confluence mainly; US East Coast, Central Time zone as well. It all seems stable, but even the main atlassian site itself was still down, a minute ago.

  12. Brian Miller Silver badge

    Research to implementation, priceless

    Wasn't there a post recently warning about this? It doesn't take much to patch something up to take advantage of this "vulnerability."

    As for leaving critical things out in the open, it unfortunately happens too often. An incompetent manager doesn't oversee an incompetent techie, and then stuff goes live. I worked at one place where they had no clue about configuring iptables or NTP for their product. And they threw up all kinds of roadblocks which amounted to, "we don't want to do our jobs."

    And so of course things like this happen.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019