The GitHub which is one the largest open source platform for code sharing; was hit by the largest DDoS attack ever recorded in history. The DDoS attack lasted only for nine minutes, but the servers were flooded with data volumes reaching almost 2Tbps.
What is a DDoS attack?
A DDoS or distributed-denial-of-service attack is a type of attack where multiple computer/servers/IoT devices are used to send a massive amount of requests to a target server/service. When the server starts processing these requests and tries to reply to them with a response containing the requested information, its causes the service/server to become unavailable for even the legitimate users as the resource get exhausted on replying to the mass requests.
How did the hackers manage to send such huge amount of data to the server?
In case of traditional DDoS attack, hackers compromise multiple computer, servers or IoT devices and use those devices to send a huge amount of request to a target server. For instance, If one system sends data of 1 MB to the server, 1 Million compromised systems will together send 1 Terabyte of data to the server. The server won’t be able to process such huge amount of data at once and therefore will crash.
However, in this case, hackers were able to achieve the DDoS attack by compromising few systems and amplifying the data send by those systems using an exposed Memcached server.
What is Memcached Server?
Memcached is a free and open-source, distributed memory object caching system that is intended for use in speeding up dynamic web applications by reducing database load. It depends on the libevent library. Memcached runs on Microsoft Windows and Unix-like operating systems such as Linux and MacOS.
How does Memcached work?
The Memcached caching system works is same like pulling data from the database but in its case, it depends on certain conditions. The Memcached installed server cached the data which is going to be used by certain web applications. When app requests for some information that stored in a database or generate any query the Memcached first checks that data exist in the cache or not. If that is available in cache records, then it just pulls and fulfills the demand and there will be no need to query the database that saves it form extra load. But if the data which need by an application not available in the cache system then it retrieves directly from the database and also going to be cached by Memcached for future use. Moreover, whenever some information changed in the old data the cache needs to be a refresh or flush to give the updated information.
It means that if one system was supposed to send a data of 1 MB to the server, the hackers amplified the data 51,000 times, therefore, 1 MB was amplified to 51 GB of data. Thus the hackers were able to carry out the DDoS attack by using a few compromised devices.
According to the GitHub Engineering team, the attack caused the site to shut down from 17:21 to 17:26 UTC on February 28.
The DDoS attacks were able to flood the server with huge data by using a reflection/amplification vector that exploited numerous Memcached servers to amplify the attack without the need of too many hacked devices amplifying the threshold to almost 51000 times the real attack bandwidth.
How to stay safe:
- Update your antivirus/anti-malware software: Users are advised to use a legitimate antivirus software and update it with the latest signatures in order to protect their system from getting targeted.
- Remove unwanted programs/software: Users are advised to keep an eye on the installed programs and software. If you see an application that seems to be unknown/unwanted, remove it, especially if the publisher of the software is unknown.
- Keep your system updated: Users are advised to keep their Operating system up to date.
For Server Admins:
- Monitor access to your web server: Use proper Intrusion Detection Systems (IDS) and Log monitoring services to constantly track the kind of access your server is granting to users.
- Regular security auditing + VAPT: Its highly advised that the web admins carry out proper auditing and Vulnerability Assessment & Penetration Testing(VAPT) exercises to close as many loopholes as possible so that it isn’t extremely easy to hack your servers and web applications to upload malicious miners/malware.
Comments from Ankush Johar, Director at Infosec Ventures – “In most cases, hackers carry out DDoS attacks by affecting vulnerable devices /servers at mass and making them a part of their botnet. They further use these compromised systems to carry out malicious attacks like cryptocurrency mining or distributed-denial-of-service attack. Consumers are suggested to take necessary security measures such as installing a legitimate antivirus and updating the OS regularly to prevent their system from getting targeted. System Admins, on the other hand, are advised to keep the servers secure by configuring an Intrusion detection system with firewalls and a proper auditing to mitigate such risks.”