Incident Of The Week: Historic DDoS Attacks Strike GitHub, Service Provider

Dan Gunderman

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outward as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine the latest round of immensely powerful distributed denial of service (DDoS) attacks that affected GitHub, and then just days later an unnamed U.S. service provider.

GitHub, a web-based hosting service, fought off a DDoS attack last Wednesday at around noon EST. 1.35 terabits per second of traffic struck the service, making it the most powerful attack of its kind ever recorded. While GitHub managed its incident response, its DDoS mitigation service Akamai Prolexic rerouted traffic elsewhere – while also zeroing in on the malicious activity. Eight minutes later, the assault ceased, according to Wired.

After news of the 1.3Tbps DDoS offensive was confirmed by Akamai, NETSCOUT Arbor acknowledged an even heavier, 1.7Tbps strike against a customer of a U.S.-based service provider.


As the corresponding report from Arbor’s VP of Global Sales Engineering and Operations, Carlos Morales, notes, the denial-of-service attack was orchestrated the same way as the late-month GitHub bombardment. Hackers leveraged open Memcached servers to their advantage.

According to the project's website, Memcached is a free and open-source, distributed memory object caching system intended for use in speeding up web applications by alleviating database load. Essentially, open Memcached servers allow hackers to amplify their attack efforts many times over.

The NETSCOUT Arbor report reads: “It’s a testament to the defense capabilities that this Service Provider had in place to defend against an attack of this nature that no outages were reported because of it.”

According to the same report, the previous record that was documented by the provider’s DDoS threat data system was 650Gbps – leveled at a Brazilian target in 2016.

“The sheer number of servers running Memcached openly will make this a lasting vulnerability that attackers will exploit,” NETSCOUT Arbor wrote. “It is critically important for companies to take the necessary steps to protect themselves.”

NETSCOUT urges enterprises to work with DDoS mitigation service providers that have sufficient scale and expertise to block terabit-sized overload attacks.

“Until the internet community is able to adjust and make significant progress on Memcached servers, we should expect terabit attacks to continue,” Arbor wrote in conclusion. In the meantime, a wave of unfathomably large data attacks is on the horizon.


Furthermore, in a post from Qihoo 360’s Network Security Research Laboratory (NetLab), Xu Yang confirmed that since Feb. 24, there has been a general uptick in the frequency of DDoS events.

In what NetLab calls “Stage Two” of this DDoS timeline – from March 1-5 – there were an average of 1,938 daily attacks. Before Feb. 24, the average was less than 50.

Still, the report suggests that since the late-month surge, the trend has been relatively stable.

NetLab also outlined the top DDoS targets. Some of them include big players such as Google and Amazon, the gaming industry, adult sites, security industry sites and even politically affiliated organizations such as the National Rifle Association (NRA).