On 28-Feb-2018, GitHub faced an attack that stopped its services for about 10 mins and fully recovered in 15 minutes. With 1.35 Tbps of traffic, this was the biggest ever DDoS attack in the recorded history of the internet. This attack – DDoS aka Distributed Denial Of Service – has taken various shapes and forms and keeps on hitting services across the internet.
What is DDoS?
DoS is a cyber attack where attackers target a specific server or service on the internet so that legitimate users are denied access to that server or service. When such an attack involves several machines (essentially several IP addresses), it is termed a Distributed Denial Of Service attack, or DDoS.
When a single machine or only a few machines are used for DoS, it is easy for the service provider to block the attack by its IP addresses or range of IP addresses. However, this becomes extremely difficult when the attack comes from several computers across the globe, as it is then hard to tell which traffic is legitimate and which is not.
Types of DDoS
- Application Layer DDoS – In this attack, a particular service or a function from a website is targeted by the attacker with the intention of disabling that function.
- Advanced Persistent DDoS – In this type of attack, the attacker uses powerful computing resources to attack the victim at multiple layers, including the application layer and the network layer. It involves sending several million requests per second to the target, followed by SQL injection and XSS attacks. Such attacks persist over long periods.
- DDoS Extortion – Attackers start with a very low volume attack and ask for ransom, typically in cryptocurrency, with the threat of increasing the volume of the attack.
- Amplification – In this attack, publicly accessible servers such as DNS servers are used to send large volumes of data to target servers in response to only a small-sized payload, hence the name “Amplification”. This type of attack typically uses UDP, where the source IP is not verified, so it is easy to spoof the source IP and direct the response to the target server.
The attack GitHub witnessed was of the Amplification type. Attackers used publicly accessible Memcached servers to direct UDP responses to GitHub's servers.
To protect against DDoS, various techniques have been used over time. Firewalls and similar devices such as Application Delivery Controllers, WAFs etc. have been found to be effective to a large extent.
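As an added example (not part of the original article), here is a defender-side check for the reflection pattern just described, run over constructed flow records: a reflector shows up as a well-known UDP service port (DNS 53 and Memcached 11211 are assumed here) sending far more bytes to the victim than the victim's address ever sent to it. The IP addresses, byte counts and threshold are assumptions.

```python
# Added example: flag UDP reflection/amplification traffic in constructed flow records.
# Not code from the article; reflector ports, addresses and byte counts are assumed.
from collections import defaultdict

# UDP ports of public services commonly abused as reflectors (assumed set).
REFLECTOR_PORTS = {53: "dns", 11211: "memcached"}

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# 198.51.100.5 is the assumed victim; 203.0.113.x are assumed Memcached reflectors.
FLOWS = [
    ("udp", "203.0.113.10", 11211, "198.51.100.5", 40000, 1_400_000),
    ("udp", "198.51.100.5", 40000, "203.0.113.10", 11211, 60),
    ("udp", "203.0.113.11", 11211, "198.51.100.5", 40000, 1_300_000),
    ("udp", "198.51.100.5", 40000, "203.0.113.11", 11211, 60),
    ("udp", "192.0.2.7", 53, "198.51.100.5", 53000, 3_000),
    ("udp", "198.51.100.5", 53000, "192.0.2.7", 53, 70),
    ("tcp", "192.0.2.9", 443, "198.51.100.5", 51000, 50_000),
]


def amplification_report(flows, min_factor=50):
    """Return {victim_ip: {(reflector_ip, service): factor}} for every reflector whose
    bytes towards the victim exceed the bytes received from the victim by min_factor.
    A reflector that sends traffic without any matching request (the spoofed request
    never came from the victim) gets an infinite factor and is always flagged."""
    sent = defaultdict(int)  # bytes from reflector service port -> candidate victim
    recv = defaultdict(int)  # bytes from that same candidate victim -> reflector port
    for proto, sip, sport, dip, dport, nbytes in flows:
        if proto != "udp":
            continue  # amplification abuse relies on UDP's unverified source address
        if sport in REFLECTOR_PORTS:
            sent[(dip, sip, REFLECTOR_PORTS[sport])] += nbytes
        elif dport in REFLECTOR_PORTS:
            recv[(sip, dip, REFLECTOR_PORTS[dport])] += nbytes
    report = defaultdict(dict)
    for key, out_bytes in sent.items():
        in_bytes = recv.get(key, 0)
        factor = out_bytes / in_bytes if in_bytes else float("inf")
        if factor >= min_factor:
            victim, reflector, service = key
            report[victim][(reflector, service)] = round(factor, 1)
    return dict(report)


if __name__ == "__main__":
    for victim, reflectors in amplification_report(FLOWS).items():
        print(f"{victim}: {len(reflectors)} reflector(s) -> {reflectors}")
```

The count of distinct reflectors per victim is what makes the attack "distributed"; a handful of reflectors can be blocked by address, while thousands with identical traffic shape call for upstream filtering of the reflector port.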