At about 12:15 PM ET on Wednesday, GitHub suffered through what may be the largest DDoS attack ever recorded, with a peak incoming traffic of 1.35 Tbps.
While flooding a website with an enormous amount of data is part and parcel of such an attack, what makes this instance stand out is the use of more sophisticated amplification techniques, aimed at further exacerbating the impact of an attack on the host servers.
The technique employed relied not on the use of bots, but rather the use of memcached servers. They are designed to increase the speed of networks internally, but should not be exposed to the internet. However, according to DDoS mitigation service Akamai, as many as 50,000 such servers may be linked to the internet and are, therefore, vulnerable to an attack.
Such servers do not have authentication protocols, and connecting one to the internet means anyone can query them. This is why they are prime candidates in the use of DDoS amplification attacks.
A memcached 'get' request on a system results in a response that pulls the necessary values from the memory and sends them to the target server. This way, an attack can be conducted by first implanting a large payload on a memcached server, and then spoofing a 'get' request with the IP of the target site/server. The result is that a small 'get' request will result in a much larger amount of traffic (the payload) being sent to the target server.
This serves as a means of amplification and the use of multiple memcached servers can result in the kind of massive DDoS attack experienced by GitHub. Such an attack can have an amplification factor of as much as 51,000, meaning a single byte sent to the memcached server would result in 51 KB of data being sent to the target.
Fortunately for GitHub, which emerged from the attack relatively unscathed, the company was able to seek help from Akamai within 10 minutes of the attack. The firm, which specialises in mitigating DDoS attacks, took over as an intermediary for all traffic coming to GitHub. Its servers are both able to withstand much larger capacities of traffic than a normal site can and also able to filter unwanted traffic to lighten the load.
Ultimately, the attack ended 8 minutes after Akamai got involved and GitHub confirmed that the confidentiality or integrity of user data on the site was never at risk.
A report from Akamai last month also showcased the increasing threat posed by DDoS attacks, as not only has their frequency increased significantly over the past year, but so-called 'mega attacks' have also become 140% more popular in the same period.