On February 28, 2018, GitHub’s widely used code hosting service experienced a monumental distributed denial-of-service (DDoS) attack, peaking at an unprecedented 1.35 terabits per second (Tbps). This incident marks a significant milestone in the realm of cybersecurity, illustrating both the evolving nature of attack methods and the vulnerabilities that persist across the internet.
Rather than leveraging a traditional botnet, the attackers exploited misconfigured Memcached servers to amplify their assault. Memcached, an open-source in-memory caching system, listened on UDP port 11211 by default in versions before 1.5.6 and accepts commands without any authentication, so a short request can elicit a response many orders of magnitude larger. Reports at the time put the amplification factor at more than 51,000 times the size of the original request.
Akamai Technologies, whose Prolexic scrubbing service GitHub routed its traffic through during the incident, characterized the assault as “the largest attack seen to date,” surpassing the September 2016 attacks attributed to the Mirai botnet. According to GitHub, the attack traffic originated from over a thousand distinct autonomous systems (ASNs) and tens of thousands of unique endpoints.
The technique, dubbed “Memcrashed,” is a classic reflection-and-amplification attack. The attackers sent small UDP requests to exposed Memcached servers with the source IP address forged to be GitHub’s, so that each server sent its response to the victim rather than to the sender. In effect, a few bytes sent to a vulnerable Memcached server produced responses tens of thousands of times larger, all aimed at GitHub’s infrastructure.
According to GitHub’s engineering blog, the method employed resulted in an extraordinary response rate of 126.9 million packets per second directed toward GitHub’s servers. Such a volume can overwhelm even well-prepared defenses, underlining the necessity of vigilant infrastructure management and configuration.
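To make the mechanics concrete, the following is an added Python example (not code from GitHub, Akamai or the memcached project) that builds the 8-byte memcached UDP frame header described in the memcached protocol documentation, reassembles a multi-datagram reply, and computes the amplification factor as bytes received per byte sent. The "stats" reply is constructed inline rather than captured from a real server, and the optional probe function assumes you are testing a host you own.

```python
import socket
import struct

MEMCACHED_UDP_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved (big-endian)
HEADER = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Wrap an ASCII memcached command (e.g. b"stats\\r\\n") in the 8-byte UDP header."""
    return HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_frame(datagram: bytes):
    """Split one datagram into (request_id, seq, total, payload); reject malformed frames."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = HEADER.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved header field must be zero")
    if total == 0 or seq >= total:
        raise ValueError("sequence number outside declared datagram count")
    return request_id, seq, total, datagram[HEADER.size:]


def reassemble(datagrams) -> bytes:
    """Reorder frames by sequence number and join payloads; all frames must share a request id."""
    frames = [parse_udp_frame(d) for d in datagrams]
    if len({f[0] for f in frames}) != 1:
        raise ValueError("frames belong to more than one request")
    total = frames[0][2]
    by_seq = {seq: payload for _, seq, _, payload in frames}
    missing = [i for i in range(total) if i not in by_seq]
    if missing:
        raise ValueError("missing datagrams: %s" % missing)
    return b"".join(by_seq[i] for i in range(total))


def split_into_datagrams(payload: bytes, request_id: int = 1, max_payload: int = 1400):
    """Server-side framing (constructed model): chunk a reply into numbered datagrams."""
    chunks = [payload[i:i + max_payload] for i in range(0, len(payload), max_payload)] or [b""]
    return [HEADER.pack(request_id, seq, len(chunks), 0) + c for seq, c in enumerate(chunks)]


def wire_bytes(datagrams) -> int:
    """Total UDP payload bytes returned (IP/UDP headers excluded)."""
    return sum(len(d) for d in datagrams)


def amplification_factor(request: bytes, datagrams) -> float:
    """Bytes the reflector sends to the spoofed victim per byte the attacker sent."""
    return wire_bytes(datagrams) / len(request)


# Constructed sample: 100 fake STAT lines followed by END, framed as a server would send it.
SAMPLE_STATS_REPLY = b"".join(b"STAT constructed_counter_%d 0\r\n" % i for i in range(100)) + b"END\r\n"
SAMPLE_REQUEST = build_udp_request(b"stats\r\n")
SAMPLE_DATAGRAMS = split_into_datagrams(SAMPLE_STATS_REPLY)


def probe_udp(host: str, port: int = MEMCACHED_UDP_PORT, timeout: float = 2.0):
    """Send one 'stats' over UDP to a host YOU OWN. Any reply at all means the server can be
    abused as a reflector, because memcached performs no authentication on UDP.
    Returns (request, datagrams received)."""
    request = build_udp_request(b"stats\r\n")
    datagrams = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                datagrams.append(data)
                if len(datagrams) >= parse_udp_frame(data)[2]:
                    break
        except socket.timeout:
            pass
    return request, datagrams


if __name__ == "__main__":
    reply = reassemble(SAMPLE_DATAGRAMS)
    assert reply == SAMPLE_STATS_REPLY
    print("request bytes: %d, reply bytes on the wire: %d, amplification: %.1fx"
          % (len(SAMPLE_REQUEST), wire_bytes(SAMPLE_DATAGRAMS), amplification_factor(SAMPLE_REQUEST, SAMPLE_DATAGRAMS)))
```

Even this modest constructed reply gives a factor in the hundreds from a 15-byte request; a real "get" of a large cached value is what pushed the reported factors into the tens of thousands. Run probe_udp only against your own hosts, and treat any UDP answer as a finding.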
Amplification attacks that abuse misconfigured servers remain a growing threat, and this incident is a reminder that an unsecured cache is not just a data risk but a weapon that can be turned on others. Administrators should disable Memcached’s UDP listener (the -U 0 option; the memcached 1.5.6 release, published the day before the attack, disables UDP by default), bind the service to localhost or an internal interface with -l, and firewall port 11211 from the internet. Because the attack depends on forging the victim’s source address, network operators also reduce the pool of usable reflectors by deploying source-address validation (BCP 38).
This attack made the potential for record-breaking DDoS incidents starkly apparent. The large number of Memcached servers still exposed on the internet means that similar or even larger assaults could target any organization, not only GitHub.
In the MITRE ATT&CK framework the technique maps to Network Denial of Service: Reflection Amplification (T1498.002) under the Impact tactic, rather than to initial access, since the reflectors are abused as-is and never compromised. Cyberspace remains a dynamic battleground, and staying informed is essential for anyone responsible for defending an organization against emerging threats.
In conclusion, the implications of this incident for everyday security practice cannot be overstated. Keeping configurations hardened and deploying preventive measures are no longer merely prudent; they are essential to safeguarding critical digital assets in an increasingly hostile online environment.