Slashdot Mirror


GitHub Survived the Biggest DDoS Attack Ever Recorded (wired.com)

A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on five times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai, told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.

144 comments

  1. Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

    Now itâ(TM)s just causes a couple ad blockers to go off.

    1. Re:Too bad slashdot used to cause these by ArchieBunker · · Score: 0

      Still hilarious that slashdot can't fix the unicode bug. Go ahead and find me another site with that problem. I'll wait.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 2, Insightful

      What problem?

      Unicode support is just a troll. Nobody would use it for anything except trolling.

      What's next? You kids want emojis on /.? Should we just go full 4chan and have images?

    3. Re: Too bad slashdot used to cause these by ArchieBunker · · Score: 0

      Anyone using OSX can't use an apostrophe.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 1

      Sounds like an OSX problem. Why can't they send the appropriate code? It's not like it's some strange and wonderful new character.

    5. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      That's because they're illiterate morons.

    6. Re: Too bad slashdot used to cause these by Mr0bvious · · Score: 2

      Please explain why it's not OSX's fault it's not able to speak ASCII?

      We're hear to listen.

      --
      Never happened. True story.
    7. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 2

      Because macOS / OS X sends a proper apostrophe character, not a prime character. It's an informal standard that's evolved since the 70's that a Prime character is used as an apostrophe, but the prime character (which is a vertical or near vertical tick) is not an apostrophe, nor is it a single quotation mark (aka smart quotes, or unicode characters) - although from a typographical perspective, using a single quotation mark as an apostrophe is a lot closer (or even identical, depending on the font) than using a prime symbol.

      https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...
      https://en.wikipedia.org/wiki/...

      I know Unicode only dates back as far as the late 80's or early 90's...

    8. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      I ignore Apple fanboys out of principle.

    9. Re: Too bad slashdot used to cause these by war4peace · · Score: 1

      There are many websights that don't support ASCII...

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    10. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 2, Insightful

      Oh, the old we're going to be pedantic wankers because we can.

      Who gives a flying rats right ring if it is not "technically the correct character", that's the most pedantic stupid shit I've ever heard.

      This would be valid if using "a prime character" was confusing in a typical context.

      You know what? It's not. Never have I been reading something and had that: "What the fuck is a prime character doing in that word, I'm confused, I'm not sure I can read and understand this."

      Never, happened. True story.

    11. Re:Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Still hilarious that slashdot can't fix the unicode bug. Go ahead and find me another site with that problem. I'll wait.

      As much as I hate to defend Slashdot, this is not a "unicode bug" on their part. The "problem" is:

      dumbass websites that don't just use plain ASCII characters.

      dumbass people who don't edit what they post and fix the characters that don't copy/paste properly.

    12. Re: Too bad slashdot used to cause these by 140Mandak262Jamuna · · Score: 1

      Anyone using OSX can't use one specific Telugu character.

      It is widely believed that Telugu character is an ageing past-his-prime actor named Nakarjuna.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    13. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 2, Informative

      You can configure osx and ios to send regular ascii quotes and not "smart quotes".

      (Sent from a mac)

    14. Re: Too bad slashdot used to cause these by demonlapin · · Score: 1

      Can't I? I've posted from iPads and Macs, never seem to have this problem. Maybe it's something that I changed early on, but I don't remember doing it on either platform. I don't use Safari, though.

      Posted from an iMac running High Sierra.

    15. Re:Too bad slashdot used to cause these by EzInKy · · Score: 0

      The world has survived millions of years without Unicode support. Just why in the hell do you need it here?

      --
      Time is what keeps everything from happening all at once.
    16. Re: Too bad slashdot used to cause these by EzInKy · · Score: 1

      The rest of the world will get along just fine without OSX apostrophes.

      --
      Time is what keeps everything from happening all at once.
    17. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Unicode has been a problem since day one. *DO NOT USE IT* except where critically necessary for multiple language support.

      7-bit ASCII, like plain old nuts and bolts in mechanical design. Rather than over-architecting complex and one-off solutions, It's related to one of the best rules of design. Keep It Simple, Stupid!!!!

    18. Re: Too bad slashdot used to cause these by viperidaenz · · Score: 1

      What's wrong with using a regular unicode apostrophe?
      https://www.fileformat.info/in...

      What unicode char is OS X using? If it was using apostrophe, it would be perfectly fine.

      Here it is again: '

    19. Re:Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      If you haven't figured it out already, it's done on purpose to identify iSheep

    20. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 2

      What's wrong with using a regular unicode apostrophe?
      https://www.fileformat.info/in...

      What unicode char is OS X using? If it was using apostrophe, it would be perfectly fine.

      Here it is again: '

      That's a prime character you've used (and that I've used in this sentence too)

      The apostrophe character is when you have text substitutions turned on, or something like that. It uses the key on the keyboard which has the single and double quotes on it. The curly apostrophe (smart quotes or typographical quotes) is Opt + ] for the opening single quote and Shift + Opt + ] for the closing single quote, or curly apostrophe: ’

      “Here’s the curly apostrophe used in a sentence enclosed in typographical quotes and an ellipsis at the end”

    21. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 1

      Well, I’ll be fucked - that seems to work. I haven’t tested typographical quotes on /. for years as “everyone” knows that they don’t work. Quite clearly they do.

    22. Re: Too bad slashdot used to cause these by murdocj · · Score: 1

      Dang I wish I could mod you up.

    23. Re:Too bad slashdot used to cause these by murdocj · · Score: 2

      How am I going to post in Klingon w/o Unicode support?

    24. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Most Apple fanboiz are gay. Nuff said.

    25. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      The rest of the world will get along just fine without OSX.

    26. Re: Too bad slashdot used to cause these by viperidaenz · · Score: 1

      No, that character I used is the unicode apostrophe character.
      Unicode prime is 0x2032

      I was going to paste in a unicode prime char alongside an apostrophe, but when I preview the post slashdot strips out the prime char.

      What you've used in "Here’s" is the unicode right-single-quotation-mark char. https://www.fileformat.info/in...
      Code x2019

      I'm sorry but you're completely wrong.

    27. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 1

      Whatever - the fact is that typographical quotes do work on /. so how come some posts are rendered as per the parent post of this long and useless thread - “Now itâ(TM)s just causes”?

    28. Re: Too bad slashdot used to cause these by viperidaenz · · Score: 1

      Because they're posted by people like that on purpose? aka: trolling

    29. Re: Too bad slashdot used to cause these by c6gunner · · Score: 1

      Whaddya have against âoesmart quotesâ?

      They're stupid.

    30. Re: Too bad slashdot used to cause these by ArchieBunker · · Score: 1

      Nope this is seriously the only site on the entire internet with the problem.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    31. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Can't I? Why not?

    32. Re: Too bad slashdot used to cause these by Aighearach · · Score: 2

      What's even funnier is how completely false it is. I love a good pedanticism, but this one falls on its face.

      The term "prime symbol" or "prime character" only even dates to the 1960s or so. And typewriters already existed, and often had apostrophe and quotation symbols. Any other symbols are typographical or related to accounting. The idea that they would have a special key on a typewriter for writing distances, which is the work ' is doing when it is denoting "prime" (meaning only first, " being second) but that they would omit an apostrophe, which is a basic symbol necessary for grammatically correct English, it is just completely absurd.

      Once you're inside the distortion field, you can just invent your own history on a whim, no problem.

      Even funnier, there is a standard convention in computers that when you need a prime symbol but the character set doesn't include it, you use an italicized apostrophe!

    33. Re:Too bad slashdot used to cause these by Aighearach · · Score: 1

      With a bat'leth.

    34. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Seems to have worked just fine.

    35. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 1

      "dumbass websites that don't just use plain ASCII characters."

      Every other website except Slashdot.

      "dumbass people who don't edit what they post and fix the characters that don't copy/paste properly."

      So I copy and paste
        âoetrade wars are good, and easy to winâ
      or forget that Slashdot can't cope with this Android key £ and of course there's no preview on my phone because Slashdot is 'special'.

      dumbass

    36. Re: Too bad slashdot used to cause these by phantomfive · · Score: 1

      My memory was that it was a Netscape problem, not a Slashdot problem. Netscape showed quotes weirdly for a while.

      --
      "First they came for the slanderers and i said nothing."
    37. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      At the very least, if Slashdot doesn't want to change any of the back end. *All* they have to do is modify the post submission script to map some unicode values to sensible alternatives, like mapping smart quotes to normal quotes.

      I find the comments on Unicode on Slashdot to be deeply illuminating. The way it becomes polarizing when really a measured approach (expand the whitelist a little bit to accommodate accents used commonly in the Latin alphabet such as the thorn, umlaut, etc... and perform some sensible transpositions) would satisfy most of those clamoring for Unicode.

    38. Re:Too bad slashdot used to cause these by h33t+l4x0r · · Score: 1

      You are without honor.

    39. Re: Too bad slashdot used to cause these by jrumney · · Score: 1

      The proper character for an apostrophe is the ASCII U+0027 APOSTROPHE, not U+02BC MODIFIER LETTER APOSTROPHE, U+0315 COMBINING COMMA ABOVE RIGHT, U+2019 RIGHT SINGLE QUOTATION MARK or whatever it is that Apple has redefined it to in OSX.

    40. Re: Too bad slashdot used to cause these by jrumney · · Score: 1

      Prime is a Unicode character anyway (U+2032 which will not display on slashdot), the ASCII character 0x27 is officially called APOSTROPHE in Unicode, and the usual representation is as what is known as a TYPEWRITER APOSTROPHE. Unicode now recommends to use RIGHT SINGLE QUOTATION MARK as an apostrophe, but I gave up listening to their advice when they started adding emoji to Unicode after around a decade of refusing to add the widely used IEC Power Symbol (which they finally added in Unicode 9.0, emoji having been added in Unicode 6.0).

    41. Re: Too bad slashdot used to cause these by jrumney · · Score: 2

      That's a prime character you've used

      If you're going to be a pedant on the internet, best do your homework first.

    42. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 1

      The character that ASCII (and therefore Unicode) has called an Apostrophe is rarely, if ever, drawn correctly as an apostrophe in fonts.
      When an apostrophe has been typeset correctly, it looks like the top image on the Wikipedia page:
      https://en.wikipedia.org/wiki/...

      With the invention of the typewriter, a "neutral" quotation mark form ( ' ) was created to economize on the keyboard, by using a single key to represent: the apostrophe, both opening and closing single quotation marks, single primes, and on some typewriters the exclamation point by overprinting with a period. This is known as the typewriter apostrophe or vertical apostrophe. The same convention was adopted for quotation marks.

      Both simplifications carried over to computer keyboards and the ASCII character set. However, although these are widely used due to their ubiquity and convenience, they are deprecated in contexts where proper typography is important.

    43. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 1

      The apostrophe has been around a lot longer than computer and typewriter keyboards. The character called an apostrophe by ASCII is named that for (recent) historical reasons and it is not a typographically correct apostrophe. The Unicode consortium recommend using U+2019 - the Right Single Quotation Mark as an apostrophe however U+0027 is the character that exists on most keyboards.

      From: http://www.unicode.org/version...

      Apostrophes
      U+0027 apostrophe is the most commonly used character for apostrophe. For historical reasons, U+0027 is a particularly overloaded character. In ASCII, it is used to represent a punctuation mark (such as right single quotation mark, left single quotation mark, apostrophe punctuation, vertical line, or prime) or a modifier letter (such as apostrophe modifier or acute accent). Punctuation marks generally break words; modifier letters generally are considered part of a word.
      When text is set, U+2019 right single quotation mark is preferred as apostrophe, but only U+0027 is present on most keyboards. Software commonly offers a facility for automatically converting the U+0027 apostrophe to a contextually selected curly quotation glyph. In these systems, a U+0027 in the data stream is always represented as a straight vertical line and can never represent a curly apostrophe or a right quotation mark.

    44. Re: Too bad slashdot used to cause these by Type44Q · · Score: 1

      out of principle

      It's "on principle."

    45. Re: Too bad slashdot used to cause these by szabo.m.peter · · Score: 1

      This is language dependent. As long as you fit into latin-1 you are OK. You can argue, that this is an English language site, but I, as a Hungarian writing English faced this issue sometimes when I tried to write names/places...

    46. Re: Too bad slashdot used to cause these by OrangeTide · · Score: 1

      If you send an apostrophe for a particular character set you better damn well conform to the right character set. The problem is with assuming that a field is UTF-8 when it clearly is unspecified. Yet I am quite able to make use of these characters in a non-broken browser.

      ' prime
      ' apostrophe
      " plain quotes
      “ ” proper left/right double quotes.

      --
      “Common sense is not so common.” — Voltaire
    47. Re: Too bad slashdot used to cause these by OrangeTide · · Score: 0

      "dumbass websites that don't just use plain ASCII characters."

      Every other website except Slashdot.

      Just because everyone is doing something doesn't mean they are right. They could all be dumbasses. And sometimes that is the simpler explanation.

      --
      “Common sense is not so common.” — Voltaire
    48. Re: Too bad slashdot used to cause these by Paradise+Pete · · Score: 1

      Please explain why it's not OSX's fault it's not able to speak ASCII?

      I'll bet you're a fan of imperial weights and measures too.

    49. Re: Too bad slashdot used to cause these by helpfulcorn · · Score: 1

      Because some OS X users are insisting that sending a "smart quotes" apostrophe in unicode is the "real apostrophe", yet sending ASCII character 0x39 or whatever is not the "real" one, it's everyone else who is wrong. I'm not sure why you are modded 0, you're fucking right, it's horse shit.

    50. Re: Too bad slashdot used to cause these by jrumney · · Score: 1

      The thing that grammar and typography nazis always overlook is that the definition of what is correct with respect to English language usage is constantly evolving. I think typewriters and computers have been around for long enough by now that a non directional sans-serif apostrophe is considered by 99% of English language readers to be correct.

    51. Re: Too bad slashdot used to cause these by TheRaven64 · · Score: 1

      It does support ASCII, but Slashdot includes a meta tag indicating UTF-8 support. As a result, Safari submits web forms as UTF-8. Slashcode then interprets these as ASCII (actually, some random 8-bit code page) and gets confused by the multi-byte UTF-8 characters.

      --
      I am TheRaven on Soylent News
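
The decoding mismatch described in the comment above, and the submission-time mapping suggested in comment 37, as an added example that is not part of the thread or of Slashcode. It assumes the "random 8-bit code page" is Windows-1252 and uses a hypothetical folding table (`ASCII_FOLD`); all function names are this example's own.

```python
# Reproduces the garbled strings quoted in this thread from their UTF-8 bytes,
# then shows the fix: decode once, with the charset the form actually used.

# Hypothetical folding step (assumption): a legacy filter that spells out a few
# characters in ASCII and silently drops anything else above U+00FF.
ASCII_FOLD = {"\u2122": "(TM)", "\u0153": "oe"}

# Typographic punctuation mapped to ASCII, as comment 37 proposes.
PUNCT_TO_ASCII = str.maketrans({
    "\u2018": "'", "\u2019": "'",     # single curly quotes / apostrophe
    "\u201c": '"', "\u201d": '"',     # double curly quotes
    "\u2026": "...",                  # ellipsis
})


def misdecode(raw: bytes) -> str:
    """Wrong: treat UTF-8 bytes as Windows-1252, one character per byte."""
    # 0x9D has no Windows-1252 mapping; 'replace' turns it into U+FFFD.
    return raw.decode("cp1252", errors="replace")


def legacy_fold(text: str) -> str:
    """Apply the assumed filter: fold known symbols, drop the rest above U+00FF."""
    out = []
    for ch in text:
        if ch in ASCII_FOLD:
            out.append(ASCII_FOLD[ch])
        elif ord(ch) < 0x100:
            out.append(ch)
    return "".join(out)


def broken_pipeline(raw: bytes) -> str:
    return legacy_fold(misdecode(raw))


def normalize_submission(raw: bytes) -> str:
    """Right: strict UTF-8 decode at the input boundary, then map punctuation.

    Malformed input raises UnicodeDecodeError instead of being guessed at.
    """
    return raw.decode("utf-8", errors="strict").translate(PUNCT_TO_ASCII)


if __name__ == "__main__":
    # Constructed inputs: the bytes a browser submits for UTF-8 form data.
    for text in ("it\u2019s", "\u201csmart quotes\u201d"):
        raw = text.encode("utf-8")
        print(raw, "->", broken_pipeline(raw), "|", normalize_submission(raw))
```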
    52. Re: Too bad slashdot used to cause these by jmccue · · Score: 1

      So that is where those damn things are coming from!

      I will always consider Unicode broken until all the other single and double quote characters are removed from the standard and replaced with the real quotes (0x27 / 0x22)

    53. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Out of principle is a saying as well.

    54. Re: Too bad slashdot used to cause these by PhunkySchtuff · · Score: 1

      The vertical tick used as an apostrophe was a temporary measure put in place to simplify keyboards and to simplify the character set when every bit and byte was counted. Even the Unicode consortium recommend that a curly apostrophe be used for printed materials.
      http://www.unicode.org/version...

      Encoding Characters with Multiple Semantic Values. Some of the punctuation characters in the ASCII range (U+0020..U+007F) have multiple uses, either through ambiguity in the original standards or through accumulated reinterpretations of a limited code set. For example, 27₁₆ is defined in ANSI X3.4 as apostrophe (closing single quotation mark; acute accent), and 2D₁₆ is defined as hyphen-minus. In general, the Unicode Standard provides the same interpretation for the equivalent code points, without adding to or subtracting from their semantics. The Unicode Standard supplies unambiguous codes elsewhere for the most useful particular interpretations of these ASCII values; the corresponding unambiguous characters are cross-referenced in the character names list for this block.
      Apostrophes
      U+0027 apostrophe is the most commonly used character for apostrophe. For historical reasons, U+0027 is a particularly overloaded character. In ASCII, it is used to represent a punctuation mark (such as right single quotation mark, left single quotation mark, apostrophe punctuation, vertical line, or prime) or a modifier letter (such as apostrophe modifier or acute accent). Punctuation marks generally break words; modifier letters generally are considered part of a word.
      When text is set, U+2019 right single quotation mark is preferred as apostrophe, but only U+0027 is present on most keyboards. Software commonly offers a facility for automatically converting the U+0027 apostrophe to a contextually selected curly quotation glyph. In these systems, a U+0027 in the data stream is always represented as a straight vertical line and can never represent a curly apostrophe or a right quotation mark.
      Punctuation Apostrophe. U+2019 right single quotation mark is preferred where the character is to represent a punctuation mark, as for contractions: “We’ve been here before.” In this latter case, U+2019 is also referred to as a punctuation apostrophe.

      As you said, language evolves and we've reached the stage where the systems we use have evolved beyond their original constraints that dictated a single character be used for apostrophe, single right quotation marks, prime and an acute accent and now we have the ability to use the correct character without resorting to overloading a single ASCII code point.
      Most people, in the software they use on a daily basis, will end up using the correct unicode character without even knowing it as commonly used software will automatically and by default substitute curly quotes in place of straight quotes. Of course text editors used for programming where semantics are critical will not perform substitutions like this but they're not the most common use case - general purpose word processing is far more common.

    55. Re: Too bad slashdot used to cause these by Mr0bvious · · Score: 1

      Thanks for the details!

      Makes sense.

      --
      Never happened. True story.
    56. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      That's all cool, but are you typing Unicode or having some text editor decide what you mean? When you're talking "printed materials", then you are involved in typesetting and make all kinds of decisions about kerning or if you want a hyphen, an en-dash or an em-dash.

      I'm usually in the position of needing to go and turn off all the "smart" features of modern word processors because they break the utility of being able to cut and paste from document to terminal.

      Would you make the same asinine argument for "correctness" if this were Stack Overflow instead of Slashdot? The "smart quotes" are no more correct than using what you actually type on the keyboard unless, and only unless, you're typesetting for publication.

    57. Re:Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      The world has survived millions of years without Slashdot. Slashdot had not yet survived millions of years without Unicode.

    58. Re: Too bad slashdot used to cause these by Anonymous Coward · · Score: 0

      Not as stupid as the people who can't type them on Slashdot...

      Don't be a slob!

  2. No botnet? by gnick · · Score: 1

    TFA doesn't give any detail around this. How does one generate that much traffic without the need of a botnet?

    --
    He's getting rather old, but he's a good mouse.
    1. Re:No botnet? by Anonymous Coward · · Score: 3, Informative

      TFS does give this link: https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

      So the answer is, vulnerable memcached servers amplify the packets for anyone who can IP spoof. The attacker doesn't need a botnet, because one accidentally exists already.

    2. Re:No botnet? by Anonymous Coward · · Score: 0

      Or what the 1.3Tb amounted to. Was that outgoing / ingoing / both?

    3. Re:No botnet? by PolygamousRanchKid+ · · Score: 1

      How does one generate that much traffic without the need of a botnet?

      Maybe it's one of those "unstoppable" weapons that Putin has been bragging about . . . ?

      If so, you won't be able to find any information about it . . . unless you hire Russian Hackers to dig it up . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    4. Re:No botnet? by ShanghaiBill · · Score: 2

      TFA doesn't give any detail around this. How does one generate that much traffic without the need of a botnet?

      It depends on what you mean by "botnet". The attacker sent spoofed memcached requests to UDP servers, which were then replicated and forwarded to the victim. In some sense, these UDP servers are acting as a "botnet" even though they are not running any malware controlled by the hacker. More info here.

      A bigger question is: Cui bono? Why is someone attacking Github?

    5. Re:No botnet? by Anonymous Coward · · Score: 1

      " An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. "

      why these memcache servers aren't blocking udp from external networks is a question

      why the network allows spoofed ip source addresses to be routed to the memcache server is also a question

      I think they are saying that the attacker knows there are a lot of open memcache servers around the net. They also know the address of github's network or external load balancer. Then they send a small request of a few bytes that returns a megabyte or more of traffic in response, all routed to the github address.

      all in all, they are using exposed/misconfigured memcache services instead of a botnet to create the traffic
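
A defender-side check for the exposure this comment asks about, as an added example that is not part of the thread: it audits memcached command lines (constructed samples) for a reachable listen address combined with UDP. The function names and verdict labels are assumptions of this example; `-l` and `-U` are memcached's listen-address and UDP-port options, and `-U 0` turns UDP off.

```python
import ipaddress
import shlex


def parse_memcached_cmdline(cmdline):
    """Return (listen_addrs, udp_port) parsed from a memcached command line.

    listen_addrs is [] when -l is absent (memcached then binds all interfaces).
    udp_port is None when -U is absent or malformed (default depends on the build).
    """
    tokens = shlex.split(cmdline)[1:]
    listen, udp_port = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[:2] in ("-l", "-U"):
            flag, value = tok[:2], tok[2:]
            if not value and i + 1 < len(tokens):   # value given as next token
                i += 1
                value = tokens[i]
            if flag == "-l":
                listen.extend(a.strip() for a in value.split(",") if a.strip())
            elif value.isdigit():
                udp_port = int(value)
        i += 1
    return listen, udp_port


def is_loopback(addr):
    """True if a -l value names only the local host."""
    host = addr
    if host.startswith("["):            # [v6]:port form
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:          # v4:port or name:port form
        host = host.split(":")[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                    # unknown hostname: assume reachable


def audit(cmdline):
    """Classify one memcached invocation by its reflection exposure."""
    listen, udp_port = parse_memcached_cmdline(cmdline)
    exposed = not listen or any(not is_loopback(a) for a in listen)
    if udp_port == 0:
        udp = "disabled"
    elif udp_port is None:
        udp = "build-default"
    else:
        udp = "enabled"

    if not exposed:
        verdict = "OK"                  # spoofed requests cannot reach loopback
    elif udp == "enabled":
        verdict = "REFLECTOR-RISK"      # answers UDP from any claimed source
    elif udp == "build-default":
        verdict = "REVIEW"              # set -U 0 explicitly instead of relying on a default
    else:
        verdict = "TCP-EXPOSED"         # no UDP reflection, but still unauthenticated
    return {"exposed": exposed, "udp": udp, "verdict": verdict}


# Constructed sample command lines (not taken from any real host).
SAMPLES = [
    "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 0.0.0.0 -U 11211",
    "/usr/bin/memcached -m 64 -u memcache -l 127.0.0.1 -U 0",
    "/usr/bin/memcached -m 64 -u memcache",
    "memcached -l 127.0.0.1,10.0.0.5 -U0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit(line)["verdict"].ljust(15), line)
```

Feeding it the output of a process listing across a fleet gives a quick inventory of hosts that still need `-U 0` and a loopback or private listen address.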

    6. Re:No botnet? by EvilSS · · Score: 1

      It is an amplification attack. The attacker sends a few bytes in the request, with a spoofed IP. The server responds to the spoofed IP address with a flood of data the attacker requested. It's like calling pizza hut and having 100,000,000 pizzas delivered to your enemy's house.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    7. Re:No botnet? by Todd+Knarr · · Score: 2

      Because too many network admins don't bother to read and implement BCP 38 on top of too many network admins leaving memcached servers publicly accessible.

    8. Re:No botnet? by 93+Escort+Wagon · · Score: 1

      In some sense, these UDP servers are acting as a "botnet" even though they are not running any malware controlled by the hacker.

      Well, if an external actor can force these machines to do their bidding at a time of their choosing - in what sense are they NOT part of a botnet?

      --
      #DeleteChrome
    9. Re:No botnet? by rtb61 · · Score: 2

      So clearly a penalty should be applied. Whilst they were tricked into the attack, they were committing the attack. So time for the courts to step in, those who committed the actual attack, should be hauled before the courts to prove they did not do the attack willingly and if they can not, pay the criminal penalty for the attack. Ignorance is no excuse, that is their chosen profession, that is their source of income, they have professional liability and should be held to account.

      Should not countries supplying said attack be held liable for the attack, a criminal export for which they are responsible. So hauled before the WTO https://en.wikipedia.org/wiki/..., so that the country attacked by bad digital exports can seek fiscal remediation for the cost of bad digital exports. The source country of the attack can seek to recover that cost from those who committed the attack, their problem.

      --
      Chaos - everything, everywhere, everywhen
    10. Re:No botnet? by squiggleslash · · Score: 5, Funny

      It was fairly simple really. What they did was take down Slashdot, which at the time was running on an old 80386 running an old, vulnerability ridden, version of Slackware Linux.

      The end result was that thousands, literally thousands, of software developers had nothing to do, and ended up committing long delayed work to Github. Boom. Server down.

      --
      You are not alone. This is not normal. None of this is normal.
    11. Re:No botnet? by Anonymous Coward · · Score: 0

      In some sense, these UDP servers are acting as a "botnet" even though they are not running any malware controlled by the hacker.

      Well, if an external actor can force these machines to do their bidding at a time of their choosing - in what sense are they NOT part of a botnet?

      I think the "not a botnet" comes from the fact that there is no malware involved and the servers are not under the control of the attacker.

    12. Re:No botnet? by Burdell · · Score: 1

      The memcached traffic amplification factor is around 15000x, so to get 1.3Tbps of attack traffic requires fewer than 90 hosts with gigabit Internet access.

    13. Re:No botnet? by Anonymous Coward · · Score: 0

      So....... a botnet after all

    14. Re:No botnet? by Anonymous Coward · · Score: 0

      UDP servers?!?! do you even know anything about TCP/IP?

    15. Re:No botnet? by 93+Escort+Wagon · · Score: 1

      I think the "not a botnet" comes from the fact that there is no malware involved and the servers are not under the control of the attacker.

      Well, see, I am basically arguing that the second part of your statement is incorrect. The attacker can get these machines to do exactly what he wants, exactly when he wants it to happen.

      --
      #DeleteChrome
    16. Re:No botnet? by Gojira+Shipi-Taro · · Score: 1

      And your argument is flawed. By definition, a botnet requires malware to be running on the systems involved. This is a reflection/amplification attack where a vulnerability in the unsecured target causes it to respond with many times the amount of data sent, and due to the spoofed packet, it responds to the intended target.

      Just because a node is tricked into responding, does not mean there's a botnet involved.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked." ~ Donald J. Trump
    17. Re: No botnet? by c6gunner · · Score: 1

      The attacker can get these machines to do exactly what he wants, exactly when he wants it to happen.

      No, the attacker can get these machines to do one specific thing he wants, exactly when he wants it to happen. If that's your definition of a botnet then every HTTP server is part of a botnet, since I can get any of them to send me a webpage whenever I want one.

    18. Re:No botnet? by Aighearach · · Score: 1

      By my thinking, a botnet holding a fig leaf is still a botnet.

    19. Re:No botnet? by pots · · Score: 1

      It would take more than that, I assume. The whole point of using a DDoS attack, instead of DoS, is that you're making your attack from many vectors. If there's only a small number of misbehaving servers then those can just be blocked.

    20. Re:No botnet? by Anonymous Coward · · Score: 0

      You get a connection from a provider that does not use ingress filtering, allowing you to spoof packets with any source IP. Then you find a UDP-based protocol that sends a large response for a small packet. Typical options are NTP or chargen, but here an attack on memcached is shown. It allows converting a ~20-byte packet into almost 1MB(!). This amount of amplification is unseen, and can turn even a single slow home internet connection into a powerful DDoS.

    21. Re:No botnet? by Anonymous Coward · · Score: 0

      Look up: reflected distributed denial of service attacks.

  3. Why? by DaMattster · · Score: 0

    Why do people do stupid shit like this? Github is neither a bad actor nor deserving of this. Why don't they go after the fucking Trump Organization or Oracle or something like this.

    1. Re:Why? by Anonymous Coward · · Score: 1

      These kinds of attacks are often used to mask another attack against the systems. I would want to be extra vigilant on the integrity of accounts and the projects if I were involved with this. Although, the fact that nerd rage is the best and worst kind of rage continues to hold, so it might just be a single retaliatory personality at large.

    2. Re: Why? by Anonymous Coward · · Score: 0

      Maybe we in the geek community should take this as a call to secure all the open servers we can.

    3. Re:Why? by Anonymous Coward · · Score: 0

      DDoS operators have their own reasons completely unrelated to your pet peeves.
      Must mean that they are Russians or something.

    4. Re:Why? by Anonymous Coward · · Score: 3, Interesting

      It happened for the same reason it happened in 2015:

      https://www.theverge.com/2015/...

      In short, activists inside and outside of China are using GitHub to write and share code for software to circumvent the government's "Great Firewall" in one way or another...they did not succeed in taking GitHub offline, so they decided to show their technical prowess and their sheer (if amplified) bandwidth abuse potential by conducting a second attack. They're still trying to take GitHub offline, badly, people need to be made more aware this is happening...the last time was only three years ago and it was a shocking attempt at China to try and impose censorship of the Internet, as they see fit, inside the firewall AND out. This isn't a conspiracy theory or conjecture, China are very definitely waging an online "war" of sorts and this is more or less a demonstration of their capabilities.

    5. Re:Why? by DaMattster · · Score: 1

      It happened for the same reason it happened in 2015:

      https://www.theverge.com/2015/...

      In short, activists inside and outside of China are using GitHub to write and share code for software to circumvent the government's "Great Firewall" in one way or another...they did not succeed in taking GitHub offline, so they decided to show their technical prowess and their sheer (if amplified) bandwidth abuse potential by conducting a second attack. They're still trying to take GitHub offline, badly, people need to be made more aware this is happening...the last time was only three years ago and it was a shocking attempt at China to try and impose censorship of the Internet, as they see fit, inside the firewall AND out. This isn't a conspiracy theory or conjecture, China are very definitely waging an online "war" of sorts and this is more or less a demonstration of their capabilities.

      This doesn't shock me in the least because 90% of brute force attempts on my tiny VPS that hosts my blog come from Chinese IP addresses. It's gotten so bad that I just block the whole country. I download the zone file from http://www.ipdeny.com/

    6. Re:Why? by Anonymous Coward · · Score: 0

      Because they aren't a moron like you.

    7. Re:Why? by Anonymous Coward · · Score: 0

      That's honestly not an unreasonable response and good advice, thanks. I imagine that if it weren't for international commerce a lot of administrators on our side of the world would like to firewall them off at this point, it's getting ridiculous.

      I do understand why my comment was modded down, for one thing I pointed out the truth, which _really_ bothers the so called "troll farms" in Beijing...not at all dissimilar to the tactics used by Russia, seed social media and online communities with people that aim to either 1) cause a rift in the community by dividing its members or 2) creating memes and other media that support a political position that's favourable to the state.

      What's different and needs to be addressed about China is exactly what you're referring to... They're not just playing politics, they're literally trying to eliminate from the Internet their biggest source of opposition, free software and volunteer programmers on the Internet dedicated to circumventing their censorship, any way possible. They're constantly and deliberately probing likely every public-facing network on the Internet, like in your sense when you logged them making automated attempts to break in (in all likelihood, I get a few of them bouncing off ufw a day so I know what you mean).

      It's kind of startling that they'd go through this much effort just to take GitHub offline for a few hours, but that is how badly they want GitHub offline... Badly enough to leverage a 0-day vulnerability to pull off the biggest amplified DDoS that anyone's ever publicly reported.

    8. Re: Why? by c6gunner · · Score: 1

      This doesn't shock me in the least because 90% of brute force attempts on my tiny VPS that hosts my blog come from Chinese IP addresses.

      That doesn't mean much. Back in the early 2000's ... someone I know used to have a botnet of tens of thousands of computers, 90% of which were in China. I'm not sure what the situation is these days, but back then Chinese boxes were by far the easiest to "hack", so they were a popular choice. Any scans or attacks being done by this individual would have appeared to be coming from his Chinese botnet, despite the fact that he himself resided in a western nation.

      tl;dr the fact that you're seeing attacks from one specific country doesn't mean they're being carried out by citizens of that country.

    9. Re: Why? by Arzaboa · · Score: 1

      Should be a daily thing.

      --
      Sometimes I look up, sometimes I look down.

  4. why would someone attack Github? by Jarwulf · · Score: 1

    why would someone go through the trouble of attacking github? For giggles? Do they like closed source or mercurial that much?

    1. Re:why would someone attack Github? by 0100010001010011 · · Score: 1

      A test.

      They went after the largest of the large. Github learned they can handle that much traffic. The bot net operators learned their capacity.

      What happens when the bot net turns itself towards an entire small country, government site, or any small company that doesn't pay the ransom.

    2. Re:why would someone attack Github? by Anonymous Coward · · Score: 0

      While this is going on, they secretly replace some code in a well known git repository. Let's see if anybody notices because they rewrote git history, because you can do that.

    3. Re:why would someone attack Github? by mrbester · · Score: 1

      Attacks don't have to be successful in order to be informative. Now, thanks to the VP of Akamai, it is better known what Prolexic can ostensibly handle. This doesn't mean that GitHub is about to get hit by a 6Tb/s DDoS to check as there's no need, plus if it was successful Akamai would just up the capacity to some greater unknown number.

      What it does mean is that a likely amount to DDoS anyone, even when they are protected by Prolexic, can be used as a baseline. As most won't have that high level of protection, the odds of success are much higher.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    4. Re:why would someone attack Github? by ls671 · · Score: 1

      Well they better hurry because those memcached servers are going to get patched one way or another.

      --
      Everything I write is lies, read between the lines.
    5. Re:why would someone attack Github? by Anonymous Coward · · Score: 1

      I've pointed this out elsewhere, but to give you an answer that's probably closer to the truth than people would like to admit, it's almost certainly a repeat of an attack from 2015:

      https://www.theverge.com/2015/...

      GitHub has apparently hosted at times (it may still, I don't know) projects and software, plus the source obviously, to circumvent the "Great Firewall" that's used to censor the Internet in China...and they aren't happy about it, as you can probably guess by the whole terabit of bandwidth directed at them bit.

      They really want GitHub offline because it's a very effective tool for activists inside and outside the country to share code to circumvent the government's censorship message, actually let the truth get in about some uncomfortable things they've done past and present... This is basically just China reminding the rest of the world that if they really want to take something off the Internet, inside the firewall or out, they can at least accomplish it in the short term.

    6. Re:why would someone attack Github? by TheRaven64 · · Score: 1

      Maybe it's the FSF: Richard Stallman is one of the most vocal critics of GitHub...

      --
      I am TheRaven on Soylent News
  5. BotNet? by spaceman375 · · Score: 1

    The memcache servers ARE a ready made botnet.

    Imagine if they had made a Beowulf cluster of mem.... oh, wait.....

    --
    On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
  6. Sad waste of resources by blahbooboo · · Score: 2

    Such a shame there are nefarious people who do these DDOS. What a huge waste of time and resources by their target entities to defeat the attacks.

    1. Re:Sad waste of resources by Kjella · · Score: 1

      Such a shame there are nefarious people who do these DDOS. What a huge waste of time and resources by their target entities to defeat the attacks.

      On the bright side, what survives is strong. Around the turn of the century /. was infamous for having its own DDoS effect, these days it takes huge malicious effort to bring down a site. There's a war on but it's rare that the bad guys win...

      --
      Live today, because you never know what tomorrow brings
    2. Re:Sad waste of resources by Arzaboa · · Score: 1

      There are always people that have been left out, can't get in, or are disenfranchised in some way or another. Or more simply, these folks can make money, wreak havoc and feel powerful, and have lots of time on their hands. Most importantly, they're k-rad now in their circle. These tools are at their disposal, the internet being open, allows it, until the free market does something, ie: DDos protection.

      This is why security isn't and has never been free.

      --
      'I aint coming down' - Eddie Vedder, cover

  7. I also love this resource by thewebsiteboy · · Score: 1

    Was checking out another blog post on, really love this resource. Keep up the awesome work

  8. Digital! by zmooc · · Score: 3, Funny

    (...) as a digital system assessed the situation (...)

    Who knew those analog steam powered ddos protection engines would go out of fashion this fast.

    --
    0x or or snor perron?!
    1. Re:Digital! by ls671 · · Score: 1

      Those systems are the steam powered version! Newer systems are obviously AI based.

      View pictures of such digital systems here:
      http://asiaprint.kz/index.php?...

      --
      Everything I write is lies, read between the lines.
  9. I check github several times a day by FudRucker · · Score: 1

    for new and updated software, i never noticed any outage, i guess the admin that keep github percolating has got some good skillz, kudos to github admin...

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:I check github several times a day by 110010001000 · · Score: 1

      It sounds like it was an AI program that realized it was under attack and implemented a mitigation strategy using Akamai AI technology. No human admins needed.

    2. Re:I check github several times a day by war4peace · · Score: 1

      Slashdot, on the other hand...

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    3. Re:I check github several times a day by DogDude · · Score: 1

      You're nuts. Github was unusable for a couple of weeks.

      https://twitter.com/githubstat...

      --
      I don't respond to AC's.
    4. Re:I check github several times a day by Anonymous Coward · · Score: 0

      It probably depended on where you are located or possibly where your repos are located (I don't have any idea how GitHub shards their system). My team in Los Angeles never noticed any problems with github and they use the SSH based repo access and the website interface for issue trackers quite heavily during business hours.

    5. Re:I check github several times a day by TheRaven64 · · Score: 1

      Your link doesn't support your assertion. We use GitHub for a load of stuff at work and I didn't have any problems pushing or pulling, or reviewing pull requests, and our CI system didn't report any failures to pull, so I'm not sure where you get that from.

      --
      I am TheRaven on Soylent News
  10. Not the worst scenario by manu0601 · · Score: 1

    [Akamai] sent the data through its scrubbing centers to weed out and block malicious packets.

    There was the challenge to handle the load, but identifying packets to drop was quite easy this time: they all came from same UDP port for memcached.

    1. Re:Not the worst scenario by ls671 · · Score: 1

      Exactly, it shouldn't be too hard to patch this even if this isn't done at the server level.

      Given the size of the hole, I like to think that sysadmins and network admins should get sufficient pressure to patch this relatively quickly.

      --
      Everything I write is lies, read between the lines.
  11. Can someone explain how this can possibly happen. by Anonymous Coward · · Score: 0

    Every IP packet has a source IP. ISPs should NEVER let ANYTHING go out that doesn't have a source IP address in their subnets. Doesn't memcached use the source IP of the datagram to send the reply? Or does it use an ip address in the body -- which is stupid, it's already in the IP header, why have redundant information? As I tell my co-workers, never have the same information in two places, one of them will be wrong. And if you use the source ip in the ip header even udp works through firewalls and you don't have to go through the idiocy VOIP does with TURN and STUN and ICE and all that crap. Am I missing something?

  12. Wow, creimer got his NAS to work by Anonymous Coward · · Score: 0

    and it promptly logged in all his cashews accounts and tried looking for food?

    1. Re: Wow, creimer got his NAS to work by Anonymous Coward · · Score: 0

      "all his cashews accounts"

      You're nuts.

  13. Infrastructure note: UDP doesn't get dropped by mveloso · · Score: 1

    Back in the day UDP was considered unreliable because it could be dropped by the network at any time for any reason.

    It should be noted that UDP is apparently just as reliable as TCP at the network level, in that equipment in general does -not- drop UDP at all. Behaviorally speaking the network attempts to guarantee delivery of everything, which is interesting and possibly unnecessary.

    1. Re:Infrastructure note: UDP doesn't get dropped by petermgreen · · Score: 1

      The network doesn't normally care if the packet is TCP or UDP, it just tries its best to deliver it. Sometimes it cannot be delivered, usually because of congestion but sometimes because of corruption.

      The difference between TCP and UDP is that when your UDP packet does get dropped the network stack on the client/server doesn't care, the application data is simply lost. With TCP the network stack will re-send your data and reduce the transmission rate to try to prevent further packet loss (the assumption being that congestion is the most likely cause of packet loss).

      Of course this leads to the annoying scenario that protocols that don't play nice can take a disproportionate share of the total bandwidth.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    2. Re:Infrastructure note: UDP doesn't get dropped by tlhIngan · · Score: 1

      Back in the day UDP was considered unreliable because it could be dropped by the network at any time for any reason.

      It should be noted that UDP is apparently just as reliable as TCP at the network level, in that equipment in general does -not- drop UDP at all. Behaviorally speaking the network attempts to guarantee delivery of everything, which is interesting and possibly unnecessary.

      Wrong. UDP is considered unreliable because UDP does not guarantee delivery. If you get a UDP packet, the only thing you know is the checksum is correct. If you send packages A, B, C, D, you can get D, A, B in that order and UDP is perfectly happy.

      TCP is considered reliable because TCP provides guaranteed ordering and delivery. So if you send, A, B, C, and D, you will be guaranteed to get A, B, C and D in that order or a connection failure somewhere in the middle. You will not get A, B, D, or D, A, B, because TCP guarantees it.

      Both protocols run over IP, which only offers best-effort delivery. For UDP, if IP drops a packet, UDP doesn't care. For TCP, if IP drops a packet, TCP backs off and retransmits.

      With modern networks, IP packet delivery can be surprisingly reliable - packets are typically dropped either because the packet gets corrupted mid-flight (extremely rare these days), or router or other network gear memory gets full of packets waiting for transmission that there's nothing you can do but drop packets. This is extremely rare since most links are more than fast enough for their data flows. The only real time you start getting data packets drop is when a link gets close to full utilization. Like when some ISP routes all traffic through a single line card while all other links remain idle.

    3. Re:Infrastructure note: UDP doesn't get dropped by Anonymous Coward · · Score: 0

      Feature request: The ability to flag users as complete morons.

      The friend/foe thing serves its purpose fine, but I need something that puts a flair icon on the posts of people I flag as idiots. They don't merit the emotional investment to become foes; I'd just like to skip some ignorant babble.

      The post above is an excellent example of what would earn a moron flag.

  14. The internet may have been a bad idea by Anonymous Coward · · Score: 0

    We wanted freedom, openness, equality. What we got was freedom for psychopaths to openly brutalize everyone equally, without any kind of repercussions or negative feedback. The eternal september has given us an incompetent tyrant for a leader, enabled mass deception by even worse tyrants, fake revolutions in the Arab world, brutal warfare and refugee crisis, and I wouldn't be surprised if it's linked to school shootings since in the old days, news people understood that mass media coverage created copycat killers. O very.

  15. DDOS? by Snotnose · · Score: 1

    Some other site (cough fark cough) is claiming a DDOS attack. True dat?

    I feel one kind of pain for someone who buys old hardware/software and does their best. I have a whole nuther level of pain for anyone targeted by salivating short-cortexed idiots who for whatever twisted reason decide to target people doing their best (or sitting around in lounge chairs drinking Coronas, long as they aren't hurting anyone).

    1. Re:DDOS? by Anonymous Coward · · Score: 0

      It was all 15 /. readers hitting F5.

    2. Re:DDOS? by Anonymous Coward · · Score: 0

      And those RCA 12AH7GT vacuum tubes for their servers memory bank are getting hard to find.

  16. Costs of subscribing to Akamai Prolexic? by PastTense · · Score: 1

    So what kind of costs does Github have from Akamai Prolexic? Do they charge on a per problem basis or an annual subscription?

    Here is some info on the firm:
    https://en.wikipedia.org/wiki/...

  17. Re:Can someone explain how this can possibly happe by Arzaboa · · Score: 1

    >/dev/null

    --
    "And then there was one" - The Voice

  18. Re:Can someone explain how this can possibly happe by Anonymous Coward · · Score: 0

    Read TFA.
    "...so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply."
    Someone sends a magic packet, the server sends a bigger packet, multiply and/or daisy-chain it and you have large scale DDOS.

  19. Why does memcached not require authentication? by kriston · · Score: 1

    Forgive me for sounding naive, since I've also been told to deploy memcached in this fashion, knowing that this is insecure, while asking why is memcached deployed without requiring authentication BY DEFAULT?

    I feel naive because this is a so-simple-it's-obvious solution.

    What am I missing?

    --

    Kriston

    1. Re:Why does memcached not require authentication? by Anonymous Coward · · Score: 1

      Forgive me for sounding naive, since I've also been told to deploy memcached in this fashion, knowing that this is insecure, while asking why is memcached deployed without requiring authentication BY DEFAULT?

      It's the same reason that your home's bedroom door and frame isn't by default built to withstand failing after one good strong kick.
      Unlike the exterior doors that are, an internal door does not typically require defenses against attacks that won't be made on them.

      Most of us also would not be interested in paying the higher cost of using exterior doors everywhere inside our homes. I know for myself this is true, despite the fact some idiot out there is likely to use an internal door in place of their front door and once it is kicked open effortlessly said idiot will likely complain loudly about the results of his idiocy.

      Of course the above doesn't always apply, some people out there may very well want their bedroom door to withstand a battering ram, and for those there are options to do so that they can pay more for. And that's just fine.

      Likewise, you can add all the additional layers of protection to your memcached setup as you'd like, including enabling authentication, firewalling it off, and/or running it on a machine that isn't reachable from the Internet in the first place. You can certainly spend your time doing so, and it's just fine, none of us are going to make fun of you for it or anything.

    2. Re:Why does memcached not require authentication? by Anonymous Coward · · Score: 0

      It's bitztream the autism-hating, custom EpiPen-hating, Musk-hating, Qualcomm-hating, Firefox tabs-hating, Slashdot editors-hating Slashdot troll!

    3. Re:Why does memcached not require authentication? by EndlessNameless · · Score: 1

      It depends on where it's exposed.

      If memcached is running somewhere on your backend, that's fine. E.g., a user hits a web page, so your web frontend talks to database and application servers over your intranet to generate a page for that user. Those servers are perfectly fine with unauthenticated memcached on a private LAN. It's not ideal from a security standpoint, but it's enough to prevent this type of attack.

      Something is terribly wrong if memcached is responding directly to requests from internet clients. People can use it for reflected DDoS attacks or exfiltrate/contaminate your data. Anything exposed to the internet should have layered security---firewall, encryption, and authentication.

      If your memcache infrastructure must be shared with a third party, configure appropriate crypto between your servers and theirs. And set up firewall rules to ensure that your servers are only talking to theirs. Depending on how much of the circuit you control, you can secure outside communications with VPLS, VPN, or IPsec. Those are all widely supported and well-understood standards, and ignorance is no excuse for a system administrator.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
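
Added example (not part of the thread): an audit of memcached startup options for the exposure the comment above describes, using memcached's `-l` (listen address), `-U` (UDP port, 0 disables) and `-S` (SASL) options. Assumptions: a missing `-U` is treated as UDP enabled to stay conservative, the finding names are hypothetical, and the option lines are constructed samples.

```python
import ipaddress
import shlex

# RFC 1918 and unique-local ranges, listed explicitly so that anything
# outside them counts as publicly routable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_options(text):
    """Extract -l, -U and -S from a command line or conf-style option text."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(shlex.split(line, comments=True))  # '#' starts a comment
    opts = {"listen": [], "udp_port": None, "sasl": False}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[:2] in ("-l", "-U"):
            value = tok[2:]                      # attached form, e.g. -U0
            if not value and i + 1 < len(tokens):
                i += 1
                value = tokens[i]                # separated form, e.g. -U 0
            if tok[:2] == "-l":
                opts["listen"] += [a for a in value.split(",") if a]
            elif value.isdigit():
                opts["udp_port"] = int(value)
        elif tok == "-S":
            opts["sasl"] = True
        i += 1
    return opts


def scope(addr):
    """Classify one listen address as loopback, private, all-interfaces, public or unknown."""
    host = addr.split(":")[0] if addr.count(":") == 1 else addr  # drop ":port"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"                         # hostname: cannot judge offline
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit(text):
    """Return a list of findings (hypothetical names) for one option set."""
    opts = parse_options(text)
    listen = opts["listen"] or ["0.0.0.0"]       # no -l: binds every interface
    scopes = {scope(a) for a in listen}
    udp_on = opts["udp_port"] != 0               # None: assumed enabled
    findings = []
    if udp_on and scopes - {"loopback"}:
        findings.append("udp-reachable")         # usable as a reflector
    if not opts["sasl"]:
        if scopes & {"public", "all-interfaces", "unknown"}:
            findings.append("unauthenticated-nonlocal")
        elif "private" in scopes:
            findings.append("unauthenticated-lan")
    return findings


# Constructed option sets, not taken from any real host.
LOCAL_ONLY = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1  # loopback only\n-U 0\n"
DEFAULTS = "-m 64 -p 11211 -u memcache"
BACKEND_LAN = "-l 10.0.0.5 -U 0"
PUBLIC_SASL = "-l 203.0.113.10 -S -U0"

if __name__ == "__main__":
    for name in ("LOCAL_ONLY", "DEFAULTS", "BACKEND_LAN", "PUBLIC_SASL"):
        print(name, audit(globals()[name]))
```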
  20. web standards forgotten by web 2.0+ browsers by Anonymous Coward · · Score: 0

    OSX doesn't honor the charset headers in HTTP because it's a piece of fucking shite.

    Apple superiority is about having your head so far up their own ass that you can see sunlight.

  21. Piece-a-cake? by Xenna · · Score: 1

    "Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets."

    So, they probably just filtered all UDP packets with a source port of 11211. Looks like it was not only the biggest DDOS but also the easiest to defeat...
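
Added example (not part of the thread, and not Akamai's implementation): a classifier that applies the rule guessed at above, dropping UDP datagrams whose source port is 11211, to raw IPv4 packets. The packets are constructed samples using documentation address ranges; the example also shows that non-first IP fragments carry no UDP header, so a port rule alone cannot match them.

```python
import struct
from collections import Counter

MEMCACHED_PORT = 11211  # UDP source port named in the comment above
PROTO_UDP = 17


def _addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src, dst, sport, dport, payload, proto=PROTO_UDP, frag_offset=0):
    """Build a constructed IPv4 packet for the samples (checksums left at 0)."""
    l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if frag_offset:
        l4 = payload  # non-first fragments carry no UDP header
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0,
                         frag_offset & 0x1FFF, 64, proto, 0, _addr(src), _addr(dst))
    return header + l4


def classify(packet):
    """Return (verdict, detail) for one raw IPv4 packet.

    drop      -> UDP datagram whose source port is 11211
    fragment  -> non-first IP fragment: no ports to inspect
    malformed -> not parseable as IPv4 or truncated
    pass      -> everything else
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed", None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed", None
    if packet[9] != PROTO_UDP:
        return "pass", None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment", None
    if len(packet) < ihl + 8:
        return "malformed", None
    sport, _dport, _length, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if sport != MEMCACHED_PORT:
        return "pass", None
    payload = packet[ihl + 8:]
    detail = None
    if len(payload) >= 8:
        # memcached UDP frame header: request id, sequence number,
        # number of datagrams in the message, reserved
        req_id, seq, total, _ = struct.unpack("!HHHH", payload[:8])
        detail = {"request_id": req_id, "seq": seq, "total": total}
    return "drop", detail


def scrub(packets):
    """Classify every packet; return verdict counts and the bytes dropped."""
    counts, dropped_bytes = Counter(), 0
    for pkt in packets:
        verdict, _ = classify(pkt)
        counts[verdict] += 1
        if verdict == "drop":
            dropped_bytes += len(pkt)
    return dict(counts), dropped_bytes


# Constructed sample traffic, not captured data.
REFLECTED = struct.pack("!HHHH", 0x1234, 0, 3, 0) + b"VALUE k 0 1300\r\n" + b"x" * 1300
SAMPLES = [
    build_packet("198.51.100.20", "192.0.2.10", 11211, 40000, REFLECTED),
    build_packet("198.51.100.21", "192.0.2.10", 11211, 40001, REFLECTED),
    build_packet("203.0.113.53", "192.0.2.10", 53, 5353, b"\x00" * 40),   # other UDP
    build_packet("203.0.113.80", "192.0.2.10", 443, 50000, b"", proto=6),  # TCP
    build_packet("198.51.100.22", "192.0.2.10", 0, 0, b"y" * 64, frag_offset=185),
    b"\x45\x00",                                                          # truncated
]

if __name__ == "__main__":
    print(scrub(SAMPLES))
```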

  22. Re:Can someone explain how this can possibly happe by TheRaven64 · · Score: 1

    Memcached uses UDP, so you put the target's IP in the source IP field of the datagram and it responds (with a much larger packet). It's intended to be used on a local network (or even loopback), but it's often misconfigured. As you say, in an ideal world, ISPs shouldn't allow packages off their network with a source address that isn't from their network, but it's also not always trivial to identify the correct set of IPs to permit (traffic transiting your network has to be handled as well as traffic originating on your network, and if you've got a bunch of customers who all own their own /24s, plus a bunch of downstream networks that may or may not be routing over your network, depending on dynamic configuration, and may only be routing outbound traffic over your network and having a different path for the return then this gets complicated quickly).

    --
    I am TheRaven on Soylent News
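
Added example (not part of the thread): per-interface source address validation of the kind the comment above describes, showing both the spoofed packets it stops and the legitimate downstream traffic it wrongly drops when the permitted prefix list is incomplete. Interface names, prefixes and packets are constructed, with a ground-truth label on each packet so the outcome can be scored.

```python
import ipaddress


class IngressFilter:
    """Forward a packet only if its source address belongs on the arriving interface."""

    def __init__(self):
        self.allowed = {}  # interface name -> list of permitted source networks

    def permit(self, interface, *prefixes):
        nets = self.allowed.setdefault(interface, [])
        nets.extend(ipaddress.ip_network(p) for p in prefixes)

    def check(self, interface, src):
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.allowed.get(interface, []))


def evaluate(filt, packets):
    """Score a filter against labelled packets (interface, source, truth)."""
    score = {"forwarded_legit": 0, "forwarded_spoofed": 0,
             "dropped_legit": 0, "dropped_spoofed": 0}
    for interface, src, truth in packets:
        action = "forwarded" if filt.check(interface, src) else "dropped"
        score[action + "_" + truth] += 1
    return score


# Constructed traffic. cust-a is a single-homed customer; cust-b owns its own
# /24 and also carries a downstream network (192.0.2.128/25) some of the time.
PACKETS = [
    ("cust-a", "198.51.100.7", "legit"),
    ("cust-a", "192.0.2.10", "spoofed"),     # victim's address used as source
    ("cust-b", "203.0.113.50", "legit"),
    ("cust-b", "192.0.2.130", "legit"),      # downstream network transiting cust-b
    ("cust-b", "198.51.100.99", "spoofed"),
]


def no_filter():
    f = IngressFilter()
    f.permit("cust-a", "0.0.0.0/0")
    f.permit("cust-b", "0.0.0.0/0")
    return f


def naive_filter():
    # Only the prefixes each customer was directly assigned.
    f = IngressFilter()
    f.permit("cust-a", "198.51.100.0/24")
    f.permit("cust-b", "203.0.113.0/24")
    return f


def complete_filter():
    # Same, plus the downstream prefix that may route out through cust-b.
    f = naive_filter()
    f.permit("cust-b", "192.0.2.128/25")
    return f


if __name__ == "__main__":
    for build in (no_filter, naive_filter, complete_filter):
        print(build.__name__, evaluate(build(), PACKETS))
```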
  23. Re:Can someone explain how this can possibly happe by CSMoran · · Score: 1

    You can't possibly SHOUT at us CONFIDENTLY like you KNOW, and ask for an explanation simultaneously.

    --
    Every end has half a stick.
  24. Re:Can someone explain how this can possibly happe by green1 · · Score: 1

    Because for some completely unknown reason, IP spoofing is still a thing, and most routers still pass packets that claim to come from an IP that couldn't possibly be on the interface it connected from.

    I can't even fathom why this is still a thing (or even why it was a thing in the first place) but unfortunately it is, and there doesn't seem to be any way to get these things actually fixed.

    This is honestly one of the absolute biggest threats on the internet. Not because it enables this particular attack, but because it is the main thing that enables almost every attack. (It also happens to be one of the things that enables spam)

  25. Re:Can someone explain how this can possibly happe by green1 · · Score: 1

    The problem isn't that the server sent a response, it's that it sent a response to the wrong person. This was accomplished by spoofing an IP. If the spoofing couldn't happen, then the attacker would only be able to DOS themselves.

  26. Expect 6x Tomorrow by Anonymous Coward · · Score: 0

    > We modeled our capacity based on five times the biggest attack
    > that the internet has ever seen," Josh Shaul, vice president of web security at Akamai

    Uhhhh, guess we'll see a 6x attack on github tomorrow.