Slashdot Mirror
GitHub Survived the Biggest DDoS Attack Ever Recorded (wired.com)
A 1.35 terabit-per-second DDoS attack hit GitHub all at once last Wednesday. "It was the most powerful distributed denial of service attack recorded to date -- and it used an increasingly popular DDoS method, no botnet required," reports Wired. From the report: GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off. "We modeled our capacity based on fives times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. "So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."
Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.
TFA doesn't give any detail around this. How does one generate that much traffic without the need of a botnet?
He's getting rather old, but he's a good mouse.
why would someone go through the trouble of attacking github? For giggles? Do they like closed source or mercurial that much?
The memcache servers ARE a ready made botnet.
Imagine if they had made a beowolf cluster of mem.... oh, wait.....
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
Such a shame there are nefarious people who do these DDOS. What a huge waste of time and resources by their target entities to defeat the attacks.
What problem?
Unicode support is just a troll. Nobody would use it for anything except trolling.
What's next? You kids want emojis on /.? Should we just go full 4chan and have images?
These kids of attacks are often used to mask another attack against the systems. I would want to be extra vigilant on the integrity of accounts and the projects if I were involved with this. Although, the fact that nerd rage is the best and worst kind of rage continues to hold, so it might just be a single retaliatory personality at large.
Was checking out another blog post on, really love this resource. Keep up the awesome work
(...) as a digital system assessed the situation (...)
Who knew those analog steam powered ddos protection engines would go of fashion this fast.
0x or or snor perron?!
for new and updated software, i never noticed any outage, i guess the admin that keep github percolating has got some good skillz, kudos to github admin...
Politics is Treachery, Religion is Brainwashing
Sounds like an OSX problem. Why can't they send the appropriate code? It's not like it's some strange and wonderful new character.
Please explain why it's not OSX's fault it's not able to speak ASCII?
We're hear to listen.
Never happened. True story.
Because macOS / OS X sends a proper apostrophe character, not a prime character. It's an informal standard that's evolved since the 70's that a Prime character is used as an ppostrophe, but the prime character (which is a vertical or near vertical tick) is not an apostrophe, not is it a single quotation mark (ask smart quotes, or unicode characters) - although from a typographical perspective, using a single quotation mark as an apostrophe is a lot closer (or even identical, depending on the font) than using a prime symbol.
https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...
https://en.wikipedia.org/wiki/...
I know Unicode only dates back as far as the late 80's or early 90's...
Specialist Mac support for creative pros, Melbourne
There are many websights that don't support ASCII...
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Oh, the old we're going to be pedantic wankers because we can.
Who gives a flying rats right ring if it is not "technically the correct character", that's the most pedantic stupid shit I've ever heard.
This would be valid if using "a prime character" was confusing in a typical context.
You know what? It's not. Never have I been reading something and had that: "What the fuck is a prime character doing in that word, I'm confused, I'm not sure I can read and understand this."
Never, happened. True story.
[Akamai] sent the data through its scrubbing centers to weed out and block malicious packets.
There was the challenge to handle the load, but identifying packets to drop was quite easy this time: they all came from same UDP port for memcached.
It is widely believe that Telugu character is an ageing past his prime actor name Nakarjuna.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
You can configure osx and ios to send regular ascii quotes and not "smart quotes".
(Sent from a mac)
Can't I? I've posted from iPads and Macs, never seem to have this problem. Maybe it's something that I changed early on, but I don't remember doing it on either platform. I don't use Safari, though.
Posted from an iMac running High Sierra.
The rest of the world will get along just fine without OSX apostrophes.
Time is what keeps everything from happening all at once.
What's wrong with using a regular unicode apostrophe?
https://www.fileformat.info/in...
What unicode char is OS X using? If it was using apostrophe, it would be perfectly fine.
Here it is again: '
What's wrong with using a regular unicode apostrophe?
https://www.fileformat.info/in...
What unicode char is OS X using? If it was using apostrophe, it would be perfectly fine.
Here it is again: '
That's a prime character you've used (and that I've used in this sentence too)
The apostrophe character is when you have text substitutions turned on, or something like that. It uses the key on the keyboard which has the single and double quotes on it. The curly apostrophe (smart quotes or typographical quotes) is Opt + ] for the opening single quote and Shift + Opt + ] for the closing single quote, or curly apostrophe: ’
“Here’s the curly apostrophe used in a sentence enclosed in typographical quotes and an ellipsis at the end”
Specialist Mac support for creative pros, Melbourne
Well, I’ll be fucked - that seems to work. I haven’t tested typographical quotes on /. for years as “everyone” knows that they don’t work. Quite clearly they do.
Specialist Mac support for creative pros, Melbourne
It happened for the same reason it happened in 2015:
https://www.theverge.com/2015/...
In short, activists inside and outside of China are using GitHub to write and share code for software to circumvent the government's "Great Firewall" in one way or another...they did not succeed in taking GitHub offline, so they decided to show their technical prowess and their sheer (if amplified) bandwidth abuse potential by conducting a second attack. They're still trying to take GitHub offline, badly, people need to be made more aware this is happening...the last time was only three years ago and it was a shocking attempt at China to try and impose censorship of the Internet, as they see fit, inside the firewall AND out. This isn't a conspiracy theory or conjecture, China are very definitely waging an online "war" of sorts and this is more or less a demonstration of their capabilities.
Dang I wish I could mod you up.
How am I going to post in Klingon w/o Unicode support?
Back in the day UDP was considered unreliable because it could be dropped by the network at any time for any reason.
It should be noted that UDP is apparently just as reliable as TCP at the network level, in that equipment in general does -not- drop UDP at all. Behaviorally speaking the network attempts to guarantee delivery of everything, which is interesting and possibly unnecessary.
It happened for the same reason it happened in 2015:
https://www.theverge.com/2015/...
In short, activists inside and outside of China are using GitHub to write and share code for software to circumvent the government's "Great Firewall" in one way or another...they did not succeed in taking GitHub offline, so they decided to show their technical prowess and their sheer (if amplified) bandwidth abuse potential by conducting a second attack. They're still trying to take GitHub offline, badly, people need to be made more aware this is happening...the last time was only three years ago and it was a shocking attempt at China to try and impose censorship of the Internet, as they see fit, inside the firewall AND out. This isn't a conspiracy theory or conjecture, China are very definitely waging an online "war" of sorts and this is more or less a demonstration of their capabilities.
This doesn't shock me in the least because 90% of brute force attempts on my tiny VPS that hosts my blog come from Chinese IP addresses. It's gotten so bad that I just block the whole country. I download the zone file from http://www.ipdeny.com/
No, that character I used is the unicode apostrophe character.
Unicode prime is 0x2032
I was going to paste in a unicode prime char alongside an apostrophe, but when I preview the post slashdot strips out the prime char.
What you've used in "Here’s" is the unicode right-single-quotation-mark char. https://www.fileformat.info/in...
Code x2019
I'm sorry but you're completely wrong.
Whatever - the fact is that typographical quotes do work on /. so how come some posts are rendered as per the parent post of this long and useless thread - “Now itâ(TM)s just causes”?
Specialist Mac support for creative pros, Melbourne
Because they're posted by people like that on purpose? aka: trolling
Whaddya have against âoesmart quotesâ?
They're stupid.
Some other site (cough fark cough) is claiming a DDOS attack. True dat?
I feel one kind of pain for someone who buys old hardware/software and does their best. I have a whole nuther level of pain for anyone targeted by salivating short-cortexed idiots who for whatever twisted reason decide to target people doing their best (or sitting around in lounge chairs drinking Coronas, long as they aren't hurting anyone).
This doesn't shock me in the least because 90% of brute force attempts on my tiny VPS that hosts my blog come from Chinese IP addresses.
That doesn't mean much. Back in the early 2000's ... someone I know used to have a botnet of tens of thousands of computers, 90% of which were in China. I'm not sure what the situation is these days, but back then Chinese boxes were by far the easiest to "hack", so they were a popular choice. Any scans or attacks being done by this individual would have appeared to be coming from his Chinese botnet, despite the fact that he himself resided in a western nation.
tl;dr the fact that you're seeing attacks from one specific country doesn't mean they're being carried out by citizens of that country.
Nope this is seriously the only site on the entire internet with the problem.
Only the State obtains its revenue by coercion. - Murray Rothbard
What's even funnier is how completely false it is. I love a good pedanticism, but this one falls on its face.
The term "prime symbol" or "prime character" only even dates to the 1960s or so. And typewriters already existed, and often had apostrophe and quotation symbols. Any other symbols are typographical or related to accounting. The idea that they would have a special key on a typewriter for writing distances, which is the work ' is doing when it is denoting "prime" (meaning only first, " being being second) but that they would omit an apostrophe, which is a basic symbol necessary for grammatically correct English, it is just completely absurd.
Once you're inside the distortion field, you can just invent your own history on a whim, no problem.
Even funnier, there is a standard convention in computers that when you need a prime symbol but the character set doesn't include it, you use a italicized apostrophe!
With a bat'leth.
Should be a daily thing.
--
Sometimes I look up, sometimes I look down.
"dumbass websites that don't just use plain ASCII characters."
Every other website except Slashdot.
"dumbass people who don't edit what they post and fix the characters that don't copy/paste properly."
So I copy and paste
âoetrade wars are good, and easy to winâ
or forget that Slashdot can't cope with this Android key £ and of course there's no preview on my phone because Slashdot is 'special'.
dumbass
So what kind of costs does Github have from Akamai Prolexic? Do they charge on a per problem basis or an annual subscription?
Here is some info on the firm:
https://en.wikipedia.org/wiki/...
>/dev/null
--
"And then there was one" - The Voice
Forgive me for sounding naive, since I've also been told to deploy memcached in this fashion, knowing that this is insecure, while asking why is memcached deployed without requiring authenticated BY DEFAULT?
I feel naive because this is a so-simple-it's-obvious solution.
What am I missing?
Kriston
My memory was that it was a Netscape problem, not a Slashdot problem. Netscape showed quotes weirdly for a while.
"First they came for the slanderers and i said nothing."
You are without honor.
The proper character for an apostrophe is the ASCII U+0027 APOSTROPHE, not U+02BC MODIFIER LETTER APOSTROPHE, U+0315 COMBINING COMMA ABOVE RIGHT, U+2019 RIGHT SINGLE QUOTATION MARK or whatever it is that Apple has redefined it to in OSX.
Prime is a Unicode character anyway (U+2032 which will not display on slashdot), the ASCII character 0x27 is officially called APOSTROPHE in Unicode, and the usual representation is as what is known as a TYPEWRITER APOSTROPHE. Unicode now recommends to use RIGHT SINGLE QUOTATION MARK as an apostrophe, but I gave up listening to their advice when they started adding emoji to Unicode after around a decade of refusing to add the widely used IEC Power Symbol (which they finally added in Unicode 9.0, emoji having been added in Unicode 6.0).
That's a prime character you've used
If you're going to be a pedant on the internet, best do your homework first.
The character that ASCII (and therefore Unicode) has called an Apostrophe is rarely, if ever, drawn correctly as an apostrophe in fonts.
When an apostrophe has been typeset correctly, it looks like the top image on the Wikipedia page:
https://en.wikipedia.org/wiki/...
With the invention of the typewriter, a "neutral" quotation mark form ( ' ) was created to economize on the keyboard, by using a single key to represent: the apostrophe, both opening and closing single quotation marks, single primes, and on some typewriters the exclamation point by overprinting with a period. This is known as the typewriter apostrophe or vertical apostrophe. The same convention was adopted for quotation marks.
Both simplifications carried over to computer keyboards and the ASCII character set. However, although these are widely used due to their ubiquity and convenience, they are deprecated in contexts where proper typography is important.
Specialist Mac support for creative pros, Melbourne
The apostrophe has been around a lot longer than computer and typewriter keyboards. The character called an apostrophe by ASCII is named that for (recent) historical reasons and it is not a typographically correct apostrophe. The Unicode consortium recommend using U+2019 - the Right Single Quotation Mark as an apostrophe however U+0027 is the character that exists on most keyboards.
From: http://www.unicode.org/version...
Apostrophes
U+0027 apostrophe is the most commonly used character for apostrophe. For historical reasons, U+0027 is a particularly overloaded character. In ASCII, it is used to represent a punctuation mark (such as right single quotation mark, left single quotation mark, apos- trophe punctuation, vertical line, or prime) or a modifier letter (such as apostrophe modi- fier or acute accent). Punctuation marks generally break words; modifier letters generally are considered part of a word.
When text is set, U+2019 right single quotation mark is preferred as apostrophe, but only U+0027 is present on most keyboards. Software commonly offers a facility for auto- matically converting the U+0027 apostrophe to a contextually selected curly quotation glyph. In these systems, a U+0027 in the data stream is always represented as a straight ver- tical line and can never represent a curly apostrophe or a right quotation mark.
Specialist Mac support for creative pros, Melbourne
out of principle
It's "on principle."
This is language dependent. As long as you fit into latin-1 you are OK. You can argue, that this is an English language site, but I, as a Hungarian writing English faced this issue sometimes when I tried to write names/places...
If you send an aposthrophe for a particular character set you better damn well conform to the right character set. The problem is with assuming that a field is UTF-8 when it clearly is unspecified. Yet I am quite able to make use of these characters in a non-broken browser.
' prime
' apostrophe
" plain quotes
“ ” proper left/right double quotes.
“Common sense is not so common.” — Voltaire
I'll bet you're a fan of imperial weights and measures too.
Because some OS X users are insisting that sending a "smart quotes" apostrophe in unicode is the "real apostrophe", yet sending ASCII character 0x39 or whatever is not the "real" one, it's everyone else who is wrong. I'm not sure why you are modded 0, you're fucking right, it's horse shit.
The thing that grammar and typography nazis always overlook is that the definition of what is correct with respect to English language usage is constantly evolving. I think typewriters and computers have been around for long enough by now that a non directional sans-serif apostrophe is considered by 99% of English language readers to be correct.
"Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets."
So, they probably just filtered all UDP packets with a source port of 11211. Looks like it was not only the biggest DDOS but also the easiest to defeat...
It does support ASCII, but Slashdot includes a meta tag indicating UTF-8 support. As a result, Safari submits web forms as UFT-8. Slashcode then interprets these as ASCII (actually, some random 8-bit code page) and gets confused by the multi-byte UTF-8 characters.
I am TheRaven on Soylent News
Memcached uses UDP, so you put the target's IP in the source IP field of the datagram and it responds (with a much larger packet). It's intended to be used on a local network (or even loopback), but it's often misconfigured. As you say, in an ideal world, ISPs shouldn't allow packages off their network with a source address that isn't from their network, but it's also not always trivial to identify the correct set of IPs to permit (traffic transiting your network has to be handled as well as traffic originating on your network, and if you've got a bunch of customers who all own their own /24s, plus a bunch of downstream networks that may or may not be routing over your network, depending on dynamic configuration, and may only be routing outbound traffic over your network and having a different path for the return then this gets complicated quickly).
I am TheRaven on Soylent News
You can't possibly SHOUT at us CONFIDENTLY like you KNOW, and ask for an explanation simultaneously.
Every end has half a stick.
Because for some completely unknown reason, IP spoofing is still a thing, and most routers still pass packets that claim to come from an IP that couldn't possibly be on the interface it connected from.
I can't even fathom why this is still a thing (or even why it was a thing in the first place) but unfortunately it is, and there doesn't seem to be any way to get these things actually fixed.
This is honestly one of the absolute biggest threats on the internet. Not because it enables this particular attack, but because it is the main thing that enables almost every attack. (It also happens to be one of the things that enables spam)
The problem isn't that the server sent a response, it's that it sent a response to the wrong person. This was accomplished by spoofing an IP. If the spoofing couldn't happen, then the attacker would only be able to DOS themselves.
So that is where those damn things are coming from!
I will always consider Unicode broken until all the other single and double quote characters are removed from the standard and replaced with the real quotes (0x27 / 0x22)
The vertical tick used as an apostrophe was a temporary measure put in place to simplify keyboards and to simplify the character set when every bit and byte was counted. Even the Unicode consortium recommend that a curly apostrophe be used for printed materials.
http://www.unicode.org/version...
Encoding Characters with Multiple Semantic Values. Some of the punctuation characters in the ASCII range (U+0020..U+007F) have multiple uses, either through ambiguity in the original standards or through accumulated reinterpretations of a limited code set. For example, 2716 is defined in ANSI X3.4 as apostrophe (closing single quotation mark; acute accent), and 2D16 is defined as hyphen-minus. In general, the Unicode Standard provides the same interpretation for the equivalent code points, without adding to or subtracting from their semantics. The Unicode Standard supplies unambiguous codes elsewhere for the most useful particular interpretations of these ASCII values; the corresponding unambigu- ous characters are cross-referenced in the character names list for this block.
Apostrophes
U+0027 apostrophe is the most commonly used character for apostrophe. For historical reasons, U+0027 is a particularly overloaded character. In ASCII, it is used to represent a punctuation mark (such as right single quotation mark, left single quotation mark, apostrophe punctuation, vertical line, or prime) or a modifier letter (such as apostrophe modifier or acute accent). Punctuation marks generally break words; modifier letters generally are considered part of a word.
When text is set, U+2019 right single quotation mark is preferred as apostrophe, but only U+0027 is present on most keyboards. Software commonly offers a facility for automatically converting the U+0027 apostrophe to a contextually selected curly quotation glyph. In these systems, a U+0027 in the data stream is always represented as a straight vertical line and can never represent a curly apostrophe or a right quotation mark.
Punctuation Apostrophe. U+2019 right single quotation mark is preferred where the character is to represent a punctuation mark, as for contractions: “We’ve been here before.” In this latter case, U+2019 is also referred to as a punctuation apostrophe.
As you said, language evolves and we've reached the stage where the systems we use have evolved beyond their original constraints that dictated a single character be used for apostrophe, single right quotation marks, prime and an acute accent and now we have the ability to use the correct character without resorting to overloading a single ASCII code point.
Most people, in the software they use on a daily basis, will end up using the correct unicode character without even knowing it as commonly used software will automatically and by default substitute curly quotes in place of straight quotes. Of course text editors used for programming where semantics are critical will not perform substitutions like this but they're not the most common use case - general purpose word processing is far more common.
Specialist Mac support for creative pros, Melbourne
Thanks for the details!
Makes sense.
Never happened. True story.