Security researchers' warning over Linux feature used in biggest ever DDoS attack on GitHub
GitHub targeted by 1.3 Tbps DDoS attack using Linux feature never intended to be exposed to the internet
The distributed denial of service (DDoS) attack targeting GitHub last week, which at its peak involved 1.3 terabits per second (Tbps) of traffic, has been attributed to the exploitation of a feature that was never intended to be exposed to the internet.
The eight-minute attack last Wednesday was more than twice the next-largest ever recorded DDoS attack. It took advantage of the Memcached feature of Linux in an attack described as "memcached amplification".
In these attacks, hackers inundate servers with small UDP-based packets that are crafted to look as though they were sent by the target of the attack.
Akamai helped GitHub fend off the attack. The company explained that Memcached techniques "can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response."
According to the company's security alerts team, this record will probably be beaten in the foreseeable future. It said: "Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long."
A day before the hack happened, the company noted a rise in the number of cyber criminals tapping into this DDoS technique.
The firm explained: "On February 27th, Akamai and other companies announced the discovery of a newly observed reflection and amplification vector, memcached.
"This service is meant to cache data and reduce the strain caused by memory-intensive services. Memcached can have both UDP and TCP listeners and requires no authentication.
"Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response."
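For operators checking their own servers, the sketch below audits a memcached options file for the two settings that make an instance usable as a reflector: a UDP listener and a listen address reachable from other hosts. It is an added example, not code from Akamai, GitHub or the memcached project; it assumes a one-option-per-line config file and memcached's `-U` (UDP port, 0 disables) and `-l` (listen address) options, and both sample configs are constructed.

```python
import ipaddress
import shlex

# Constructed sample configs (one option per line, as in a memcached.conf file).
EXPOSED = "-d\n-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1  # local only\n-U 0\n"

def parse_options(conf_text):
    """Map each option flag to its value ('' for flags that take none)."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens and tokens[0].startswith("-"):
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return opts

def is_loopback(addr):
    """True only for addresses that cannot be reached from another host."""
    host = addr.strip()
    if host.startswith("["):          # bracketed IPv6 with port, e.g. [::1]:11211
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:        # IPv4 with port, e.g. 127.0.0.1:11211
        host = host.split(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                # other hostname or wildcard: not proven local
        return False

def audit(conf_text):
    """Return (code, detail) findings for reflector-relevant settings."""
    opts, findings = parse_options(conf_text), []
    udp = opts.get("-U")
    if udp is None:
        findings.append(("udp-implicit", "no -U option; UDP depends on the build default"))
    elif udp != "0":
        findings.append(("udp-enabled", f"UDP listener on port {udp}; set -U 0"))
    listen = opts.get("-l")
    if listen is None:
        findings.append(("bind-all", "no -l option; listens on all interfaces"))
    else:
        for addr in listen.split(","):
            if not is_loopback(addr):
                findings.append(("bind-nonloopback", f"{addr.strip()} is reachable off-host"))
    return findings

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no findings")
```

A `bind-nonloopback` finding on a private address is not by itself internet exposure; it means a firewall rule, not the daemon, is what keeps the port unreachable.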
In the past, DDoS attacks have disrupted companies such as Twitter, PayPal and Spotify, but it is believed that GitHub sustained minimal damage in this particular incident.
On Thursday, GitHub confirmed that its systems had been compromised by an attack. A spokesperson for the firm said: "Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack.
"The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35 Tbps via 126.9 million packets per second."