![](\"https:\/\/media.wired.com\/photos\/5a9825b9b2b92b689be91373\/master\/pass\/GettyImages-844027182.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Lily Hay Newman| Date: Thu, 01 Mar 2018 16:01:43 +0000<\/strong><\/p>\n On Wednesday, at <\/span>about 12:15 pm EST, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date\u2014and it used an increasingly popular DDoS method, no botnet required.<\/p>\n GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes<\/a> it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over<\/a> as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.<\/p>\n The scale of the attack has few parallels, but a massive DDoS that struck the internet infrastructure company Dyn<\/a> in late 2016 comes close. That barrage peaked at 1.2 terabits per second and caused connectivity issues across the US as Dyn fought to get the situation under control.<\/p>\n \u201cWe modeled our capacity based on fives times the biggest attack that the internet has ever seen,\u201d Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. \u201cSo I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It\u2019s one thing to have the confidence. It\u2019s another thing to see it actually play out how you\u2019d hope."<\/p>\n Akamai defended against the attack in a number of ways. In addition to Prolexic's general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers<\/a>. These database caching systems work to speed networks and websites, but they aren't meant to be exposed on the public internet; anyone can query them, and they'll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them and send them a special command packet that the server will respond to with a much larger reply.<\/p>\n Unlike the formal botnet attacks used in large DDoS efforts, like against Dyn and the French telecom OVH, memcached DDoS attacks don't require a malware-driven botnet. Attackers simply spoof the IP address of their victim and send small queries to multiple memcached servers\u2014about 10 per second per server\u2014that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim.<\/p>\n Known as an amplification attack, this type of DDoS has shown up<\/a> before. But as internet service and infrastructure providers have seen memcached DDoS attacks ramp up over the last week or so, they've moved swiftly to implement defenses to block traffic coming from memcached servers.<\/p>\n "Large DDoS attacks such as those made possible by abusing memcached are of concern to network operators," says Roland Dobbins, a principal engineer at the DDoS and network-security firm Arbor Networks who has been tracking<\/a> the memcached attack trend. "Their sheer volume can have a negative impact on the ability of networks to handle customer internet traffic."<\/p>\n The infrastructure community has also started attempting to address the underlying problem, by asking the owners of exposed memcached servers to take them off the internet, keeping them safely behind firewalls on internal networks. Groups like Prolexic that defend against active DDoS attacks have already added or are scrambling to add filters that immediately start blocking memcached traffic if they detect a suspicious amount of it. And if internet backbone companies can ascertain the attack command used in a memcached DDoS, they can get ahead of malicious traffic by blocking any memcached packets of that length.<\/p>\n "We are going to filter that actual command out so no one can even launch the attack," says Dale Drew, chief security strategist at the internet service provider CenturyLink. And companies need to work quickly to establish these defenses. "We\u2019ve seen about 300 individual scanners that are searching for memcached boxes, so there are at least 300 bad guys looking for exposed servers," Drew adds.<\/p>\n "It\u2019s one thing to have the confidence. It\u2019s another thing to see it actually play out how you\u2019d hope."<\/p>\n Josh Shaul, Akamai<\/p>\n Most of the memcached DDoS attacks CenturyLink has seen top out at about 40 to 50 gigabits per second, but the industry had been increasingly noticing bigger attacks up to 500 gbps and beyond. On Monday, Prolexic defended against a 200 gbps memcached DDoS attack launched against a target in Munich.<\/p>\n Wednesday's onslaught wasn't the first time a major DDoS attack targeted GitHub. The platform faced a six-day barrage in March 2015, possibly perpetrated by Chinese state-sponsored hackers. The attack was impressive for 2015, but DDoS techniques and platforms\u2014particularly Internet of Things\u2013powered botnets\u2014have evolved and grown increasingly powerful when they\u2019re at their peak. To attackers, though, the beauty of memcached DDoS attacks is there's no malware to distribute, and no botnet to maintain.<\/p>\n