GitHub Hit By Major DDoS Attack

         

engine

1:00 pm on Mar 2, 2018 (gmt 0)


Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.

GitHub Hit By Major DDoS Attack [githubengineering.com]


1.35Tbps is a lot!

brotherhood of LAN

10:53 pm on Mar 2, 2018 (gmt 0)


This'll be due to the "out of the box" configuration of memcached not having any protection from the public web, or at least it hadn't last time I tried to use it.

An amplification factor of 51,000 - makes DNS amplification sound trivial.

I'd suppose WordPress (and cache plugin devs) being proactive about this could mitigate this, as surely a decent % of these vulnerable installations will be within a WP setup.

iamlost

3:34 am on Mar 3, 2018 (gmt 0)


Also of interest: Memcached-fueled 1.3 Tbps attacks [blogs.akamai.com] by Akamai SIRT Alerts, 01-March-2018.

Memcached can have both UDP and TCP listeners and requires no authentication. Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.

Akamai's Prolexic platform was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached.

Frankly I was astounded that memcached servers would ever be open to the internet. However, a Shodan search [shodan.io] for [ 11211 ] returns over 90,000 publicly accessible memcached servers most likely due to misconfigured firewalls.

Note: memcached has now (27-February-2018) pushed a commit to disable UDP port by default [github.com].
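
Added example, not part of the thread or of memcached itself: a small Python audit that reads a memcached option file and reports any UDP listener bound to a non-loopback address, which is the exposure the posts above describe. The function names, the `udp_on_by_default` parameter (set it to True for builds that predate the commit disabling UDP by default) and the sample config are assumptions constructed for illustration; the file layout assumed is one flag per line, as in Debian-style `/etc/memcached.conf`.

```python
import ipaddress

# Constructed sample in the Debian-style option-file layout (one flag per line).
SAMPLE_CONF = """\
-d
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

def parse_options(conf_text):
    """Return (udp_port or None, [listen addresses]) from memcached option lines."""
    udp_port, listen = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        flag, _, value = line.replace("=", " ", 1).partition(" ")
        value = value.strip()
        if flag in ("-U", "--udp-port"):
            udp_port = int(value)
        elif flag in ("-l", "--listen"):
            listen += [a.strip() for a in value.split(",") if a.strip()]
    return udp_port, listen

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or host:port form: count as exposed, review by hand

def audit(conf_text, udp_on_by_default):
    """Return [(udp_port, address)] for each non-loopback UDP listener."""
    udp_port, listen = parse_options(conf_text)
    if udp_port == 0 or (udp_port is None and not udp_on_by_default):
        return []  # UDP listener is off
    port = udp_port if udp_port is not None else "default"
    # With no -l option memcached binds every interface.
    addrs = listen or ["*"]
    return [(port, a) for a in addrs if not is_loopback(a)]

if __name__ == "__main__":
    for port, addr in audit(SAMPLE_CONF, udp_on_by_default=True):
        print(f"UDP ({port}) reachable on {addr}: set -U 0 or bind to loopback")
```

An empty result means the config leaves no UDP listener reachable from outside the host; a firewall rule on UDP 11211 is still worth keeping as a second layer.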