By Akshay Asija
Modern software development is impossible without collaboration. The variety of development tools, frameworks and languages in use means that most software projects have to be undertaken by teams of developers rather than by a couple of individuals. In this setting, GitHub has proven to be an immensely useful tool for tracking changes in large software projects and ensuring that all team members are aware of the latest developments. GitHub is built on Git, a version control system used for coordinating work on files shared by multiple editors and users. GitHub is primarily used for version control in software projects; millions of code repositories are stored in its databases. Programmers working together on such repositories clone them onto their own machines, commit changes to these clones and synchronise them to maintain consistency across all copies.
Software giants like Google, SAP, IBM and others rely on GitHub for conveniently maintaining the code of their open-source projects (i.e. projects that are freely available for access and modification by anyone) as well as their closed-source projects. GitHub’s importance has thus increased significantly over the ten years of its existence. As such, an attack on the company’s data stores would pose a severe threat to the integrity and confidentiality of the code it holds, and many websites, apps and other services that we use every day could be severely affected by such an attack.
DDoS attacks: What are they?
A Distributed Denial-of-Service (DDoS) attack is used by hackers to prevent users from accessing a particular machine or network resource, such as a website. Denial-of-Service (DoS) attacks are usually carried out by sending a flood of unnecessary requests to a target, which could be a machine on a network or a website hosted on such a machine. The number of incoming requests exceeds the number the system can handle, resulting in an overload. Consequently, genuine incoming requests and queries can no longer be attended to and fulfilled by the system, making the resource inaccessible to the users making them. A DDoS attack is a more effective version of a DoS attack. In a DDoS attack, the redundant requests to the target are made from multiple sources, which makes it nearly impossible to stop the attack by merely blocking incoming requests from a single source, as can be done in the case of a DoS attack. Distributed DoS attacks, owing to the distributed nature of the perpetrators, can be orchestrated by different entities spread around the globe. A real-world analogy for a Denial-of-Service attack is a crowd blocking the entrance of a bank, which prevents customers from entering the bank and transacting business. The implications of DDoS attacks can be adverse, depending on what kind of resource they target. For example, a denial-of-service attack on an e-commerce website is bound to disrupt business, leaving many transactions in an unfinished state, besides making fresh transactions impossible. Beyond monetary losses, businesses can suffer a reduction in customer goodwill and trust as a result of such attacks.
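The difference the paragraph describes, that blocking a single noisy source works against a DoS flood but not against a distributed one, can be shown with a small simulation. The code below is an added example and is not part of the original article; the addresses, the per-source quota of 20 requests and the server capacity of 100 requests per window are all constructed values chosen to make the effect visible.

```python
from collections import Counter

LEGIT = "203.0.113.5"   # constructed: the one genuine client whose fate we track
QUOTA, CAPACITY = 20, 100  # constructed: per-source quota and server capacity per window


def simulate(requests, per_source_quota, server_capacity):
    """Process (window, src) requests in arrival order.

    Per-source quota: at most `per_source_quota` requests from one source per window
    are admitted. This models the "block the single noisy source" defence.
    Server capacity: of the admitted requests, at most `server_capacity` per window
    are actually served; the remainder are dropped because the server is overloaded.
    Returns a list of (src, outcome) with outcome in {"served", "rate_limited", "overloaded"}.
    """
    seen = Counter()   # (window, src) -> requests already admitted from that source
    load = Counter()   # window -> requests the server has accepted so far
    results = []
    for window, src in requests:
        if seen[(window, src)] >= per_source_quota:
            results.append((src, "rate_limited"))
            continue
        seen[(window, src)] += 1
        if load[window] >= server_capacity:
            results.append((src, "overloaded"))
            continue
        load[window] += 1
        results.append((src, "served"))
    return results


def outcome_for(results, src):
    """Outcomes recorded for one source, in arrival order."""
    return [o for s, o in results if s == src]


def single_source_flood():
    # constructed: 1000 requests from one attacker, then one genuine request, same window
    requests = [(0, "198.51.100.7")] * 1000 + [(0, LEGIT)]
    return simulate(requests, QUOTA, CAPACITY)


def distributed_flood():
    # constructed: 1000 requests, each from a different source, then the genuine request
    requests = [(0, f"10.{i // 256}.{i % 256}.1") for i in range(1000)] + [(0, LEGIT)]
    return simulate(requests, QUOTA, CAPACITY)


if __name__ == "__main__":
    for name, scenario in (("single-source DoS", single_source_flood),
                           ("distributed DoS", distributed_flood)):
        res = scenario()
        print(name, dict(Counter(o for _, o in res)),
              "genuine client:", outcome_for(res, LEGIT))
```

In the single-source run the quota admits only 20 of the attacker's 1000 requests, the server stays well under capacity and the genuine client is served. In the distributed run every source stays inside its quota, 1000 requests reach the server, and the genuine client is among the 901 that are dropped. Per-source limits are still worth having, but the distributed case needs upstream filtering or scrubbing of the kind described later in the article.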
The DDoS attack on GitHub
GitHub has, fortunately, not yet been attacked by malicious hackers seeking to steal or compromise the information stored in its repositories. However, on 28th February the company came under a DDoS attack that caused a GitHub outage everywhere for about ten minutes. While DDoS attacks are not uncommon today, the scale and intensity of the attack on GitHub had never been observed before. Incoming traffic hitting GitHub’s servers peaked at 1.35 terabits per second, which is massive compared to the DDoS attacks we are used to seeing. The only known DDoS attack that comes close took place in late 2016, when Dyn, an American internet company, was targeted by malicious requests at a rate of 1.2 terabits per second.
The hackers who targeted GitHub used a newly popular technique that abuses ‘Memcached servers’ and does not require a network of infected computers (a botnet) to execute the attack. As soon as the attack started, intermittent GitHub outages began around the world. GitHub’s backend systems analysed the attack through an automated process and contacted Prolexic Technologies, a subsidiary of Akamai Technologies that provides DDoS mitigation services to GitHub. All network requests directed at GitHub, and the responses generated by its systems, were then routed through Prolexic’s network infrastructure. In this way, Prolexic was able to analyse the request details and identify the malicious sources responsible for the attack. Packets from these sources were subsequently blocked, causing the attackers to stop the attack, and normal operations resumed soon after. Thanks to the efficiency of Prolexic’s scanners, the entire process of discovering and blocking the malicious packets took approximately eight minutes.
A Memcached DDoS attack
Prolexic employed many techniques to mitigate the attack on GitHub, including special filters against traffic suspected of originating from Memcached servers. Memcached servers cache website and application data in memory so that it can be returned quickly instead of being fetched again from the slower backend. Many of these servers are exposed to the internet without any protection and will answer queries from any internet user. Malicious hackers have learnt to use this to their advantage by sending individual small command packets to such Memcached servers, which reply with significantly larger data packets. A Memcached DDoS attack involves the attacker spoofing the victim’s IP address as the source of queries sent to many Memcached servers, so that the massive responses are all sent back to the victim and clog its servers. This type of DDoS attack is also called an amplification attack.
The motivation behind attacking GitHub
GitHub has been a victim of DDoS attacks before; Chinese state-sponsored hackers had taken the website down for six days in March 2015. While the reasons for both attacks on the service are not clear, it appears that the attackers only wanted to create mischief and prove what they were capable of.
As end-users of resources that can be targeted in DDoS attacks, we can do little to mitigate such attacks ourselves. However, when choosing among internet services, such as picking an instant messaging service, one should ensure that the service prioritises the security of its (and by extension, its users’) data over everything else. Organisations with any presence on the internet must ensure that safeguards against all kinds of attacks are in place.
Featured Image Source: Visual Hunt