February 28th DDoS Incident Report

DDoS Protection Powered by  DDos-GuarD
On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack. We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users. To note, at no point was the confidentiality or integrity of your data at risk. We are sorry for the impact of this incident and would like to describe the event, the efforts we’ve taken to drive availability, and how we aim to improve response and mitigation moving forward.

Cloudflare described an amplification vector using memcached over UDP in their blog post this week, “Memcrashed – Major amplification attacks from UDP port 11211”. The attack works by abusing memcached instances that are inadvertently accessible on the public internet with UDP support enabled. Because UDP involves no handshake, an attacker can spoof the source IP address of a request so that memcached’s response is delivered to another address, such as ones used to serve GitHub.com, and that response is far larger than the request the attacker had to send. The vulnerability via misconfiguration described in the post is somewhat unique amongst that class of attacks because the amplification factor is up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the target.

Over the past year we have deployed additional transit to our facilities. We’ve more than doubled our transit capacity during that time, which has allowed us to withstand certain volumetric attacks without impact to users. We’re continuing to deploy additional transit capacity and develop robust peering relationships across a diverse set of exchanges. Even still, attacks like this sometimes require the help of partners with larger transit networks to provide blocking and filtering.

The incident
Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.

Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai. Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.

Next steps
Making GitHub’s edge infrastructure more resilient to current and future conditions of the internet and less dependent upon human involvement requires better automated intervention. We’re investigating the use of our monitoring infrastructure to automate enabling DDoS mitigation providers and will continue to measure our response times to incidents like this with a goal of reducing mean time to recovery (MTTR).

We’re going to continue to expand our edge network and strive to identify and mitigate new attack vectors before they affect your workflow on GitHub.com.

We know how much you rely on GitHub for your projects and businesses to succeed. We will continue to analyze this and other events that impact our availability, build better detection systems, and streamline response.

A Frightening New Kind Of DDoS Attack Is Breaking Records

Back in October of 2016, a denial-of-service attack against a service provider called Dyn crippled Americans’ Internet access on the east coast. Its servers were bombarded with a jaw-dropping amount of traffic. Some estimates believed the data rate of the attack peaked at around 1.2Tbps, which was unheard of at the time.

Last week hackers unleashed a new breed of DDoS attack. Security researchers tracked one that was nearly 50% more powerful than the one against Dyn.

At its peak, this next-gen DDoS attack was blasting a record-breaking 1.7 Tbps at its target. To put that into perspective, that’s roughly the same amount of bandwidth that flows through 1,700 gigabit high-speed Internet connections. With the average American’s high-speed link sitting at more like 18 or 19Mbps, that would translate to around 90,000 Americans using the full capabilities of their connection to flood the same website at the same time.

How did these new attacks become so powerful? Hackers have figured out how to exploit a bit of software called Memcached. It’s designed to speed up web page load times by caching big chunks of the data they need to access — which is often served up from remote database servers.

As ZDNet’s Liam Tung notes, servers that run Memcached should never be exposed to the Internet. In reality, however, there can be more than 100,000 left vulnerable at any given time.

Hackers use those exposed Memcached servers to amplify their attacks. A small amount of garbage data sent to the Memcached server results in a massive flood of data being directed at the hackers’ targets. It’s much more dangerous than, say, forcing an army of connected security cameras to bombard a website directly. Bouncing traffic off a Memcached server can amplify an attack by up to around 51,000 times.

The good guys are already on the case, fortunately. The Department of Homeland Security has been searching for ways to protect Americans against DDoS attacks and private companies like Alphabet and Akamai are doing everything they can, too.

Significant progress has already been made. GitHub recently faced a Memcached attack against its servers, which were only unavailable for around five minutes. Service was intermittent for another four before normal functionality was restored.

Not everyone is as prepared to deal with an attack as GitHub, however. The next victim of these DDoS attacks could see significant downtime — and financial losses — as a result of the hackers’ new firepower.

Cops Take Down World’s Biggest ‘DDoS-For-Hire’ Site They Claim Launched 6 Million Attacks

European law enforcement are today celebrating the dismantling of a website police claim sold Distributed Denial of Service (DDoS) attacks and helped launch up to 6 million of them for as many as 136,000 registered users. Four alleged administrators of the webstresser.org service were arrested on Tuesday in the U.K., Canada, Croatia and Serbia, whilst the site was shut down and its infrastructure seized in Germany and the U.S., Europol announced Wednesday.

DDoS attacks typically flood web servers with traffic to take them down. So-called stressers sell those attacks as a service, offering to take down customers’ selected targets for a small fee or providing direct access to a simple DDoS tool. According to investigators working on Operation Power Off, webstresser.org appeared to be the biggest of all such services.

DDoS hits emanating from webstresser.org targeted banks, government institutions, police forces, schools and the gaming industry, investigators said. And Americans made up the majority of both targets and customers on webstresser.org, according to Europol’s lead case coordinator, who asked to remain anonymous in speaking with Forbes exclusively ahead of today’s announcement. “It’s become one of the most important [DDoS stressers] on the market,” he said.

“It is significant,” added Gert Ras, head of the Netherlands National High Tech Crime Unit, speaking of the takedown. “It is a really big one.”

Boastful DDoSers

A Google cache of the webstresser.org site reveals a boastful set of admins, but they appeared to be advertising their DDoS stresser as a testing service to see how well websites could stand up to attacks rather than anything illegal. They claimed to provide “the strongest and most reliable server stress testing” and promised “24/7 customer support spread on over three different continents.” They sold in packages, ranging from $18.99 per month for the “bronze” membership to $49.99 for the “platinum” service.

The team members all went by pseudonyms, including Admin the CEO, backend developer m1rk, head of support Mixerioza and “support agent” Tyrone. They ran a Facebook page too, where they encouraged customer engagement, recently asking for help with YouTube marketing. Whoever managed the Facebook page also reported some problems with the site on April 9. “Deutscher Commercial Internet Exchange is currently experiencing outages so we remain offline until their network is fixed,” one message read. Investigators said they didn’t believe that downtime was related to the law enforcement action, however.

How the investigation went down

Led by the Dutch National High Tech Crime Unit and the UK National Crime Agency (NCA), and assisted by Europol, the investigation into webstresser.org started in October last year, according to the lead case coordinator at Europol.

That month, following a DDoS on an unnamed UK bank, a tip from the NCA landed at the Dutch agency, informing them the web infrastructure for webstresser.org was hosted in the Netherlands. Forbes reviewed domain registration information for the site and found it was registered in October 2015 by someone with a Hotmail email address and who claimed to be based in the small Netherlands village of Gulpen. Forbes emailed the user but had not received a response at the time of publication.

In November, the Dutch police were able to take “snapshots” of the site’s server, from which they recreated their own version of webstresser.org, according to Ras. That allowed them to determine how it worked and eventually led them to the identities of the alleged administrators, though Ras couldn’t say just how as the investigation continues. Even an attempt by the site’s owners to move infrastructure to Germany didn’t stymie the cops, Ras added, as American authorities took down the site today.

Investigators were also able to gather some remarkable statistics from the site, which made apparent the unprecedented scale of the DDoS market. Europol said the total time of persistent DDoS attacks launched via webstresser.org reached 15.5 years. The longest single attack reached around 10 hours, with the average around 20 minutes per target. And the admins made hundreds of thousands of dollars in the process, Ras added, as they accepted payments over PayPal and Bitcoin. Paying via Bitcoin got users a 15% discount too.

“The service was professional, the most professional I’ve seen,” said Europol’s investigator. He noted the controllers of the service were using techniques to “amplify” their attacks. One involved the Domain Name System (DNS), the telephone book of the internet that connects people looking up a web address like Google.com to the relevant server. The attack relies on the fact that the computers used to deal with such requests, open DNS resolvers, respond to a small question with a much larger response. With this so-called DNS amplification, an attacker sends a large number of small requests to such servers with the target’s address forged as the source, so the much larger replies are delivered to the target website. Webstresser.org offered attacks up to 350Gbps, a sizeable hit.

A warning

Not only were alleged administrators arrested (their names have not yet been released and so Forbes has not been able to contact their legal representation) but police across the world have also paid visits to users of webstresser.org, either arresting them or warning about their continued use of such DDoS products. The NCA said an arrest in the Netherlands and another in Hong Kong had taken place today. “The message here is that people who use these services will not stay anonymous,” Ras said. “We will bring them to court.”

Whilst webstresser.org was the biggest fish in the DDoS stresser pond to fall to date, others have been dismantled in recent months. In August, the vDOS service that launched more than two million DDoS attacks over four years was closed and the alleged owners arrested in Israel. Their lawyers said the vDOS operators were simply running a legitimate tool to help businesses test the cybersecurity of their website.

It would appear cops across the world aren’t buying such claims.

Over 15,000 Memcached DDoS Attacks Hit 7,100 Sites in Last 10 Days

The Memcached reflection technique that recently fuelled the two largest amplification DDoS attacks in history has also helped other cybercriminals launch nearly 15,000 attacks against 7,131 unique targets in the last ten days, a new report revealed.

Chinese Qihoo 360’s Netlab, whose global DDoS monitoring service ‘DDosMon’ initially spotted the Memcached-based DDoS attacks, has published a blog post detailing some new statistics about the victims and sources of these attacks.

The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and RockStar games, Avast, Kaspersky, PornHub, Epoch Times newspaper, and Pinterest.

Overall, the victims are mainly based in the United States, China, Hong Kong, South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.

According to Netlab researchers, the frequency of attacks since 24th February has increased dramatically, as listed below:

Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was less than 50 attacks.

Between 24th and 28th February, when Memcached as a new amplification attack vector had not been publicly disclosed and was known only to a small group of people, attacks rose to an average of 372 per day.
Soon after the first public report on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, an average of 1,628 DDoS attack events per day.

Netlab’s 360 0kee team initially discovered the Memcached vulnerability in June 2017 and disclosed it (presentation) at a conference in November 2017, but its researchers had hardly seen any Memcached DDoS attacks since then.

Expect More Record-Breaking DDoS Attacks

“This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed,” said Akamai, a cloud computing company that helped Github to survive the attack.

In a post on its engineering blog, Github said, “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Dubbed Memcrashed, the amplification DDoS attack works by sending a forged request to an exposed Memcached server on UDP port 11211, with the packet’s source IP address spoofed to match the victim’s, so the server’s reply is delivered to the victim rather than to the attacker.

A few bytes of the request sent to the vulnerable server trigger tens of thousands of times bigger response against the targeted IP address.
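The frame format behind the GitHub report’s description and the two paragraphs above, as an added example that is not code from GitHub, Cloudflare or The Hacker News: every memcached UDP datagram carries an 8-byte header (request ID, sequence number, total datagrams, reserved zero) in front of the text-protocol payload, so the classic probe is 8 bytes of header plus "stats\r\n", 15 bytes in total. The code below builds that probe, parses and reassembles multi-datagram replies, and computes the amplification factor for a constructed "stats" reply and for a "get" of a 750,000-byte item that an attacker would first have stored with "set". The 1400-byte per-datagram split, the sample stats lines and the item size are assumptions, not captured traffic; the network probe function is included only for testing hosts you are authorised to test.

```python
"""Memcached UDP frame handling and amplification estimate (added example, not from the page)."""
import math
import socket
import struct
from typing import Optional

MEMCACHED_UDP_PORT = 11211
# 8-byte header on every memcached UDP datagram, all fields big-endian:
# request id, sequence number of this datagram, total datagrams in the reply, reserved (0).
FRAME_HDR = struct.Struct("!HHHH")
MAX_DATAGRAM_BODY = 1400  # assumed per-datagram payload size for the simulated reflector


def build_frame(command: bytes, request_id: int = 0, seq: int = 0, total: int = 1) -> bytes:
    """Wrap a text-protocol command (or one chunk of a reply) in the UDP frame header."""
    return FRAME_HDR.pack(request_id, seq, total, 0) + command


def parse_frame(datagram: bytes):
    """Return (request_id, seq, total, body); reject anything that is not a memcached frame."""
    if len(datagram) < FRAME_HDR.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = FRAME_HDR.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("not a well-formed memcached UDP frame")
    return request_id, seq, total, datagram[FRAME_HDR.size:]


def reassemble(datagrams) -> bytes:
    """Reorder a multi-datagram reply by sequence number and concatenate the bodies."""
    frames = [parse_frame(d) for d in datagrams]
    request_id, total = frames[0][0], frames[0][2]
    if len(frames) != total or any(f[0] != request_id or f[2] != total for f in frames):
        raise ValueError("incomplete or mixed reply")
    return b"".join(body for _, _, _, body in sorted(frames, key=lambda f: f[1]))


def stats_probe(request_id: int = 0) -> bytes:
    """The 15-byte probe: 8-byte header followed by b'stats\\r\\n'."""
    return build_frame(b"stats\r\n", request_id)


def reply_datagrams(body: bytes, request_id: int = 0, chunk: int = MAX_DATAGRAM_BODY):
    """Simulate how a reflector splits one reply over several UDP datagrams."""
    total = max(1, math.ceil(len(body) / chunk))
    return [build_frame(body[i * chunk:(i + 1) * chunk], request_id, i, total) for i in range(total)]


def get_reply_body(key: bytes, value: bytes, flags: int = 0) -> bytes:
    """Text-protocol reply to 'get <key>' when <key> holds <value>."""
    return b"VALUE %s %d %d\r\n%s\r\nEND\r\n" % (key, flags, len(value), value)


def amplification_factor(request: bytes, datagrams) -> float:
    """Bytes on the wire toward the victim divided by the bytes the attacker had to send."""
    return sum(len(d) for d in datagrams) / len(request)


def is_memcached_reply(datagram: bytes) -> bool:
    """True if the first datagram of a reply looks like a memcached text-protocol answer."""
    try:
        _, seq, _, body = parse_frame(datagram)
    except ValueError:
        return False
    return seq == 0 and body.startswith((b"STAT ", b"VALUE ", b"END\r\n", b"ERROR", b"VERSION "))


def probe_udp(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send the stats probe to a host you are authorised to test; first reply datagram or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(stats_probe(), (host, MEMCACHED_UDP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return data if is_memcached_reply(data) else None


# Constructed sample traffic (not captured from a real server).
STATS_REPLY = b"STAT pid 4242\r\nSTAT uptime 86400\r\nSTAT version 1.4.25\r\nSTAT curr_items 1\r\nEND\r\n"
LARGE_VALUE = b"A" * 750_000  # attacker pre-loads a large item with 'set', then reflects 'get'


def demo():
    """(probe size, stats amplification, datagrams in the get reply, get amplification)."""
    probe = stats_probe()
    stats_factor = amplification_factor(probe, reply_datagrams(STATS_REPLY))
    get_request = build_frame(b"get k\r\n")
    get_reply = reply_datagrams(get_reply_body(b"k", LARGE_VALUE))
    assert reassemble(get_reply) == get_reply_body(b"k", LARGE_VALUE)
    return len(probe), round(stats_factor, 1), len(get_reply), round(amplification_factor(get_request, get_reply))
```

The "stats" probe only reflects a few hundred bytes per 15 sent; the factor in the tens of thousands comes from the attacker storing a large item first and then reflecting "get" for it, which is why the assumed 750,000-byte value lands close to the 51,000x figure quoted above. The same request-size versus reply-size arithmetic applies to the DNS amplification described in the webstresser article.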

Though amplification attacks are not new, this attack vector involves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could be exploited to launch potentially more massive attacks soon against other targets.

To prevent Memcached servers from being abused as reflectors, administrators should firewall UDP port 11211 from the Internet (or bind memcached to a private interface only) and disable UDP support entirely if it is not in use, by starting memcached with -U 0; memcached 1.5.6 and later ship with UDP disabled by default. Network operators downstream can block or rate-limit UDP traffic with source port 11211 to blunt reflected floods, and providers that implement source-address validation (BCP 38) stop the spoofed requests at their origin.
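The two checks that follow from that advice, as an added example that is not code from the page or from the memcached project: first, confirm whether a memcached instance still has its UDP listener on by reading the udpport value from a "stats settings" reply (0 means started with -U 0); second, spot reflected floods in flow exports by summing UDP bytes with source port 11211 per destination, which is the traffic the rate-limit targets. The flow records are constructed, the CSV layout and 60-second window are assumptions, and the iptables rules are illustrative strings for the two vantage points the paragraph names.

```python
"""Memcached exposure check and reflected-traffic detection (added example, not from the page)."""
from collections import defaultdict

MEMCACHED_PORT = 11211


def parse_stats(text: str) -> dict:
    """Parse 'STAT <name> <value>' lines from a memcached 'stats' or 'stats settings' reply."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            out[parts[1]] = parts[2]
    return out


def udp_listener_enabled(settings_reply: str) -> bool:
    """'stats settings' reports udpport; 0 means the UDP listener is off (memcached -U 0)."""
    settings = parse_stats(settings_reply)
    if "udpport" not in settings:
        raise ValueError("reply does not look like 'stats settings' output")
    return int(settings["udpport"]) != 0


# Constructed flow records (not a real capture), one per line, covering a 60-second export window:
# ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
1519838460,198.51.100.10,11211,203.0.113.5,443,udp,250000000
1519838461,198.51.100.11,11211,203.0.113.5,443,udp,250000000
1519838462,198.51.100.12,11211,203.0.113.5,80,udp,250000000
1519838463,198.51.100.20,53,203.0.113.5,443,udp,40000
1519838464,198.51.100.30,11211,203.0.113.9,443,tcp,900000
1519838465,198.51.100.31,11211,203.0.113.9,8080,udp,1200
"""


def reflected_bps(flows_csv: str, window_s: int = 60) -> dict:
    """Bits per second of UDP traffic with source port 11211, keyed by destination address."""
    total_bytes = defaultdict(int)
    for line in flows_csv.splitlines():
        if not line.strip():
            continue
        _ts, _src, sport, dst, _dport, proto, nbytes = line.split(",")
        if proto == "udp" and int(sport) == MEMCACHED_PORT:  # TCP and other UDP ports are not reflection
            total_bytes[dst] += int(nbytes)
    return {dst: b * 8 / window_s for dst, b in total_bytes.items()}


def flagged_targets(flows_csv: str, threshold_bps: float) -> list:
    """Destinations receiving memcached-sourced UDP at or above the threshold."""
    return sorted(dst for dst, bps in reflected_bps(flows_csv).items() if bps >= threshold_bps)


def mitigation_rules(role: str) -> list:
    """iptables rules for the two vantage points: the memcached host itself and the network edge."""
    if role == "memcached-host":
        # Attacker requests arrive with destination port 11211; drop them (or run memcached -U 0).
        return ["iptables -A INPUT -p udp --dport 11211 -j DROP"]
    if role == "edge":
        # Reflected replies carry source port 11211; let a trickle through, drop the rest.
        return [
            "iptables -A FORWARD -p udp --sport 11211 -m limit --limit 100/s --limit-burst 200 -j ACCEPT",
            "iptables -A FORWARD -p udp --sport 11211 -j DROP",
        ]
    raise ValueError("role must be 'memcached-host' or 'edge'")
```

Run the settings check over a TCP connection to the instance itself (echo "stats settings" | nc 127.0.0.1 11211), since an instance with UDP already off will not answer the UDP probe at all. The flow detector keys only on source port and protocol, so it also catches reflectors that are legitimately reachable but misused; tune the threshold to your normal baseline rather than to zero.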
