A new way to amplify distributed denial-of-service attacks ended up harassing GitHub on Wednesday. The ensuing DDoS attack generated a flood of internet traffic that peaked at 1.35 Terabits per second, making it the largest on record.
Fortunately, the software development site survived the disruption and was only down for a few minutes, GitHub said on Thursday. Akamai, a DDoS protection provider, managed to fend off the assault.
The bad news? The GitHub attack may be an omen of things to come. The IT infrastructure that powered Wednesday’s assault is apparently ripe for abuse. “It is highly likely that this record attack will not be the biggest for long,” Akamai warned in a blog post.
Previous attacks drew their power from the Mirai botnet, which had infected tens of thousands of vulnerable IoT devices to generate the internet traffic. However, Wednesday’s attack on GitHub was different. It didn’t rely on any botnet. The assault actually leveraged what’s known as a “memcache server,” which is usually hooked up to a data center.
As the name suggests, these servers are designed to cache data and speed up web applications and internet sites. However, that same technology can be used to amplify certain internet traffic by up to 51,000 times, according to Cloudflare, another DDoS protection provider.
This can be done when a memcache server spoofs the IP address of an actual website, like GitHub. The servers can then mistakenly send a flood of data to the victim website, overwhelming it with traffic and taking it offline.
It doesn’t help that many of the memcached servers are running on the open internet. Akamai has noticed over 50,000 vulnerable systems across the globe, making them potential assets hackers can use in DDoS attack schemes.
Last November, Chinese security researchers warned about the potential threat, which is now real. In the past week, both Cloudflare and Akamai have been noticing a wave of attacks powered by the memcached servers, but the GitHub assault appears to be the largest so far.
To stop the abuse, DDoS providers like Cloudflare are urging the owners of memcached servers to firewall them or disable part of their functionality.
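One way an operator could check their own servers against that advice, as an added example that is not from the article, Cloudflare or Akamai. It assumes a Debian-style `memcached.conf` with one option per line, reads memcached's `-l` (listen address) and `-U` (UDP port, where 0 turns UDP off) options, and uses function names and severity labels that are this example's own.

```python
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_options(conf_text):
    """Collect short options from memcached.conf-style text (one per line)."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)  # drops '# ...' comments
        if tokens and tokens[0].startswith("-"):
            opts[tokens[0]] = tokens[1] if len(tokens) > 1 else ""
    return opts

def audit(conf_text):
    """Return (severity, advice) for one memcached configuration."""
    opts = parse_options(conf_text)
    # With no -l option memcached listens on every interface.
    # Assumption: addresses are listed without a ':port' suffix.
    addrs = [a.strip() for a in opts.get("-l", "").split(",") if a.strip()]
    off_host = not addrs or any(a not in LOOPBACK for a in addrs)
    # "-U 0" turns the UDP listener off. With no -U the default depends on
    # the memcached version, so this example conservatively assumes UDP is on.
    udp_on = opts.get("-U", "11211") != "0"
    if udp_on and off_host:
        return ("high", "UDP reachable off-host: set -U 0 and firewall port 11211")
    if off_host:
        return ("medium", "TCP reachable off-host: bind with -l or firewall it")
    if udp_on:
        return ("low", "loopback only, but UDP still on: set -U 0")
    return ("ok", "UDP off and bound to loopback")

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "no-bind-no-udp-flag": "-m 64\n-p 11211\n-u memcache\n",
    "udp-off-public": "-p 11211\n-U 0\n-l 0.0.0.0\n",
    "bound-local": "-p 11211\n-l 127.0.0.1  # local only\n",
    "hardened": "-p 11211\n-U 0\n-l 127.0.0.1,::1\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(name, *audit(conf))
```

A "medium" or "high" result is the case the providers' firewall advice addresses; "low" and "high" are the cases where disabling the UDP listener applies.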