February 28th DDoS Incident Report

369 points by jnewland, about 7 years ago

13 comments

corndoge, about 7 years ago
Very cool that they are able to change BGP advertisements from ChatOps, achieve convergence and mitigate the attack in all of 4 minutes, that is some insane engineering.
bhauer, about 7 years ago
Am I old-fashioned to raise an eyebrow when I discover that Memcached servers are running visible to the public Internet? This strikes me as approximately as bizarre as having a database server that accepts connections from the public Internet.

In my day, such back-end services were either simply not connected to the Internet (connected via a private network to the application services), firewalled, or at the very least, configured to listen for and respond exclusively to connections from known front-end or application services.

Is this sort of deployment architecture falling out of favor? My casual observation is that cloud architectures—at least the ones I've seen employed by small organizations—are more comfortable than I am with services running with public IPs. What is going on? Am I misunderstanding this in some way?
r1ch, about 7 years ago
This is a great example of why it's important to pick secure defaults when writing software, especially software that is often deployed on high bandwidth servers or cloud instances. If no listening interfaces are specified then the default should be to exit with an error, not listen on everything!

I also wonder if you can store something in a memcached cache that looks like a valid request, then reflect that with the source IP of another memcached server and let them burn each other out...
dec0dedab0de, about 7 years ago
Is there any legitimate reason to spoof a source IP? I don't think there is, why don't ISPs block any traffic with a source IP that isn't in their network. And then the rest of us block any ISPs that don't do that.
always_good, about 7 years ago
DDoS is a reminder of how broken the internet is.

How many times are we going to see the HN comment that says "lol why do so many people use Cloudflare? I don't need it for my blog!"

Naive decentralization (naive trust) doesn't work.
hyperpower, about 7 years ago
Wow, 1.35Tbps? That's a lot for a DoS attack, right?
r4um, about 7 years ago
BGP Sim during the changes https://stat.ripe.net/widget/bgplay#w.ignoreReannouncements=false&w.resource=AS36459&w.starttime=1519838365&w.endtime=1519839625&w.rrcs=0%2C13%2C16&w.instant=null&w.type=bgp
paulgrimes1, about 7 years ago
Side observation: kudos to Sam Kottler for level-headed acknowledgement of the business impact of an incident like this to Github’s clientele, and appearing to own it. Well done, sir
koolba, about 7 years ago
What’s the point of a DDoS on GitHub anyway? Extortion or pure malice? I don’t see them paying a ransom to stop it so why bother?
_RPM, about 7 years ago
Here is the commit to disable UDP by default https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 The default should also be changed to only listen on the loopback device.
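
The two settings raised in the comments above (listen address and the UDP default), as an added example that is not part of any comment or of memcached's own code: it audits a memcached command line using the `-l`/`--listen` and `-U`/`--udp-port` options. The sample command lines are constructed, and `udp_on_by_default` is an assumed switch for whether the build predates the linked commit.

```python
import ipaddress
import shlex

def is_loopback(entry):
    """True if one -l entry (host or host:port) is localhost or a loopback IP."""
    host = entry.strip()
    if host.startswith("["):                 # bracketed IPv6, e.g. [::1]:11211
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # IPv4 address or name with a port
        host = host.split(":", 1)[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # any other hostname: treat as exposed
        return False

def option_values(args, short, long):
    """All values given as '-x V', '-xV' or '--long=V', in order."""
    values = []
    for i, arg in enumerate(args):
        if arg == short and i + 1 < len(args):
            values.append(args[i + 1])
        elif arg.startswith(long + "="):
            values.append(arg.split("=", 1)[1])
        elif arg.startswith(short) and len(arg) > 2 and not arg.startswith("--"):
            values.append(arg[2:])
    return values

def audit(cmdline, udp_on_by_default=True):
    """Return findings for a memcached command line (empty list = nothing flagged)."""
    args = shlex.split(cmdline)[1:]
    listen = [e for v in option_values(args, "-l", "--listen") for e in v.split(",")]
    udp = option_values(args, "-U", "--udp-port")
    findings = []
    if not listen:
        findings.append("no listen address given: binds every interface")
    elif not all(is_loopback(e) for e in listen):
        findings.append("listen list includes a non-loopback address")
    # -U 0 turns the UDP listener off; without -U the build default applies.
    if (udp[-1] != "0") if udp else udp_on_by_default:
        findings.append("UDP listener enabled")
    return findings

# Constructed sample command lines, not taken from the incident report.
if __name__ == "__main__":
    for line in ("memcached -m 64 -p 11211",
                 "memcached -l 127.0.0.1 -U 0",
                 "memcached --listen=0.0.0.0 --udp-port=0"):
        print(line, "->", audit(line) or "ok")
```
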
vannevar, about 7 years ago
These attacks are often described as denial of service attacks, but I wonder if many of them aren't employed as cover for an intrusion attempt. Is it possible that intrusive traffic could be mixed in with such an attack?
erikrothoff, about 7 years ago
What does an incident like this cost to Github in terms of the extra capacity added? I guess the potential loss of business is way higher, but still very curious about the magnitude.
yinyang_in, about 7 years ago
Awesome engineering work (y)