Denial of Service Attacks

To GitHub and everyone: <i>please</i> use UTC timestamps when there are potential readers outside of your timezone. Since every technical person should know their current UTC difference, calculating the local time is easy.

You ever sit there and wonder who the person is on the other end of the attack? Someone sitting there, I guess with not much on that day, decides to command their army of infected bots to attack github.<p>Why github I wonder? Perhaps it provides a challenging target. Perhaps github is used as a testing ground for a more profitable future attack.<p>We often get technical writeups after a DDoS attack, however we very rarely get a writeup sumising the motive behind the attack. I can&#x27;t believe <i>every</i> attack is simply driven by &#x27;because they can&#x27;.

It just shows that we need some kind of distributed version control system.

Call me naive but I fail at imagining why would someone want to DOS Github.<p>I mean, if you&#x27;re into this, it&#x27;s certainly fun to launch DOS attacks against large &quot;evil&quot; things such as government services, large corps and Micro$oft becoz w1ndoz sux0rz, but... Github? Why?

If the attacks against Github are mostly proving grounds for fledgling DDoSaaS, I would assume write-ups like these only serve to elevate their status as a good proving ground.<p>Did this article contain anything particularly useful for anyone thinking about DDoS hardening? I didn&#x27;t find anything. I guess it&#x27;s not really supposed to be a technical article, just a smattering of buzzwords to let you know how hard they try.<p>The postmortem-half-apology has become quite an art form; as getting it right can actually draw a lot of positive publicity, and getting it wrong can be brutal. But I can definitely see how this post would feel like a pat on the back to whoever launched the attack.

I honestly feel bad for the engineers at GitHub for having to deal with stuff like this. GitHub is large, so they are a target, and the specifics of what they do means that caching is not a straightforward task. I imagine there are a lot more vectors of attack that have not been used yet and guarding against them is always going to be on a case-by-case basis. In the meantime, when GitHub is having downtime or even badtime it impacts its users pretty significantly. The private repo&#x27;s I work on are a source of income for GitHub, but if this gets common enough the people in charge might just move away from it to a smaller competitor that doesn&#x27;t have these problems just so that my time is not wasted on waiting on GitHub to come back up.

Kudos to the folks at Github for such summary of the attack! Clear, with a decent amount of info and honest.

I&#x27;m not sure why someone would attack GitHub. Extortion? But aren&#x27;t there more valuable targets? Showing off their botnet, perhaps? These attacks seem frequent.

GitHub has been targeted by the Chinese government hackers before, with a man-in-the-middle attack, and blocking GitHub with the Great Firewall. Maybe they are at it again?<p><a href="http://www.theregister.co.uk/2013/01/31/github_ssl_man_in_the_middle_attack/" rel="nofollow">http:&#x2F;&#x2F;www.theregister.co.uk&#x2F;2013&#x2F;01&#x2F;31&#x2F;github_ssl_man_in_th...</a><p><a href="https://en.greatfire.org/blog/2013/jan/github-blocked-china-how-it-happened-how-get-around-it-and-where-it-will-take-us" rel="nofollow">https:&#x2F;&#x2F;en.greatfire.org&#x2F;blog&#x2F;2013&#x2F;jan&#x2F;github-blocked-china-...</a>

I&#x27;d be interested to know who their &quot;DDoS mitigation service provider&quot; is.

What motive does the attacker have?<p>There are lots of articles on HN about DDoS attacks on various websites or online services. Most of the discussion is about the bandwidth used and the technical mechanics of the attack and defense.<p>This is interesting, but there&#x27;s little discussion of the economic motivation.<p>I assume the kind of infrastructure used to launch this attack is not free. I understand people or groups might be using this as a way to further various political agendas or simply for bragging rights. I also understand DDoS attacks might be an extortion tool.<p>In the former case, wouldn&#x27;t the attacker try to loudly and publicly claim responsibility? In the latter case, wouldn&#x27;t the defenders take pride in their &quot;we don&#x27;t negotiate with extortionists&quot; stance while they&#x27;re in disclosure mode?<p>Or maybe this is just some rich guy&#x27;s private hobby, and he does it for the amusement he gets out of reading about people&#x27;s reactions when they can&#x27;t figure out who&#x27;s responsible?<p>It seems like the set of rich guys who have the technical skills to do this kind of thing without getting caught would be kinda small. And if they hire people, the bigger their organization gets, the likelier they&#x27;ll hire a law enforcement plant -- or simply someone with a conscience -- and the game will be up.<p>Organized crime might be a possibility, but I assume those guys are interested in making money, not just committing crimes and wreaking havoc. So what&#x27;s the business model that motivates these attacks? If it&#x27;s extortion, why do the targets feel comfortable revealing the attack, but uncomfortable revealing they&#x27;re being squeezed for money?

&gt; In addition to managing the capacity of our own network, we&#x27;ve contracted with a leading DDoS mitigation service provider. A simple Hubot command can reroute our traffic to their network which can handle terabits per second. They&#x27;re able to absorb the attack, filter out the malicious traffic, and forward the legitimate traffic on to us for normal processing.<p>That&#x27;s kind of awesome

It is too bad ICMP Source Quench couldn&#x27;t have been repurposed to help deal with these kinds of attacks. It would be extremely nice to be able to simply send a packet to each host involved in an attack and have them (and optimally routers in between) slow their rate to the target host.

The smaller a service is the easier it is to mitigate such attacks. All kinds of tools that smaller services can use (whitelists, software based filters such as iptables, location based filters and so on) are not available once you cross a certain level of scale. So any simplistic solutions that you might think of for a smaller service will likely simply not be applicable.

Wondering if, for a service like github, it would be possible to setup a whitelist of allowable ip addresses.<p>If an attack was launched only that whitelist would be allowed until the attack was mitigated.<p>So while certain legitimate traffic would be blocked for sure, people who connect through fixed ip addresses that were whitelisted would get through and be able to do what they needed to do.<p>Thoughts?

Is there any way to mitigate DDOS attacks systematically without sacrificing network neutrality?

I&#x27;m quite surprised this happened to github...Sometimes I&#x27;m trying to look at some repos, but I apparently click too fast and have to wait before I can do other things. I thought they had ddos attacks under control.

I find it odd that github can even be subjected to DOS attacks, but it seems its only HTTP traffic. I also wonder why or if it is even possible to DOS the raw tcp layer of the git protocol.

&quot;A simple Hubot command can reroute our traffic to their network which can handle terabits per second.&quot;<p>Really? You have to round-trip through Campfire to control your network?

WTF is wrong with people attacking github and meetup.<p>DDoSing a government site I can understand, sure. (Aaaand now I&#x27;m on a list.)

tl;dr We&#x27;re bad at detecting and handling layer 7 attacks. We&#x27;re better now.<p>Dear github dudes, netflow is your friend.

Am I the only person that gets slightly annoyed whenever I read &quot;an order of magnitude&quot; and the article doesn&#x27;t mention whether it&#x27;s binary or decimal. What do you people think they&#x27;re talking about, I&#x27;m guessing decimal order of magnitude?