The biggest DDoS attack ever
Github just saw the biggest DDoS attack the internet has ever seen, while in the background new technical approaches spell trouble for the future...
It’s been a busy week in DDoS - not due to the hundreds of tiny attacks that make up today’s business internet, but due to two watershed moments.
The first official IPv6 denial-of-service attack has been spotted in the wild, a moment that security researchers knew was only a matter of time, but now the time has come. Meanwhile, the outright largest DDoS ever on IPV4 hit Github over the weekend, although impressively the popular code repository was prepared enough to withstand the attack.
Reaching an incredible 1.35Tbps of traffic through 126.9 million packets per second, the attack successfully took Github offline - unsurprisingly - but the tech team responded within minutes and mitigated the attack.
This particular type of attack requires no botnet - unlike the now-second placed Mirai botnet’s attack on Dyn, which topped out at 1.2Tbps, and involved an estimated 100,000 malicious endpoints. Github was attacked via an amplification attack using memcache, which abuses memcached instances that are inadvertently accessible on the public internet with UDP support enabled. By spoofing an IP, the attacker can direct the memcached responses against another address, with an additional amplification factor.
“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. Given the increase in inbound transit bandwidth to over 100 Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai. Routes reconverged in the next few minutes and access control lists mitigated the attack at their border”, said Sam Kottler Manager, Site Reliability Engineering, Github, in a blogpost.
Unfortunately for the internet as a whole, the other watershed attack - over IPV6 - is not so easily mitigated in the longer term. Although many existing DDoS attacks can be ported over from IPV4, there are several that are unique to IPV6, and the growing deployment levels of the latter mean that securing it will become increasingly important.
This first attack, reported by Neustar, wasn’t using a IPV6-unique technique, and wasn’t particularly huge - 1,900 IPv6 addresses were attacking a DNS server - but the future is likely to hold much more of these attacks, and many enterprises are not as prepared. Often enterprises deploy IPv4 and IPv6 networks in parallel, and in many cases businesses focus on securing IPv4. Indeed, a number of modern security appliances are not fully IPv6 compatible, creating the possibility of blind spots in otherwise well-secured networks.
"The risk is that if you don't have IPv6 as part of your threat model, you could get blindsided," Neustar's head of research and development Barrett Lyon told The Register.
Luckily around 28% of the internet has IPv6 enabled at present, but that traffic is only going one way, as is the rise in DDoS attacks overall, with a 7% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them being hosted on servers run by threat actors, according to Spamhaus Botnet Threat Report 2017.
As Ilia Kolochenko, CEO, High-Tech Bridge, has previously noted, the asymmetric nature of DDoS is an ongoing concern: “Quite often DDoS attacks are used by professional Black Hats to distract IT security teams and cover massive data breaches. The DDoS attack in general is quite simple to organize, but very difficult and expensive to mitigate.
“As more and more insecure devices are connected to the Internet, from smart watches to coffee machines, cybercriminals won’t miss their chance to turn them into zombies to reinforce their DDoS botnets. In the next couple of years, we may arrive at a situation when several hacking groups will be able to “censure” and temporarily shut down even such companies as Google.”
This certainly won’t be the biggest DDoS attack for long, and IPv6 exploits are just at their starting point too - it’s set to be an interesting trajectory over the coming years...