GitHub has been hit with the largest-ever DDoS attack, and it was only down for a few minutes:
On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack.
[...] Cloudflare described an amplification vector using memcached over UDP in their blog post this week, "Memcrashed - Major amplification attacks from UDP port 11211". The attack works by abusing memcached instances that are inadvertently accessible on the public internet with UDP support enabled. Spoofing of IP addresses allows memcached's responses to be targeted against another address, like ones used to serve GitHub.com, and send more data toward the target than needs to be sent by the unspoofed source. The vulnerability via misconfiguration described in the post is somewhat unique amongst that class of attacks because the amplification factor is up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the target.
[...] Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.
Also at Wired and The Register.
(Score: 2, Interesting) by Anonymous Coward on Friday March 02 2018, @01:05PM (16 children)
I wonder if this has anything to do with the fact that Slashdot has been "in offline mode" for days, and from time to time unavailable. Someone mentioned SourceForge yesterday as well.
GitHub seems like an unusual target for a DDOS. Trying to imagine a motivation for the usual run of scum who do this sort of thing. Coming up blank.
(Score: 5, Interesting) by VLM on Friday March 02 2018, @01:19PM (5 children)
https://readwrite.com/2015/03/30/github-biggest-ddos-attack/ [readwrite.com]
There's been some crazy news about internet censorship out of China over the last week or so "China's Censors Ban Winnie the Pooh and the Letter 'N' After Xi's Power Grab" and so forth. Basically the current leader of China is setting up as dictator and theres modest unrest leading to, so far, modest censorship and DDOS type stuff from the Chinese government. And Trump's trade renegotiation is not cheering them up, unclear if thats related or not. Probably related, why wait so long to talk about infinitely exciting steel tariffs until the day after the new Chinese emperor coronates himself...
(Score: 1, Insightful) by Anonymous Coward on Friday March 02 2018, @01:22PM
Seems their Great Firewall actually isn't that Great if they have to resort to DRDoS to make a site unavailable to their citizens.
(Score: 2) by zocalo on Friday March 02 2018, @01:33PM
UNIX? They're not even circumcised! Savages!
(Score: 1, Interesting) by Anonymous Coward on Friday March 02 2018, @02:18PM (1 child)
Yeah... but unless such a DDOS can be maintained (it can't), it does the government of China very little good. Perhaps none at all.
Plus, GIT is a distributed system where the repos can be trivially cloned and in the case of such ware, no doubt have been. GitHub may be down, but the repositories that were seeded from there most certainly are not.
Yet people involved in DDOS attacks are generally really, really stupid, that's why they do such things, so perhaps you're right and someone in China's government thought (for very low levels of qualification as "thought") this would be meaningful.
(Score: 2) by VLM on Friday March 02 2018, @03:03PM
I can't help but notice here we are talking about Chinese military activity and this is basically the American propaganda response when the Chinese encircled the Chosin Reservoir in the (First, so far) Korean War. Its weird to mentally search and replace parts of your comment to read like a newsreel from 1950. Possibly you were doing this on purpose because it is kinda cool.
Chosin Reservoir was kinda the LOTR scene for the Chinese where Gandalf says "You shall not pass". Chinese human wave attacks meant the extremely rapid march north to the NK/China border ended with a march right back to the old NK/SK border (more or less) and just sit there and do attrition for a couple more years and then a couple decades of the DMZ thing. Obviously that's what the Chinese are hoping for their DDOS against github, eventually they'll do something big enough to knock github out and start progressing.
People get confused about github. Its not a cloudy filestore, all the money goes into social engineering to include codes of conduct for later censorship of the "wrong" opinions or enforcing diversity, which is supposedly good, although no one can explain why, via pretty explicit sexism and racism against white/asian males, which is supposedly good although no one can explain why hate is so doubleplus good if its against the correct victims. So, if you still think they're a filestore, then dumping firewall avoidance tools (proxies, I suppose) is a huge fail, but if you think the purpose of github is two minutes hate of fucking white males, then why not dump some code that isn't anti-asian enough anyway? So the Chinese have good reason to think they will win, its not really crazy from their position.
(Score: 2) by DeathMonkey on Friday March 02 2018, @07:10PM
Yeah, they banned Animal Farm too. [independent.co.uk]
I'm surprised we didn't cover it here.
(Actually, I'm gonna go submit it.)
(Score: 4, Insightful) by epitaxial on Friday March 02 2018, @02:03PM (6 children)
The people who run Slashdot don't have a clue what they are doing. They still can't figure out that unicode bug that only affects them. Show me another website right now with that same problem. According to an admin they are fixing a problem on the "backend" and it will take a few days.
(Score: -1, Troll) by Anonymous Coward on Friday March 02 2018, @02:49PM
The worst part is all the Slashdolts need do is look at GitHub to see how The Bigly Fucktard and his nigger buddies at ShitstainNews did to fix the Unicode problem.
(Score: 2) by VLM on Friday March 02 2018, @03:08PM (3 children)
There's still people left? After a zillion mergers and sales and downsizing I thought the whole site was one small shell script. ALL the old timers are long gone, correct?
I know from professional experience how "fun" it is to maintain something where the last original team member quit three years ago.
(Score: 5, Interesting) by zocalo on Friday March 02 2018, @03:49PM
UNIX? They're not even circumcised! Savages!
(Score: 1) by DECbot on Friday March 02 2018, @09:31PM (1 child)
I imagine it is done more in Linux fashion, where there is one small shell script linking to hundreds of small scripts, utilities, and perl-one-liners dynamically calling thousands of more small scripts, utilities, and perl-one-liners stored in a MySQL database that has not been updated since 2006 when the database crashed after achieving 2²⁴ − 1 comments.
cats~$ sudo chown -R us /home/base
(Score: 2) by VLM on Sunday March 04 2018, @04:24PM
I remember that although I remember it as being some autoincrementing primary key exceeded 32 bit integer. A somewhat common problem. Fixing it can be hard.
(Score: 1) by angelosphere on Friday March 02 2018, @10:33PM
/. is written in Perl ... why do you wonder that they have troubles to fix simple bugs is beyond me.
Well soylent news is Perl, too ... but they fixed stuff at a time where perl was still a trenending language :D
(Score: 2) by takyon on Friday March 02 2018, @04:44PM (2 children)
I can think of at least one Anonymous Coward that had the motive, if not the means.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0, Troll) by Anonymous Coward on Saturday March 03 2018, @01:09AM (1 child)
Stop talking about me, you little bitch. You're lucky I'm a nice guy.
(Score: 2) by takyon on Saturday March 03 2018, @01:11AM
yawn
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Offtopic) by VLM on Friday March 02 2018, @01:24PM (4 children)
How is it possible the site went down?
I was told if they just stop hiring asians, whites, and males, that rainbows will spurt from the sky and unicorns will fly around?
Its hard to imagine racism and sexism could have a cost in terms of operational quality and performance and results.
To quote a sexist racist piece of trash who happens to be one of github's vice presidents: "Some of the biggest barriers to progress are white women."
http://www.businessinsider.com/github-the-full-inside-story-2016-2 [businessinsider.com]
The sooner github goes out of business the better the tech world will be.
(Score: 0) by Anonymous Coward on Friday March 02 2018, @02:46PM (1 child)
please get trump to stop the IT outsourcing and I'll ride your rainbow.
(Score: 0) by Anonymous Coward on Friday March 02 2018, @03:02PM
Outsourcing makes American corporate profits great!
(Score: 0) by Anonymous Coward on Friday March 02 2018, @08:46PM
Your "oppression" might have more to do with your shitty personality and conspiracy-as-truth beliefs.
(Score: 2) by ants_in_pants on Saturday March 03 2018, @04:51AM
I don't get how this is at all relevant.
It's kind of like neo-nazi primates scream "DA JOOS" at everything.
-Love, ants_in_pants
(Score: 2) by BsAtHome on Friday March 02 2018, @01:55PM (22 children)
I still do not understand why the edges have such a hard time implementing reverse path filtering. That would make spoofing IP a lot harder to abuse. There is generally no good reason for a packet to leave your interface that has a reverse path other than your own local network(s). Most L2/3 switches have this functionality readily available and does not cost very much when performed at the edge.
(Score: 2) by c0lo on Friday March 02 2018, @02:17PM (19 children)
How would the internet route around damage if all devices implement reverse path filtering?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Interesting) by BsAtHome on Friday March 02 2018, @02:29PM (9 children)
You do not do RPF in the backbone because you have multiple routes for transit to consider. The (outer-) edge is entirely different and is not involved in generic routing transit traffic. Your tiny little server or home PC is not part of the transit-network and there is generally no need for it to send with a different source-address than its own.
(Score: 2) by c0lo on Friday March 02 2018, @02:40PM (8 children)
Who exactly are you speaking of?
The guys who left their memcached accessible? If true, how RPF would have helped?
The hackers running the reflection/amplification attack? They do know enough to disable it even if enabled.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by BsAtHome on Friday March 02 2018, @03:28PM (7 children)
The memcached servers accepted packets with a forged source-address and replied to that address. They only amplified the problem (and were badly configured to allow access in the first place). The originator (original and actual source) packets to the memcached servers should have been filtered at the *source-network* because they are *easily*detectable* forged packets.
This is no rocket science and has been best practice network 101 for a very long time. There are only /very/ rare occasions and server-setups where RPF can be problematic. Your standard "we host a website" junk-machine or your home-PC has no business sending out packets that have the wrong source-address. If your machine sends packets with foreign source-addresses, then it is most likely compromised in one or another way.
(Score: 2) by c0lo on Friday March 02 2018, @03:40PM (5 children)
Since at the origin there be haxors, possibly state-sponsored haxors, why would they filter out those packets they so carefully nurtured?
Is this some sort of a RFC 3514 joke?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by BsAtHome on Friday March 02 2018, @03:50PM (4 children)
The situation is so problematic not because of the state-sponsored attacks. Those state-sponsored attacks use *other* badly configured networks to cover their tracks!
So, lets get rid of those other badly configured networks first. Then we can _see_ where the original attack came from and point a finger at them!
(Score: 2) by vux984 on Friday March 02 2018, @06:13PM (3 children)
I think I follow your argument. I think you are right.
The final leg of the attack is packets arrive at vulnerable memcached, spoofed to appear to come from github. The vulnerable memcached then hits gitshub with a bunch of garbage.
If the packet with the spoofed origin came directly from china, there's probably nothing that can be done to stop it. (at least not with RPF) given China is going out of its way to allow the spoofed packets to exit their networks, and once they're out onto the backbone there's no easy way to know they didn't come from where they claim to have come from.
However, more often than not, the packet with spoofed github origin will not be coming from China, but rather from a compromised security camera at Jane Q Public's house in Montana or Jorge's Corner store in Mexico, etc. These are not hostile state actors, and the ISPs in these locations there can should be filtering packets originating at their customer endpoints to prevent them from participating in such amplification attacks. It doesn't solve the problem, but it would dramatically dilute the scale.
(Score: 1, Interesting) by Anonymous Coward on Saturday March 03 2018, @05:52AM
I asked a friend of my brother's who is a network admin at my ISP about that once at a family function. Our exchange went roughly as so:
Me: I was reading that an good way to help prevent web attacks is if ISPs filter packets with a source address that didn't originate in their network.
Him: I suppose it would but we don't have the resources to analyze every packet that goes across our network.
Me: But don't you already analyze every packet? I mean, you already do to filter all the incoming packets directed at certain ports (80, 443, 137-139, and some others), all outgoing packets based on what their destination is, and every packet in both directions for size in order to charge them against my data cap.
Him: Yeah, but this is different because... uh... common carrier? If we messed with traffic? ... and... uh... Say is that your mother? (walks away)
(Score: 2) by maxwell demon on Saturday March 03 2018, @02:03PM (1 child)
But wouldn't Jane's security camera send the packet through Jane's home router, whose NAT would replace the origin IP with the IP given to her by her ISP anyway?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by vux984 on Saturday March 03 2018, @07:50PM
The short answer to your question is yes. the NAT router would replace the spoofed source ip address with the nat's public ip.
But what happens when the router gets its response? It sounds like, in some cases the nat box will drop the packet because the sourceip isn't a network it routes for, but apparently quite a lot will actually attempt to deliver it to the original spoofed address (ie now send it out to the default gateway addressed to the the spoofed ip.)
At least if this is to be beleived:
https://security.stackexchange.com/questions/66231/what-happens-when-a-spoofed-source-ip-packet-is-dispatched-out-of-a-private-netw [stackexchange.com]
(Score: 2) by FatPhil on Saturday March 03 2018, @09:26AM
Yes, but *not* doing it is absolutely zero cost, unless you're the victim of one, in which case someone else is to blame. If you don't benefit from doing things the right way, then why would you bother?
It should be a default, to be honest. Every device that knows that it bridges between a small subnet (because it serves DHCP to them, for example, and has a routing table to match) and the wider internet should just do the obvious.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Insightful) by FatPhil on Friday March 02 2018, @02:30PM (8 children)
Reverse path filtering is about deciding whether a packet you've recieved is sporged.
They're unrelated concepts apart from the aspect that they happen on the internet.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by c0lo on Friday March 02 2018, @02:45PM (7 children)
You receive an IP packet which passed to 15 routers before reaching you, with the source IP (reply address) being sporged - how would you know it was sporged?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by VLM on Friday March 02 2018, @03:15PM (3 children)
As the g-g-great-grandpost specified, why don't the edges work properly, and the answer as always is its cheap and lazy.
If your cablemodem doesn't sniff DHCP traffic and try to dynamically insert firewall rules to only forward legit src addrs, then it can not have bugs related to that code nor can it be late to market due to dev and testing time nor will it get blamed for being in a DDOS attack because every other piece of edge gear is trash so its not any worse and its all the big bad hacker's fault anyway plus or minus some victim shaming.
So to circularize the argument and answer g-g-grand OPs post, the edge sux (doesn't block bad traffic) because the edge sux (its gotta be cheap and no one cares if it works "right" as long as the customers pay their bills).
(Score: 2) by c0lo on Friday March 02 2018, @03:25PM
Hang on! You or the OP imply that the haxors would be stopped by their cablemodem?
Especially the gov-sponsored chinese haxors?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Interesting) by BsAtHome on Friday March 02 2018, @03:40PM (1 child)
The cable-modem is normally not involved in RPF because of dynamic IPs. Therefore, the first convenient place to enable RPF is the router (often L2/3 switch) at the ISP side (the one the cable-modem connects to). There you simply filter the local network segment as valid source.
As a network provider you know where your IP segments are and it is a matter of standard procedure to do proper setup at the right place. Yes, there are a lot who don't care, but that does not mean that we cannot reduce the problem quite easily. This can additionally be solved by ingress/egress verification at the BGP border. Any egress out of the first AS hop is always determinate (which equals the ingress of the second AS).
(Score: 2) by VLM on Friday March 02 2018, @08:58PM
Yes thats the longer more professional answer. With a side dish that adding filtering creates a possible failure mode where you move an IP segment from here to there and forget to update the filtering leading to mysterious phone call complaints from end users.
IPv6 will fix everything when you can allocate such giant chunks of space you'll never wiggle /25 from here to there to make things fit.
(Score: 2) by FatPhil on Friday March 02 2018, @03:37PM
If you're an edge router, that's a very easy question to answer, and if the answer's "no", you don't let it out.
If you're backbone, it's also very easy to answer, the answer's very unlikely to be "no".
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by bob_super on Friday March 02 2018, @05:56PM
You could imagine a protocol where the first packets you receive from a brand-new return IP range get challenged before being forwarded. If the sender pretending to be at that address doesn't respond to a challenge, you discard. The challenge has to be a small packet, on the edge of the network (a tiny ping), to avoid adding congestion.
That wouldn't stop state-sponsored attacks, but script kiddies playing with Memcached would be limited to bugging their neighbors.
(Score: 2) by sjames on Friday March 02 2018, @06:52PM
The idea is for the ISP that owns the edge routers to do the egress filtering. And if they don't, de-peer them.
The closer you get to the core, the harder it is to get right. Right in the core, the list of plausible addresses is nearly the entire address space, so it's not feasible there.
(Score: 3, Interesting) by zocalo on Friday March 02 2018, @03:11PM (1 child)
UNIX? They're not even circumcised! Savages!
(Score: 3, Insightful) by VLM on Friday March 02 2018, @03:20PM
I worked in that cutthroat line of business a long time ago and if you do the right thing, that'll cost time and money, and you'll get replaced in the market by people who save time and money by not bothering.
(Score: 2) by canopic jug on Friday March 02 2018, @02:17PM
Some how I missed this one from takyon and wrote about it too: https://soylentnews.org/submit.pl?op=viewsub&subid=25136 [soylentnews.org]
I checked and the URL is also there in takyon's post so it would be a good idea to delete mine from the queue. Sorry. I do check the queue but just plain missed the pre-existing post this time.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Friday March 02 2018, @02:38PM
So I shouldn't put my git commits in a while loop then...
(Score: 0) by Anonymous Coward on Friday March 02 2018, @04:24PM
s/t
(Score: 2, Funny) by Anonymous Coward on Friday March 02 2018, @05:03PM
If only there was some sort of distributed revision control system we could use. A centralized service seems somewhat vulnerable to DDoS attacks.
(Score: 1) by nitehawk214 on Friday March 02 2018, @06:01PM
I wonder if they moved onto easier targets. Atlassian's bitbucket has been mostly unreachable all morning.
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh