Some distributed denial-of-service (DDoS) attacks are longer than others. Case in point is the ongoing attack against GitHub, which is now entering its fifth day. GitHub’s status page first reported that it was being impacted by a DDoS attack on March 26, and it is still ongoing as of March 30.
GitHub has emerged in recent years as the world’s most popular code development and hosting site. Its popularity in part is responsible for the recent announcement from Google that it is closing its Google Code site.
GitHub’s status page provides a full play-by-play of the ongoing attack as it evolves and persists. On March 27, the second day of the attack, GitHub reported that the DDoS attack was amplifying and warned users that there could be some intermittent connectivity issues. The same day, GitHub reported that it was deploying its volumetric attack defenses against what it called “an extremely large volume of traffic.”
On March 29, GitHub reported that while the attack was ongoing, its mitigation was working and the service remained stable; the same basic message was repeated by GitHub on March 30.
“All systems reporting at 100 percent,” GitHub’s status page reported. “Attack traffic continues, so we remain on high alert.”
The actual techniques used in the GitHub DDoS attack vary, according to GitHub Systems Engineer Jesse Newland. Newland blogged that the attack involved Web browsers of unsuspecting people who are flooding GitHub with traffic.
“Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content,” Newland said.
A report by Insight-Labs Security alleges that the attack is based in China and is making use of Chinese search engine Baidu.
Security experts contacted by eWEEK applauded GitHub’s actions in the face of the continued DDoS attack. Tom Patterson, vice president of Global Security Solutions at Unisys, commented that good planning makes for a good response, and plans, practice and people are the three keys in any incident response.
“While we’re not directly involved in this response, we’ve seen GitHub communicate early and often with its stakeholders, which is a key to recovery,” Patterson told eWEEK. “I suspect their planning and experience dealing with smaller DDoS attacks in the past have positioned them to better manage this more massive attack.”
Shawn Marck, chief security officer and co-founder of Black Lotus, said GitHub has put safeguards in place to ensure its pages load normally and visitors can view desired pages. GitHub should ensure future malicious traffic does not negatively impact its site or visitors by making sure its security measures accurately identify and service legitimate traffic, since blocking all high-volume impact can have the unfortunate side effect of bumping real users off the site, he added.
“Many enterprises make the mistake of relying on extra bandwidth or their Internet service providers [ISPs] to handle high volumes of traffic,” Marck told eWEEK. “With cyber-attackers blending different DDoS methods together, mitigating these attacks is outside ISP and cloud or hosting providers’ expertise, so enterprises need to ensure they use methods or partners that focus on availability security.”
Patterson offered similar advice, commenting that enterprises should have a well-thought-out, well-practiced and well-peopled incident response plan for attack. He added that using highly resilient distributed architectures can deal with many “normal” DDoS-level attacks, and additional software and threat intelligence can help make up the difference.
“Having an incident response plan with a pre-established hotline to your communications, cloud and content partners is key to rolling out a successful defense against these advanced attacks,” Patterson said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.