DDoS attack on GitHub could have been a demonstration of capability

In this Q&A, Matt Watkins and Nick LeMesurier explain the possible motives and methodologies behind the latest DDoS attack on GitHub.

This week GitHub, the popular code-sharing portal, came under a distributed denial-of-service (DDoS) attack, temporarily restricting access to its services.


This wasn’t the first time the website had been targeted this way, with a serious DDoS hitting them as recently as March. Speculation in the security community was rife back then, with many fingers pointed towards China.

So with this latest attempt to take GitHub down, many were starting to draw similar conclusions about attribution. But when it comes to motivations for DDoS attacks, things aren’t always as they seem, explain Matt Watkins and Nick Le Mesurier.

Why would GitHub be a target for a DDoS attack?

Nick: Purely speculative, but this could be a demonstration of capability. GitHub is a large platform that supports high volumes of traffic; attacks against it could be used to gauge how effective an attacker’s DDoS capability actually is.

Matt: Relating to Nick’s point: the Arbor Networks Worldwide Security Infrastructure Report 2014 found that in one of their surveys a target was more likely to be attacked by an attacker demonstrating capability than for extortion. Nihilism/vandalism, however, remained the highest motive, with no direct financial benefit.

How easy is it for an attacker to perform a DDoS attack of this nature?

Nick: The difficulty depends on the size of an attack. For example, online DDoS services that can be bought by anyone have been used in the past to take small ISPs offline.

Matt: This kind of attack is fairly easy to perform, in terms of sophistication. There are a huge number of resources online that allow an attacker to buy booter or stresser services which could be used to perform this kind of attack.

The issue is that these services are marketed as network stress testers and so do not take responsibility for how their services are used – i.e. for both legitimate and malicious purposes. Alternatively, with a strategic NTP amplification attack for example, the initial bandwidth requirements of a botnet are only minimal to have huge adverse effects on a target.

Ultimately, this would depend entirely on how much bandwidth Github has, and what mitigation they have in place.

Who might be responsible for the attack? Can the finger be pointed at China again?

Matt: It’s important to not just jump to conclusions. Last time Github saw a DDoS attack of a similar scale, it was attributed back to China and there was a clear motive behind it. This time however, things could be completely different.

If we look at the user base of Github, a large proportion consists of US-based IPs, any of whom could have a potential motive to perform an attack. Github is also ranked by Alexa as the 86th most visited website in the world. There’s therefore plenty of potential for this to be completely unrelated.

Can we speculate how the attack was carried out?

Matt: This kind of attack is likely to be some form of volumetric attack; however, with so many types of attacks existing it’s impossible to speculate. This could be one of the more common DNS/NTP amplification attacks, or possibly one of the new and upcoming amplification protocol attacks.
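The DNS/NTP amplification attacks mentioned here, and the point above that a small amount of attacker bandwidth translates into a large volume at the target, leave a recognisable footprint on the defender's side: unsolicited DNS/NTP replies arriving from many servers the victim never queried. The following is an added detection example, not code from MWR or the article; it assumes a hypothetical minimal flow record shape and runs over constructed sample flows, and the thresholds are assumptions to be tuned per network.

```python
"""Flag hosts receiving reflected DNS/NTP amplification traffic from flow
records. Sample data below is constructed; the Flow shape is hypothetical."""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

# Hypothetical minimal NetFlow-like record (real exports carry more fields).
Flow = NamedTuple("Flow", [("src", str), ("sport", int), ("dst", str),
                           ("dport", int), ("proto", str), ("octets", int)])

REFLECTION_PORTS = {53: "DNS", 123: "NTP"}   # the two services named above

def find_amplification_victims(flows: Iterable[Flow], min_reflectors: int = 3,
                               min_amp: float = 10.0) -> Dict[str, dict]:
    """Return {victim: stats}. A victim receives DNS/NTP replies from many
    distinct servers while having sent them little or nothing itself: the
    signature of spoofed-source reflection landing on the target."""
    inbound = defaultdict(lambda: defaultdict(int))   # dst -> (server, svc) -> bytes
    outbound = defaultdict(lambda: defaultdict(int))  # src -> (server, svc) -> bytes
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.sport in REFLECTION_PORTS:                 # reply coming *from* a server
            inbound[f.dst][(f.src, REFLECTION_PORTS[f.sport])] += f.octets
        elif f.dport in REFLECTION_PORTS:               # query going *to* a server
            outbound[f.src][(f.dst, REFLECTION_PORTS[f.dport])] += f.octets
    victims = {}
    for host, replies in inbound.items():
        in_bytes = sum(replies.values())
        out_bytes = sum(outbound[host].get(k, 0) for k in replies)
        amp = in_bytes / out_bytes if out_bytes else float("inf")  # observed ratio
        if len(replies) >= min_reflectors and amp >= min_amp:
            victims[host] = {"reflectors": len(replies),
                             "inbound_bytes": in_bytes, "amplification": amp}
    return victims

# Constructed sample: 203.0.113.10 is reflected at by three NTP servers and
# one DNS server; 203.0.113.20 is a normal client doing a DNS lookup.
SAMPLE_FLOWS = [
    Flow("192.0.2.1", 123, "203.0.113.10", 4321, "UDP", 4400),
    Flow("192.0.2.2", 123, "203.0.113.10", 4321, "UDP", 4400),
    Flow("192.0.2.3", 123, "203.0.113.10", 4321, "UDP", 4400),
    Flow("192.0.2.4", 53, "203.0.113.10", 4321, "UDP", 3000),
    Flow("203.0.113.10", 4321, "192.0.2.1", 123, "UDP", 8),
    Flow("203.0.113.20", 5353, "198.51.100.53", 53, "UDP", 60),
    Flow("198.51.100.53", 53, "203.0.113.20", 5353, "UDP", 300),
]

if __name__ == "__main__":
    print(find_amplification_victims(SAMPLE_FLOWS))
```

The ratio of unsolicited reply bytes to the victim's own request bytes is what makes the alert robust: a busy legitimate resolver client also talks to many servers, but it sent the queries that the replies answer.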

How do we defend against such attacks?

Matt: There are lots of different techniques, but essentially with volumetric attacks it’s all down to bandwidth. The problem is it only takes a single point of failure to result in a Denial of Service situation occurring. Many specialist providers offer cloud based mitigation services whereby traffic can be redirected to specialist scrubbing centres which are specifically designed to deal with these attacks.

The important thing is to not rely on traditional network defences such as firewalls or IPS/IDS as these systems can easily be overwhelmed.

Nick: Defending against DDoS attacks requires a combination of actions:

  • Use third party providers that specialise in DDoS prevention
  • Ensure your infrastructure has high bandwidth inbound links
  • Use a multi-layered architecture of DDoS prevention hardware devices to manage inbound traffic
  • Have a plan in place of how to respond to an attack and what actions to take in the event services are disrupted
  • Have secondary systems in place in the event primary services are taken offline

What can organisations do to mitigate the effects of a DDoS attack?

Matt: Having a plan in place to deal with attacks is very important. The last thing a company wants to be doing is running around endlessly during a DDoS attack trying to work out both what is happening and what actions to take.

Many DDoS mitigation providers offer specialist response services that can quickly perform traffic redirection, but ensuring procedures are in place is key.
