

Ask HN: Why can GitHub get DDoS'd, but Google can't? - shockzzz

To clarify, I'm not saying someone _should_ DDoS Google (or Facebook). I'm just curious about how Google (or Facebook) sets up their infrastructure to protect themselves, as opposed to Github.

Or maybe everyone's at risk! How come the anti-information people haven't targeted Google?
======
ethanbond
DDOS attacks are interesting because, as of now, it's basically the only
classification of cyberattack that there's no provably correct method to
prevent.

Say you get a letter every few weeks from a penpal from years back. You get a
few other pieces of mail each day as well, so you quickly sort through them to
see if your penpal wrote to you and if so, you pull that message out and throw
away the rest.

Imagine you get to your mailbox one day and there are thousands of letters in
it. The mail truck comes by for a second run and puts thousands more. Before
you've even gotten back to your front door, a third truck comes and does the
same.

It's no longer feasible for you to find out if your penpal wrote to you.
That's a DDOS.

However, the post office was clearly receiving and processing all of those
pieces of mail. They have the capability because they do it every day. Sure,
the attacker put some extra load on them, but it wasn't a 100,000% increase
like you sustained.

Your mailbox is Github, the post office is Google. Google's infrastructure is
set up in a way that there's a lot of it.

~~~
shockzzz
So in theory, Google could DDoS anyone who has a smaller post office?

Also, wouldn't a DNS provider or hosting service be able to "beef up" to
handle the traffic from a DDoS? Especially if it's a nice one, it seems like
something you'd expect from them.

~~~
ethanbond
Correct. Which is actually how this attack is happening. It's using Baidu's
servers, which are ostensibly very robust. If you were to hijack
Google/Amazon/Facebook/Netflix servers, you'd probably be able to DDOS nearly
anyone on the planet.

And yes, there are ways to essentially start throwing servers online and yes
companies do it. The problem is it becomes obscenely expensive — if you do
this and go bankrupt, again, the DDOS has succeeded. It's actually somewhat
problematic to do it automatically for exactly that reason. What if you
preferred to just take your service offline until you could investigate enough
to stop the attack instead of pay hundreds of thousands per day in server
costs?

This is why DDOSs are a bitch!

Edit: Also worth noting, it's probably for this reason that Github is still
accessible: throwing servers online and eating the cost.

~~~
shockzzz
There should be like, DDoS insurance.

~~~
shockzzz
Startup idea? No it's miiiiiiiinneeee

------
facorreia
For the same reason an ant can be squished by stomping on it and an elephant
can't: because they're bigger.

~~~
uneekname
To be fair, GitHub has been handling the attack VERY well.

~~~
shockzzz
Yes, they're kickin ass!

I wish there was a way to send that team a beer or something, they're heroes
at this point.

~~~
jeron
I was just using Github an hour ago and literally felt no difference in
accessibility. Insanely good job Github.

------
tbrownaw
The thing about a DDoS attack is that it's a significantly higher traffic
volume than the target normally sees.

So, a "sufficiently large" site might well _not even notice_ if you tried to
DDoS them.

I would assume Google and Facebook (and Twitter) to be examples of such
"sufficiently large" sites.

~~~
shockzzz
so it really is just handling traffic volume?

~~~
bikamonki
Technically yes. I am no expert but I understand the best approach is to
divert attack traffic to a sinkhole, i.e. handle attack traffic, not block it.

~~~
ethanbond
Except there's no provable way to distinguish between "attack traffic" and
normal traffic. You're also diverting your normal users anyhow, so the DDOS is
still working as intended.

~~~
Perdition
>Except there's no provable way to distinguish between "attack traffic" and
normal traffic.

Depends on the DDOS method used. Stuff like the NTP abuse of a few years ago
could be sinkholed without affecting any real users. HTTP DDOS has pretty low
impact per node so most attackers use some form of amplification attack with
other protocols.
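Why a reflection flood is the easy case: a real client always has a matching outbound query, so an unsolicited reply from a reflector port can be dropped without touching any user, while an HTTP request carries no such proof. Added example over constructed flow records (not from the thread, the IPs and byte counts are made up):

```python
# Constructed flow records (not from any real capture):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
OUR_IP = "203.0.113.10"
FLOWS = [
    (OUR_IP, 51002, "192.0.2.20", 123, "udp", 90),       # our own NTP query
    ("192.0.2.20", 123, OUR_IP, 51002, "udp", 440),      # the answer we asked for
    ("198.51.100.7", 123, OUR_IP, 51000, "udp", 440),    # NTP reply nobody requested
    ("198.51.100.8", 123, OUR_IP, 51001, "udp", 440),    # same, another reflector
    ("192.0.2.50", 40000, OUR_IP, 80, "tcp", 512),       # an ordinary HTTP client
]

# Services whose replies are much larger than their requests and therefore
# get abused as reflectors (NTP, DNS, SSDP, memcached).
REFLECTOR_PORTS = {123, 53, 1900, 11211}

def solicited(flows, our_ip):
    """Keys (remote_ip, remote_port, our_port) for UDP queries we actually sent."""
    return {(dst, dport, sport) for src, sport, dst, dport, proto, _ in flows
            if src == our_ip and proto == "udp" and dport in REFLECTOR_PORTS}

def classify(flow, sol):
    """'reflection' for an unsolicited reply from a reflector port,
    'solicited' for a reply matching one of our own queries, 'unknown'
    otherwise (an HTTP request gives no protocol-level proof either way)."""
    src, sport, dst, dport, proto, _ = flow
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return "solicited" if (src, sport, dport) in sol else "reflection"
    return "unknown"

def sinkhole_candidates(flows, our_ip):
    """Sources whose inbound traffic can be sinkholed with no real-user impact."""
    sol = solicited(flows, our_ip)
    return sorted({f[0] for f in flows
                   if f[2] == our_ip and classify(f, sol) == "reflection"})

if __name__ == "__main__":
    print("sinkhole:", sinkhole_candidates(FLOWS, OUR_IP))
```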

~~~
ethanbond
Oh there are totally heuristics you can use. For example, limiting traffic
from geolocations in which it shouldn't be showing high traffic usage (8
million hits per minute from China at 3am Beijing time?).

The key word is "provable."
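The geolocation heuristic from the comment above, written out as an added example (not code from anyone in the thread): each region's request rate is compared with a constructed baseline for its local time of day, and a flagged region gets a rate cap. The baselines and UTC offsets are made-up assumptions.

```python
from datetime import datetime, timedelta

# Constructed baselines (not real traffic data): typical requests per minute
# from each region, split into local day (07:00-22:00) and night.
BASELINE_RPM = {
    "US": {"day": 300_000, "night": 120_000},
    "DE": {"day": 60_000, "night": 15_000},
    "CN": {"day": 40_000, "night": 8_000},
}
# Simplified to one UTC offset per region (an assumption for the example).
UTC_OFFSET_H = {"US": -5, "DE": 1, "CN": 8}

def local_period(region, utc_iso):
    """'day' or 'night' in the region's local time for an ISO 8601 UTC timestamp."""
    local = datetime.fromisoformat(utc_iso) + timedelta(hours=UTC_OFFSET_H[region])
    return "day" if 7 <= local.hour < 22 else "night"

def expected_rpm(region, utc_iso):
    return BASELINE_RPM[region][local_period(region, utc_iso)]

def flagged_regions(observed_rpm, utc_iso, factor=10):
    """Regions running more than `factor` times their expected rate for the
    local time of day, mapped to the observed/expected ratio."""
    flagged = {}
    for region, rpm in observed_rpm.items():
        ratio = rpm / expected_rpm(region, utc_iso)
        if ratio > factor:
            flagged[region] = round(ratio, 1)
    return flagged

def rate_cap(region, utc_iso, headroom=2):
    """Per-region cap to enforce once flagged: `headroom` times the expected
    rate. Real users in that region above the cap are dropped too, which is
    why this is a heuristic and not a proof of which traffic is the attack."""
    return headroom * expected_rpm(region, utc_iso)

if __name__ == "__main__":
    now = "2015-03-27T19:00:00+00:00"   # 03:00 in Beijing, 14:00 in New York
    observed = {"US": 320_000, "DE": 50_000, "CN": 8_000_000}
    for region, ratio in flagged_regions(observed, now).items():
        print(f"{region}: {ratio}x expected, cap at {rate_cap(region, now)} rpm")
```

The same threshold says nothing about a flood that stays below `factor` times baseline in every region, which is the "not provable" part.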

------
DaveK23
I'm making up figures here, but the answer is going to be something along the
lines of: Because Google has somewhere between one and ten thousand times as
many servers as Github, distributed across somewhere between twenty and sixty
times as many distinct geographic locations.

------
krosaen
Having staff who research the topic, e.g.

[https://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=Flow-C...](https://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=Flow-Cookies%3A+Using+Bandwidth+Amplification+to+Defend+Against+DDoS+Flooding+Attacks+Casado+cao+Akella+Provos)

