More info: http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameov...
Fortunately, the pattern of emails wasn't very sophisticated and I had made a rule to filter them out within a few minutes and had the account closed within 5 minutes, but I can see how this would be a pretty effective tactic against less computer literate targets.
DDoS'ing github because you trojaned a source tree calls attention to the fact that you did it. Only the dumbest of all hackers would do such a thing and that is almost certainly NOT what is happening here. When you trojan a source tree, it only becomes useful after your intended victim downloads and installs it, which can take months or even years.
If the project has mostly "commercial" developers then chances are they work on it during the week. DDOS GitHub during the week and let off for the weekend. That gives a few days worth for your trojan to be downloaded by the unsuspecting. People will also have tired of hearing about the "github news" so new news about trojaning will take a little longer to disperse.
If there is such commercial product, it would have been self-hosted. Not GitHub.
MongoDB and all the drivers https://github.com/mongodb
Mixpanel analytics libraries https://github.com/mixpanel
Yahoo YUI and various other JS related gunk https://github.com/yahoo
Shopify ecommerce libraries https://github.com/Shopify
Engine Yard tools & utils https://github.com/engineyard
So most dos attacks are
1. Put key logger on company x machines
2. Gather banking keys
3. Transfer money
4. Hit with dos and get key logger to do as much damage as poss
Only two weaknesses leap out:
1. Two factor authentication - I genuinely do not know at what level a bank stops requiring a separate token for each transaction but it seems silly to ever do that.
2. The money mule - I recently was amazed that directors in Hollywood sometimes accept a percentage of net. But allowing your bank account to be used by some guys on the Internet?
Really those two issues seem ... Well, with those blockers I would not invest in the internet crime startup. Weird they have bootstrapped quite well.
1) Send email to <large_site_here>, asking for a large ransom, preferably in Bitcoins.
2) If <large_site_here> does not pay, fire your packet cannons at them.
3) Rinse and repeat.
The internet is a messy place.
Sorry, did I say "scam"? I meant "digital equivalent of a sit-in".
I can't remember, but he asked for an insane amount of Bitcoins (800 I think, ~$8400) which wasn't even remotely close to our operating costs.
No way I would pay, our site was down 2 days but we moved to Heroku afterwards. No problems since, it probably scared him away.
YMMV with bigger botnets.
DDoS protection is expensive. Unless it is economically feasible for you to pay for the protection, most sites don't have it until they're a high target.
There are 2 kinds of DDoS attacks I know of (there are more but they're similar): bandwidth exhaustion and computer resource exhaustion.
Bandwidth exhaustion DDoS mitigation is difficult, because it requires you to have a fat inbound pipe to let all the bogus traffic through. Fat pipes are _expensive_, there are few hosting providers that allow you to have a dedicated line more than 1 Gbps.
Supposedly their Business plan ($200/month) protects against this, and their free plans protect much smaller amounts of traffic.
You can prevent against some common resource exhaustion attacks (SYN floods) by having a proper firewall setup.
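The "proper firewall setup" the comment mentions, as an added example that is not part of the thread: a baseline SYN-flood hardening script for a Linux host (SYN cookies on the kernel side, bogus-flag drops and a per-source hashlimit on the iptables side). The interface name and rate values are assumed placeholders; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with the hashlimit and
# conntrack matches and a kernel that supports SYN cookies. Interface and rate
# values below are constructed placeholders; tune them for the real service.
# Prints the commands by default; set APPLY=1 and run as root to execute them.

WAN_IF="${WAN_IF:-eth0}"          # assumed public-facing interface
SYN_RATE="${SYN_RATE:-50/second}" # new-connection rate allowed per source address
SYN_BURST="${SYN_BURST:-100}"     # burst tolerated before the limit kicks in

# Kernel side: SYN cookies let the stack answer SYNs without keeping state for
# every half-open connection, so spoofed SYNs cannot exhaust the backlog.
sysctl_lines() {
    cat <<'EOF'
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_synack_retries=2
EOF
}

# Firewall side: drop impossible TCP flag combinations, then rate-limit new
# SYNs per source so one flooding address cannot monopolise the accept queue.
iptables_rules() {
    cat <<EOF
iptables -N SYN_GUARD
iptables -A SYN_GUARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A SYN_GUARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A SYN_GUARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A SYN_GUARD -p tcp --syn -m hashlimit --hashlimit-name syn_per_src --hashlimit-mode srcip --hashlimit-above ${SYN_RATE} --hashlimit-burst ${SYN_BURST} -j DROP
iptables -A SYN_GUARD -j RETURN
iptables -I INPUT -i ${WAN_IF} -p tcp --syn -m conntrack --ctstate NEW -j SYN_GUARD
EOF
}

# Number of iptables commands in the generated set (quick self-check).
rule_count() {
    iptables_rules | grep -c '^iptables'
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        sysctl_lines | while IFS= read -r kv; do sysctl -w "$kv"; done
        iptables_rules | sh -e
    else
        echo "# sysctl settings"; sysctl_lines
        echo "# iptables rules"; iptables_rules
    fi
}

main
```

This only covers resource exhaustion of the TCP stack; it does nothing for a bandwidth-exhaustion flood, which has to be absorbed upstream as the comment above describes.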
CloudFlare has been known to let the attack traffic route to your server if it's big enough.
Computer resource exhaustion is more likely to work than bandwidth exhaustion on CloudFlare.
What's the logic behind this? After all, DDoSers probably aren't upstanding citizens.
Think of it as entering into a subscription arrangement.
Never underestimate the frightening power of a large number of evildoers hitting F5.
This was before they disabled port 80, so I expect this was resource exhaustion, the smart-https git service wasn't completely isolated from the DDOS target.
Pages is currently being hit with a DoS attack.
But on the other hand, GitHub is a popular site, and it attracts many users so people can spawn lots of PCs to create a mass attack. Why not? It's a popular site so they want to test how well their tools can keep up with GitHub. People would assume that as of today, 2012, operation engineers have learned enough to protect and recover from DDoS.
GitHub team did a very good job recovering. Not bad. But certainly the infrastructure is still not able to handle such DDoS. GitHub needs to invest more money on that to secure service.
Whatever the reason might be, it's not necessary to speculate. In some movies, we even had banks / investors hire others to crack their own banks or stores next to the bank to destroy critical evidence (financial loss). That's a scam. Maybe we should speculate if it was GitHub's own DDoS? God knows. Everyone will call me crazy if I believe in such a thing. No, I don't think it was GitHub, but let me remind everyone these strange things happened before in both fiction and real life. But the point I want to make is no one knows and it shouldn't matter.
Whoever attacks it is not important at all. GitHub will learn from this and make the service more reliable.