Who is DDOSing GitHub and why?
86 points by pootch on Oct 20, 2012 | 66 comments

My guess would be a hack of some kind (e.g. compromising a popular project's code or downloads) and then using the DDOS as a smokescreen. This is something bad guys are increasingly doing with banking hacks - steal the money and then divert everyone's attention with a DDOS. That makes it a lot harder for the victims to find out what happened and distracts the financial institution.

More info: http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameov...

Interestingly, I had a kind of DOS attack on my email account when someone gained access to a credit card account of mine and used it to send money to themselves - I got inundated with hundreds of random emails per second when they were sending money to themselves, so as to make it hard for me to get the notifications and do something about it.

Fortunately, the pattern of emails wasn't very sophisticated and I had made a rule to filter them out within a few minutes and had the account closed within 5 minutes, but I can see how this would be a pretty effective tactic against less computer literate targets.

Um, no. The reason they DDoS financial institutions is so they have a chance to cash out the stolen goods immediately. Stolen financial data has an expiration date and the DDoS extends that just long enough for it to be useful.

DDoS'ing github because you trojaned a source tree calls attention to the fact that you did it. Only the dumbest of all hackers would do such a thing and that is almost certainly NOT what is happening here. When you trojan a source tree, it only becomes useful after your intended victim downloads and installs it, which can take months or even years.

If you DDOS GitHub as a whole, how does that call attention to the one project a bad guy has trojaned?

If the project has mostly "commercial" developers then chances are they work on it during the week. DDOS GitHub during the week and let off for the weekend. That gives a few days' worth for your trojan to be downloaded by the unsuspecting. People will also have tired of hearing about the "github news" so new news about trojaning will take a little longer to disperse.

That's completely unnecessary and potentially risky for the attacker. Your theory is not based in reality. DOES NOT MAKE SENSE.

But... what commercial projects can possibly be on GitHub that are worth this trouble? Facebook's C++ compiler? ....

If there is such commercial product, it would have been self-hosted. Not GitHub.

Here are some random ones off the top of my head. I'm happy to accept that you can't think of any value of these to bad guys, but the bad guys are not limited by your or my imagination.

MongoDB and all the drivers https://github.com/mongodb

Mixpanel analytics libraries https://github.com/mixpanel

Sencha Javascript libraries https://github.com/senchalabs

Yahoo YUI and various other JS related gunk https://github.com/yahoo

Shopify ecommerce libraries https://github.com/Shopify

Engine Yard tools & utils https://github.com/engineyard

That is fascinating - I have been meaning to revise my security processes and a livecd for banking is a very good idea.

So most dos attacks are

1. Put key logger on company x machines

2. Gather banking keys

3. Transfer money

4. Hit with dos and get key logger to do as much damage as poss

Only two weaknesses leap out:

1. Two factor authentication - I genuinely do not know at what level a bank stops requiring a separate token for each transaction but it seems silly to ever do that.

2. The money mule - I recently was amazed that directors in Hollywood sometimes accept a percentage of net. But allowing your bank account to be used by some guys on the Internet?

Really those two issues seem ... Well with those blockers I would not invest in the internet crime startup. Weird they have bootstrapped quite well

The typical botnet operator cycle:

1) Send email to <large_site_here>, asking for a large ransom, preferably in Bitcoins.

2) If <large_site_here> does not pay, fire your packet cannons at them.

3) Rinse and repeat.

Wait, seriously? Is this a common thing? I've not heard a lot of noise about ransom demands.

It's very common to target ecommerce stores like this. Specifically jewellery stores for some reason. Probably because it's a luxury good and somehow botnet owners link that to wealth of the owners. We host tens of thousands of ecommerce stores and sometimes get these forwarded. We estimate that our customers receive at least one a month. DDOS attacks are a weekly to bi-weekly occurrence for us.

The internet is a messy place.

I would love to hear more about how you mitigate them.. Or is this part of the "secret sauce" for hosting companies?

yes, if we describe it, people will start "unit testing" their botnets against us.

Fair enough! That makes sense...

It is very common; these scams were the bane of online casinos a few years ago, and hit major financial services companies more recently.

Sorry, did I say "scam"? I meant "digital equivalent of a sit-in".

I don't know if it's common but I can confirm it happened to us at least.

The company I work for owns a site which has a niche community of buyers and sellers. There is a particular guy on there who has a reputation of scamming other users. When the users complain and post negative feedback about him, he threatens our company and follows through with DDoS attacks until the negative feedback/comments about him are removed.

It sounds like you are giving in every time. Is that your best option?

Does anyone actually pay?

It was actually on Freenode when a botnet operator sent a message to me to pay up or suffer the consequences.

I can't remember, but he asked for an insane amount of Bitcoins (800 I think, ~$8400) which wasn't even remotely close to our operating costs.

No way I would pay, our site was down 2 days but we moved to Heroku afterwards. No problems since, it probably scared him away.

YMMV with bigger botnets.

Would it be reasonable to think of these expletive redacted botnets as a force of nature? As something useful to harden resources against, or just disasters that you hope don't hit? (I'm thinking of this in terms of sour grapes, not poor planning.)

Most hosts (Linode, SoftLayer) will null-route you in a heartbeat when you get a massive influx of traffic that affects their network.

DDoS protection is expensive. Unless it is economically feasible for you to pay for the protection, most sites don't have it until they're a high target.

Isn't this the situation that Cloudflare was designed to protect against? Their service is free as well.

CloudFlare will protect you from DDoS attacks to an extent.

There are 2 kinds of DDoS attacks I know of (there are more but they're similar): bandwidth exhaustion and computer resource exhaustion.

Bandwidth exhaustion DDoS mitigation is difficult, because it requires you to have a fat inbound pipe to let all the bogus traffic through. Fat pipes are _expensive_, there are few hosting providers that allow you to have a dedicated line more than 1 Gbps.

Supposedly their Business plan ($200/month) protects against this, and their free plans protect much smaller amounts of traffic.

You can prevent against some common resource exhaustion attacks (SYN floods) by having a proper firewall setup.

CloudFlare has been known to let the attack traffic route to your server if it's big enough.
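The comment above distinguishes bandwidth exhaustion from resource exhaustion and points at SYN floods as the firewall-mitigable case. The following is an added example, not code from the thread: it parses constructed `ss -tan`-style socket lines, counts half-open (SYN-RECV) sockets overall and per source, and flags the half-open build-up that is the signature of a SYN flood. The thresholds are assumptions for the sample, not tuned values.

```python
"""Flag a SYN flood from socket-table lines (added example, not from the thread)."""
from collections import Counter

# Constructed sample in the column layout of `ss -tan`: state, Recv-Q, Send-Q, local, peer.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51022
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40004
ESTAB      0      0      10.0.0.5:443         198.51.100.8:51023
SYN-RECV   0      0      10.0.0.5:443         203.0.113.9:40005
"""


def parse_ss(text):
    """Return a list of (state, peer_ip) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer = parts[0], parts[4]
        # rsplit on the last colon so IPv6 peers like [2001:db8::1]:40001 keep their address
        rows.append((state, peer.rsplit(":", 1)[0]))
    return rows


def syn_flood_report(rows, max_half_open=4, max_per_source=3):
    """Classify a socket table; thresholds are assumed values for the constructed sample."""
    half_open = [peer for state, peer in rows if state == "SYN-RECV"]
    established = sum(1 for state, _ in rows if state == "ESTAB")
    per_source = Counter(half_open)
    noisy = [ip for ip, n in per_source.items() if n >= max_per_source]
    # Many half-open sockets outnumbering completed handshakes is the flood signature;
    # a busy but healthy listener shows the opposite ratio.
    flood = len(half_open) >= max_half_open and len(half_open) > established
    return {"half_open": len(half_open), "established": established,
            "noisy_sources": noisy, "flood": flood}


if __name__ == "__main__":
    report = syn_flood_report(parse_ss(SAMPLE_SS_OUTPUT))
    print(report)
    if report["flood"]:
        # The "proper firewall setup" the thread mentions: SYN cookies stop the backlog
        # from filling, and noisy sources are candidates for per-source SYN rate limiting.
        print("sysctl -w net.ipv4.tcp_syncookies=1")
        for ip in report["noisy_sources"]:
            print(f"candidate for per-source SYN rate limiting: {ip}")
```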

With CloudFlare spreading the load over loads of sites you need more than 1000GB/s to bring them down under a pure DDoS bandwidth exhaustion; they have loads of sites spread all over the world.

Computer resource exhaustion is more likely to work than bandwidth exhaustion on CloudFlare.

If nobody paid then the botnet operators wouldn't continue to try extorting.

Like spam, botnet operating costs may be so low that hardly anyone at all may need to succumb to make the operation pay off. Someone's likely to cheat and pay to make the pain go away eventually.

I believe that most people pay. It is perceived to be cheaper to pay off the extortionists than to mitigate the DoS attack.

I've been put into a similar situation before, but I couldn't find any convincing evidence that I wouldn't be extorted in the future, even if I did pay.

What's the logic behind this? After all, DDoSers probably aren't upstanding citizens.

Paying an extortionist is the one way in which you guarantee that you'll be extorted in the future.

Think of it as entering into a subscription arrangement.

Maybe the CVS users.

Nah, they wouldn't launch a distributed dos attack, would they now?

That's exactly what they want you to believe.

Never underestimate the frightening power of a large number of evildoers hitting F5.

Probably someone that wants to practice with their botnet. GitHub is a formidable target.

This was pretty interesting on launching a massive DDOS and how to stop one. http://hackerne.ws/item?id=4535226

They're not overly successful--I've had some slow page loads, but no serious interruption of service.

I noticed yesterday I can't install anything through https://, git:// urls work fine

You sure it was https? For a short time they blocked port 80 specifically so git:// and https:// would be able to work.

Yeah, I had one https:// clone stop in mid-download. I repeated it immediately and it stopped midway again, I tried again after half an hour or so and it went through.

This was before they disabled port 80, so I expect this was resource exhaustion, the smart-https git service wasn't completely isolated from the DDOS target.

Could it have something to do with their $100MM sitting in the bank?


  Pages is currently being hit with a DoS attack.[0]
I suspect the target maybe a site that is hosted on Github Pages, maybe a blog. The attackers may not be targeting Github directly.

[0]: https://status.github.com

I know GitHub is down, but how do you know someone is ddosing it?


Yes, because a respectable company like Atlassian would risk their entire business to give a small boost to just one of their many products by dealing with black market botnets.

I can't believe it needs to be said, but that was a joke. It had to be.

Hardly believe that (Atlassian owned) Bitbucket is doing such an attack. Bitbucket offers free private repos, not just git but mercurial hosting. Although way less popular, I think Bitbucket has features to gain ground in the long run without the need of tactics like DDOSes.

It was a lame joke, but the amount of "whoosh" in this thread is a bit mind boggling.

I'm guessing that that was probably a joke?

I believe he was making a joke.

Github is being DDOS'd? I hadn't noticed. And I use Github. Every day.

You must not have used it yesterday then ;)

Probably to watch all of Hacker News squirm.

What? You guys don't think that HN is enough troll bait for someone to spend $100 to DDoS a web property you care about?

Who has grudge on us?

No grudge necessary. This comment thread is lulzy enough by itself. Watching an entire user community freak out over not being able to access their source code in real time over HTTP is a good enough payoff.

If you aren't being DDOSed, you aren't an interesting service.

Why is it so hard to guess? Obviously GitHub is popular. Most popular sites have been DDOSed. People perform DDOS either because they hate that site, they want to gain something out of it, or they just want to take it down for fun. Stop speculating. It's really simple...

OK yes, but who hates GitHub and how could you possibly hate Github enough to bother with going to the trouble? Maybe it's just kids, who knows, but I guess I never understand why people waste their time doing things that have zero possible positive benefit to themselves.

Zero possible positives? Ideally, hackers, not crackers, are supposed to HELP companies and organisations to discover their loopholes before it was too late for them. So many attacks are friendly. Many hacker groups (not crackers) would steal stuff and post the irrelevant stuff online just to remind the infrastructure team that they did a bad job.

But on the other hand, Github is a popular site, and it attracts many users so people can spawn lots of PCs to create a mass attack. Why not? It's a popular site so they want to test how well their tools can keep up with GitHub. People would assume that as of today, 2012, operation engineers have learned enough to protect and recover from DDOS.

GitHub team did a very good job recovering. Not bad. But certainly the infrastructure is still not able to handle such DDoS. GitHub needs to invest more money on that to secure service.

Whatever the reason might be, it's not necessary to speculate. In some movies, we even had banks / investors hire others to crack their own banks or stores next to the bank to destroy critical evidence (financial loss). That's a scam. Maybe we should speculate if it was GitHub's own DDOS? God knows. Everyone will call me crazy if I believe in such a thing. No I don't think it was GitHub, but let me remind everyone these strange things happened before in both fiction and real life. But the point I want to make is no one knows and it shouldn't matter.

Whoever attacks it is not important at all. GitHub will learn from this and make the service more reliable.

Why does anybody ddos anything? Pretty much the same reason you carve your name in a tree or drive super slow with the bass up so high it sets off everyone's car alarms.

Only a very well orchestrated DDOS using a botnet has the endurance and strength of this attack. One can think that they are distributing some malware through github or that an anti USA hostile government agency is reaping code. Only Github knows.

How does one spread malware through github when the website (and all its services) are down?

I'm dying from laughter
