It may be time for GitHub to build out multiple availability data centers and use BGP as an anycast tool. We do this. I have public-facing IPv4 space that is announced from multiple facilities. Having an IP address hosted from multiple facilities is a powerful tool. This allows providers to hit our datacenter through the fewest ASN routes. We originally did this to minimize latency and create faster regional transaction processing. As an added benefit, DDoS traffic also gets routed to the nearest facility, "load balancing" a DDoS so that it only affects a single facility, or splitting up the 10gbps of traffic among many facilities if it is coming from many sources. O'Reilly's BGP book has a great chapter on "Anycast."
From the sounds of it, their architecture may not support this. If they had a SAN solution capable of replication to multiple data centers, like HP LeftHand's product or a multi-master DRBD configuration, they may be able to host GitHub from multiple active datacenters and announce the block equally so that providers route traffic to them because their ASN is closest.
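The anycast effect the comment above describes, as an added simulation that is not part of the original thread: BGP best-path selection is reduced to its AS_PATH-length step over a constructed AS graph (the AS numbers, the topology and the 10 Gbps flood are all made up for this example), so the same flood lands entirely on one site when the prefix is announced from a single facility and splits across sites when it is announced from two.

```python
from collections import deque

# Constructed AS-level topology for this example (not a real network):
# AS number -> set of directly peering AS numbers.
TOPOLOGY = {
    10: {20, 30},          # eyeball ISP in region A
    20: {10, 60, 65001},   # transit provider close to facility 65001
    30: {10, 40},          # long-haul transit between the regions
    40: {30, 50, 65002},   # transit provider close to facility 65002
    50: {40},              # eyeball ISP in region B
    60: {20},              # second eyeball ISP in region A
    65001: {20},           # our facility 1, announces the prefix
    65002: {40},           # our facility 2, announces the same prefix
}

def as_path_length(topology, src, dst):
    """Shortest AS_PATH length from src to dst (BFS over the AS graph),
    assuming every AS propagates every route. None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        asn, hops = queue.popleft()
        if asn == dst:
            return hops
        for nxt in sorted(topology.get(asn, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def choose_facility(topology, src, facilities):
    """BGP best-path selection reduced to its AS_PATH-length step:
    shortest path wins; lowest AS number stands in for the tie-breakers."""
    reachable = [(as_path_length(topology, src, f), f) for f in facilities]
    reachable = [c for c in reachable if c[0] is not None]
    return min(reachable)[1] if reachable else None

def route_traffic(topology, sources, facilities):
    """Gbps landing at each announcing facility. `sources` maps the AS
    originating each part of the flood to its volume in Gbps."""
    load = {f: 0.0 for f in facilities}
    for src, gbps in sources.items():
        facility = choose_facility(topology, src, facilities)
        if facility is not None:
            load[facility] += gbps
    return load

# Constructed example: a 10 Gbps flood sourced from three eyeball ISPs.
ATTACK = {10: 4.0, 50: 3.0, 60: 3.0}
UNICAST_LOAD = route_traffic(TOPOLOGY, ATTACK, [65001])         # {65001: 10.0}
ANYCAST_LOAD = route_traffic(TOPOLOGY, ATTACK, [65001, 65002])  # {65001: 7.0, 65002: 3.0}
```

Real BGP selection also weighs local preference, MED and router IDs, and transit providers filter routes by policy; the simulation drops all of that to isolate the "nearest facility absorbs the nearest sources" effect.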
Thanks for the book recommendation. Is that the one by Iljitsch van Beijnum?
Other than the added complexity, can you share any details about the cost? It seems like theoretically some managed hosting providers could offer this assuming they were in multiple datacenters, but I haven't seen any that do.
This happened back in October a couple of days in a row. Who the heck is targeting Github and why? I wonder if these attacks are related to the Chinese hacking attacks that have been publicised lately?
I often have to wonder if the DDoS gods roll a die and pick someone to screw each day. We have had many DDoS attacks and never once had any indication as to why.
A few days ago we had a 30 Gbit DDoS. Our server host just blackholed any IP that was touched by it. They kept moving it around to target different bits of our infrastructure (unlike previous attacks that just targeted our website).
We lost 6 servers, but thankfully not enough to take us fully offline though some customers would have experienced problems during that time.
If they had just been a bit more persistent we might have been in serious trouble.
At that level of DDoS your server host doesn't care about keeping you online. They want the traffic off their network.
If your nickname here can somehow be linked to the company you're working for (e.g. by checking previous messages you posted to HN or on another board) I think it's not very smart to write what you just wrote.
Now the bad guys know that they should just have tried a bit longer.
Now maybe, because you were DROP'ing / blacklisting IPs, they just ran out of zombies, but still...
If I were the attacker and read your message and wanted to be bad, I'd just hammer you a bit more to put you in trouble.
Besides that, there are some ISPs who do care about both keeping you online and fighting the low-life scum: the ISP XS4ALL from the Netherlands is (or was, at least) notoriously famous for that.
They know that anyway. The longer and more severe an attack is, the more damage it's likely to do. A host may be able to sustain 30Gbps for a minute or two, but not for 5 minutes. If 5 out of 10 servers are being attacked, you can probably handle traffic at 50% capacity for a while, but not forever.
> wonder if these attacks are related to the Chinese hacking attacks that have been publicised lately?
Might be just me, but I don't like this trend. I'm seeing "the Chinese" & "hacking" used together too much without proof, more often than not. Almost as if they are being made into the next boogeyman to be afraid of.
Well, it kind of is a lot of the time, just not in the way the other commenter was thinking. The majority of DDoS traffic I have seen is from Russian, Turkish, Ukrainian and Chinese IP address spaces. Basically I think a lot of 'eastern' countries have a lot of people on the internet but not a lot of security. I imagine high rates of pirated Windows (and thus fewer security updates) contributes in some of the places.
Sovereign nations do employ significant signals intelligence resources to defend their government. The Chinese are heavily invested and have been responsible for the majority of attacks on US IT infrastructure for years. It wasn't discussed openly before because the trade relations weren't degraded/ing like they are today.
In case you've missed the memo, they're threatening all of their neighbors outright with kinetic military force. Japan is no trivial country to threaten force against, so the diplomatic climate has changed and more information is being shared publicly in anticipation of an outright military conflict.
There are conflicting interests between individuals that lead to physical fights and the same applies to sovereign nations whose interests run contrary.
Nowadays it's so easy to execute a large-scale DDoS that it's just as likely to be an attention-starved teenager as it is a group with an agenda. GitHub is big enough that it's on people's radars as "that popular website lots of people rely on"; the company I work for has websites smaller than GitHub and we're indiscriminately DDoSed every couple of days.
DDoS attempts are just as often business related as not. Maybe not in this case, but it's "surprising" how often these coincide with a business deal in the works. Also, potential partners (usually international) sometimes run DDoS tests against a network to see how resilient it is to attack.
Hm, I don't think it fits the pattern. The most reported Chinese hacking was about espionage, not bringing down websites. Most of the time, DDoS is either related to politics (newspapers, federal agencies etc.) or related to blackmailing (most likely in the case of GitHub).
This, of course, does not mean that the hacker is NOT sitting in China. But she could just as likely be anywhere else.
Typically large services are targeted by some form of cyber-criminal. As an example only, if the Russian Business Network* were attempting to extort money from GitHub they could use a DDoS and go away when paid (for a while).
This happens to some larger media sites during large events such as the Olympics.
I had a single IP on a customer's 10 Mbit fiber line get DDoSed for what seemed like no apparent reason. We had the ISP blackhole just that IP and the issue went away, but it was a real WTF as to why it happened, and no, it wasn't someone's accidental DNS mistake.
There are people who suggest that a DDoS is just a 'digital sit in', a legitimate way for someone to air a grievance, if they think the targets (or world) haven't paid them enough attention.
This view makes DDoS seem more normal or even romantic/heroic, and spreads the tools/know-how more widely. So, pulling off a DDoS becomes a more plausible and attractive aspiration, for a larger set of surly people with marginal reasoning skills and destructive impulses.
The DDoS tactic should be rejected as dishonorable censorship and vandalism, no matter the cause under which it is launched.
The primary association most Americans have with sit-ins is the civil rights movement, but it seems likely that in almost all cases where someone refuses to leave an establishment after being asked to leave by the manager, the person is being an asshole, exactly like the average DDoS'er.
The default assumption when you see someone unwilling to leave a bar is not that they are noble, and neither should it be the default assumption for a DDoS. That said, I don't think it is reasonable to say no DDoS could ever be noble, just that the vast majority of the time it is just someone being an asshole.
Should anyone care? Once someone launches a DDoS, their argument is invalid. And reporting the grievance might just encourage them.
I don't know anything about any of GitHub's attackers, but from other incidents I know of at other services, it could be anything. A billing dispute. Anger that something was taken down... or not taken down in response to an unreasonable request. Anger that an account was suspended... or that some feud-rival's account wasn't suspended. People throwing "do it my way or I'll take your site down" tantrums may not make sense to anyone other than themselves.
Reading status.github.com over the last few weeks, I found it interesting how often little things were broken at Github. It's like every few days, a small part of the site is unavailable or the sysadmins are investigating this or that connectivity issue. I guess when you're as big as Github, keeping your site live and operational is completely nontrivial.
Is it just me, or has GitHub been down a lot in recent months (more so than a year ago)? DDoS or otherwise, it doesn't inspire confidence, especially for paid accounts (which I considered but ultimately decided against, going with another solution).
Hm, just a couple of days after another potential security exploit was published... maybe they did not plug all the holes, and someone is trying to clone all private repositories as soon as possible, hogging the servers in the process.
The tree is built up automatically but you can weight the paths and also which is the start node of the tree. There are also a lot of settings that may or may not completely fuck you over or fix a problem.
Also, you really want to disable STP on ports going to servers, as this will 1) speed up recovery and 2) prevent any malicious packets going out from them.
If several countries, distributed across various continents, have managed to put in place three-strikes and six-strikes (not that I think it's good), it means that the one and foremost knee-jerk argument saying "You can't do anything about DDoS because: [X] It's technically not realistic" is gone.
Technically, ISPs could now throttle the bandwidth (or even disallow net access) to zombie boxen used in DDoS attacks in all the countries applying "x-strikes" rules.
So there may be light at the end of the tunnel.
It's not exactly as if DDoS was a fatality and nothing could be done about it.
Who's the ISP gonna throttle? It's next to impossible to tell the difference between a legitimate request and a zombie. Also, not all zombies are knowingly contributing to a DDoS. Are you gonna kick grandpa off the net 'cause he doesn't think before he clicks? Make no mistake, this is a very technically hard problem to solve. DDoS attacks aren't going anywhere anytime soon.
I think GitHub should add hardcore anti-scraping functionality. Even though I enjoy open-source repositories, I wouldn't like some bot/government or other evil to mess with all of our contributions to humanity in a way to defeat us.