GitHub Amplification Attack

According to, “On Wednesday, February 28, 2018 was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack…. Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Amplification attacks are a specific type DDOS attack in which the attacker uses a botnet to leverage a vulnerability in the User Datagram Protocol (UDP) protocol to spoof the victims IP address and trick legitimate servers (called “reflectors” or “amplifiers”) into sending packets of data ‘back’ to the victims DNS servers flooding them.  The amplification happens when the response data to the victim is larger, up to 51,000 times greater for the UDP protocol, than the packet sent to the reflectors by the attacker.   The legitimate servers are simply responding to a UDP packet request received on port 11211 and have no idea they are part of a leveraged attack.

Why target the servers using the UDP protocol?

Companies use UDP to speed up data exchange between servers; it’s faster because the packets are not error checked. This means there is no process to verify if the packet has been sent or received.  Since there’s no packet checking, there literally is no way to check if the request is legitimate.  The server simply responds to each request making UDP servers perfect ‘reflectors’ for Amplification attacks.

How to Stop Amplification attacks?

Detecting an Amplified attack is trivial: GitHub had an alarm set when the ratio of ingress and egress traffic triggered a threshold.   That’s the easy part.  Once you realize there’s a problem, your response is limited.  In the case of the GitHub attack last week, the traffic was routed to Akamai who provided a service that scaled and distributed the huge packet volume using Akamai network capacity and software to create automated access control lists.  They blacklisted legitimate servers to stop the attack.

Stopping these types of attacks is difficult.  Generally, recommendations are focused on longer term best practices;

  1. Developers should stop using the UDP protocol and only use TCP instead so that packets can be verified and checked.
  2. Re-configure poorly configured UDP servers and do not use the default settings. Try to limit their responses to only trusted sources.
  3. Push to have all Internet Service Providers (ISPs) use Unicast Reverse Path Forwarding (URPF) that can detect spoofed IP addresses from senders and dump the packet when malicious activity is discovered; such as an out-of-range IP address for the sender.

Sources:, Scaling memcache at Facebook.


Leave a Reply

Your email address will not be published. Required fields are marked *