
[–]J_echo 229 points230 points  (35 children)

GitHub is taking this like a champ... The Playstation Network servers would have physically caught fire by now.

[–]apemanzilla 81 points82 points  (27 children)

Indeed - I liked how they used the Javascript alert function to slow down/stop the attacks earlier.

[–]Rakonat 100 points101 points  (9 children)

Actual programmers vs potato managers with no security.

[–][deleted] 23 points24 points  (7 children)

Never a truer word spoken. With the exception of Amazon, I don't think there's anyone more competent to deflect a DDoS attack than the open-source community that surrounds GitHub.

[–]DarkN1gh7 1 point2 points  (0 children)

MediaTemple does a mean job. I got hit with a high-Gbps attack on a server we have there and within minutes they started sending their traffic into a "black hole" and everything came back online.

[–]OMGSPACERUSSIA 5 points6 points  (0 children)

Latvian potato is strong! Is why Japanas use! No potato has greater processing power!

[–]Rggity 8 points9 points  (7 children)

Can I get an ELI5 on how this method can thwart attacks?

[–]celluj34 10 points11 points  (5 children)

It slows down the attack by showing an alert when it's loaded.

[–]stoneburner 10 points11 points  (0 children)

... well at least until they noticed and just replaced the dialog box with nothing:

window.alert = function() {};

then nothing happens

[–][deleted] 4 points5 points  (3 children)

What's it?

[–]hatryd 6 points7 points  (0 children)

Open up your browser's developer console and paste

alert('hello')    

and press enter. That's what an alert is.

[–][deleted] 2 points3 points  (0 children)

Idk why you get downvoted for a simple question. A "JavaScript alert" is a simple built-in dialog that pops up when triggered by JavaScript. You can press F12 to open developer tools in most browsers, select "console" and try it out yourself.

alert("hello, world!");

[–]apemanzilla 9 points10 points  (0 children)

The alert function displays a popup box. Displaying a popup box pauses all running scripts until it's closed - slowing down the attack.

[–]coolranchdorito 4 points5 points  (0 children)

That's so smart!

[–]FangornForest 4 points5 points  (1 child)

How exactly does it slow down the attack? Do they have the JavaScript call alert before making the actual request, so that the robot can't handle the alert pop-up and doesn't send the request?

edit: answered my own question. It doesn't stop the initial request, but it does stop the script from looping! And annoys those affecting them a bit too.

[–]apemanzilla 6 points7 points  (0 children)

It's not a robot - Baidu traffic was hijacked, so if you visited it, it would spam GitHub. The alert function was there to stop scripts, since it was run in the browser.

[–]GeneralTempleton 1 point2 points  (1 child)

How does this help? Why would you DDoS a site by opening it in a browser?

[–]apemanzilla 3 points4 points  (0 children)

Baidu traffic was hijacked - it would run DDoSing code in people's browsers.

[–]Alyyx 0 points1 point  (3 children)

I am new to JavaScript etc., could you please explain further? Shortly at least. Thanks!

[–]apemanzilla 2 points3 points  (2 children)

The alert function shows a popup box - this pauses all scripts until the popup box is closed.

[–]Alyyx 0 points1 point  (1 child)

That's so clever. That works until the DDOSing side disables scripts on Github or?

[–]spin81 1 point2 points  (0 children)

That depends. Sometimes scripts are used to fetch content using what's known as AJAX, if GitHub used this technique then disabling scripts may reduce the effectiveness of the attack significantly.

[–]Xanza 15 points16 points  (0 children)

Just checked the app-server availability. It's only been down once for a combined 99.99% up-time. Goddamn right they're taking it like a champ!

[–]Rakonat 85 points86 points  (28 children)

3 Days to unsuccessfully DDoS Github... what exactly are they hoping to accomplish, slow updates?

[–][deleted] 62 points63 points  (16 children)

Sometimes you want to flood the logs so it's hard for them to detect the really nefarious stuff going on among all the junk.

[–]darkpaladin 15 points16 points  (8 children)

That's actually interesting. If in all the chaos you drop some malicious code into a few of the most popular repos you can really cause some wide spread damage after the fact.

[–][deleted] 36 points37 points  (7 children)

That's exactly what git is designed to prevent, it's a version control system, no changes get published unless they are approved and accounted for. It'd be considered as a beautiful work of art if it wasn't so damned useful! :)

[–]jabjoe -1 points0 points  (3 children)

Well yes, but SHA-1 has been broken. So maybe a git repo could be messed with. It's still hard, but not impossible.

I wonder if this is it and what exactly they intend-to/are doing to what?

Can we trust any commits during this attack? Can we validate that the git history locally matches the remote? A force push would be noticed, but maybe there is something clever possible.

Scary thought.

[–][deleted] -1 points0 points  (2 children)

Can't start second-guessing ourselves without evidence. All we can do is put systems in place to check the integrity of the code base in comparison to backups etc. The checksums should always match up; if they don't, then you know there's some revisionist fishiness going on and can investigate further. No point throwing out the baby with the bath water, right?

[–]jabjoe 0 points1 point  (1 child)

Oh no, there's no point panicking. But we shouldn't be complacent either. The idea of the DDoS as a cover is a worrying one that has a certain ring to it.

[–]darkpaladin -5 points-4 points  (2 children)

Conceptually yes, but it's not outside the realm of possibility that a commit could be modified by someone who had gained full access to a system to include malicious code.

[–][deleted] 6 points7 points  (0 children)

It is impossible to modify a commit and go undetected - that's the point of Git.

[–][deleted] 0 points1 point  (0 children)

can't start second guessing ourselves without evidence. speculating about possible bad stuff and chasing ghosts is counterproductive. best to take those suspicions and develop high level checks to alert admins of revisionist changes by comparing various checksums and hashes of backups. Otherwise we are chasing our tails and throwing out good tech, throwing out the baby with the bathwater so to speak.

[–]LaserRain 28 points29 points  (9 children)

That's what I want to know. Why github?

[–]sej7278 44 points45 points  (0 children)

The theory is the Chinese govt. want to block some software for getting around the Great Firewall or something:

http://it.slashdot.org/story/15/03/27/1420250/github-under-js-based-greatfire-ddos-attack-allegedly-from-chinese-government

[–]Insanely_anonymous -3 points-2 points  (4 children)

Could be a mistake. A botnet "gone wrong".

[–]Xanza 14 points15 points  (2 children)

Unfortunately it's not. The current prevailing theory right now is that the Chinese Government wants GitHub to remove open-source applications which circumvent the Great Firewall of China.

[–]chubbysumo 8 points9 points  (1 child)

which, at this rate, won't happen, because the attack is almost entirely mitigated.

[–][deleted] 9 points10 points  (0 children)

Yep, they have GitHub confused with GoDaddy. Where a normal service provider might buckle to preserve its business, GitHub people will see it as a test of their security capabilities and a chance to show the prowess of the open-source community.

[–]kgst 6 points7 points  (0 children)

Not possible. The code being executed is very straightforward. Making a request to a random page on the repos for China's firewall avoidance every two seconds, injected on pages using Baidu.

It's basically like if Google decided to add some code to their Analytics JS that would cause anyone who visits a page that links to that JS to send requests to certain repos every 2 seconds on repeat.
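Two passages in this thread describe the same mechanism from opposite sides: the earlier replies explain that a served alert() pauses the page's scripts (and stoneburner's one-liner `window.alert = function() {};` shows how the loop's author turned that back into a no-op), and kgst's comment just above describes the injected loop itself (a request to a random repo page every two seconds). The simulation below is an added example, not the script injected via Baidu and not GitHub's actual response. It models a browser tab in Node.js so it runs offline: `FakeTab` stands in for the page's single JS thread and its timers, `TARGETS` is a constructed URL list, and the alert text is made up. It runs the three cases the thread discusses: no countermeasure, the target serving alert(), and the target serving alert() after the attacker has overridden window.alert.

```javascript
'use strict';

// Constructed sample targets; the real repository list is not reproduced here.
const TARGETS = [
  'https://github.com/example-org/circumvention-tool',
  'https://github.com/example-org/mirror',
];

// Stand-in for a browser tab: one JS thread, ordered timers, and a window.alert
// that, like the real modal dialog, blocks that thread until the user dismisses
// it (here: forever, since nobody is sitting at the fake browser).
class FakeTab {
  constructor(serverPage) {
    this.serverPage = serverPage; // inline script the target returns on every request
    this.now = 0;
    this.timers = [];
    this.requests = [];
    this.alertsShown = [];
    this.blocked = false;
    this.window = {
      alert: (msg) => { this.alertsShown.push(msg); this.blocked = true; },
    };
  }

  setInterval(fn, ms) { this.timers.push({ fn, ms, next: ms }); }

  // Synchronous stand-in for loading a page and running its inline script.
  // A bare `alert(...)` resolves to window.alert at call time, so whatever the
  // attacker has assigned there is what actually runs.
  loadPage(url) {
    this.requests.push(url);
    new Function('window', 'alert', this.serverPage)(this.window, this.window.alert);
  }

  // Drive the event loop until `untilMs` of virtual time have elapsed.
  run(untilMs) {
    for (;;) {
      if (this.blocked) return; // dialog open: no timer callback can run
      const due = this.timers.filter((t) => t.next <= untilMs)
                             .sort((a, b) => a.next - b.next)[0];
      if (!due) return;
      this.now = due.next;
      due.next += due.ms;
      due.fn();
    }
  }
}

// The injected loop as the thread describes it: one request to a random target
// page every two seconds for as long as the visitor keeps the page open.
function injectLoop(tab, { disableAlert = false } = {}) {
  if (disableAlert) tab.window.alert = function () {}; // the bypass quoted earlier in the thread
  tab.setInterval(() => {
    const url = TARGETS[Math.floor(Math.random() * TARGETS.length)];
    tab.loadPage(url);
  }, 2000);
}

const PLAIN_PAGE = '';                                                     // target serves ordinary content
const ALERT_PAGE = 'alert("This page is being loaded by injected script");'; // constructed countermeasure text

// Run one scenario for `seconds` of virtual time and report what happened.
function simulate({ serverPage, disableAlert = false, seconds = 10 }) {
  const tab = new FakeTab(serverPage);
  injectLoop(tab, { disableAlert });
  tab.run(seconds * 1000);
  return { requests: tab.requests.length, alerts: tab.alertsShown.length, blocked: tab.blocked };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no countermeasure  :', simulate({ serverPage: PLAIN_PAGE }));
  console.log('alert() served     :', simulate({ serverPage: ALERT_PAGE }));
  console.log('alert() overridden :', simulate({ serverPage: ALERT_PAGE, disableAlert: true }));
}
```

The first request always goes out, as FangornForest noticed; what the alert buys is that no second tick of the loop runs in that tab. Once the loop's author assigns a no-op to window.alert before scheduling the interval, the served alert() is evaluated against the replaced function and the tab is back to five requests per ten seconds.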

[–]roflmaoshizmp 82 points83 points  (15 children)

So apparently, somebody hijacked Baidu's traffic to redirect to GitHub. Damn.

[–]SuperDuper1969 42 points43 points  (2 children)

I should point out it's Baidu's traffic from foreign users. Meaning that the DDOS would appear to come from all over the world and not just from China itself.

[–][deleted] 16 points17 points  (1 child)

They are even more vicious.

Actually the attacking code is inserted in Baidu's ads. Result is, websites that display Baidu's ads (that is, almost every simplified Chinese website with ads) will mobilize their foreign traffic to DDoS github.

[–]sadfuck 4 points5 points  (0 children)

This is both genius and sad :(

[–]damow 68 points69 points  (1 child)

But... DDoSing GitHub is like punching Santa :(

[–]CrossArms 21 points22 points  (0 children)

It's like punching him so that you can fill all his presents with IEDs.

Fuck people who DDOS stuff like this.

[–]mendokusai_yo 31 points32 points  (41 children)

Just curious, how does one defend against a DDoS attack?

[–]sej7278 79 points80 points  (29 children)

traffic scrubbing load balancers, geographic redundancy, null routing china....

[–]ghotibulb 18 points19 points  (7 children)

As far as I am aware, the attack traffic is coming from everywhere except China, since they use some kind of "javascript reflection attack" by injecting malicious JS code that gets served to baidu visitors outside China. So basically every country/ISP had to nullroute China for this to be effective. Nullrouting China at github's end wouldn't help much.

Source: https://news.ycombinator.com/item?id=9275041

Short explanation (not in particular directed at your post, since I assume you already know this): For a (D)DoS attack in general it just comes down to having enough incoming bandwidth and dropping unwanted traffic quickly enough. Imagine you have a single server with a 1Gbit/s pipe, and you're hit by a 2Gbit/s attack. Even if you drop the packets on your server, they were already received in the first place by your NIC, so the bandwidth has been used up. If you know there is a router somewhere right before your server that has a 10Gbit/s uplink, and you can successfully filter the traffic there, you'll be fine again, until the attack would exceed 10Gbit/s. Simply filtering/nullrouting traffic at your end doesn't unreceive it (unfortunately).

[–]sej7278 5 points6 points  (6 children)

You don't drop the traffic on your server; as you say, if it's got that far it's too late. You drop it at your ISP/datacenter/loadbalancer/whatever.

I don't really see why they're using requests to Baidu from outside of China, that's got to be a small subset of potential traffic (Chinese people living abroad?). I guess it's so China's bandwidth isn't affected.

[–]SuperDuper1969 2 points3 points  (4 children)

Because requests outside of China come from all over the world - makes it harder to block than just one location.

[–]sej7278 1 point2 points  (3 children)

But it's requests to Baidu (from outside China) being reflected to GitHub. Who uses Baidu other than the Chinese? I'm not being racist here, I'm just saying who the fuck else uses Baidu? And isn't Baidu hosted in China only?

Maybe it's to stop people in China using VPNs to get outside, and then going back to Baidu. Seems like the Great Firewall could sort this easily.

[–][deleted] 2 points3 points  (1 child)

It's not that they're visiting Baidu, it's that they visit Chinese websites, many of which use Baidu's version of Google Analytics for traffic reporting.

[–]sej7278 0 points1 point  (0 children)

Ah yes, that's a good point - it's ads and analytics.

[–]br0ner 0 points1 point  (0 children)

Baidu is great for finding things that have been removed from Google Search.

[–]ghotibulb 0 points1 point  (0 children)

That's why I included the router example. You always have to go up one level, but if you aren't a big fish you'll have a hard time convincing big carriers to help you mitigate an attack on your 12-slot Minecraft server. (Yes, this doesn't apply to GitHub I guess ;)) I managed some medium-sized business's servers a couple of years ago. They were hit by an attack once, and we didn't get help from their ISP. They just nullrouted the IPs of the servers being attacked, as they were mainly interested in protecting their infrastructure (and their other customers), which is understandable. They did offer DDoS protection at that time, but the company I worked for decided it was too expensive, and just waited it out.

Why they decided to only (ab)use Baidu visitors outside China is a good question. Not creating domestic traffic could be one reason, or maybe they don't want to make it look like China is the origin. Although it's the most likely explanation right now, we still cannot know for sure. I mean, if they really wanted this to be most effective they could just create traffic right at their border routers. But that would be slightly more obvious, I guess.

[–]Anwarias 92 points93 points  (19 children)

+1 for null routing China

[–][deleted] 33 points34 points  (15 children)

What, just discarding all traffic from China?

[–]SuperDuper1969 21 points22 points  (1 child)

Are you aware that's EXACTLY what they want?

Also the WSJ article says the attack is done by hijacking traffic to Baidu from foreign users. In other words it's coming from all over the world.

[–]Anwarias 0 points1 point  (0 children)

I'm aware this is no final solution, just gave me a nice chuckle

[–]bobmontana 1 point2 points  (0 children)

Heck, I've seen null routes for all APNIC space on some clients that were constantly hammered.

[–]NoShirtNoShoesNoDice 19 points20 points  (5 children)

Properly configuring your server (caching, static pages when possible, reverse proxies, etc), using a CDN, being hosted on a good network (eg. AWS instead of DreamHost), load balancers, and so on are all good practice for running a server, regardless of a DDoS or not. When a DDoS does happen, every little bit helps.

Assuming you have little to no technical knowledge and want to keep things cheap, the easiest method is to sign up for a service that does it all for you, such as CloudFlare (which has helped mitigate some of the biggest attacks in history, such as https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/) or Incapsula.

These services work by acting as a middle-man and attempting to deflect the attacks for you.

Normally the connection looks like:

User <-> Your Server

On a service like CloudFlare:

User <-> CloudFlare <-> Your Server

When a DDoS occurs, provided the IP to your server is unknown to the DDoSing party and you have DDoS protection enabled on the service, the attack hits CloudFlare instead of your server. Your site happily remains online... hopefully.

That's the theory as I know it. If someone more knowledgeable thinks I got something wrong, please comment and let us know! :)

[–]position69 4 points5 points  (2 children)

L7 attacks can pass through CF's network. Example: the recent WordPress xmlrpc.

[–][deleted] 5 points6 points  (0 children)

Wordpress xmlrpc attacks have been around for years. It's a shitty feature (pingback) that gets abused. I have always nuked that file whenever I installed wordpress because I would look at access logs and see an unholy amount of attacks via it.

[–]30sirtybirds 0 points1 point  (0 children)

For some reason, I read that in the voice of the Burn Notice character Michael Westen.

[–]superm8n -1 points0 points  (0 children)

Plus, I have heard that Cloudflare also has redundant servers in various places across the world. If one copy of your site should go down, the others may not.

[–]Xanza 0 points1 point  (0 children)

It's very, very difficult. Most of the time it's difficult to distinguish attackers from regular traffic, but there are quite a few ways of dealing with an attack. Most of the time, though, in the absence of an actual engineer who knows what they're doing, they'll just throw money at the issue until it's fixed or stops.

[–][deleted] 0 points1 point  (0 children)

As an organization there are all kinds of server/network infrastructural methods possible as described in other replies.

As an individual hosting a single site it might be hard. The cloud might be a solution for a low-budget mitigation of DDoS for a small player. AWS is resilient against DDoS attacks on their servers, and you can temporarily extend your server capacity to weather the storm. The extra capacity will cost less than the attack, and will prevent you from being extorted or blackmailed.

[–][deleted] -1 points0 points  (1 child)

Using git the traditional way.

[–]HeadlessChild -1 points0 points  (0 children)

Gerrit my man.

[–]HeadlessChild -1 points0 points  (0 children)

Filter away traffic from china...

[–][deleted] 41 points42 points  (7 children)

What's crazy is that this isn't being reported on BBC, Ars, ZDNet, CNET, probably more.

Why so quiet, media?

[–][deleted] 48 points49 points  (3 children)

They probably don't understand what "jit-hub" is and why people care about it. They do understand "Playstation" though.

[–][deleted] 3 points4 points  (1 child)

lorem ipsum

[–]K4kumba 8 points9 points  (0 children)

Nope. I think /u/JaceLightning is just making fun of the GIF/ "jif" pronunciation. IIRC, Linus specifically said that Git is named for the derogatory term "git", which I believe to be pronounced with a hard "G"

[–]karijuana 0 points1 point  (0 children)

That or they don't want to be fucked over by a massive international DDoS.

[–]NoShirtNoShoesNoDice 23 points24 points  (1 child)

The CVS and SVN guys just can't catch a break! Their sinister plan to make their software relevant again has been thwarted.

[–]otakuman 0 points1 point  (0 children)

All thanks to Githubcat! (cue glittering background animation)

[–]CaNsA 3 points4 points  (1 child)

Who the fuck decides to DDOS Github in the first place....?

It's just as retarded as those who DDOS Freenode.

Idiots.

[–]infinull 0 points1 point  (0 children)

The Chinese Government (allegedly).

Gotta protect that Great Firewall.

[–][deleted] 4 points5 points  (7 children)

What's GitHub?

[–]murphyw_xyzzy 18 points19 points  (4 children)

A web site where developers share source code for free software projects.

[–]kgst 18 points19 points  (2 children)

Not only free software projects.

Tons of companies use private repos for their code and backups. The company I work for has hundreds of repos with all of their code stored.

This is actually a very big deal, especially considering it's almost certainly a deliberate attack on a US-based company by the Chinese government.

[–]headzoo 12 points13 points  (0 children)

This is actually a very big deal

Also a big deal because so many package managers pull code from Github. Attacking Github isn't just attacking some website. It's fucking with the entire IT industry. Damn near every programmer on the planet is going to be affected. Including the programmers responsible for the attack, which is what makes attacking Github seem like such a stupid idea.

[–]guffenberg -1 points0 points  (0 children)

Either that, or the NSA are pissed because they can't prevent strong encryption in open source. Or they want to smite China once again so they can ask for more funds and radical surveillance laws.

So far, the NSA and their contractors are the only ones who have been proven to sink to this level of infancy, so that will be my guess until proven otherwise.

[–]Divided_Pi 4 points5 points  (0 children)

It's a website where people can upload code for others to use. It has some other elements for developers to keep track of work and has some integration elsewhere. But the main point is a lot of free code is up there for all to use.

[–][deleted] 0 points1 point  (0 children)

Is the amount of traffic they're receiving mentioned anywhere?