Distributed Denial of Service Attack on GitHub - Case Study and Lessons Learnt
By THIRUMALAREDDY JANARDHAN REDDY
MT2018125

Scope:
Denial of service (DoS) and distributed denial of service (DDoS) attacks are among the most common attacks seen today. They prevent authorized users from using a service. This project focuses on the DDoS attacks launched against the popular code sharing platform GitHub over the last few years and on the lessons that can be learnt from those attacks.

Objective:
The main objective of this project is to understand the various types of denial of service attacks. To get a better understanding of real DDoS attacks, we take the attacks on GitHub as a case study and analyze what went wrong in each of them, so that similar attacks can be defended against in future.

Background:
A denial of service is a type of cyber-attack in which an attacker tries to make a system or service unavailable to its authorized users. It is usually achieved by flooding the targeted host with malicious traffic until the target can no longer respond, which prevents access for legitimate users.

[pic 1]

In a distributed denial of service (DDoS) attack, multiple computer systems are used to attack a target by sending large amounts of unwanted traffic to it. This differs from a plain DoS attack, which uses a single network connection to overwhelm the target. Because the traffic flooding the target comes from many different sources, the attack cannot be stopped by blocking a single IP address, and it is also difficult to distinguish legitimate traffic from malicious traffic.

Denial of service attacks are very dangerous, and their consequences can be disastrous and hard to recover from. They affect the operations and profits of a business: if customers cannot connect to a site, they will go to a competitor's site and lose faith in the organization's ability to deliver. This will affect the revenue, profits and reputation of the company.

GitHub is a popular code hosting platform that helps developers manage and share code with each other. Many developers rely on GitHub for developing their projects, so availability of the service is very important to its users. Denial of service is an attack on the availability of a service, and it is therefore a serious concern for GitHub.

Literature Review
Distributed denial of service is one of the most significant attacks in today's cyber world. Attackers need not be highly skilled to launch a denial of service attack, and the tools used in these attacks are easily accessible, which increases both the frequency and the threat of these attacks. In this section, we look at the classification of DDoS attacks and see how the common ones are launched.

DoS and DDoS attacks can be categorized into three types:

Volumetric Attacks: In a volumetric attack the attacker sends a very large volume of traffic to the target system. The attacker's goal is to exhaust the bandwidth of the attacked site. Volumetric attacks are easy to generate using simple amplification techniques, where a small request produces a much larger response aimed at the victim. The magnitude of this attack is measured in bits per second (bps).

Protocol Attacks: Protocol attacks consume the processing capacity or state tables of the target itself, or of intermediate critical resources such as firewalls and load balancers, causing service disruption. These attacks exploit weaknesses in layer 3 and layer 4 of the protocol stack to make the target inaccessible.

Application Layer Attacks: These attacks exploit weaknesses in layer 7 of the protocol stack. They are very challenging to identify, and in some cases to mitigate, because each individual request looks like a legitimate one.
The most common type of application-layer attack is to send a large number of requests to a server in an attempt to keep the server's entire database connection pool busy, so that legitimate requests are blocked.

Common DDoS Attacks:

SYN Flood
The Transmission Control Protocol (TCP) is used for data transmission between hosts that communicate over an IP network. TCP is connection-oriented and requires a three-way handshake before data can be exchanged. The client requests a connection by sending a SYN segment, the server acknowledges it with a SYN-ACK and records a half-open connection, and the client completes the handshake by replying with an ACK. In a SYN flood, the attacker sends a large number of SYN segments with spoofed source addresses to the target server. The spoofed sources never send the final ACK, so every entry stays half-open until it times out. The server's backlog of half-open connections fills up, new SYNs from legitimate clients are dropped, and the service becomes unreachable even though the server itself is still running.

HTTP Flood
This is an application-layer (layer 7) DDoS attack that floods a target with HTTP requests. HTTP is the protocol used to load web pages and submit form contents over the internet. The target becomes overwhelmed with the requests and cannot respond to normal traffic, resulting in a denial of service for normal users. This attack is hard to mitigate because each request is a well-formed HTTP request and it is difficult to distinguish malicious traffic from normal traffic.

UDP Flood
The User Datagram Protocol (UDP) is a connectionless protocol and does not require any prior communication between sender and receiver to set up a connection. A UDP flood is any DDoS attack that floods a target with UDP packets. In this attack, the attacker sends UDP packets to random ports on the remote host, which forces the host to check repeatedly for an application listening on each port. When no application is found, the host replies with an ICMP 'Destination Unreachable' packet.
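The following simulation, added here as an example and not taken from the report or from any GitHub code, shows the SYN flood mechanism described above and the standard defence against it, SYN cookies. A listener that allocates a backlog entry per SYN is flooded with spoofed SYNs that are never completed, after which a legitimate client cannot connect; a listener that instead encodes an HMAC into the initial sequence number keeps no state and still completes the legitimate handshake. The backlog size, timeout, addresses and secret are all constructed for the example, and the cookie omits the MSS encoding real kernels use.

```python
"""SYN flood against a listener with a fixed half-open backlog, then the same
flood against a listener that uses SYN cookies. Added example, not code from
the original report; backlog size, timeout, addresses and the HMAC secret are
all constructed/assumed."""
import hashlib
import hmac

BACKLOG = 128             # assumed size of the half-open (SYN) queue
HALF_OPEN_TIMEOUT = 60.0  # assumed seconds before a half-open entry is expired


class NaiveListener:
    """Allocates a backlog entry for every SYN and keeps it until the final
    ACK of the handshake arrives or the entry times out."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> time the SYN arrived
        self.established = set()

    def on_syn(self, src, now):
        # Expire stale half-open entries, then try to queue this one.
        self.half_open = {k: t for k, t in self.half_open.items()
                          if now - t < HALF_OPEN_TIMEOUT}
        if len(self.half_open) >= self.backlog:
            return False         # queue full: SYN dropped, client never gets SYN-ACK
        self.half_open[src] = now
        return True              # SYN-ACK sent, state kept

    def on_ack(self, src, now):
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """Keeps no state per SYN. The initial sequence number (ISN) in the
    SYN-ACK is an HMAC over the client's address and a coarse timestamp;
    a client that really completes the handshake echoes ISN+1 in its ACK,
    which the server verifies by recomputing the HMAC."""

    def __init__(self, secret=b"constructed-secret"):
        self.secret = secret
        self.established = set()

    def _cookie(self, src, counter):
        msg = f"{src[0]}:{src[1]}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big") & 0xFFFFFF00   # top 24 bits

    def on_syn(self, src, now):
        counter = int(now) // 64                               # ~1 minute slots
        return self._cookie(src, counter) | (counter & 0xFF)   # ISN, nothing stored

    def on_ack(self, src, ack_number, now):
        isn = (ack_number - 1) & 0xFFFFFFFF
        current = int(now) // 64
        for counter in (current, current - 1):  # accept the previous slot too
            if (counter & 0xFF) == (isn & 0xFF) and \
                    self._cookie(src, counter) == (isn & 0xFFFFFF00):
                self.established.add(src)
                return True
        return False             # forged or stale ACK: ignored, no state touched


def run_flood(use_cookies, attack_syns=10_000, now=1_000_000.0):
    """Send `attack_syns` spoofed SYNs that are never completed, then a real
    client handshake one second later. Returns (legit_client_connected,
    half_open_entries_held_by_server)."""
    legit = ("198.51.100.7", 40000)   # constructed legitimate client
    if use_cookies:
        srv = SynCookieListener()
        for i in range(attack_syns):
            srv.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i), now)  # stateless
        isn = srv.on_syn(legit, now + 1.0)
        ok = srv.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 1.05)
        return ok, 0
    srv = NaiveListener()
    for i in range(attack_syns):
        srv.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i), now)  # never ACKed
    ok = srv.on_syn(legit, now + 1.0) and srv.on_ack(legit, now + 1.05)
    return ok, len(srv.half_open)


if __name__ == "__main__":
    print("naive listener:", run_flood(use_cookies=False))   # (False, 128)
    print("SYN cookies   :", run_flood(use_cookies=True))    # (True, 0)
```

On Linux the same idea is enabled with the `net.ipv4.tcp_syncookies` sysctl: once the SYN queue overflows the kernel answers with cookies instead of dropping SYNs, so a flood costs the server CPU for one HMAC per segment rather than a slot in a finite table.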
This process exhausts host resources, which can ultimately lead to denial of service for actual users.

ICMP (Ping) Flood
In this attack, the attacker tries to overwhelm a target with ICMP echo-request packets. ICMP echo-request and echo-reply messages are used to ping a device in order to test the connection between the sender and the device. Each ICMP request consumes bandwidth in both directions, incoming (echo-request) and outgoing (echo-reply). The ping flood aims to overwhelm the target device's ability to respond to the high number of requests and to saturate its network connection with bogus traffic.

NTP Amplification Attack
In an NTP amplification attack, the attacker exploits publicly accessible Network Time Protocol (NTP) servers to flood a targeted server with UDP traffic. NTP allows internet-connected devices to synchronize their internal clocks. The attacker sends small queries to the open NTP servers with the source address spoofed to the victim's IP, so the servers send their much larger responses to the victim, which never asked for them. The attack is called an amplification attack because the query-to-response size ratio is anywhere between 1:20 and 1:200 or more (historically the monlist command, which returns the addresses of the last clients the server has seen, was the usual vehicle). If an attacker obtains a list of open NTP servers, he can easily generate a high-volume DDoS attack.
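The HTTP flood, UDP flood, ICMP flood and NTP amplification sections above all share one detection approach: count per-source (or per-victim) events in a short time window and compare against a threshold, with the NTP case adding a state check for replies the victim never requested. The detector below, an added example that is not from the report or from GitHub, runs that logic over constructed one-line packet summaries. The record format, every address, the packet sizes and all thresholds are assumptions chosen for the sample; a real deployment would take its input from flow or packet capture and derive thresholds from a traffic baseline.

```python
"""Rate- and state-based detection of UDP floods, ICMP (ping) floods, HTTP
floods and unsolicited NTP amplification traffic, run over constructed
one-line packet summaries. Added example, not part of the original report;
the record format, all addresses and every threshold are assumptions."""
from collections import Counter, defaultdict

# Assumed record format (one packet per line):
#   <ts> <proto> <src> <sport> <dst> <dport> <len> <info>
# sport/dport are "-" for ICMP; info carries the ICMP type, the NTP message
# kind, or the HTTP request line.
THRESHOLDS = {                      # assumed per-window limits for the sample
    "udp_distinct_ports": 20,       # ports one source may probe on one host
    "icmp_echo_requests": 50,
    "http_requests": 100,
    "unsolicited_ntp_bytes": 4096,
}


def parse(line):
    ts, proto, src, sport, dst, dport, length, info = line.split(" ", 7)
    return {"ts": float(ts), "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "len": int(length), "info": info}


def detect(lines, window=1.0):
    """Bucket packets into `window`-second slots and raise one alert per
    (slot, attacker, victim) that crosses a threshold. Returns a list of
    alert tuples sorted by alert kind."""
    udp_ports = defaultdict(set)       # (slot, src, dst) -> distinct dst ports
    icmp = Counter()                   # (slot, src, dst) -> echo-requests
    http = Counter()                   # (slot, src, dst) -> requests
    ntp_queries = set()                # (client, client_port, server) seen leaving
    ntp_unsolicited = Counter()        # (slot, victim) -> bytes of unmatched replies
    ntp_reflectors = defaultdict(set)  # (slot, victim) -> servers replying

    for rec in map(parse, lines):
        slot = int(rec["ts"] // window)
        key = (slot, rec["src"], rec["dst"])
        if rec["proto"] == "udp" and rec["dport"] == "123":
            ntp_queries.add((rec["src"], rec["sport"], rec["dst"]))  # host asked
        elif rec["proto"] == "udp" and rec["sport"] == "123":
            # A reply is legitimate only if the destination actually asked
            # (the sample lists queries before replies; a real tool would
            # also bound the query-to-reply time).
            if (rec["dst"], rec["dport"], rec["src"]) not in ntp_queries:
                ntp_unsolicited[(slot, rec["dst"])] += rec["len"]
                ntp_reflectors[(slot, rec["dst"])].add(rec["src"])
        elif rec["proto"] == "udp":
            udp_ports[key].add(rec["dport"])
        elif rec["proto"] == "icmp" and rec["info"] == "echo-request":
            icmp[key] += 1
        elif rec["proto"] == "http":
            http[key] += 1

    alerts = []
    for (slot, src, dst), ports in udp_ports.items():
        if len(ports) > THRESHOLDS["udp_distinct_ports"]:
            alerts.append(("udp_flood", src, dst, len(ports)))
    for (slot, src, dst), n in icmp.items():
        if n > THRESHOLDS["icmp_echo_requests"]:
            alerts.append(("icmp_flood", src, dst, n))
    for (slot, src, dst), n in http.items():
        if n > THRESHOLDS["http_requests"]:
            alerts.append(("http_flood", src, dst, n))
    for (slot, victim), nbytes in ntp_unsolicited.items():
        if nbytes > THRESHOLDS["unsolicited_ntp_bytes"]:
            alerts.append(("ntp_amplification", victim,
                           len(ntp_reflectors[(slot, victim)]), nbytes))
    return sorted(alerts, key=lambda a: a[0])


def make_sample_records():
    """Constructed traffic towards victim 192.0.2.10: one legitimate NTP
    exchange and a few normal web requests, mixed with four attacks."""
    victim = "192.0.2.10"
    lines = [
        f"0.000 udp {victim} 50123 198.51.100.1 123 48 ntp-query",
        f"0.020 udp 198.51.100.1 123 {victim} 50123 48 ntp-response",
    ]
    lines += [f"{i*0.010:.3f} http 192.0.2.55 {52000+i} {victim} 80 0 GET /"
              for i in range(5)]
    # UDP flood: one source sprays 60 different ports
    lines += [f"{i*0.001:.3f} udp 203.0.113.5 {40000+i} {victim} {1000+37*i} 512 -"
              for i in range(60)]
    # ICMP flood: 200 echo-requests within one window
    lines += [f"{i*0.001:.3f} icmp 203.0.113.6 - {victim} - 84 echo-request"
              for i in range(200)]
    # HTTP flood: 300 well-formed requests from one client
    lines += [f"{i*0.001:.3f} http 203.0.113.7 {51000+i} {victim} 80 0 GET /search?q=x"
              for i in range(300)]
    # NTP amplification: three open servers answer spoofed queries with
    # 482-byte replies (constructed size) the victim never sent a query for
    for server in ("198.51.100.2", "198.51.100.3", "198.51.100.4"):
        lines += [f"{0.100+i*0.001:.3f} udp {server} 123 {victim} 50000 482 ntp-response"
                  for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in detect(make_sample_records()):
        print(alert)
```

The NTP check is the one that separates amplification from an ordinary UDP flood: the replies come from well-known servers on a legitimate port, so only the absence of a matching outbound query (and the 1:10 size ratio between the 48-byte reply the victim did request and the 482-byte ones it did not) marks them as attack traffic. The legitimate five web requests and the matched NTP reply produce no alert.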