My guess would be a hack of some kind (eg compromising a popular project's code or downloads) and then using the DDOS as a smokescreen. This is something bad guys are increasingly doing with banking hacks - steal the money and then divert everyone's attention with a DDOS. That makes it a lot harder for the victims to find out what happened and distracts the financial institution.
Interestingly, I had a kind of DOS attack on my email account when someone gained access to a credit card account of mine and used it to send money to themselves - I got inundated with hundreds of random emails per second when they were sending money to themselves, so as to make it hard for me to get the notifications and do something about it.
Fortunately, the pattern of emails wasn't very sophisticated and I had made a rule to filter them out within a few minutes and had the account closed within 5 minutes, but I can see how this would be a pretty effective tactic against less computer literate targets.
Um, no. The reason they DDoS financial institutions is so they have a chance to cash out the stolen goods immediately. Stolen financial data has an expiration date and the DDoS extends that just long enough for it to be useful.
DDoS'ing github because you trojaned a source tree calls attention to the fact that you did it. Only the dumbest of all hackers would do such a thing and that is almost certainly NOT what is happening here. When you trojan a source tree, it only becomes useful after your intended victim downloads and installs it, which can take months or even years.
If you DDOS GitHub as a whole, how does that call attention to the one project a bad guy has trojaned?
If the project has mostly "commercial" developers then chances are they work on it during the week. DDOS GitHub during the week and let off for the weekend. That gives a few days' worth for your trojan to be downloaded by the unsuspecting. People will also have tired of hearing about the "github news", so new news about trojaning will take a little longer to disperse.
Here are some random ones off the top of my head. I'm happy to accept that you can't think of any value of these to bad guys, but the bad guys are not limited by your or my imagination.
That is fascinating - I have been meaning to revise my security processes and a livecd for banking is a very good idea.
So most DoS attacks are:
1. Put key logger on company x machines
2. Gather banking keys
3. Transfer money
4. Hit with DoS and get the key logger to do as much damage as possible
Only two weaknesses leap out:
1. Two-factor authentication - I genuinely do not know at what level a bank stops requiring a separate token for each transaction, but it seems silly to ever do that.
2. The money mule - I recently was amazed that directors in Hollywood sometimes accept a percentage of net. But allowing your bank account to be used by some guys on the Internet?
Really those two issues seem ... Well, with those blockers I would not invest in the internet crime startup. Weird that they have bootstrapped quite well.
It's very common to target ecommerce stores like this. Specifically jewellery stores, for some reason. Probably because it's a luxury good and somehow botnet owners link that to the wealth of the owners. We host tens of thousands of ecommerce stores and sometimes get these forwarded. We estimate that our customers receive at least one a month. DDOS attacks are a weekly to bi-weekly occurrence for us.
The company I work for owns a site which has a niche community of buyers and sellers. There is a particular guy on there who has a reputation for scamming other users. When the users complain and post negative feedback about him, he threatens our company and follows through with DDoS attacks until the negative feedback/comments about him are removed.
Would it be reasonable to think of these expletive redacted botnets as a force of nature? As something useful to harden resources against, or just disasters that you hope don't hit? (I'm thinking of this in terms of sour grapes, not poor planning.)
Most hosts (Linode, SoftLayer) will null-route you in a heartbeat when you get a massive influx of traffic that affects their network.
DDoS protection is expensive. Unless it is economically feasible for you to pay for the protection, most sites don't have it until they're a high target.
CloudFlare will protect you from DDoS attacks to an extent.
There are 2 kinds of DDoS attacks I know of (there are more but they're similar): bandwidth exhaustion and computer resource exhaustion.
Bandwidth exhaustion DDoS mitigation is difficult, because it requires you to have a fat inbound pipe to let all the bogus traffic through. Fat pipes are _expensive_; there are few hosting providers that allow you to have a dedicated line of more than 1 Gbps.
Supposedly their Business plan ($200/month) protects against this, and their free plans protect much smaller amounts of traffic.
You can protect against some common resource exhaustion attacks (SYN floods) by having a proper firewall setup.
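The resource-exhaustion case mentioned above (a SYN flood filling the listen backlog with half-open connections, as opposed to bandwidth exhaustion) is easy to spot from a socket-table snapshot. The following is an added example, not code from the thread or from any project named in it; it parses a constructed snapshot in the layout of `ss -tan` output and reports whether the half-open backlog looks like a single abusive peer (worth rate-limiting at the firewall) or a spoofed, distributed flood (where SYN cookies, not address blocking, keep the listener alive). The thresholds are assumptions.

```python
from collections import Counter

# Constructed sample in the layout of `ss -tan` output: two legitimate
# established sessions plus 60 half-open (SYN-RECV) entries, one per source,
# which is what a spoofed-source SYN flood looks like from the victim's side.
SAMPLE_SS = (
    "State     Recv-Q Send-Q Local Address:Port   Peer Address:Port\n"
    "ESTAB     0      0      10.0.0.5:443         198.51.100.7:51234\n"
    "ESTAB     0      0      10.0.0.5:443         198.51.100.9:40211\n"
    + "".join(f"SYN-RECV  0      0      10.0.0.5:443         203.0.113.{i}:{1024 + i}\n"
              for i in range(1, 61))
)


def parse_ss(text):
    """Return (state, peer_ip) pairs from `ss -tan`-style text; header row skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, peer = parts[0], parts[4]
        rows.append((state, peer.rsplit(":", 1)[0]))  # drop the peer port
    return rows


def syn_flood_report(text, half_open_limit=50, single_source_share=0.5):
    """Classify a snapshot (thresholds are assumed values, tune per host).
    A backlog full of SYN-RECV entries from many distinct sources cannot be
    fixed by blocking addresses; that is the case where SYN cookies
    (net.ipv4.tcp_syncookies=1) keep the listener accepting real clients."""
    rows = parse_ss(text)
    half_open = [ip for state, ip in rows if state == "SYN-RECV"]
    established = sum(1 for state, _ in rows if state == "ESTAB")
    sources = Counter(half_open)
    top_ip, top_n = (sources.most_common(1) or [(None, 0)])[0]
    if len(half_open) < half_open_limit:
        verdict = "normal"
    elif top_n / len(half_open) >= single_source_share:
        verdict = "single-source-syn-flood"   # firewall rate-limit on that peer helps
    else:
        verdict = "distributed-syn-flood"     # rely on SYN cookies / shorter SYN-RECV timeout
    return {"half_open": len(half_open), "established": established,
            "distinct_sources": len(sources), "top_source": top_ip, "verdict": verdict}


if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_SS))
```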
CloudFlare has been known to let the attack traffic route to your server if it's big enough.
With CloudFlare spreading the load over loads of sites, you need more than 1000GB/s to bring them down with a pure DDoS bandwidth exhaustion; they have loads of sites spread all over the world.
Computer resource exhaustion is more likely to work than bandwidth exhaustion on CloudFlare.
Like spam, botnet operating costs may be so low that hardly anyone at all may need to succumb to make the operation pay off. Someone's likely to cheat and pay to make the pain go away eventually.
I've been put into a similar situation before, but I couldn't find any convincing evidence that I wouldn't be extorted in the future, even if I did pay.
What's the logic behind this? After all, DDoSers probably aren't upstanding citizens.
Yeah, I had one https:// clone stop in mid-download. I repeated it immediately and it stopped midway again, I tried again after half an hour or so and it went through.
This was before they disabled port 80, so I expect this was resource exhaustion, the smart-https git service wasn't completely isolated from the DDOS target.
Yes, because a respectable company like Atlassian would risk their entire business to give a small boost to just one of their many products by dealing with black market botnets.
I hardly believe that (Atlassian-owned) Bitbucket is doing such an attack. Bitbucket offers free private repos, not just git but mercurial hosting. Although way less popular, I think Bitbucket has features to gain ground in the long run without the need for tactics like DDOSes.
No grudge necessary. This comment thread is lulzy enough by itself. Watching an entire user community freak out over not being able to access their source code in real time over HTTP is a good enough payoff.
Why is it so hard to guess? Obviously GitHub is popular. Most popular sites have been DDOSed. People perform DDOS either because they hate that site, they want to gain something out of it, or they just want to take it down for fun. Stop speculating. It's really simple...
OK yes, but who hates GitHub, and how could you possibly hate Github enough to bother with going to the trouble? Maybe it's just kids, who knows, but I guess I never understand why people waste their time doing things that have zero possible positive benefit to themselves.
Zero possible positives? Ideally, hackers, not crackers, are supposed to HELP companies and organisations to discover their loopholes before it was too late for them. So many attacks are friendly. Many hacker groups (not crackers) would steal stuff and post the irrelevant stuff online just to remind the infrastructure team that they did a bad job.
But on the other hand, Github is a popular site, and it attracts many users, so people can spawn lots of PCs to create a mass attack. Why not? It's a popular site, so they want to test how well their tools can keep up with GitHub. People would assume that as of today, 2012, operation engineers have learned enough to protect and recover from DDOS.
GitHub team did a very good job recovering. Not bad. But certainly the infrastructure is still not able to handle such DDoS. GitHub needs to invest more money on that to secure service.
Whatever the reason might be, it's not necessary to speculate. In some movies, we even had banks / investors hire others to crack their own banks or stores next to the bank to destroy critical evidence (financial loss). That's a scam. Maybe we should speculate if it was GitHub's own DDoS? God knows. Everyone will call me crazy if I believe in such a thing. No, I don't think it was GitHub, but let me remind everyone these strange things happened before in both fiction and real life. But the point I want to make is no one knows and it shouldn't matter.
Whoever attacks it is not important at all. GitHub will learn from this and make the service more reliable.
Why does anybody ddos anything? Pretty much the same reason you carve your name in a tree or drive super slow with the bass up so high it sets off everyone's car alarms.
Only a very well orchestrated DDOS using a botnet has the endurance and strength of this attack.
One can think that they are distributing some malware through github or that an anti USA hostile government agency is reaping code. Only Github knows.
More info: http://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameov...