Getting to the point. Who committed the attack is still unknown - this is the most interesting part of an attack. The attacker(s) try to stay anonymous while the victim(s) try very hard to catch him/her/them. But it was found that the attack was linked to the firewalls of China, and hence they strongly suspect that the Chinese have been involved in this. Though we can’t just point at anyone without any relevant proof.

Now answering another interesting question - how was the attack made? Most of us would have thought at first glance of multiple botnets attacking a server. But to generate this much traffic, one might require thousands of botnets. And it was found that the attack wasn’t made by botnets. It used a new method which is quite famous by now - memcached servers.

Before this attack was performed, most people in this world didn’t know what a memcached server is. But now everyone knows. So, here I will just write the two required points about memcached which are helpful to understand this process (everything else you will find in an article at the end of this answer). Memcached is a process running on a server at port 11211 which is generally used to cache a large amount of frequently accessed data in memory so that it can boost the speed of the server/website. The second point is, a small request query to a memcached server is capable of returning a large amount of data. And yep… a bonus point to note down is - memcached uses UDP.

Now, understanding the attack, it goes something like this. The attacker first finds out the target’s IP address. Then, he/she generates a UDP packet with the reply address field spoofed to the target IP. And then he/she sends such a request to the memcached process running on the server. Not only one, but many such request packets are sent, which generates a large amount of traffic on the target. This is because the attacker used the target’s IP address in the reply field and, as I previously said, memcached generates large response packets for a small request packet. Hence, the target is DDoSed…

Did you note - when using botnets, small computers combine to target a large server. When using memcached, a single server alone is enough to target another server.

As I said, there is so much to know about like:

  1. How much traffic was generated?
  2. For how much time did this attack last?
  3. How did GitHub tackle the attack?
  4. Comments by GitHub on this attack.
  5. What are the views about why this attack was performed?
  6. GitHub can handle 3–5 times the traffic generated by this attack.
  7. Everything about memcached - what is it, why is it used, what is it capable of?
  8. And at last, how to handle and/or prevent this type of attack?

All this can’t be typed here. So here’s a link to the article where everything is written - The Biggest DDoS attack on Github using Memcached Servers - Survived

At last - If you liked it, upvote it. Thanks…
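The traffic pattern the answer above describes (large UDP responses arriving from port 11211 on several servers, addressed to a host that never asked for them) leaves a footprint a defender can pick out of flow records. The following is an added example, not part of the original answer: a small detector over constructed NetFlow-style lines in an assumed text format, flagging hosts that receive memcached-sourced UDP traffic from multiple servers above a byte threshold.

```python
"""Flag likely memcached (UDP/11211) amplification victims in flow records.

Added example, not code from the original answer. Flow records are
constructed inline in an assumed, simplified NetFlow-like text format:
  <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n> pkts=<n>
"""
from collections import defaultdict
import re

MEMCACHED_PORT = 11211
FLOW_RE = re.compile(
    r"^(\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) bytes=(\d+) pkts=(\d+)$")

# Constructed sample: three open memcached servers answering spoofed
# requests "from" 203.0.113.5, one tiny real request, ordinary TCP traffic,
# and a small legitimate memcached reply that must not be flagged.
SAMPLE_FLOWS = """\
udp 198.51.100.10:11211 -> 203.0.113.5:54321 bytes=1400000 pkts=1000
udp 198.51.100.11:11211 -> 203.0.113.5:54321 bytes=1350000 pkts=950
udp 198.51.100.12:11211 -> 203.0.113.5:54321 bytes=1500000 pkts=1100
udp 203.0.113.5:54321 -> 198.51.100.10:11211 bytes=15 pkts=1
tcp 192.0.2.7:443 -> 203.0.113.5:40000 bytes=900000 pkts=700
udp 192.0.2.8:11211 -> 203.0.113.9:50000 bytes=2000 pkts=2
"""

def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        proto, sip, sport, dip, dport, nbytes, pkts = m.groups()
        flows.append({"proto": proto.lower(), "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport),
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def detect_memcached_amplification(flows, min_sources=2, min_bytes=1_000_000):
    """Return {victim_ip: summary} for hosts receiving UDP traffic whose
    *source* port is 11211 from at least min_sources distinct servers and
    totalling at least min_bytes. Responses the host never requested are
    the signature of spoofed-source requests described in the answer."""
    per_dst = defaultdict(lambda: {"bytes": 0, "pkts": 0, "sources": set()})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == MEMCACHED_PORT:
            d = per_dst[f["dst"]]
            d["bytes"] += f["bytes"]
            d["pkts"] += f["pkts"]
            d["sources"].add(f["src"])
    return {ip: {"bytes": d["bytes"], "pkts": d["pkts"],
                 "sources": sorted(d["sources"])}
            for ip, d in per_dst.items()
            if len(d["sources"]) >= min_sources and d["bytes"] >= min_bytes}
```

The thresholds are assumptions to be tuned per network; the practical mitigations the linked article covers (rate-limiting or dropping UDP source-port 11211 at the edge, and not exposing memcached's UDP listener to the internet) sit alongside this kind of detection.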
