GitHub DDoS attack: Sunk by a second wave

Following the news that the code hosting site GitHub has fallen victim to a DDoS attack, Dave Larson, CTO of Corero Network Security, offered his analysis:

"From what GitHub have disclosed it looks like the DDoS attacks targeted at their networks followed a very typical progression. It is not unusual for attackers to probe a site with different attack vectors to figure out what type of vulnerabilities exist.

"It is likely that as the attacker(s) saw that GitHub were able to stop one type of DDoS attack they modified the characteristics of the attack until the website and services were again impacted.

"A second wave of attacks just a day later is also a common sequence, more than likely coming from the same source, which had already analysed how GitHub would likely react in trying to mitigate the attack. The second wave of DDoS attacks does appear to have been successful in taking down the site.

"We are seeing more often that DDoS attacks against web servers evolve over a period of 24-48 hours until they take down a site or their perpetrators give up and move on.

"GitHub have done the right thing in keeping their users informed of the status of the attacks. But when the attackers are sufficiently motivated and have extensive resources, which is common when the perpetrators are powerful syndicates or state actors, as may be the case here, it is difficult to stay ahead of the attack if your response methodology relies on human analysts.

"With the growing power and sophistication of DDoS and other attacks aimed at service disruption, coupled with the increasing ease of launching attacks, every organisation no matter how large or small can become a victim.

"With that in mind, new ways of protecting against these types of attacks are needed as traditional security technologies, such as firewalls or IPS, are unable to defend against these types of attacks.

"A new First Line of Defence with real-time, always-on protection, is needed to protect against DDoS attacks at the Internet edge in order to allow traditional security technologies to function as they were intended and ensure service availability and integrity."
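The progression Larson describes, where the attacker switches vectors as each one is mitigated, is the reason a detector has to watch several independent signals at once rather than a single rate counter. The following is an added example, not code from Corero, GitHub or the original article: a small window-based analyzer that scores each traffic window for three distinct vectors (SYN flood, UDP reflection/amplification, HTTP request flood) and emits a mitigation action per vector without a human in the loop. The flow-record format, the thresholds, the mitigation action names and the sample traffic are all constructed assumptions for illustration.

```python
"""Window-based multi-vector DDoS detection over constructed flow records.

Added example (not Corero's, GitHub's or the article's code). The record
format, thresholds and mitigation action names are assumptions.
"""
from collections import defaultdict

WINDOW = 10                      # seconds per analysis window (assumed)
SYN_FLOOD_PKTS = 200             # SYN-only packets per window before alerting (assumed)
AMP_SRC_PORTS = {53, 123, 1900}  # DNS, NTP, SSDP: commonly abused reflectors
AMP_MIN_PKTS = 100               # reflected packets per window (assumed)
AMP_MIN_AVG_BYTES = 1000         # amplified replies are large (assumed)
HTTP_REQ_PER_SRC = 300           # request packets per source per window (assumed)


def flow(ts, src, proto, src_port, dst_port, flags, pkts, nbytes):
    """One flow record. 'flags' is a TCP flag string ('S' = SYN only, 'PA' = data)."""
    return {"ts": ts, "src": src, "proto": proto, "src_port": src_port,
            "dst_port": dst_port, "flags": flags, "pkts": pkts, "bytes": nbytes}


def classify_window(flows):
    """Return (vector, action) pairs for every vector that exceeds its threshold.

    Each vector has its own signal, so mitigating one (e.g. SYN cookies) does not
    blind the detector to the next one the attacker switches to.
    """
    findings = []

    # Vector 1: SYN flood, a burst of SYN-only packets, usually from spoofed sources.
    syn_only = sum(f["pkts"] for f in flows if f["proto"] == "tcp" and f["flags"] == "S")
    if syn_only > SYN_FLOOD_PKTS:
        findings.append(("syn_flood", "enable_syn_cookies"))

    # Vector 2: UDP amplification, large replies from reflector ports we never queried.
    amp = defaultdict(lambda: [0, 0])  # reflector source port -> [pkts, bytes]
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] in AMP_SRC_PORTS:
            amp[f["src_port"]][0] += f["pkts"]
            amp[f["src_port"]][1] += f["bytes"]
    for port, (pkts, nbytes) in amp.items():
        if pkts > AMP_MIN_PKTS and nbytes / pkts > AMP_MIN_AVG_BYTES:
            findings.append(("udp_amplification", f"rate_limit_udp_src_port_{port}"))

    # Vector 3: HTTP request flood over completed connections, so SYN cookies do
    # nothing; the signal is the per-source request rate against the web ports.
    per_src = defaultdict(int)
    for f in flows:
        if f["proto"] == "tcp" and f["dst_port"] in (80, 443) and f["flags"] == "PA":
            per_src[f["src"]] += f["pkts"]
    for src, n in sorted(per_src.items()):
        if n > HTTP_REQ_PER_SRC:
            findings.append(("http_flood", f"block_src_{src}"))
    return findings


def analyze(records):
    """Bucket records into windows; return a timeline of (window_start, vector, action)."""
    windows = defaultdict(list)
    for r in records:
        windows[r["ts"] // WINDOW * WINDOW].append(r)
    return [(start, vec, act)
            for start in sorted(windows)
            for vec, act in classify_window(windows[start])]


def build_sample():
    """Constructed traffic: a legitimate baseline in every window plus an attack
    that changes vector each window once the previous one has been mitigated."""
    recs = []
    for w in range(0, 40, WINDOW):                      # baseline: 3 clients + DNS
        for i in range(3):
            recs.append(flow(w + i, f"198.51.100.{i}", "tcp", 50000 + i, 443, "S", 1, 60))
            recs.append(flow(w + i, f"198.51.100.{i}", "tcp", 50000 + i, 443, "PA", 20, 9000))
            recs.append(flow(w + i, "192.0.2.53", "udp", 53, 40000 + i, "", 5, 500))
    for i in range(1, 255):                             # window 10: spoofed SYN flood
        recs.append(flow(12, f"203.0.113.{i}", "tcp", 1024 + i, 443, "S", 1, 60))
    for i in range(150):                                # window 20: DNS amplification
        recs.append(flow(23, f"192.0.2.{i % 200}", "udp", 53, 33000 + i, "", 1, 3000))
    for src in ("198.51.100.7", "198.51.100.8"):        # window 30: HTTP flood
        recs.append(flow(35, src, "tcp", 40001, 443, "PA", 500, 100000))
    return recs


if __name__ == "__main__":
    for start, vector, action in analyze(build_sample()):
        print(f"t={start:>3}s  {vector:<18} -> {action}")
```

Running the sample yields one action per window as the attack pivots: SYN cookies at t=10, a rate limit on reflected DNS at t=20, and per-source blocks for the two flooding clients at t=30, while the baseline window at t=0 produces nothing. The point the example makes is structural: a single threshold tuned for the first wave is silent on the second, so each vector needs its own detector and its own pre-decided response if mitigation is to happen at machine speed rather than at analyst speed.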