There was no explosion.
No breach.
No stolen passwords dumped online.
Just silence.
On February 28th, 2018, one of the internet’s most critical platforms, GitHub, simply… stopped responding.
No warning. No ransom note. No obvious attacker.
Behind the scenes, something far more unsettling was unfolding.
A weapon had been unleashed, not targeting data, but availability itself.
And it was only the beginning.

At 17:21 UTC, traffic to GitHub surged violently.
Within seconds, inbound data peaked at 1.35 terabits per second, a number so large it was almost abstract. For context, that’s equivalent to hundreds of thousands of HD movies streaming simultaneously.
But this wasn’t a botnet in the traditional sense.
No army of infected laptops.
No malware spreading across the globe.
Instead, the attackers exploited something hiding in plain sight: misconfigured Memcached servers.
Memcached is a caching system designed to speed things up: websites use it to reduce load times.
But thousands of these servers were exposed to the public internet.
Attackers discovered they could:
- Send a tiny spoofed request (pretending to be GitHub)
- Trigger a massive response from the server
- Redirect that response toward the victim
The result?
An amplification factor of up to 50,000x.
A whisper became a tsunami.
GitHub didn’t collapse for long.
Within 10 minutes, traffic was rerouted through a DDoS mitigation provider, and the attack was absorbed.
This was new.
Historically, attacks of this size would cripple infrastructure for hours, if not days.
Instead, something unexpected happened:
The internet adapted.
- Traffic was filtered
- Malicious packets dropped
- Systems scaled dynamically
This wasn’t just survival.
It was the first sign that defence was evolving as fast as offence.
But the attackers were paying attention too.

Two years later, the ceiling shattered.
In early 2020, Amazon Web Services (AWS) detected a DDoS attack that dwarfed GitHub’s incident.
2.3 terabits per second.
Nearly double the previous record.
But this time, something was different.
No outages made headlines.
No widespread disruption.
No panic.
Because most of the world never noticed.
The attackers used Connectionless Lightweight Directory Access Protocol (CLDAP), another overlooked service exposed to the internet.
Much like Memcached:
- Small requests triggered massive responses
- Responses were redirected to the victim
- Scale did the rest
But AWS had an advantage GitHub didn’t fully have in 2018:
Hyperscale infrastructure.

Defence Becomes the Story
AWS absorbed the attack using AWS Shield, its advanced DDoS protection system.
Instead of reacting, AWS:
- Automatically detected abnormal traffic patterns
- Distributed the load across global infrastructure
- Neutralised the attack before it reached critical systems
The attack still happened.
It just… didn’t matter.
And that’s what makes this moment so important.

The Invisible Enemy
Unlike ransomware or data breaches, these attacks left almost no fingerprints.
No group claimed responsibility.
No clear nation-state attribution.
But patterns suggest:
- Cybercriminal experimentation
- Possible state-sponsored capability testing
- A growing interest in infrastructure-level disruption
Because DDoS isn’t about stealing data.
It’s about sending a message:
“We can turn off the lights whenever we want.”

Lessons Learned — The New Rules of DDoS
1. The Internet Can Be Weaponised Against Itself
Misconfigured services (Memcached, CLDAP) turned legitimate infrastructure into attack tools.
2. Scale Is the New Battlefield
Attackers are no longer just targeting systems; they’re targeting capacity limits.
3. Defence Has Entered the Cloud Era
Traditional on-premise defences struggle.
Cloud providers now act as shock absorbers for the internet.
4. Visibility Matters More Than Ever
You can’t stop what you can’t see.
Real-time monitoring is critical.
5. Resilience > Prevention
You may not stop the flood.
But you can survive it.
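
Lessons 1 and 4 can be made concrete with a small flow-log check, added here as an illustration and not taken from GitHub's or AWS's tooling: it flags destinations receiving a burst of UDP traffic whose source port is a reflector service named above. The flow tuple layout, the thresholds and the documentation-range IP addresses are constructed assumptions; 11211 and 389 are the default ports of Memcached and CLDAP.

```python
from collections import defaultdict

# UDP source ports of the two reflector services named in the article
# (well-known defaults: Memcached 11211, CLDAP 389).
REFLECTOR_PORTS = {11211: "memcached", 389: "cldap"}

def detect_reflection(flows, window=10, min_bps=1_000_000, min_sources=3):
    """Flag destinations hit by UDP traffic sent *from* reflector ports.

    flows: iterable of (ts_seconds, proto, src_ip, src_port, dst_ip, bytes).
    Traffic is grouped into window-second buckets per (dst_ip, service).
    Returns {(dst_ip, service): {"bps", "sources"}} for the busiest bucket
    that exceeds both the bandwidth and distinct-source thresholds.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, proto, src_ip, src_port, dst_ip, nbytes in flows:
        service = REFLECTOR_PORTS.get(src_port)
        if proto != "udp" or service is None:
            continue  # reflection replies arrive over UDP from the service port
        bucket = buckets[(dst_ip, service, int(ts) // window)]
        bucket["bytes"] += nbytes
        bucket["sources"].add(src_ip)

    alerts = {}
    for (dst_ip, service, _), bucket in buckets.items():
        bps = bucket["bytes"] * 8 / window
        if bps < min_bps or len(bucket["sources"]) < min_sources:
            continue  # one chatty server is not a reflection flood
        prev = alerts.get((dst_ip, service))
        if prev is None or bps > prev["bps"]:
            alerts[(dst_ip, service)] = {"bps": bps, "sources": len(bucket["sources"])}
    return alerts

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    (0, "udp", "198.51.100.1", 11211, "203.0.113.10", 500_000),
    (2, "udp", "198.51.100.2", 11211, "203.0.113.10", 500_000),
    (5, "udp", "198.51.100.3", 11211, "203.0.113.10", 500_000),
    (7, "udp", "198.51.100.4", 11211, "203.0.113.10", 500_000),
    (3, "udp", "192.0.2.53", 53, "203.0.113.10", 300),          # ordinary DNS reply
    (4, "tcp", "192.0.2.20", 11211, "203.0.113.20", 900_000),   # TCP cache traffic
    (6, "udp", "198.51.100.9", 389, "203.0.113.30", 3_000),     # lone small CLDAP reply
]

if __name__ == "__main__":
    for (dst, service), info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{dst}: {service} reflection, {info['bps']:.0f} bps "
              f"from {info['sources']} sources")
```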

The War Without Damage
No data was stolen.
No systems permanently destroyed.
And yet, these attacks marked a turning point.
The battlefield had shifted.
From breaking in…
To overwhelming everything.
The GitHub attack proved what was possible.
The AWS attack proved what was coming.
And somewhere, right now, the next evolution is already being tested.
Not with louder weapons.
But with bigger ones.
