Just a few weeks ago, the GitHub website suffered its most serious DDoS attack to date.
GitHub is the world's largest social programming and code hosting site, where a large number of open source projects are hosted, such as the well-known open source operating system Linux.
The attack seemed to come from everywhere at once, which made it difficult for GitHub to defend against.
Using the TTL value to track the man-in-the-middle attack.
By checking the TTL values in the packets, Netresec concluded that it was a man-in-the-middle attack.
Traceroute is a great tool. It sends packets with TTL values of 1, 2, 3, and so on. Because the TTL is so low, these packets cannot reach the target machine: every router decrements the TTL by one, and the router that decrements it to 0 discards the packet and sends back an ICMP Time Exceeded message carrying the router's own address. So I can collect all the routers between me and the target server.
I wrote a small traceroute tool. It does not just send a single packet: first it establishes a connection with a normal TTL value, so the packets are sure to reach the target machine; then it initiates an HTTP request whose packet carries a relatively small TTL value, so that packet will be discarded before it reaches the target. But the man-in-the-middle will update the TTL value when he gets the packet through the hijacking device. In this way, I can find where the man-in-the-middle's device is.
I found that the man-in-the-middle device lurks between hop 11 and hop 12. The web request gets no response when the TTL value is 11, but when the TTL value is 12 it gets a normal response. From the IP addresses in the traceroute, we can see that the man-in-the-middle's device is placed in the backbone network of China Unicom.
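The procedure above (a TCP connection set up with a normal TTL, then one HTTP request sent with a deliberately low TTL, repeated for increasing TTLs until something answers) can be expressed as a small scan plus a comparison against the ordinary traceroute hop count. The script below is an added example written for this page; it is not Netresec's http-traceroute nor the author's own tool. The real probe uses the IP_TTL socket option on a plain-HTTP connection (assumed: IPv4, port 80, a server you are allowed to test). The simulated path, the hop numbers (injection point between hop 11 and hop 12, server at hop 20) and the function names are constructed for illustration; the server's hop count is assumed to come from a normal ICMP traceroute run beforehand, as the text describes.

```python
"""HTTP-traceroute sketch: find the hop at which something other than the
real server starts answering HTTP requests. Added example, not the page's code."""
import socket
from typing import Callable, Optional, Tuple

Probe = Callable[[int], bool]  # probe(ttl) -> True if an HTTP reply came back


def http_probe(host: str, ttl: int, port: int = 80, timeout: float = 3.0) -> bool:
    """Real network probe (assumption: plain HTTP over IPv4 to a host you control).
    The TCP handshake runs with the OS default TTL so it reaches the server; only
    the request segment is sent with the lowered TTL. A reply before the timeout
    means some device at or before the server's distance answered it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        request = (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
                   "Connection: close\r\n\r\n").encode()
        s.sendall(request)
        try:
            return len(s.recv(1)) > 0
        except socket.timeout:
            return False


def locate_first_responder(probe: Probe, max_ttl: int = 30) -> Optional[int]:
    """Scan TTL 1..max_ttl and return the smallest TTL that drew an HTTP reply.
    A packet sent with TTL t survives the first t-1 routers, so a device that
    taps the link after hop t-1 sees it only when t >= its position."""
    for ttl in range(1, max_ttl + 1):
        if probe(ttl):
            return ttl
    return None


def interpret(first_ttl: Optional[int], server_hops: int) -> Tuple[str, Optional[int], Optional[int]]:
    """Compare the first-responding TTL with the server's distance from a normal
    traceroute. Returns (verdict, lower_hop, upper_hop)."""
    if first_ttl is None:
        return ("none", None, None)
    if first_ttl < server_hops:
        # Something closer than the server answered: it sits on the link
        # between router first_ttl-1 and router first_ttl.
        return ("injector", first_ttl - 1, first_ttl)
    return ("server", server_hops, server_hops)


def simulated_probe(server_hops: int, injector_hop: Optional[int]) -> Probe:
    """Constructed stand-in for http_probe: a path of server_hops routers with an
    optional injecting tap that sees every packet surviving hop injector_hop-1.
    Lets the scan run offline; values are illustrative, not measured."""
    def probe(ttl: int) -> bool:
        reaches_server = ttl >= server_hops
        seen_by_injector = injector_hop is not None and ttl >= injector_hop
        return reaches_server or seen_by_injector
    return probe


if __name__ == "__main__":
    # Constructed scenario matching the text: no reply at TTL 11, reply at TTL 12,
    # while a normal traceroute puts the real server 20 hops away.
    first = locate_first_responder(simulated_probe(server_hops=20, injector_hop=12))
    print(first, interpret(first, server_hops=20))  # 12 ('injector', 11, 12)
    clean = locate_first_responder(simulated_probe(server_hops=20, injector_hop=None))
    print(clean, interpret(clean, server_hops=20))  # 20 ('server', 20, 20)
```

Two caveats when running the real probe: a CDN, reverse proxy or transparent cache that legitimately terminates TCP in front of the origin also answers at a lower hop than the origin, so "injector" only means "a device other than the expected endpoint replied" until its IP is checked against the traceroute path; and the connection should be reopened for every TTL, since a request whose segment was dropped will otherwise be retransmitted by the kernel with the same low TTL.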
Using HTTP traceroute, Netresec determined that the man-in-the-middle device attacking GitHub was located in China. Of course, this does not mean that the attack was launched by China; there are other possibilities, such as hackers having compromised or taken control of these network devices.