Ask HN: Why can GitHub get DDoS'd, but Google can't?

9 points by shockzzz ↗ HN
To clarify, I'm not saying someone _should_ DDoS Google (or Facebook). I'm just curious about how Google (or Facebook) sets up their infrastructure to protect themselves, as opposed to Github.

Or maybe everyone's at risk! How come the anti-information people haven't targeted Google?

20 comments

[ 3.3 ms ] story [ 60.2 ms ] thread
The thing about a DDoS attack, is that it's a significantly higher traffic volume that the target normally sees.

So, a "sufficiently large" site might well not even notice if you tried to DDoS them.

I would assume Google and Facebook (and Twitter) to be examples of such "sufficiently large" sites.

so it really is just handling traffic volume?
Technically yes. I am no expert but I understand the best approach is to divert attack traffic to a sinkhole, i.e. handle attack traffic, not block it.
Except there's no provable way to distinguish between "attack traffic" and normal traffic. You're also diverting your normal users anyhow, so the DDOS is still working as intended.
>Except there's no provable way to distinguish between "attack traffic" and normal traffic.

Depends on the DDOS method used. Stuff like the NTP abuse of a few years ago could be sinkholed without effecting any real users. HTTP DDOS has pretty low impact per node so most attackers use some form of amplification attack with other protocols.

Oh there are totally heuristics you can use. For example, limiting traffic from geolocations in which it shouldn't be showing high traffic usage (8 million hits per minute from China at 3am Beijing time?).

The key word is "provable."

I was told a story by a friend who works for a CDN (big one that handles lots of online video):

"Hey - look at this, I think someone's trying to DDOS us."

> "A hundred thousand requests a second? Neat - is it affecting our latency?"

"Um... no, not really."

> "Give me a shout if they hit a million a second."

For the same reason an ant can be squished by stomping on it and an elephant can't: because they're bigger.
To be fair, GitHub has been handling the attack VERY well.
Yes, they're kickin ass!

I wish there was a way to send that team a beer or something, they're heroes at this point.

I was just using Github an hour ago and literally felt no difference in accessibility. Insanely good job Github.
Absolutely, they deserve the greatest respect for that.
I hope they release a well documented aftermath and all that they did to keep themselves afloat.
I'm making up figures here, but the answer is going to be something along the lines of:- Because Google has somewhere between one and ten thousand times as many servers as Github, distributed across somewhere between twenty and sixty times as many distinct geographic locations.
DDOS attacks are interesting because, as of now, it's basically the only classification of cyberattack that there's no provably correct method to prevent.

Say you get a letter every few weeks from a penpal from years back. You get a few other pieces of mail each day as well, so you quickly sort through them to see if your penpal wrote to you and if so, you pull that message out and throw away the rest.

Imagine you get to your mailbox one day and there are thousands of letters in it. The mail truck comes by for a second run and puts thousands more. Before you've even gotten back to your front door, a third truck comes and does the same.

It's no longer feasible for you to find out if your penpal wrote to you. That's a DDOS.

However, the post office was clearly receiving and processing all of those pieces of mail. They have the capability because they do it every day. Sure, the attacker put some extra load on them, but it wasn't a 100,000% increase like you sustained.

Your mailbox is Github, the post office is Google. Google's infrastructure is set up in a way that there's a lot of it.

So in theory, Google could DDoS anyone who has a smaller post office?

Also, wouldn't a DNS provider or hosting service be able to "beef up" to handle the traffic from a DDoS? Especially if it's a nice one, it seems like something you'd expect from them.

Correct. Which is actually how this attack is happening. It's using Baidu's servers, which are ostensibly very robust. If you were to hijack Google/Amazon/Facebook/Netflix servers, you'd probably be able to DDOS nearly anyone on the planet.

And yes, there are ways to essentially start throwing servers online and yes companies do it. The problem is it becomes obscenely expensive — if you do this and go bankrupt, again, the DDOS has succeeded. It's actually somewhat problematic to do it automatically for exactly that reason. What if you preferred to just take your service offline until you could investigate enough to stop the attack instead of pay hundreds of thousands per day in server costs?

This is why DDOSs are a bitch!

Edit: Also worth noting, it's probably for this reason that Github is still accessible: throwing servers online and eating the cost.

There should be like, DDoS insurance.
Startup idea? No it's miiiiiiiinneeee