The status messages from the weekend state the problems GitHub had.
We discussed a feint DDoS attack last week in a blog post:
There are cases of DDoS where PCI compliance asks you to place the risk in a low category:
Risk level: Severity is low for Denial-of-service attack, abnormal termination
So the low risks are when the system cannot be compromised _directly_. As discussed last week, a low-speed DDoS attack can mask other attacks. But DDoS is still not a direct breach, and that is the only reason DDoS is not as high a priority in the scheme of things.
I thought I would let you in on the SecOps secret: don't spend as much attention on DDoS attacks; instead, focus on the actual remote execution attacks and escalation of privilege attacks.
In my updated risk matrix, the reality is that DDoS is not included, as one cannot actually hack a machine with DDoS.
This of course does not mean that one can ignore it for a well-publicized attack. One has to mitigate the attack, but again, to mitigate is not to solve for good.
Let me know if you have any questions on this issue: