GitHub, Struck by Record-Breaking DDoS, Walks It Off


Yesterday, the internet’s favorite code repository, GitHub, was hit by a record 1.35-terabits-per-second denial-of-service attack—the most powerful recorded so far. Yet, the website only endured a few minutes of intermittent downtime.

The attacker, likely realizing their efforts were for naught, withdrew after less than an hour. GitHub was able to suffer the attack and keep kicking thanks to Akamai’s DDoS mitigation service.


“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack,” GitHub wrote in an autopsy of the event Thursday. “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”

Per GitHub, the angry little person (or people) responsible employed an amplification attack, in which an attacker spoofs a target’s IP address and repeatedly sends byte-sized UDP requests to memcached servers. These data-caching systems, which are intended to improve database performance, problematically return a hugely disproportionate amount of data.

Because the attacker spoofed GitHub’s IP, the responses flooded toward the site at more than a terabit per second.


Tod Beardsley, research director at Rapid7, called the attack a “harbinger of the new world of DDoS.”


“Unless and until these vulnerable memcached servers are themselves booted off the Internet,” Beardsley said, “they will remain as an irresistibly attractive means for firing packet cannons at any target one might choose, all with no botnet infrastructure required.”

The good news is, you can mitigate memcached-based amplification attacks by setting up an incoming rate limit on port 11211, according to Akamai.
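One way to picture the incoming rate limit on port 11211, as an added example that is not from the article, GitHub or Akamai: a byte-based token bucket applied to a constructed packet stream. It assumes the limit matches UDP packets whose source port is 11211, since reflected responses leave memcached from its listening port; the `Packet` record, the rate and burst values, and the sample traffic are hypothetical.

```python
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # port named in the article

@dataclass
class Packet:  # hypothetical record for one inbound packet
    ts_ms: int   # arrival time in milliseconds
    proto: str   # "udp" or "tcp"
    sport: int   # source port
    size: int    # bytes on the wire

class TokenBucket:
    """Byte-based bucket: refills `rate` bytes per ms up to `burst` bytes."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, ts_ms, size):
        if self.last is not None:
            refill = (ts_ms - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = ts_ms
        if size > self.tokens:
            return False
        self.tokens -= size
        return True

def filter_inbound(packets, rate=10, burst=20_000):
    """Limit only UDP from source port 11211 (assumed match); count bytes."""
    bucket = TokenBucket(rate, burst)
    stats = {"memcached_passed": 0, "memcached_dropped": 0, "other_passed": 0}
    for p in packets:
        if p.proto == "udp" and p.sport == MEMCACHED_PORT:
            ok = bucket.allow(p.ts_ms, p.size)
            stats["memcached_passed" if ok else "memcached_dropped"] += p.size
        else:
            stats["other_passed"] += p.size  # unrelated traffic is untouched
    return stats

def sample_traffic():
    """Constructed sample: 1 s of 1400-byte reflected replies plus HTTPS."""
    flood = [Packet(i, "udp", MEMCACHED_PORT, 1400) for i in range(1000)]
    web = [Packet(i * 100, "tcp", 443, 500) for i in range(10)]
    return sorted(flood + web, key=lambda p: p.ts_ms)

if __name__ == "__main__":
    print(filter_inbound(sample_traffic()))
```

On the constructed sample the bucket passes the initial burst and then only the sustained allowance, while the HTTPS packets are counted through unchanged.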


“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly,” the company wrote in a Thursday blog post. “Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly.”

Gulp.


About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AE
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD