GitHub Hit with the Biggest DDoS Assault Ever Recorded – No Botnets, No Malware Used!
GitHub has apparently managed to survive the biggest online assault ever recorded. The Distributed Denial of Service (DDoS) attack began at 17:21 UTC when 1.35 terabits per second of traffic hit the platform. The attack did NOT use any botnet. GitHub.com was unavailable from 17:21 to 17:26 and intermittently unavailable from 17:26 to 17:30 on February 28, the company said today.
While the developer platform initially struggled with outages, within 10 minutes all the traffic was routed to Akamai - its DDoS mitigation service - to block malicious traffic. "The first portion of the attack peaked at 1.35Tbps and there was a second 400Gbps spike a little after 18:00 UTC," the platform said in its report.
In comparison, the previous biggest assault, which targeted internet infrastructure company Dyn in 2016, peaked at 1.2 Tbps and caused issues for a number of major companies. GitHub's swift response to this attack is partly a legacy of that Dyn attack: companies that struggled during the 2016 traffic onslaught had started working on defences against similar or even bigger attacks.
What exactly happened during this GitHub DDoS attack
The GitHub DDoS attack didn't use any botnets and actually came from memcached servers. Earlier in the week, Cloudflare posted about a new amplified denial-of-service attack vector that abuses the memcached distributed in-memory caching utility, used to speed up dynamic web applications by caching data in memory to reduce database load. "The general idea behind all amplification attacks is the same," the company had said.
"An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources - most typically the network itself."
GitHub said that the attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. "It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second," the developer platform added.
The attack type had only started to appear a few days earlier, with smaller attacks spotted in Asia, Europe and North America, prompting major infrastructure companies to prepare for possibly bigger ones. Akamai also recently implemented specific mitigations for these so-called memcrashed attacks. According to the company, about 100,000 memcached servers - which are meant to speed up networks and websites and should never be exposed on the public internet - currently remain exposed. These can be, and are being, used by attackers, who send them a special command packet that the server answers with a much larger reply.
In an amplification attack, attackers don't need to recruit a botnet: they can simply spoof the IP address of their victim and send small queries to multiple memcached servers, queries designed to elicit a much larger response. The memcached systems can then return 50 times the data of the requests back to the victim.
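The two signals a defender can look for follow directly from the description above: on the reflector side, a memcached host whose UDP/11211 responses are many times larger than the requests that triggered them, and on the victim side, a destination receiving UDP/11211 responses from many distinct sources at once. The script below is an added example, not code from the article or from GitHub, Cloudflare or Akamai; it runs over constructed NetFlow-style records (the addresses, byte counts and the 10x threshold are assumptions) and flags both patterns.

```python
"""Flag memcached (UDP/11211) amplification in flow records.

Added example (not from the article). Works on constructed, NetFlow-style
records and reports:
  * reflector side: a memcached host whose UDP/11211 responses are many
    times larger than the requests it received from a given peer;
  * victim side: a destination receiving UDP/11211 responses from many
    distinct sources, i.e. the fan-in of a reflected attack.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # memcached's default port, as named in the article


@dataclass(frozen=True)
class Flow:
    proto: str    # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    packets: int


# Constructed sample (addresses from documentation ranges): three exposed
# memcached hosts answer tiny requests whose source address was spoofed to
# the victim 203.0.113.10, so the large replies land on the victim.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.10", 40000, "198.51.100.1", 11211, 60, 1),
    Flow("udp", "198.51.100.1", 11211, "203.0.113.10", 40000, 3000, 3),
    Flow("udp", "203.0.113.10", 40001, "198.51.100.2", 11211, 60, 1),
    Flow("udp", "198.51.100.2", 11211, "203.0.113.10", 40001, 3300, 3),
    Flow("udp", "203.0.113.10", 40002, "198.51.100.3", 11211, 60, 1),
    Flow("udp", "198.51.100.3", 11211, "203.0.113.10", 40002, 2700, 2),
    # legitimate memcached use over TCP inside a private network: ignored
    Flow("tcp", "10.0.0.5", 50000, "10.0.0.9", 11211, 200, 4),
    Flow("tcp", "10.0.0.9", 11211, "10.0.0.5", 50000, 500, 4),
    # unrelated DNS query from the victim: ignored
    Flow("udp", "203.0.113.10", 53000, "192.0.2.53", 53, 70, 1),
]


def reflector_ratios(flows):
    """Per (memcached host, peer): bytes sent from UDP/11211 divided by
    bytes received on UDP/11211 from that peer (the amplification factor)."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == MEMCACHED_PORT:
            sent[(f.src, f.dst)] += f.nbytes
        elif f.dport == MEMCACHED_PORT:
            recv[(f.dst, f.src)] += f.nbytes
    # pairs that sent responses but received no request bytes are skipped
    return {k: sent[k] / recv[k] for k in sent if recv.get(k)}


def flag_reflectors(flows, min_factor=10.0):
    """Pairs whose response/request byte ratio reaches min_factor (assumed threshold)."""
    return {k: round(r, 1) for k, r in reflector_ratios(flows).items()
            if r >= min_factor}


def victim_fan_in(flows):
    """Per destination: (distinct UDP/11211 sources, total bytes received from them)."""
    sources = defaultdict(set)
    total = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.sport == MEMCACHED_PORT:
            sources[f.dst].add(f.src)
            total[f.dst] += f.nbytes
    return {d: (len(sources[d]), total[d]) for d in sources}


def flag_victims(flows, min_sources=2, min_bytes=1000):
    """Destinations hit by at least min_sources reflectors and min_bytes of replies."""
    return {d: v for d, v in victim_fan_in(flows).items()
            if v[0] >= min_sources and v[1] >= min_bytes}


if __name__ == "__main__":
    for pair, factor in flag_reflectors(SAMPLE_FLOWS).items():
        print(f"reflector {pair[0]} amplified {pair[1]} by {factor}x")
    for victim, (n, b) in flag_victims(SAMPLE_FLOWS).items():
        print(f"victim {victim}: {n} reflectors, {b} bytes of UDP/11211 replies")
```

The reflector-side ratio is the check an operator of a memcached host can run on its own egress flows; the fan-in count is what the target sees. Thresholds are deliberately low for the constructed sample, and in practice both should be measured over a time window. The lasting fix for the reflector side is the one the article implies: keep memcached off the public internet and leave its UDP listener disabled.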
While Akamai acted quickly, it appears GitHub will probably serve, as Dyn did, as the reference case for future amplification attacks, as threat intelligence firms work to reduce the kind of downtime and outages the platform experienced. GitHub has assured users that "at no point was the confidentiality or integrity of your data at risk".