On Wednesday, developer repository site GitHub was hit with a DDoS attack that knocked the site offline for several minutes and left it intermittently unavailable for several more. According to a GitHub incident report, the first portion of the attack against the developer platform peaked at 1.35Tbps, and a second spike later reached 400Gbps. That would make it the biggest DDoS attack publicly recorded so far; until now, the biggest clocked in at around 1.1Tbps.
According to the incident report, GitHub was offline Wednesday from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC as a result of the attack. The report noted that user data was not at risk at any point.
The GitHub attack is the latest in a string of incidents in which attackers have abused the memcached protocol to amplify the volume of such an attack. Memcached is typically used to speed up websites, but the way its UDP interface behaves makes the amplification possible, as noted by Cloudflare.
Memcached, as the name suggests, is an in-memory cache that eases the load on databases and other data stores. It was never meant to be exposed to the internet: it has no authentication, and over UDP it will answer any request that reaches it without a handshake. That has not stopped attackers from turning it into a reflector. An attacker sends a tiny UDP request to an exposed server with the source address forged to be the victim's IP, and the server sends its much larger reply (the cached value, which can be up to 1MB) to the victim instead. Cloudflare measured the amplification factor at up to 51,200x, enough for a trickle of spoofed packets to produce a flood that overwhelms the victim's network.
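To make the amplification concrete, the following Python script is an added example written for this article; it is not code from GitHub, Akamai or Cloudflare and it sends no traffic. It builds a memcached UDP request frame, shows how a server's reply to a spoofed request would be split into datagrams on the wire, reassembles it, and computes the amplification factor. The 8-byte frame header (request ID, sequence number, total datagrams, reserved) and the `get`/`VALUE` text format are from the memcached protocol specification; the 1400-byte split size, the key name `k`, and the 768000-byte cached value are assumptions chosen to reproduce an amplification in the neighbourhood of the figure Cloudflare reported.

```python
"""Memcached UDP amplification, illustrated offline (added example, not
vendor code). The attacker first stores a large value on an exposed server
with a normal `set`, then sends one tiny `get` whose UDP source address is
forged to be the victim's; the server answers the victim, not the attacker.

Every memcached UDP datagram starts with an 8-byte header from protocol.txt:
request ID (2 bytes), sequence number (2), total datagrams in the message (2),
reserved (2), all big-endian, followed by the ASCII command or reply text.
"""
from __future__ import annotations
import struct

FRAME_HEADER = struct.Struct("!HHHH")  # request id, seq, total, reserved
MAX_UDP_PAYLOAD = 1400  # assumed split size; real servers use a similar bound


def build_request(command: bytes, request_id: int = 1) -> bytes:
    """A one-datagram request such as b'get k' (15 bytes on the wire)."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command


def split_response(request_id: int, payload: bytes) -> list[bytes]:
    """What the server's reply looks like on the wire: the reply text cut
    into numbered datagrams that all carry the same request ID."""
    chunks = [payload[i:i + MAX_UDP_PAYLOAD]
              for i in range(0, len(payload), MAX_UDP_PAYLOAD)] or [b""]
    total = len(chunks)
    return [FRAME_HEADER.pack(request_id, seq, total, 0) + chunk
            for seq, chunk in enumerate(chunks)]


def parse_frame(datagram: bytes) -> tuple[int, int, int, bytes]:
    """Split one datagram into (request_id, seq, total, payload)."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("short memcached UDP frame")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME_HEADER.size:]


def reassemble(datagrams) -> bytes:
    """Reorder datagrams by sequence number; refuse mixed or partial replies."""
    frames = [parse_frame(d) for d in datagrams]
    ids = {f[0] for f in frames}
    totals = {f[2] for f in frames}
    if len(ids) != 1 or len(totals) != 1:
        raise ValueError("datagrams belong to different messages")
    total = totals.pop()
    by_seq = {f[1]: f[3] for f in frames}
    if sorted(by_seq) != list(range(total)):
        raise ValueError("missing datagrams")
    return b"".join(by_seq[i] for i in range(total))


def amplification_factor(request: bytes, response_datagrams) -> float:
    """UDP payload bytes the reflector emits per byte the attacker sent."""
    return sum(len(d) for d in response_datagrams) / len(request)


def demo(value_size: int = 768000) -> float:
    """Constructed scenario: a `get` for a key holding `value_size` bytes."""
    request = build_request(b"get k")
    # Constructed reply text in memcached's own format: VALUE <key> <flags> <bytes>
    reply = (b"VALUE k 0 %d\r\n" % value_size) + b"A" * value_size + b"\r\nEND\r\n"
    datagrams = split_response(1, reply)
    assert reassemble(datagrams) == reply
    return amplification_factor(request, datagrams)


if __name__ == "__main__":
    print("%.0fx amplification from a %d-byte request"
          % (demo(), len(build_request(b"get k"))))
```

Run as a script it reports roughly 51,000x for the assumed 768000-byte value, which is why a few attacker hosts were enough to produce over a terabit per second. The fix on the server side is not a patch but a configuration: do not expose memcached to the internet at all, and start it with `-U 0` so the UDP listener is off (memcached 1.5.6 and later ship with UDP disabled by default).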
To absorb the attack, GitHub moved some of its traffic to Akamai for additional capacity at the edge. In its own post, Akamai, one of the companies that identified the memcached amplification vector early on, wrote that it predicts "many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure."
Josh Shaul, vice president of web security at Akamai, said: “we modeled our capacity based on five times the biggest attack that the internet has ever seen. So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once.”
The attack has few parallels in scale: GitHub said the traffic came from “over a thousand different autonomous systems across tens of thousands of unique endpoints.”