GitHub was hit by the most powerful DDoS attack in history

Leave unsecured software exposed to the internet, and you could be contributing to a denial-of-service attack.

Last week saw the largest distributed denial-of-service (DDoS) attack in history.

GitHub was hit by a record-breaking attack which peaked at some 1.35 terabits per second (outstripping the notorious DDoS attack on Dyn, which knocked the likes of Twitter, Spotify, Reddit, and umm.. yeah, GitHub, offline back in October 2016.)

A short while later a second attack wave against GitHub peaked at a mildly more bearable 400 Gbps.

This latest attack on GitHub exploited a newly-disclosed reflection/amplification vulnerability on servers running Memcached, an open-source distributed caching utility, in order to generate large amounts of unwanted traffic - swamping the attacker’s target.

As The Register describes, Memcached is not supposed to be installed on internet-facing systems in the first place.

Memcached’s own documentation is quite upfront about the fact that it is not designed to be exposed to the wilds of the internet:

“By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users. Using SASL authentication here helps, but should not be totally trusted.”

Fortunately, it shouldn’t be too hard for businesses to ensure that UDP is disabled on servers running Memcached, or that perimeter firewalls are blocking UDP.
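As an added example (not from the article or from the memcached project), here is a small POSIX shell audit that takes the options a memcached instance was started with and reports whether it presents the UDP reflection surface described above. It relies on two documented memcached flags: -l, the bind address quoted in the documentation excerpt, and -U, the UDP port, where -U 0 disables UDP entirely. It assumes -l is given plain addresses (no addr:port forms) and that anything outside 127.*, ::1 and localhost is reachable from the network.

```shell
#!/bin/sh
# Audit memcached start-up options for the two settings that turn an instance
# into a reflector: UDP left enabled (default port 11211) and the listener
# bound to a non-loopback address. Exit 0 = no amplification path,
# exit 1 = UDP is reachable from beyond the host.
audit_memcached_args() {
    udp_port=11211      # memcached's default UDP port when -U is absent
    bind_list=""        # empty means memcached binds every interface

    while [ $# -gt 0 ]; do
        case "$1" in
            -U)  udp_port=$2; shift ;;      # "-U 0" form
            -U*) udp_port=${1#-U} ;;        # "-U0" form
            -l)  bind_list=$2; shift ;;     # "-l 127.0.0.1,::1" form
            -l*) bind_list=${1#-l} ;;       # "-l127.0.0.1" form
        esac
        shift
    done

    # Is every bound address loopback? (Assumes plain addresses, no addr:port.)
    loopback_only=1
    if [ -z "$bind_list" ]; then
        loopback_only=0
    else
        old_ifs=$IFS; IFS=','
        for addr in $bind_list; do
            case "$addr" in
                127.*|::1|localhost) ;;
                *) loopback_only=0 ;;
            esac
        done
        IFS=$old_ifs
    fi

    exposed=0
    if [ "$udp_port" != "0" ]; then
        printf 'WARN: UDP enabled on port %s (reflection/amplification surface)\n' "$udp_port"
        if [ "$loopback_only" -eq 0 ]; then
            printf 'FAIL: listener bound to "%s" is reachable from the network\n' \
                "${bind_list:-all interfaces}"
            printf 'Fix: restart with -U 0 and/or -l 127.0.0.1, and block UDP/11211 at the perimeter\n'
            exposed=1
        fi
    else
        printf 'OK: UDP disabled (-U 0)\n'
    fi
    if [ "$loopback_only" -eq 1 ]; then
        printf 'OK: bound to loopback only (%s)\n' "$bind_list"
    fi
    return "$exposed"
}

# Usage against the running daemon on a Linux host with procps (constructed
# example; adjust to however your distribution launches memcached):
#   audit_memcached_args $(ps -o args= -C memcached | cut -d' ' -f2-)
```

Run it against the options in your service definition as well as the live process, since the two can drift. Newer memcached releases ship with UDP disabled by default, so the check matters most on older installs that have never had their start-up flags revisited.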

What impresses me, however, is not the size of this particular DDoS attack but rather that GitHub appears to have been able to get itself back on its feet after a mere nine minutes:

On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack. We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users. To note, at no point was the confidentiality or integrity of your data at risk.

There’s a good blog post by Barry Raveendran Greene, principal architect at Akamai, where he describes in technical terms what businesses can do to prevent themselves from contributing to the problem.

If we fail to behave as responsible members of the internet community, we risk causing problems for our online neighbours.

Update: Well that world record didn’t last long.

4 Responses

  1. Percy Proof

    March 6, 2018 at 12:50 am #

    “Leaved unsecured software exposed to the internet …”? My proof-reading services are available

  2. Mark Jacobs

    March 6, 2018 at 1:41 pm #

    Also, the quoted text “By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses.” is wrong - “I allows” should be “It allows”

    • Graham Cluley in reply to Mark Jacobs.

      March 6, 2018 at 1:45 pm #

      I think you’re mistaken Mark. The -l is a command-line argument that can be used by memcached. I’ve updated the formatting to make it clearer that it’s not a typo.

      Thanks!
