GitHub was hit by the most powerful DDoS attack in history

Graham Cluley

Last week saw the largest distributed denial-of-service (DDoS) attack in history.

GitHub was hit by a record-breaking attack which peaked at some 1.35 terabits per second (outstripping the notorious DDoS attack on Dyn, which knocked the likes of Twitter, Spotify, Reddit, and umm... yeah, GitHub, offline back in October 2016).

A short while later a second attack wave against GitHub peaked at a mildly more bearable 400 Gbps.

This latest attack on GitHub exploited a newly-disclosed reflection/amplification vulnerability on servers running Memcached, an open-source distributed caching utility, in order to generate large amounts of unwanted traffic – swamping the attacker’s target.

As The Register describes, Memcached is not supposed to be installed on internet-facing systems in the first place.

Memcached’s own documentation is quite upfront about the fact that it is not designed to be exposed to the wilds of the internet:

“By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users. Using SASL authentication here helps, but should not be totally trusted.”

Fortunately, it shouldn’t be too hard for businesses to ensure that UDP is disabled on servers running Memcached, or that perimeter firewalls are blocking UDP.
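One way to check a host's own memcached start-up options against the advice above, as an added example (not code from the article or from the Memcached project). The function names and sample command lines are made up for illustration; `-U` (UDP port, 0 disables it) and `-p` (TCP port) are memcached options the article does not mention, and UDP being on by default is assumed from the documentation quoted above.

```python
import ipaddress
import shlex

def _is_loopback(addr):
    """True if one -l value is a loopback address (an optional :port is tolerated)."""
    for candidate in (addr, addr.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate.strip("[]")).is_loopback
        except ValueError:
            continue
    return addr.split(":")[0] == "localhost"

def audit_memcached(cmdline, udp_default_on=True):
    """Report the bind addresses, UDP port and exposure verdict for a command line."""
    args, opts, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(args):
        flag, value = args[i][:2], args[i][2:]
        if flag in ("-l", "-U", "-p"):      # case-sensitive: -u/-P/-L are other options
            if not value and i + 1 < len(args):
                i += 1
                value = args[i]             # value given as a separate argument
            opts[flag] = value
        i += 1
    tcp_port = int(opts.get("-p", 11211))
    # Assumption: without -U, UDP follows the TCP port, as in the documentation
    # quoted above. Pass udp_default_on=False for builds that ship with UDP off.
    udp_port = int(opts["-U"]) if "-U" in opts else (tcp_port if udp_default_on else 0)
    listen = [a for a in opts.get("-l", "").split(",") if a]
    off_host = not listen or not all(_is_loopback(a) for a in listen)
    if off_host and udp_port:
        verdict = "udp-exposed"             # reachable over UDP from other hosts
    elif off_host:
        verdict = "tcp-only-exposed"        # UDP off, but still bound beyond loopback
    else:
        verdict = "local-only"
    return {"listen": listen or ["<all interfaces>"], "udp_port": udp_port, "verdict": verdict}

# Constructed sample command lines (not taken from any real host).
SAMPLES = [
    "memcached -m 64 -u memcache",
    "memcached -l 10.0.0.5 -U 0 -p 11211",
    "memcached -l 127.0.0.1,::1 -U0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_memcached(line)["verdict"], "<-", line)
```

A "local-only" verdict reflects the command line alone; the perimeter firewall rule for UDP still needs its own check.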

What impresses me, however, is not the size of this particular DDoS attack but rather that GitHub appears to have been able to get itself back on its feet after a mere nine minutes:

“On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack. We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users. To note, at no point was the confidentiality or integrity of your data at risk.”

There’s a good blog post by Barry Raveendran Greene, principal architect at Akamai, where he describes in technical terms what businesses can do to prevent themselves from contributing to the problem.

If we fail to behave as responsible members of the internet community, we risk causing problems for our online neighbours.

Update: Well that world record didn’t last long.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “GitHub was hit by the most powerful DDoS attack in history”

  1. "Leaved unsecured software exposed to the internet …"? My proof-reading services are available

  2. Also, the quoted text "By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses." is wrong – "I allows" should be "It allows"

    1. I think you're mistaken Mark. The -l is a command-line argument that can be used by memcached. I've updated the formatting to make it clearer that it's not a typo.

      Thanks!
