Code Repository GitHub Struck by Massive DDoS Attack, the Largest on Record
Code repository GitHub was struck by a massive DDoS (distributed denial-of-service) attack on Wednesday, the largest on record, forcing it offline for five minutes between 17:21 and 17:26 UTC, with intermittent connectivity between 17:26 and 17:30 UTC. A DDoS is a cyber attack that aims to bring websites and web-based services down by bombarding them with more traffic than their services and infrastructure can handle. It is a fairly common tactic used to force targets offline. The attack generated a flood of internet traffic that peaked at 1.35 terabits per second, making it the largest on record. Fortunately, the software development site survived the disruption and was only down for a few minutes. GitHub admitted yesterday that it weathered the largest known DDoS attack in history this week. Read more in GitHub's blog post.
DDoS Protection Provider Akamai Helped GitHub Recover
GitHub called in assistance from Akamai Prolexic, a DDoS protection provider, which rerouted GitHub's traffic through its "scrubbing" centers, where data deemed malicious was filtered out and blocked. After eight minutes of the assault, the attackers called it off and the DDoS stopped.
However, there's more to the story. The GitHub attack may be an early indication of hazards on the way, as the IT infrastructure that powered Wednesday's assault is apparently still open to abuse. "It is highly likely that this record attack will not be the biggest for long," Akamai warned in a blog post.
The last time the world saw a 1 terabit DDoS attack was in 2016, when the Mirai botnet, an army of infected devices, bombarded a cloud provider in France with 1.1 Tbps of traffic after infecting tens of thousands of vulnerable IoT devices.
Memcached Servers Used in the DDoS Attack
Wednesday's attack on GitHub did not rely on a botnet at all. GitHub said the attackers hijacked and leveraged what is known as a "memcached server," a component that typically runs inside a data center. As the name suggests, these servers cache data to speed up web applications and internet sites. Unfortunately, the same technology can amplify a packet of data traffic by up to 51,000 times, according to Cloudflare, another DDoS protection provider.
For example, sending a 203-byte request to a memcached server can result in a 100-megabyte response. Now imagine that response bombarding an actual website. This is possible because the attacker spoofs the request's source IP address to be that of the target website, such as GitHub, so the memcached server sends its oversized response to the target rather than back to the attacker.
Memcached Servers need to be Firewalled
Chinese security researchers warned about this potential threat in November 2017. In the past week, Cloudflare and Akamai have spotted a wave of attacks powered by memcached servers, but the GitHub assault appears to be the largest so far. To stop the abuse, DDoS protection providers like Cloudflare are urging the owners of memcached servers to firewall them or disable part of their functionality.
According to Cloudflare, launching such an attack is easy. First, the attacker implants a large payload on an exposed memcached server. Then, the attacker sends 'get' requests for that payload with the source IP spoofed to the target's address. The resulting flood of traffic is all but certain to overwhelm the target website, taking it offline. Making matters worse, many of these memcached servers are reachable from the open internet. Akamai has observed over 50,000 vulnerable systems across the globe, making them potential assets for hackers to use in DDoS attack schemes.
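The reflection mechanism described above is what a defender actually sees at the network edge: UDP datagrams from source port 11211 whose 8-byte memcached frame header (request id, sequence number, total datagrams, reserved) splits one huge cache hit across many packets. The following is an added example, not code from the article, GitHub, Akamai or Cloudflare; it assumes edge captures delivered as plain dicts (src_ip, src_port, dst_ip, proto, payload), uses documentation-range IP addresses as constructed sample data, and estimates amplification against the smallest 'get <key>' request that could have produced each reply.

```python
import struct
from collections import defaultdict
MEMCACHED_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved (four big-endian u16)
FRAME = struct.Struct("!HHHH")

def parse_frame(payload):
    """Return (request_id, seq, total, body) for one memcached UDP datagram, or None if malformed."""
    if len(payload) < FRAME.size:
        return None
    req_id, seq, total, reserved = FRAME.unpack_from(payload)
    ok = reserved == 0 and 0 <= seq < total
    return (req_id, seq, total, payload[FRAME.size:]) if ok else None

def reflection_report(datagrams, min_bytes=1_000_000):
    """Per destination receiving >= min_bytes of memcached replies: reply bytes, reflector count, and amplification estimated against the smallest request (8-byte header + 'get <key>\\r\\n') that elicits each reply."""
    seen = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "req_bytes": 0})
    first = {}  # (reflector, request_id) -> destination of that reply's first frame
    for d in datagrams:  # assumed capture format: dicts with src_ip, src_port, dst_ip, proto, payload
        frame = parse_frame(d["payload"]) if d["proto"] == "udp" and d["src_port"] == MEMCACHED_PORT else None
        if frame is None:
            continue
        req_id, seq, _, body = frame
        ref = (d["src_ip"], req_id)
        if seq == 0:
            if not body.startswith(b"VALUE "):
                continue  # a miss ("END") or an error reflects almost nothing
            first[ref] = d["dst_ip"]
            seen[d["dst_ip"]]["req_bytes"] += FRAME.size + len(b"get " + body.split()[1] + b"\r\n")
        elif first.get(ref) != d["dst_ip"]:
            continue  # continuation frame without an attributable first frame
        stats = seen[d["dst_ip"]]
        stats["bytes"] += len(d["payload"])
        stats["reflectors"].add(d["src_ip"])
    return {ip: {"bytes": s["bytes"], "reflectors": len(s["reflectors"]), "est_amplification": s["bytes"] / s["req_bytes"]}
            for ip, s in seen.items() if s["bytes"] >= min_bytes}

def build_reply(req_id, key, value, chunk=1400):
    """Constructed sample: fragment a cache hit into numbered frames the way memcached does."""
    text = b"VALUE %s 0 %d\r\n%s\r\nEND\r\n" % (key, len(value), value)
    parts = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    return [FRAME.pack(req_id, i, len(parts), 0) + p for i, p in enumerate(parts)]

def sample_capture():
    """Constructed traffic: two reflectors answering spoofed 'get k' requests toward 203.0.113.10, plus one unrelated DNS reply."""
    pkts = [{"src_ip": r, "src_port": MEMCACHED_PORT, "dst_ip": "203.0.113.10", "proto": "udp", "payload": f}
            for r, rid in (("198.51.100.5", 0x1234), ("198.51.100.9", 0x0042))
            for f in build_reply(rid, b"k", b"A" * 60_000)]
    pkts.append({"src_ip": "192.0.2.53", "src_port": 53, "dst_ip": "203.0.113.10", "proto": "udp", "payload": b"\0" * 40})
    return pkts
```

On the constructed capture, two reflectors answering a 7-byte 'get k' each deliver roughly 60 KB, so the report attributes about 120 KB to the single victim at an estimated amplification of roughly 4,000x; the DNS datagram is ignored because it does not come from port 11211.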
Uber Discontinued Using GitHub
Last month, Uber revealed that it had stopped using GitHub for in-house code, alleging that the hackers behind its 2016 data breach used credentials found on the platform to gain access to an AWS S3 bucket. The hackers, one believed to be from Canada and the other from Florida, stole more than 57 million customer records in 2016. Uber paid them $100,000 through its bug bounty programme in return for not leaking the information.
Due to the scale of the attack, GitHub has decided to move traffic to Akamai, which it says might help provide additional edge network capacity. It said it is now investigating the use of its monitoring infrastructure to automatically enable DDoS mitigation providers, and will continue to measure its response times to incidents like this, with the goal of reducing mean time to recovery.
The service has become critical for any company handling code, so while an outage is never welcome, the response in this case is impressive and certainly bodes well. GitHub said it continues to investigate this attack, and others, to ensure it is suitably defended. While most software development firms cannot avoid using GitHub, it is time to think seriously about, and plan, protection against future attacks.