GitHub was hit by the most powerful DDoS attack in history

Leave unsecured software exposed to the internet, and you could be contributing to a denial-of-service attack.

GitHub was hit by the most powerful DDoS attack in history

Last week saw the largest distributed denial-of-service (DDoS) attack in history.

GitHub was hit by a record-breaking attack which peaked at some 1.35 terabits per second (outstripping the notorious DDoS attack on Dyn, which knocked the likes of Twitter, Spotify, Reddit, and umm.. yeah, GitHub, offline back in October 2016.)

A short while later a second attack wave against GitHub peaked at a mildly more bearable 400 Gbps.

Ddos attack

This latest attack on GitHub exploited a newly-disclosed reflection/amplification vulnerability on servers running Memcached, an open-source distributed caching utility, in order to generate large amounts of unwanted traffic – swamping the attacker’s target.

Sign up to our free newsletter.
Security news, advice, and tips.

As The Register describes, Memcached is not supposed to be installed on internet-facing systems in the first place.

Memcached’s own documentation is quite upfront about the fact that it is not designed to be exposed to the wilds of the internet:

“By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users. Using SASL authentication here helps, but should not be totally trusted.”

Fortunately, it shouldn’t be too hard for businesses to ensure that UDP is disabled on servers running Memcached, or that perimeter firewalls are blocking UDP.

What impresses me, however, is not the size of this particular DDoS attack but rather that GitHub appears to have been able to get itself back on its feet after a mere nine minutes:

On Wednesday, February 28, 2018 was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack. We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users. To note, at no point was the confidentiality or integrity of your data at risk.

There’s a good blog post by Barry Raveendran Greene, principal architect at Akamai, where he describes in technical terms what businesses can do to prevent themselves from contributing to the problem.

If we fail to behave as responsible members of the internet community, we risk causing problems for our online neighbours.

Update: Well that world record didn’t last long.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “GitHub was hit by the most powerful DDoS attack in history”

  1. Percy Proof

    "Leaved unsecured software exposed to the internet …"? My proof-reading services are available

    1. Graham CluleyGraham Cluley · in reply to Percy Proof

      Thanks Percy. And fixed!

  2. Mark Jacobs

    Also, the quoted text "By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses." is wrong – "I allows" should be "It allows"

    1. Graham CluleyGraham Cluley · in reply to Mark Jacobs

      I think you're mistaken Mark. The -l is a command-line argument that can be used by memcached. I've updated the formatting to make it clearer that it's not a typo.


What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.