GitHub whacked by ‘biggest ever’ 1.35Tbps DDoS attack

CODE REPOSITORY GitHub has been slapped by the ‘biggest ever’ distributed denial of service (DDoS) attack.

In a post on its engineering blog, the firm revealed that on 28 Feb, GitHub.com was offline from 17:21 to 17:26 (UTC) and intermittently unavailable from 17:26 to 17:30 due to the massive DDoS attack.

According to GitHub, the first portion of the attack peaked at 1.35Tbps, followed by a second 400Gbps spike later that day. This would make it the biggest DDoS attack of all time, as until now the biggest recorded peaked at around 1.1Tbps.

However, the site advised that at no point during the attack “was the confidentiality or integrity of your data at risk.”

“The attack originated from over a thousand different autonomous systems across tens of thousands of unique endpoints,” GitHub said in the blog post. “It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

GitHub said an attack of this nature can generate vast amounts of traffic: spoofed IP addresses allow responses to be directed at another address, like those used to serve GitHub.com, so that more data is sent toward the target than the unspoofed source needs to send.

“The vulnerability via misconfiguration described in the post is somewhat unique amongst that class of attacks because the amplification factor is up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the target,” it added.
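Seen from the receiving network, the traffic described above has a recognisable shape: many unrelated sources sending large UDP datagrams from memcached's port to one address. The following detection sketch is an added example, not code from GitHub's post or from this article; the port number 11211 (memcached's default), the flow-record layout, the thresholds and the sample records are assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

MEMCACHED_PORT = 11211  # memcached's default port (general fact, not stated in the article)

Flow = namedtuple("Flow", "src_ip src_port dst_ip proto packets nbytes")

# Constructed flow records using documentation address ranges; not real attack data.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 11211, "192.0.2.10", "udp", 1000, 1_400_000),
    Flow("198.51.100.9", 11211, "192.0.2.10", "udp", 2000, 2_800_000),
    Flow("203.0.113.20", 11211, "192.0.2.10", "udp", 1500, 2_100_000),
    Flow("203.0.113.77", 11211, "192.0.2.10", "udp", 500, 700_000),
    Flow("203.0.113.5", 53, "192.0.2.10", "udp", 10, 1_200),        # ordinary DNS reply
    Flow("198.51.100.50", 443, "192.0.2.11", "tcp", 300, 400_000),  # ordinary HTTPS
    Flow("198.51.100.7", 11211, "192.0.2.12", "udp", 2, 120),       # one source, tiny
]


def detect_memcached_reflection(flows, min_reflectors=3, min_avg_packet=1000):
    """Return {dst_ip: summary} for hosts receiving memcached reflection traffic.

    A destination is flagged when UDP traffic *from* source port 11211 arrives
    from at least `min_reflectors` distinct sources with an average packet size
    of at least `min_avg_packet` bytes. Both thresholds are assumptions; the
    article's figures (1.35Tbps at 126.9 million packets per second) work out
    to roughly 1,330 bytes per packet, which motivates the size threshold.
    """
    stats = defaultdict(lambda: {"sources": set(), "packets": 0, "nbytes": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port == MEMCACHED_PORT:
            s = stats[f.dst_ip]
            s["sources"].add(f.src_ip)
            s["packets"] += f.packets
            s["nbytes"] += f.nbytes

    alerts = {}
    for dst, s in stats.items():
        avg = s["nbytes"] / s["packets"] if s["packets"] else 0.0
        if len(s["sources"]) >= min_reflectors and avg >= min_avg_packet:
            alerts[dst] = {"reflectors": len(s["sources"]), "packets": s["packets"],
                           "nbytes": s["nbytes"], "avg_packet_bytes": avg}
    return alerts


if __name__ == "__main__":
    for dst, summary in detect_memcached_reflection(SAMPLE_FLOWS).items():
        print(dst, summary)
```

In practice the same aggregation would run over NetFlow, sFlow or firewall logs, and a match is the kind of signal that could trigger the automated hand-off to a mitigation provider the article mentions.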

Due to the scale of the attack, GitHub has decided to move traffic to Akamai, which it says might help provide additional edge network capacity. It said it is now investigating the use of its monitoring infrastructure to automate enabling DDoS mitigation providers and will continue to measure its response times to incidents like this – with a goal of reducing mean time to recovery.

Last month, Uber revealed it had stopped using GitHub for in-house code, alleging that hackers behind the 2016 data breach against it used credentials found on the platform to gain access to an AWS S3 bucket.

The hackers, one believed to be from Canada and another from Florida, stole more than 57 million customer records in 2016. Uber paid them $100,000 through its bug bounty programme to keep the information quiet.