GitHub reported on March 1 that it was the victim of a Distributed Denial of Service (DDoS) attack that peaked at 1.35 Tbps (Terabits per second), making it the largest DDoS attack that has been publicly reported to date.
The attack is part of the ongoing memcached amplification attacks that were first publicly reported by multiple service providers on Feb. 27. CloudFlare had initially reported seeing peak attacks of 260 Gbps, while Arbor Networks reported attacks of up to 500 Gbps. Those numbers have all grown since, culminating in the massive attack that hit GitHub on Feb. 28.
“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack,” GitHub noted in an incident report on the attack. “The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”
The attack came from misconfigured memcached servers that were amplifying traffic toward Akamai. Memcached is a widely used open-source tool for distributed memory object caching. It is typically deployed alongside databases to help distribute processing loads and improve query response time.
GitHub reported that after it first identified the memcached DDoS against its infrastructure, it moved its traffic over to Akamai to help deal with the volumetric attack. By 17:30 UTC, four minutes after moving traffic to Akamai and eight minutes after the attack began, GitHub said the attack was mitigated. A second spike of 400 Gbps at 18:00 UTC was also mitigated by the Akamai edge.
“Mitigation was in place globally across the Akamai Prolexic Routed platform prior to the attack event,” Chad Seaman, Senior Engineer, Security Intelligence Response Team at Akamai, told eWEEK. “The 8 minutes was the amount of time it took from the first signs of the attack on the customer’s networks to when the affected customer was able to route onto mitigation services, ending the attack impact.”
The largest previous attack ever mitigated by Akamai was the 2016 attack against blogger Brian Krebs, which came in at 628 Gbps and was attributed to the Mirai Internet of Things (IoT) botnet. It’s currently not entirely clear who is behind the attack on GitHub, though Akamai has some ideas about where the traffic is coming from.
“It came from all over the world, though our Frankfurt scrubbing center was hit the hardest, which is typically indicative of Eastern Europe activity,” Seaman said.
Though GitHub is the hardest-hit target so far for the memcached DDoS attack, other service providers are also reporting significant volumes of attack traffic. Hardik Modi, Sr. Director of NETSCOUT Arbor’s Security Engineering and Response Team, said that Arbor observed attacks greater than 700 Gbps using the memcached reflection/amplification technique.
“Our observation is that this has been operationalized in booter-stresser services,” Modi said.
Booter-stresser services provide DDoS-for-hire capabilities to attackers. Modi added that the amplification factors achievable with the memcached attack mean attackers don’t need a large botnet of servers to participate. While GitHub is the highest-profile target impacted by the memcached DDoS, Modi said Arbor is seeing the memcached amplification attack used against multiple targets, including residential broadband networks.
“Now that the first large enterprise targets have been announced with corresponding sizes, it stands to bear that these attacks will be used against other high profile targets,” Modi said. “At the same time, the operational community is responding quickly to rate-limit the resulting DDoS traffic and in some cases, block the exploitation attempts as well.”
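As an added example (not code from this article, GitHub, Akamai or Arbor), the following Python flags the pattern Modi describes, reflected memcached traffic converging on one target from many reflector hosts, in constructed NetFlow-style records; 11211 is memcached's real default port, while the CSV layout, the field names and both thresholds are assumptions.

```python
"""Flag memcached reflection/amplification in flow records (added example,
not from the eWEEK article). Assumes NetFlow-style CSV records and that
reflected traffic arrives as UDP with source port 11211 (memcached's
real default port); the two thresholds below are assumptions."""
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211      # memcached default port (real value)
MIN_REFLECTORS = 3          # assumed: distinct reflectors before we alert
MIN_AMPLIFICATION = 200.0   # assumed: bytes/packet typical of amplified replies

# Constructed sample flows: ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
1519838460,udp,203.0.113.10,11211,198.51.100.5,443,1000,1400000
1519838460,udp,203.0.113.11,11211,198.51.100.5,80,900,1300000
1519838461,udp,203.0.113.12,11211,198.51.100.5,53,1100,1500000
1519838461,udp,203.0.113.13,11211,198.51.100.5,22,800,1200000
1519838462,udp,203.0.113.20,11211,198.51.100.7,443,50,7000
1519838462,tcp,203.0.113.30,11211,198.51.100.5,443,10,600
1519838463,udp,203.0.113.40,53,198.51.100.9,33434,5,400
"""

def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "packets", "bytes"):
            r[key] = int(r[key])
        rows.append(r)
    return rows

def is_reflected_memcached(flow):
    """UDP from memcached's port whose replies are far larger than a request."""
    if flow["proto"].lower() != "udp" or flow["src_port"] != MEMCACHED_PORT:
        return False
    return flow["bytes"] / max(flow["packets"], 1) >= MIN_AMPLIFICATION

def find_targets(flows):
    """Group suspect flows by victim; return {dst_ip: (reflector_count, bytes)}
    for victims hit from at least MIN_REFLECTORS distinct reflector IPs."""
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if is_reflected_memcached(f):
            reflectors[f["dst_ip"]].add(f["src_ip"])
            volume[f["dst_ip"]] += f["bytes"]
    return {ip: (len(s), volume[ip]) for ip, s in reflectors.items()
            if len(s) >= MIN_REFLECTORS}

if __name__ == "__main__":
    for ip, (n, b) in find_targets(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {n} memcached reflectors, {b} bytes")
```

On the sample data only 198.51.100.5 is reported: the TCP flow and the low-ratio UDP flow to 198.51.100.7 fall below the amplification test, and the DNS flow has the wrong source port.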
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.