GitHub hit with largest ever DDoS attack

Developer platform Github has been hit with the most powerful distributed denial of service attack on record, managing to survive 1.35 Tbps of traffic flooded to its website relatively unscathed.

The company revealed that its website went down for about ten minutes intermittently on February 28 as a result of the attack, which GitHub said originated from "over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints".

The first portion of the attack peaked at 1.35Tbps via 126.9 million packets per second, followed by a second 400 Gbps spike.

The largest recorded DDoS attack until now was on domain name server provider Dyn in late 2016, which peaked at 1.2 Tbps of traffic.

Github called in Akamai as the attack struck to access additional edge network capacity.

The attack drew its power from memcached instances that were inadvertently accessible on the public internet with UDP support enabled.

Attackers abuse the memcache protocol by implanting a large payload on an exposed memcached server and then spoofing the 'get' request message with a victim's IP address.

"Spoofing of IP addresses allows memcached's responses to be targeted against another address, like ones used to serve GitHub.com, and send more data toward the target than needs to be sent by the unspoofed source," GitHub said.

"The vulnerability via misconfiguration described in the post is somewhat unique amongst that class of attacks because the amplification factor is up to 51,000, meaning that for each byte sent by the attacker, up to 51KB is sent toward the target."

Akamai said this type of attack was likely to become more popular given its "ability to create such massive attacks".