GitHub was hit by a massive 1.35 Tbps DDoS attack – the most powerful ever recorded

GitHub, one of the most popular code repositories, was hit by a massive DDoS attack on Wednesday, 28 February. It was flooded with an overwhelming 1.35 terabit per second (Tbps) of traffic at once – the most powerful DDoS attack ever recorded.

Instead of relying on bots, the threat actors exploited memcached servers and employed an amplification attack. This procedure involves hackers spoofing the victim's IP address and repeatedly sending UDP requests to memcached servers.

The attack on GitHub surpassed even the 2016 massive DDoS attack against Dyn, which peaked at 1.2 Tbps and shut down internet services across the US. Yet, GitHub survived the attack almost unscathed and experienced only a few minutes of sporadic downtime.

"Between 17:21 and 17:30 UTC on February 28, we identified and mitigated a significant volumetric DDoS attack," GitHub said in a blog, which was posted after the attack was mitigated. "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35 Tbps via 126.9 million packets per second."

The site was able to survive the attack thanks to Akamai's DDoS mitigation service, which took over within minutes of being alerted about the attack, rerouting the barrage of traffic from GitHub to its scrubbing centres, WIRED reported.

"We modelled our capacity based on fives times the biggest attack that the internet has ever seen," Josh Shaul, vice president of web security at Akamai told WIRED. "So I would have been certain that we could handle 1.3 Tbps, but at the same time, we never had a terabit-and-a-half come in all at once. It's one thing to have the confidence. It's another thing to see it actually play out how you'd hope."

Despite the unprecedented power wielded by such an attack, it can still be mitigated, according to Akamai researchers, who say that setting up a rate limit on port 11211 – the default port used by memcached – is the way to go about it.

However, according to Akamai, the attack on GitHub could likely be eclipsed by threat actors leveraging vulnerable memcached servers.

"Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long," Akamai said in a blog. "Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favourite tool rapidly. Additionally, as lists of usable reflectors are compiled by attackers, this attack method's impact has the potential to grow significantly."