
Cyber Incident Victim: GitHub

Date: Feb 2018

Location: United States of America

Summary

A developer platform was hit by what was then the largest recorded DDoS attack, peaking at 1.35 terabits per second. The attackers abused internet-exposed memcached servers as UDP reflectors and amplifiers, so no botnet was needed. The flood caused intermittent outages, but within minutes the platform rerouted its traffic through a DDoS protection service that scrubbed the malicious packets, and the attack subsided about eight minutes after the reroute. The attackers likely chose the high-profile target to demonstrate capability or to extort a ransom, but the rapid mitigation left the effort ineffective. The incident highlighted the risk posed by exposed memcached servers and prompted infrastructure providers to deploy filters for memcached traffic and to urge server owners to take these systems off the public internet.


Description

On February 28, 2018, at approximately 12:15 pm EST, GitHub experienced a distributed denial-of-service (DDoS) attack that peaked at 1.35 terabits per second, marking the largest such attack recorded at the time. The assault caused intermittent outages on the developer platform as its systems automatically assessed the situation. Within ten minutes, GitHub activated its DDoS mitigation service, Akamai Prolexic, which rerouted all inbound and outbound traffic through its scrubbing centers to filter malicious packets. The attackers ceased their efforts after eight minutes of Prolexic’s intervention, allowing traffic levels to normalize. This incident surpassed the scale of the 2016 attack on Dyn, which peaked at 1.2 terabits per second and disrupted internet connectivity across the United States. Akamai’s defenses, including recent updates to counter memcached-based attacks, successfully handled the unprecedented volume, validating the company’s prior capacity planning for attacks five times larger than any previously observed. GitHub maintained routing through Prolexic for several additional hours as a precautionary measure. ThousandEyes, a web monitoring firm, noted the entire mitigation process concluded within 15 to 20 minutes, highlighting the efficiency of automated responses compared to typical human-involved detection times exceeding an hour.


The attack exploited misconfigured memcached servers: in-memory caching systems that were inadvertently exposed on the public internet with their UDP listener enabled and no authentication. Attackers sent small UDP queries to these servers with the source address spoofed to GitHub's, so the servers delivered their responses to GitHub instead of the attacker. Because a memcached response to a request of a few bytes can run to hundreds of kilobytes, the traffic was amplified by tens of thousands of times (GitHub reported an amplification factor of up to 51,000), not the 50-fold factor often cited for other reflection protocols. This technique required no botnet or malware, only the roughly 100,000 vulnerable servers, primarily owned by businesses and institutions, that answered the spoofed queries. Industry analysts, including Arbor Networks and CenturyLink, had observed escalating memcached-based attacks in the preceding weeks, some reaching 500 gigabits per second, and Prolexic had mitigated a 200 gigabit-per-second memcached attack against a Munich-based target just days earlier. Infrastructure providers responded by urging server owners to put memcached behind firewalls and to disable its UDP listener, and by deploying filters to block suspicious memcached traffic at their borders. CenturyLink also developed methods to preemptively neutralize attack commands. The GitHub attackers likely targeted the platform for its high visibility, potentially aiming to extort a ransom, though the short duration suggests they abandoned the effort after failing to cause significant disruption. The incident underscored the persistent risk posed by exposed memcached servers, with hundreds of malicious actors actively scanning for vulnerable systems.
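The mechanics above are worth seeing concretely. The following Python is an added example written for this page (it is not GitHub's or Akamai's code): it builds the kind of UDP datagram an attacker spoofs toward an exposed memcached server, computes the resulting amplification factor, and runs a simple reflection detector over a set of constructed flow records. The frame layout is memcached's real 8-byte UDP header; the flow records, the IP addresses and the detection thresholds are constructed assumptions for illustration.

```python
"""Memcached UDP amplification: the request side and a flow-level detector.

Added example for this page, not code from GitHub or Akamai.
The flow records, addresses and thresholds below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

MEMCACHED_PORT = 11211


def memcached_udp_request(command: bytes = b"stats\r\n", request_id: int = 0) -> bytes:
    """Build the datagram an attacker spoofs toward an exposed memcached server.

    memcached's UDP protocol prefixes every datagram with an 8-byte frame
    header: request ID, sequence number, total datagrams in the message,
    and a reserved field, all big-endian 16-bit. A one-datagram request
    therefore has sequence 0 and total 1. "stats\\r\\n" is a tiny, valid
    ASCII command that produces a much larger multi-line reply.
    """
    header = struct.pack("!HHHH", request_id, 0, 1, 0)
    return header + command


def amplification_factor(request: bytes, response_bytes: int) -> float:
    """Bytes reflected to the victim per byte the attacker had to send."""
    return response_bytes / len(request)


@dataclass
class Flow:
    """A minimal NetFlow-style record (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def is_memcached_reflection(flow: Flow, min_avg_packet_bytes: int = 1000) -> bool:
    """Flag an inbound flow that looks like reflected memcached output.

    Reflected traffic arrives as UDP *from* port 11211 toward the spoofed
    victim, in large packets. No legitimate client at a network edge should
    be receiving memcached responses from the public internet at all, so the
    source-port check alone is a strong signal; the average packet size
    threshold (an assumption) separates bulk reflection from stray probes.
    """
    if flow.proto != "udp" or flow.src_port != MEMCACHED_PORT:
        return False
    return flow.packets > 0 and flow.bytes / flow.packets >= min_avg_packet_bytes


def reflector_report(flows: List[Flow]) -> Dict[str, int]:
    """Map each suspected reflector (abused memcached server) to bytes it sent us."""
    report: Dict[str, int] = {}
    for flow in flows:
        if is_memcached_reflection(flow):
            report[flow.src_ip] = report.get(flow.src_ip, 0) + flow.bytes
    return report


# Constructed sample: two reflectors flooding 198.51.100.5, plus benign noise.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 11211, "198.51.100.5", 40000, "udp", 1000, 1_400_000),
    Flow("203.0.113.11", 11211, "198.51.100.5", 40001, "udp", 500, 700_000),
    Flow("192.0.2.7", 53, "198.51.100.5", 33000, "udp", 10, 1_200),        # DNS reply
    Flow("203.0.113.12", 11211, "198.51.100.5", 443, "tcp", 3, 300),        # TCP, not UDP
    Flow("203.0.113.13", 11211, "198.51.100.5", 40002, "udp", 4, 400),      # tiny probe
]

if __name__ == "__main__":
    req = memcached_udp_request()
    print(f"request: {len(req)} bytes, hex header {req[:8].hex()}")
    # A 750 KB reply to a 15-byte request is the order of magnitude GitHub reported.
    print(f"amplification for a 750 KB reply: {amplification_factor(req, 750_000):.0f}x")
    for ip, nbytes in reflector_report(SAMPLE_FLOWS).items():
        print(f"reflector {ip}: {nbytes} bytes")
```

A 15-byte request producing a 750 KB reply gives a factor of 50,000, which is why a spoofed trickle from a single machine could aggregate into more than a terabit per second across ~100,000 reflectors. On the server side the fix is to stop answering at all: bind memcached to a local address (`-l 127.0.0.1`) and disable its UDP listener (`-U 0`), which memcached made the default starting with release 1.5.6, and drop UDP 11211 at the network edge in both directions.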
