DDoS and GitHub: The largest cyberattack recorded in 2018

erikzhao
Oct 2, 2020

As someone who just started to learn how to code, GitHub has been both my greatest enemy and friend. The pushes and commits have saved my projects, but the combination of all the different Git commands has made me lose my mind, to the point where I think it’s unfair: it should be the actual programming that makes me lose my mind, not the forking and cloning part. I wondered, was there ever a time that someone resented GitHub so much that they launched a cyberattack on the repository hosting service?

As silly as it may sound, there actually was a DDoS attack on GitHub in 2018. DDoS stands for distributed denial-of-service: a cyberattack on a specific network or service that maliciously attempts to disrupt the target’s normal operation. This is achieved by flooding the target or its infrastructure with internet traffic. The overwhelming traffic creates a disruption, or denial of service, for legitimate traffic. Think of it like a highway with normal traffic. An unexpected traffic jam caused by a random influx of cars heading onto the highway would disrupt the regular traffic.

The incident with GitHub happened on February 28, 2018 at 5:21PM UTC (12:21PM EST), when GitHub experienced and identified a significant volumetric DDoS attack of 1.35 terabits per second hitting the platform at once. DDoS attacks are usually identified by monitoring for suspicious amounts of traffic from a single address or from a single behavioral profile. Additionally, receiving a strange amount of traffic at off-peak hours, or an unnatural pattern of traffic, may be a sign of an attack as well. In this case, according to GitHub, the traffic was coming from over a thousand ASNs, or autonomous systems, across tens of thousands of unique endpoints.
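To make the detection signals above concrete, here is an added Python example (not code from the original post or from GitHub) that runs a simple volumetric check over constructed flow records: it aggregates traffic into one-minute windows, flags windows far above an assumed baseline, and distinguishes a burst from one address from a flood spread across many addresses and ASNs, the profile GitHub reported. The flow records, the baseline of 1000 bits per second and the 10x multiplier are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real GitHub telemetry):
# (unix timestamp, source IP, source ASN, bytes received).
# Window 1 is normal traffic; window 2 is a burst from one address in one ASN;
# window 3 is a burst of the same size spread over several addresses and ASNs.
SAMPLE_FLOWS = [
    (1519838400, "192.0.2.10", 64496, 1500),
    (1519838401, "192.0.2.11", 64496, 1500),
    (1519838402, "198.51.100.7", 64497, 1500),
    (1519838460, "203.0.113.5", 64498, 900_000_000),
    (1519838461, "203.0.113.5", 64498, 900_000_000),
    (1519838520, "203.0.113.20", 64499, 600_000_000),
    (1519838521, "203.0.113.21", 64500, 600_000_000),
    (1519838522, "203.0.113.22", 64501, 600_000_000),
]

def summarize_windows(flows, window_s=60):
    """Bucket flows into fixed windows; return
    {window_start: (bits_per_second, distinct_sources, distinct_asns)}."""
    buckets = defaultdict(lambda: [0, set(), set()])
    for ts, src, asn, nbytes in flows:
        bucket = buckets[ts - ts % window_s]
        bucket[0] += nbytes * 8
        bucket[1].add(src)
        bucket[2].add(asn)
    return {start: (bits / window_s, len(srcs), len(asns))
            for start, (bits, srcs, asns) in buckets.items()}

def flag_windows(summaries, baseline_bps, multiplier=10):
    """Flag windows whose rate exceeds baseline_bps * multiplier (the baseline is
    assumed to come from the defender's own history of normal traffic).
    A burst from one address can be filtered by that address; a flood spread over
    many addresses and ASNs cannot, which is why it has to be absorbed upstream."""
    flagged = {}
    for start, (bps, n_src, n_asn) in sorted(summaries.items()):
        if bps <= baseline_bps * multiplier:
            continue
        if n_src == 1:
            flagged[start] = "single-source burst"
        else:
            flagged[start] = f"distributed flood: {n_src} sources across {n_asn} ASNs"
    return flagged
```

Running `flag_windows(summarize_windows(SAMPLE_FLOWS), baseline_bps=1000)` leaves the normal window alone and labels the other two by their source profile; a real deployment would also check the off-peak-hours signal mentioned above against local time.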

Normally the systems sending such traffic are infected with malware that is remotely controlled by the attacker. An infected system is often referred to as a bot, and a group of bots is referred to as a botnet. Remote instructions are sent to the botnet, which overwhelms the server and ultimately results in a denial of service. The bot requests arrive at the victim’s IP address from ordinary internet-connected devices, just like every other device, so separating the attack traffic from the normal traffic is difficult. Remarkably, no botnet was used in this attack, and it was still, at the time, the largest DDoS attack ever recorded.

DDoS Attack on GitHub (2018)

The world had never seen such an attack before and GitHub was not prepared to handle the disruption, so the platform called for assistance. Within 10 minutes of the DDoS attack, GitHub was able to contact Akamai, a cybersecurity company that provides mitigation services for large attacks like this one. Akamai provided the assistance by acting as an intermediary, routing the traffic to its own centers and blocking the malicious packets. In the highway analogy, Akamai acted as another highway, allowing some of the traffic to flow to it, which in turn created less of a disruption for GitHub.

After eight minutes of Akamai’s help, the attack was resolved. However, as a safety measure, GitHub continued to use Akamai’s service for a few hours following the attack to ensure that the situation was taken care of. This shows the significance of having external partners in times of crisis in the cyber world. According to Sam Kottler, the Director of Engineering at GitHub, the platform prided itself on having deployed additional transit to its facilities in the past year, more than doubling the capacity GitHub could absorb at any specific moment. Even so, the attackers were still capable of overwhelming that additional capacity.

A lot can happen in 10 minutes of no service, but considering how large this attack was, it was an impressively short time to mitigate a cyberattack. A vice-president from ThousandEyes, a network intelligence and web monitoring firm, observed, “This was a successful mitigation. Everything transpired in 15 to 20 minutes. If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus.” Whatever the case may be, creating a disruption of that scale on a high-profile service like GitHub is an impressive feat.

In response, GitHub plans to expand its edge network and to continue investigating and monitoring its infrastructure and response times in order to improve mitigation overall.
