Last week, code repository GitHub experienced the most powerful DDoS attack recorded to date, at 1.35 Tbps. The attack required no botnet and used an increasingly popular DDoS method.
GitHub’s site was down for only 10 minutes, as it automatically called for help from its DDoS protection service, Akamai Prolexic, in the face of the massive assault. Prolexic took over the fight, routing all of GitHub’s incoming and outgoing traffic through its scrubbing centers to block the malicious packets while letting the legitimate traffic through. After 8 minutes, the attackers pulled back and the assault dropped off.
The closest previous attack in size was that launched on the Internet infrastructure company Dyn in late 2016 at 1.2 Tbps, which led to connectivity issues across the U.S.
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai, told Wired. “So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope.”
Prolexic had only recently added specific provisions for mitigating DDoS attacks stemming from memcached servers. Only a few days earlier, on February 27th, Akamai and other security companies announced the discovery of this kind of reflection and amplification vector. At that time, Akamai had seen multiple attacks, but none larger than 190 Gbps; however, they noted the potential for much larger attacks.
On March 5th, only four days after the GitHub attack, Netscout Arbor confirmed that a 1.7 Tbps reflection/amplification attack was directed at a customer of a U.S.-based service provider. Its ATLAS global traffic and DDoS threat detection system identified the attack as based on “the same memcached reflection/amplification attack vector that made up the Github attack”. The service provider did not experience any outages, which, as Arbor pointed out, is a testament to the defense capacity the provider had in place.
Arbor noted the need for companies to ensure that their defense providers can mitigate attacks at this scale.