By SecureWorld News Team
Mon | Mar 5, 2018 | 11:25 AM PST

Like a roller coaster that "launches" you, GitHub's inbound data went from "zero to 60" in an instant.

This chart shows the peak 1.35 TB of data per second, with a secondary 400 GB per second later on.

[Chart: GitHub DDoS traffic spike]

"The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second."

That memcached vulnerability is something we wrote about last week at SecureWorld. Memcached is designed to help large web applications run more efficiently and speed things up. Turns out, it does the same thing in a DDoS attack and helps amplify the whole thing.

There is some great news here, however, in the battle against DDoS attacks. GitHub's engineering blog says it was able to mitigate the attack in just minutes:

"Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai. Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC."

GitHub says it will continue to expand the size and resiliency of its edge network and also focus on something else: automation.

That way, humans may not need to be involved before DDoS defenses kick in—so the time to total recovery will become even faster.
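As an illustration of what such an automated trigger could look like (an added example, not GitHub's or Akamai's tooling), the sketch below scans per-second flow summaries and flags a facility for mitigation when inbound traffic passes the 100 Gbps level quoted above and most of it arrives from UDP source port 11211, memcached's default port. The flow record layout, facility names, 50% share threshold and action label are assumptions made for the example.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211       # memcached's default port; reflected replies come from it
TRANSIT_LIMIT_BPS = 100e9    # 100 Gbps, the per-facility level quoted above
REFLECTION_SHARE = 0.5       # assumed threshold: share of bytes from port 11211

# Constructed flow summaries: (second, facility, proto, src_port, bytes, packets)
SAMPLE_FLOWS = [
    (0, "fac-a", "tcp", 443, 2_000_000_000, 1_500_000),
    (0, "fac-a", "udp", 11211, 50_000_000, 40_000),
    (1, "fac-a", "tcp", 443, 2_100_000_000, 1_600_000),
    (1, "fac-a", "udp", 11211, 14_000_000_000, 10_500_000),
    (1, "fac-b", "tcp", 443, 1_800_000_000, 1_400_000),
    (2, "fac-a", "udp", 11211, 15_000_000_000, 11_300_000),
    (2, "fac-a", "tcp", 443, 1_900_000_000, 1_450_000),
]

def evaluate(flows, limit_bps=TRANSIT_LIMIT_BPS, share=REFLECTION_SHARE):
    """Return one decision per (second, facility) bucket that needs mitigation."""
    # Per bucket: [total bytes, reflected bytes, reflected packets]
    totals = defaultdict(lambda: [0, 0, 0])
    for second, facility, proto, src_port, nbytes, packets in flows:
        bucket = totals[(second, facility)]
        bucket[0] += nbytes
        if proto == "udp" and src_port == MEMCACHED_PORT:
            bucket[1] += nbytes
            bucket[2] += packets
    decisions = []
    for (second, facility), (total, refl, pkts) in sorted(totals.items()):
        bps = total * 8
        # Volume alone is not enough: a legitimate surge must not trigger rerouting.
        if bps > limit_bps and refl / total >= share:
            decisions.append({
                "second": second,
                "facility": facility,
                "inbound_gbps": round(bps / 1e9, 1),
                "reflected_share": round(refl / total, 2),
                "avg_reflected_packet_bytes": refl // max(pkts, 1),
                "action": "reroute-to-scrubbing",  # hypothetical action label
            })
    return decisions

if __name__ == "__main__":
    for decision in evaluate(SAMPLE_FLOWS):
        print(decision)
```

Requiring both conditions keeps a legitimate traffic surge, which is high in volume but not dominated by port 11211, from triggering a reroute on its own.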

Editor's Note: Within days of the GitHub attack, a new record-sized DDoS attack was launched and tracked. Read about it here.

Image credit: Akamai
