
GitHub under DDoS attack right now (again...) - nmc
https://status.github.com
======
illuminated
There are groups of people blackmailing companies for money, threatening with
DDoS attacks if they do not comply. A client of mine, a European company, gets
these occasionally. The bigger the company/service, the bolder the
requirements. Crime, unfortunately, doesn't have feelings for such a great
service as GitHub is. I hope GH will be able to mitigate the attack fast.

~~~
teacup50
To be fair to crime (... Heh), we're not doing ourselves any favors by putting
all our eggs in one basket.

How long until they graduate to exploiting GitHub and securing proprietary
code from private source repositories, or forging commits to critical
repositories (how often do _you_ verify that every commit in the repo with
your name on it is definitively yours?)
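One way to answer the question above for yourself, as an added example (not code from the thread or from GitHub): feed the script the output of `git log --format='%H%x09%G?%x09%an%x09%ae'` and it lists every commit attributed to your address whose signature git could not verify. The sample log output, the placeholder hashes and the `alice@example.com` address are constructed for the example.

```python
"""Added example (not from the thread): audit commits attributed to one author
for signatures git could not verify. Feed it the output of

    git log --format='%H%x09%G?%x09%an%x09%ae'

which prints hash, signature status, author name and author e-mail, tab
separated. The sample output below is constructed (hashes are placeholders),
and the author address is an assumption."""

# Meaning of the %G? status letters, from git-log(1).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Constructed sample; hashes are placeholders, not real commits.
SAMPLE_GIT_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\tAlice Example\talice@example.com",
    "2222222222222222222222222222222222222222\tN\tAlice Example\talice@example.com",
    "3333333333333333333333333333333333333333\tE\tAlice Example\talice@example.com",
    "4444444444444444444444444444444444444444\tN\tBob Example\tbob@example.com",
])


def parse_git_log(text):
    """Parse tab-separated 'hash status name email' lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, name, email = line.split("\t")
        entries.append({"sha": sha, "status": status, "name": name, "email": email})
    return entries


def unverified_commits(entries, author_email, trusted=("G",)):
    """Commits carrying author_email whose signature status is not in trusted.

    Only 'G' is trusted by default: an unsigned ('N') or uncheckable ('E')
    commit under your name is exactly what a forged commit would look like."""
    return [
        (e["sha"], e["status"], SIGNATURE_STATUS.get(e["status"], "unknown status"))
        for e in entries
        if e["email"] == author_email and e["status"] not in trusted
    ]


if __name__ == "__main__":
    for sha, code, meaning in unverified_commits(parse_git_log(SAMPLE_GIT_LOG),
                                                 "alice@example.com"):
        print(f"{sha[:12]} {code} {meaning}")
```

Run it against a real clone by piping the `git log` command's output into `parse_git_log`; anything it prints is a commit that carries your name but no signature you can vouch for. Note that the `--format` placeholders only give useful results when the repository's commits are signed and the signing keys are in your keyring, otherwise every commit will show as `N` or `E`.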

~~~
illuminated
True, but these people usually want money - fast. The process you describe
takes time and with time the risk of being caught expands. So I guess "real
criminals" would opt for fast money rather than long term possibilities. The
option you're describing seems more likely for various "agencies" and the
likes...

------
taspeotis
Honestly if I had the eleventy squillion bytes/s bandwidth of a large DDoS
behind me and I wanted to DDoS GitHub ... I'd DDoS the status page too (just
for shits and giggs).

But on a serious note, is DDoS'ing a server that serves mostly static content
way too hard? I imagine taking out one of GitHub's ways of communicating
what's going on is appealing.

~~~
randywaterhouse
There are two types of DDoS attacks, which Github actually wrote about last
week (thereabouts[1]), although you'll be unable to read the blog post until
the site is back (unfortunately).

But I can outline the two they discussed. The first is a "complex attack",
which basically consists of doing things that make the server overload itself
(repeatedly handshaking SSL, etc.), and that would be mitigated to some extent
by reducing the complexity of the site (i.e. you can't SSL handshake with a
server that only knows HTTP). Similarly, dynamic content could be an attack
surface, so static content would make it more difficult to use such a
complexity attack.

The other type of attack, a simple bandwidth attack, doesn't care if your
server is a top-of-the-line quad-chip Xeon server or an RPi in your basement,
because all it does is exploit the bottleneck that is bandwidth. This attack
just pumps packets like mad in your direction, and your network will likely
become congested (and eventually fail) at some level other than your server
(i.e. router level, firewall can't handle 100 Gb/s so the packets never even
make it to your server).

So, in light of the second there, DDoS'ing static content is just as easy as
DDoS'ing dynamic content sites, as long as you're using a bandwidth type
attack.

I encourage you to read the blog post when the site is back up, it's
definitely worth a read!

[1] [https://github.com/blog/1796-denial-of-service-attacks](https://github.com/blog/1796-denial-of-service-attacks)
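To make the two shapes concrete from the defender's side, here is an added example (not code from the thread, from GitHub, or from its blog post) that runs over a constructed connection log. A complexity attack shows up as one source driving the server through expensive per-connection work, here repeated TLS handshakes; a bandwidth attack shows up only as bytes per second on the link, whatever the payload is. The log format, the field names and both thresholds are assumptions made for the example.

```python
"""Added example (not code from the thread, GitHub, or its blog post): sort
constructed connection-log events into the two DDoS shapes described above.
A 'complexity' attack makes the server do expensive work per connection (here,
repeated TLS handshakes from one source); a 'bandwidth' attack just fills the
link, so it is measured in bytes per second regardless of request type.
The log format and both thresholds are assumptions for this example."""
from collections import defaultdict

# Constructed sample log, hypothetical format: "<second> <src_ip> <event> <bytes>".
_SAMPLE_EVENTS = (
    # One source opens 30 TLS handshakes in a single second and never sends a
    # request: cheap for the client, expensive (key exchange) for the server.
    [(0, "198.51.100.7", "tls_handshake", 512)] * 30
    # Ordinary visitor: one handshake, then a couple of page fetches.
    + [(0, "203.0.113.5", "tls_handshake", 512),
       (0, "203.0.113.5", "http_get", 2048),
       (1, "203.0.113.5", "http_get", 2048)]
    # Another source sends 100 full-size junk datagrams in one second; the
    # server never parses them, the link is simply full.
    + [(1, "192.0.2.9", "udp_junk", 1400)] * 100
)
SAMPLE_LOG = "\n".join(f"{t} {ip} {ev} {n}" for t, ip, ev, n in _SAMPLE_EVENTS)


def parse_log(text):
    """Parse the assumed log format into (second, src_ip, event, nbytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        second, src, event, nbytes = line.split()
        events.append((int(second), src, event, int(nbytes)))
    return events


def analyse(events, handshakes_per_sec_per_src=20, link_bytes_per_sec=100_000):
    """Report sources that look like a handshake (complexity) flood and the
    seconds in which total traffic exceeded the link (bandwidth flood).

    Both thresholds are assumptions: tune them to the server's measured TLS
    handshake capacity and the uplink's real size."""
    handshakes = defaultdict(lambda: defaultdict(int))  # src -> second -> count
    bytes_per_second = defaultdict(int)
    for second, src, event, nbytes in events:
        bytes_per_second[second] += nbytes
        if event == "tls_handshake":
            handshakes[src][second] += 1

    flood_sources = sorted(
        src for src, per_second in handshakes.items()
        if max(per_second.values()) >= handshakes_per_sec_per_src
    )
    saturated = sorted(
        second for second, total in bytes_per_second.items()
        if total >= link_bytes_per_sec
    )
    return {
        "handshake_flood_sources": flood_sources,
        "saturated_seconds": saturated,
        "peak_bytes_per_sec": max(bytes_per_second.values(), default=0),
    }


if __name__ == "__main__":
    print(analyse(parse_log(SAMPLE_LOG)))
```

The two findings call for different responses, which is the comment's point: the handshake flood is attributable to a source and is relieved by doing less work per connection or by dropping that source before the handshake, both things the host or its front end can do; the saturated seconds are a property of the link, so serving only static files changes nothing and the traffic has to be absorbed or filtered upstream.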

~~~
iclelland
It seems back now, but in case anyone finds this comment the _next_ time
GitHub is under DDoS:

[http://webcache.googleusercontent.com/search?q=cache:KNnwGeD...](http://webcache.googleusercontent.com/search?q=cache:KNnwGeDlspwJ:https://github.com/blog/1796-denial-of-service-attacks+&cd=1&hl=en&ct=clnk&gl=ca)

------
gtirloni
In my teenage years I don't think anyone with access to a few servers hooked
to T1 lines had to have any excuse to use that to DoS anyone. I always assumed
they had some sense of fun (whatever that is) or were compensating for
something else in their life.

Anyway, I don't think we ugly bags of water have changed much in the last 20
or so years. I wouldn't read too much into this GitHub DDoS event.

------
bleakcabal
Of all the sites I frequently visit/use, GitHub is by far the one to get DDoSed
the most often. Does anyone have any insights on why?

~~~
lectrick
I'm not prone to violence but if I met someone who I was certain DDOS'd Github
I'd certainly immediately punch them hard in the face.

Github is a noble company with noble end-goals, and collaborative open-source
is a revolutionary "work" idea. To see someone smash a bottle on the counter
and threaten the nicest guy in the room gives me rage.

~~~
wreegab
> I'd certainly immediately punch them hard in the face

Looks to me you are prone to violence.

------
iancarroll
What happened to the Hubot command to redirect the attack to the contracted
provider? Surely they can handle it.

~~~
namuol
This isn't as simple as it sounds; they'd need to identify DDoS traffic and
reroute, while still allowing "legitimate" users through.

But this may not be the sort of brute-force bandwidth DDoS that this was
designed to handle either -- it could be a more targeted attack to existing
bottlenecks in GitHub's architecture.

~~~
iancarroll
They made praising comments about the service last time.

------
bdcravens
Since most are on the github.io domain, maybe someone is fighting back against
the propagation of 2048 clones?

~~~
kmfrk
.io domains are hosted separately for this reason (and others, probably).

------
cvburgess
This is getting ridiculous. There are so many sites to attack, why Github?

~~~
doyoulikeworms
Could this be in any way related to Julie Ann Horvath's treatment at the
company?

~~~
lectrick
I didn't know the story. From
[http://thinkprogress.org/economy/2014/03/19/3416013/github-j...](http://thinkprogress.org/economy/2014/03/19/3416013/github-julie-ann-horvath-sexism/) :

"The sight of her male coworkers leering at a group of women in the office was
the last straw for Github’s first female hire."

Take a workplace with all-men, and due to _sheer probability_ you're going to
get a lot of leerers when any number of women walk in. That's really a bit
unfair of an assessment. I'd like to see what happens when an attractive man
walks into a workplace that is all-women.

~~~
skylan_q
_I'd like to see what happens when an attractive man walks into a workplace
that is all-women_

I've been in this situation a few times and it makes me feel incredibly
terrified.

------
bigtunacan
These days when I see a GitHub post that they are experiencing a DDoS attack I
have a slightly cynical reaction to it. I was at a software conference where
we had thousands of people hitting GitHub to clone projects for workshops all
at the same time. They shut us down and said they were experiencing a DDoS... We
were lucky that a couple of GitHub employees were at the conference and were
able to contact the main office to get things straightened out.

------
raindev
A message about a DDoS attack could cause another wave of DDoS performed by
thousands of users continuously refreshing a website to see if it's up.

------
billynomates1
My company is in the process of moving from our own SVN server to using
GitHub. Is this a bad idea in light of all these DDoS attacks recently?

~~~
thiderman
Github still holds quite a lot of nines in terms of uptime. It's just that
it's extra visible when something big like Github goes down.

The important part you should consider is to switch to git. I'd recommend
starting to use Github, and if you find that it's down too much, look at
alternatives or at hosting a solution yourself.

~~~
vertex-four
No they don't now. Because of the recent DDoSes, they're at 99.93%.

~~~
jx2zhou
Correct me if I'm wrong, but that still seems like a lot of nines.

~~~
kjs3
Not if you need less than 30m of downtime a month to run your business.

------
bttf
If anything this is just a minor annoyance to users. If whoever is responsible
gets a kick out of DDoS'ing a site like GitHub for no rhyme or reason they
really should find better things to do with their time, i.e. they are losers.

------
afhsfsfdsss88
This is Chris Dodd and his new friends.

[http://www.webupd8.org/2014/03/how-to-install-popcorn-time-f...](http://www.webupd8.org/2014/03/how-to-install-popcorn-time-from-source.html)

------
thatinstant
Let's look on the bright side... At least 2048 is up! ;-)
[http://gabrielecirulli.github.io/2048/](http://gabrielecirulli.github.io/2048/)

~~~
iLoch
No. No! Nononononononooooooooo

------
joemaller1
...and let me help by trying to load the site. /dumbmonkey

------
raindev
GitHub's website loads pretty fine for now. The team is working on the traffic
filtering now, the status page said.

------
Arnor
The pinnacle of asshattery... This is why we can't have nice things...

------
ahmedmhmd
Can this be a part of the story?

[http://thinkprogress.org/economy/2014/03/19/3416013/github-j...](http://thinkprogress.org/economy/2014/03/19/3416013/github-julie-ann-horvath-sexism/)

------
raindev
Wondering who was continuously DDoSing GitHub last time...

------
ericraio
Seems like a waste of time for whoever is DDoSing.

~~~
bdcravens
Waste of time? Not really. Think of all the projects that rely on it for
package management, plugins, etc. Think of all the companies using private
Github. Lots of lost productivity.

~~~
Already__Taken
Not really; you won't deploy live code from github, and if you are, it's
decentralised anyway, so you just use your latest private clones and it's
exactly the same.

Everyone can keep working happily even using other syncing methods to
collaborate.

At worst it messes with the issue queues and integration services.

~~~
ericraio
+1. As stated, this isn't affecting the git repos themselves. :)

------
ch4s3
It's back for me in Baltimore, MD

