GitHub experiencing a large DDoS attack (opens in new tab)

(status.github.com)

90 pointstrevorhartman12y ago102 comments

102 comments

74 comments · 24 top-level

cmer12y ago· 19 in thread

This is getting really problematic. It stops our whole team every time.

Anybody has experience with Gitlab and Gitlab CI? How's the flow compared to Github, especially for pull requests, commenting and collaboration?

twerquie12y ago

This happens to our team too.

Does anyone else find it ironic that Git is a distributed version control system, yet we rushed to centralize it and base our entire workflow around GitHub?

fideloper12y ago

I've tinkered with the idea of setting up a git repo on a hosting provider like Digital Ocean for just an occasion. Maybe back it up hourly from github, and/or also push to it regularly by adding it as a remote in our git repos.

Anything business related we use beanstalkapp, for its better price-per-private repo and deployments in any case (no issues with them ever!)

camus12y ago

Github is just a node. IF Github dies , people still have the full repos on their computers.That's not always the case with SVN... And most people are too lazy/dont have resources to set up a git server anyway.

5 more replies

barkingcat12y ago

I always wonder if people prefer to use a centralised model that github seems to promote, or if people are not tooled up to take advantage of the distributed nature of git?

How technically hard is it to have an internal roundrobin git system that's synced up with the github repos needed, and then redirect to the internal git servers as needed when github goes down? I'm just wondering, no snark.

Github will go down by the nature of it being a web service. Web services aren't 100% by nature.

WestCoastJustin12y ago

Although, I don't have experience with Gitlab, I did create a screencast about git/gitolite, which can do 90% of what you want @ http://sysadmincasts.com/episodes/11-internal-git-server-wit...

Then look at something like Gitweb [1], cgit [2], or Gerrit [3] to front the repo. I personally use git, gitolite, and gitweb.

[1] https://git.wiki.kernel.org/index.php/Gitweb

[2] http://git.zx2c4.com/cgit/

[3] http://code.google.com/p/gerrit/

druiid12y ago

I've been very happy with Gitlab. The CI server seems a bit simplistic at this point and I haven't tried it, but I'm slowly moving all of the stuff I need to have more consistent access to, from Github.

sytse12y ago

GitLab co-founder here. Thanks for commenting druiid. GitLab CI 3.1 will have very nice integration with GitLab 6.0. It will still be simple, but should cover most cases.

cheeseprocedure12y ago

Have you tried Jenkins as a CI server? While the core Gitlab product is quite nice, the feedback I've heard on the CI component is that it becomes problematic once builds become non-trivial (though to be fair, I've heard this mostly from Jenkins folks).

BrainInAJar12y ago

We just built our own build scripts (in make(1) like god intended) and wrap jenkins around that. Pretty hard to go wrong with tech that's been tested for the last 35 years

1 more reply

y0ghur7_xxx12y ago

We are using Gitlab for about half a year with Jenkins, and we could not be happier. We are about 50 devs working with it every day. It has some quirks (for example AD integration) but it has served us well, and we would not want anything else.

sytse12y ago

GitLab co-founder here, thanks for the comment y0ghur7_xxx. Please let me know if you have any idea's to improve Active Directory Lightweight Directory Service support.

jbrooksuk12y ago

I used GitLab by myself, it works really well and since V5 is super easy to get installed.

nonchalance12y ago

Is there a VM image like Github enterprise?

2 more replies

fomb12y ago

Git's distributed right?

taylorbuley12y ago

Started timing out for us mid-deploy.

Not a good situation.

gwenbell12y ago

I use Gitboria, accessible through CJDNS.

leishulang12y ago

time to learn peer to peer git pull for your team

danielsju612y ago

man git daemon

whatthesmack12y ago

man git-daemon #ftfy

gavingmiller12y ago· 8 in thread

I ask because I have no plausible answer: What does someone stand to gain by DDoSing github?

thenonsequitur12y ago

It could be to cause a failure in an ancillary github service that results in opening up a new attack vector which could then allow the attackers to steal code from private repos.

leishulang12y ago

maybe some hackers who believes git repos should be, well, distributed?

briandear12y ago

So maybe they can build a distributed system themselves instead of making a point the f*c%s everyone while they have their childish tantrum. This is like nuking a city because you don't like the mayor.

look_lookatme12y ago

Could be an extortion scheme.

camus12y ago

blackmailing ? "if you dont pay we'll DDOS you" or whatever. Given all these infected Windows computers all over the world ,it's not going to stop soon. That's the Microsoft legacy.

JimmaDaRustla12y ago

It's Microsoft's legacy to have their customers' computers infected with a virus to operate as a giant botnet?

Sheesh.

gtaylor12y ago

Am I crazy in thinking that there's zero chance Github would pay a "ransom"? Seems like they'd just work with their vendors/providers and mitigate it to avoid setting that precedent (making them even more vulnerable to future attempts).

1 more reply

astrodust12y ago

It'll only get worse in April when XP goes off life support.

AnSavvides12y ago· 5 in thread

I do not understand why GitHub get attacked so often - honestly it's not like they are doing anything wrong, they are a fabulous service and the go-to place for most (if not all) developers for all sorts of projects, be it open source or in an enterprise/corporate context.

1qaz2wsx3edc12y ago

Extortion, research, or for evil. Attacking Github may be an attempt to effect someone that uses it (Github may not be the direct target). What if it's possible to effect HFT trading.

---

We do know that they've been consistently attacked. Github has been unsuccessful in mitigating attacks.

Github needs to explain why these attacks are happening. What is being done to stop them. What has been done to stop them. And if they are different from previous attacks.

manojlds12y ago

Didn't you just answer your question? It is the "go-to" place for most developers.

Cakez0r12y ago

That doesn't really answer his question. Why would somebody want to inconvenience developers?

6 more replies

level0912y ago

I bet DDos-protection companies (Dosarrest, cloudflare etc..) are happy to see this .. what's better than a new business potential

dickeytk12y ago

extortion, potentially.

cheeseprocedure12y ago· 4 in thread

Can someone with experience mitigating an attack like this describe how it's done? A known set of hosts/address spaces is fine, but it's the "distributed" part I don't understand how to deal with.

pktgen12y ago

We don't know anything about the attack, but in general:

1. All of this requires that you have more bandwidth than the attacker.

2. ACL drop everything but the ports/protocols you use on your frontend IP. For github.com that would be TCP 80 and 443. (ACLs are cheap, can be done at wire-rate on any capable edge router, so they're a good "first step." In this case it would have the bonus of dropping DNS amplification attacks which are increasingly common.)

3. If it's a TCP SYN flood (probably from spoofed IPs) enable SYN cookies. (Of course now the bottleneck is their load balancer.)

4. If it's an L7 attack, they'll need to identify patterns in the requests to identify and drop the traffic. For example, the attacker may be requesting a single URL only. If it's an L7 attack on a TCP service, they can also automatically add a drop rule for that source address, because at this point the client IP will have been validated (via the SYN challenge).

They may also be able to identify certain patterns in the traffic that can be ACL'd at the edge. For example, IP TTL being identical.

timdorr12y ago

Usually there is some pattern to the traffic that can be identified and filtered out. There are manual ways to do this (iptables, basic firewalls) or more sophisticated "anti-DDOS" boxes you can buy to automate or simplify the process (e.g. Cisco Anomaly Guard or Juniper Junos DDoS Secure).

300bps12y ago

Can someone with experience mitigating an attack like this describe how it's done?

I believe Step 1 is to submit the fact that GitHub is being DDoS'd to Hacker News, reddit, Slashdot and other social networking sites with a direct link to GitHub's web site. This will cause a flood of real people to load the web site, thereby crowding out the DDoS.

The site will still be down, but at least it will be due to real people and not the DDoS.

lsh12312y ago

There are services that specialize in handling DDOS attacks with distributed data centers and large pipes. It is very hard to do it on a shared infrastructure (e.g. AWS) w/o affecting other customers thus hosting providers will be more interested in protecting other clients.

danielsju612y ago· 3 in thread

Just a PSA Git is distributed, fire up a quick instance with git daemon.

git daemon --verbose --export-all --base-path=.git --reuseaddr --strict-paths .git/

daemon1312y ago

>> Just a PSA Git is distributed

Can you please elaborate?

swede12y ago

Public Service Announcement

You can have multiple remotes for your Git repositories, one of them (Github) being down should not affect your work since you can coordinate a new one with your team in the manner described above.

1 more reply

AdamGibbins12y ago