Tech by VICE

GitHub's Largest DDoS Attack Is Still Going, 4 Days Later

The site’s largest DDoS attack shows no signs of tapering off

by Lorenzo Franceschi-Bicchierai
Mar 30 2015, 3:38pm

​Image: Bruce Willia​ms/Flickr

On Wednesday night of last week, someone started targeting the popular coding site GitHub with a massive distributed denial of service attack, which the company later call​ed the largest in its seven-year history.

More than four days later, the attack is still ongoing.

The attackers essentially hijacked thousands of internet users' connections to Chinese internet giant Baidu, serving them malicious Javascript code that redirected their traffic to two specific pages hosted on GitHub, according to an anal​​ysis of the attack published on Friday. (Baidu denied any responsibility in the attack)

One of the pages is the GitHub page of GreatFire, a well-known anti-censorship group that's been monitoring Chinese ​censorship and developing tools to circumvent the country's Great Firewall. The second page was a mirror of The New York Times's website, which is blocked in China.

Given the nature of this attack, Ryan Lackey, an engineer at security firm CloudFlare, told Motherboard that the "very sophisticated network attack" was going to be hard to stop, as the attackers can make the bogus traffic look very close to regular internet traffic.

In the last three days, it looks like this is exactly what happened. While GitHub is not releasing any details (and a GitHub's spokesperson declined to answer any questions from Motherboard on multiple occasions), looking at the site's Status page, it seems like the attackers are relentless.

"The ongoing DDoS attack has shifted again to include Pages and assets," read a status update from Saturday.

"The ongoing DDoS attack has changed tactics," GitHub wrote on Sunday.

While there's no definitive evidence yet, security experts are pointing the finger at China, given that the attack originated inside China's network, and that pretty much no one else has a motive to target GreatFire's GitHub pages.

Mikko Hypponen, a renowned security expert and chief research officer for F-Secure, said that while he has no proof that it's China, "it sure looks like it."

"Who else would have the motive? Who else would have the capability to hijack traffic like this?" he told Motherboard.

Richard Bejtlich, chief security strategist at FireEye, echoed Hypponen in a blog​ post where he called this attack "unacceptable" and "reprehensible."