More than four days after it began, the massive DDoS attack on GitHub is still ongoing. The attack has evolved significantly since it started and GitHub officials said they believe that the goal of the operation is to force the site to remove some specific content.
In the evening hours of March 25, DDoS attack traffic began hitting a pair of URLs hosted on GitHub. The URLs, github.com/greatefire/ and github.com/cn-nytimes/, both are related to Chinese content and researchers looking at the attack discovered that the attackers apparently were using scripts placed around the Web were hijacking Baidu traffic to flood GitHub. The attack succeeded in causing interruptions to GitHub’s services at various points over the next couple of days as the company’s team worked to filter the traffic and mitigate its effects.
By Friday afternoon, GitHub had implemented volumetric defenses to help defeat the attack, but the effects were temporary. The attack continued over the weekend and the attackers began adjusting their methods as time wore on.
“The ongoing DDoS attack has shifted again to include Pages and assets. We are updating our defenses to match,” company officials said on the GitHub status page at 10 AM UTC Saturday.
GitHub officials said that information they have received lead them to believe the attack is part of an effort to make the company take down some content.
“We are currently experiencing the largest DDoS attack in github.com’s history. The attack began around 2AM UTC on Thursday, March 26, and involves a wide combination of attack vectors. These include every vector we’ve seen in previous attacks as well as some sophisticated new techniques that use the web browsers of unsuspecting, uninvolved people to flood github.com with high levels of traffic. Based on reports we’ve received, we believe the intent of this attack is to convince us to remove a specific class of content,” Jesse Newland wrote on the GitHub blog on Saturday.
As of about 12 PM UTC Monday, GitHub was reporting that the site’s resources are running normally, but the DDoS attack was still continuing.