Home / News

1.3 Tbps DDoS Attack Against GitHub is Largest Attack Seen to Date, Says Akamai

Graph from Akamai shows inbound traffic in bits per second that reached their edge. The first portion of the attack peaked at 1.35Tbps and a second 400Gbps spike a little after 18:00 UTC. (Source: GitHub)

On February 28th, Akamai reports experiencing a 1.3 Tbps DDoS attack against its customer GitHub. According to Akamai, the incident was the largest attack seen to date, “more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed.” Companies such as Cloudflare have recently warned about increasing number of such amplification attacks using distributed memory caching system or memcached servers, and both Cloudflare and Akamai warn this exploit has the potential to be quite significant due to its capability to drastically amplify an attack.

Akamai reports: “Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure. Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly. Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly. The good news is that providers can rate limit traffic from source port 11211 and prevent traffic from entering and exiting their networks, but this will take time.”

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Not sustained Phil Howard  –  Mar 3, 2018 2:51 AM

this was not a sustained (continuous) attack.  it might have forced a reboot or two.  what is the point in that?  to do a test and let Akamai report back what peak they achieved?

port 11211?  as soon as this port and maybe a few others get well blocked, attackers will figure out how to randomize it.  randomization is probably of only minor value, anyway.  just having a few ports in the attack can make blocking it so much harder

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com


Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API