GitHub wipes hand across bloodied face, stumbles from brutal DDoS beating

Popular source-code warehouse GitHub was back online today after weathering a huge denial-of-service attack throughout the week. The status page of the San Francisco-based outfit charts the progress of the assault and the attempts to end it. Problems with the web service first cropped up on Tuesday, 1 October, before the team …

COMMENTS

This topic is closed for new posts.
  1. Stu

    GitHub & businesses

    “GitHub’s business is to act as a code repository for companies big and small. This is unfortunately a brutal case of the impact of third party services on business security and availability,” he said.

    Yes I'm sure the likes of Rockstar thoroughly entrusted a cloudy public hosting site to host the code for all its GTA V developers. Or IBM developing an update to a SAN software stack?

    Not a chance. Not even a small developer would trust it for private, internal code. Sure for sharing code around publicly, but not businesses big and small; just use something like Atlassian Stash on-premises or whatever, or, shock horror, Git itself on a Linux box.

    1. Peter Mount

      Re: GitHub & businesses

      Agreed. Use it for public code but use internal repos for the day to day stuff.

      The beauty of modern repositories like git & mercurial is that you're not limited to a single central repository as they are distributed. This makes it pretty simple to keep both internal and external repositories in sync.

    2. JDX Gold badge

      Not even a small developer would trust it for private, internal code

      What a stupid thing to say. Many, many businesses use services like GitHub, Bitbucket, Assembla.

      Apart from anything else there are a whole slew of tech/software companies who are virtual/decentralised... they don't have a central location or an office in which to put a server.

      Keeping a backup separate is another story of course. As is the fact that with git, losing your 'central' server doesn't matter.

      But a physical git server in your basement... you do realise that's just security through obscurity, right? The moment anyone does want to attack you, you are far more likely to have serious problems. "Close the git server from the web" isn't an option if you want to allow your developers to work remotely.

      1. Paul Crawford Silver badge

        Re: Not even a small developer would trust it for private, internal code

        "Close the git server from the web" isn't an option if you want to allow your developers to work remotely.

        No, but you could have a firewall list that only allows the IP addresses of your developers to gain access. Even with a bit of IP re-use on domestic broadband being added in, you are down from ~1 billion computers able to attack to a hundred or so.

        1. asdf

          Re: Not even a small developer would trust it for private, internal code

          >"Close the git server from the web" isn't an option if you want to allow your developers to work remotely.

          There is this new fangled technology a few brave companies use called VPN which is the only way they often allow access to the goodies from the outside.

        2. Trevor_Pott Gold badge

          Re: Not even a small developer would trust it for private, internal code

          "No, but you could have a firewall list that only allows the IP addresses of your developers to gain access."

          Pain in the ASCII when everyone's on these dynamic IPs handed out by telcos and/or IPv6 which appears to mean "completely random IP addresses depending on location that often change faster than the DNS TTLs for most dynamic services. If you have a dynamic service that supports AAAA, of course."

          But hey, sure, Dunning Kruger the problem. Woo.

          1. Paul Crawford Silver badge

            @Trevor_Pott

            The first point is a perimeter firewall & its rules won't help your external users under DDoS as most likely your link will be saturated and/or the firewall overloaded with malformed packets. But what it can do is prevent your internal users from losing the service, which I believe was the issue in reply to JDX. Of course, it also reduces the probability of a service under overload from becoming vulnerable.

            The second point, the external user's IP address: then it all depends. For example my home is on cable in the UK and my IP address has changed only 7 times in the last 4 years. And had I used a /16 mask then only 2 changes would have been needed (obviously trading off more potential zombies attacking).

            We have an arrangement where we can log in to our web server and ask for that IP address to be added to the firewall permissions; in a few minutes it then opens up SSH access, etc. Not totally automated, but good enough to allow modest home (or on-site) working to function while keeping out almost all login-forcing attempts.

            As for IPv6, we just ignore it for now as our current infrastructure (and most UK broadband connections) don't support it by default. But eventually we will have to use it, so yes I will accept more potential pain there.
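Paul Crawford's allow-list idea, as an added example that is not from this thread or The Register: a default-deny source-address matcher showing the exact-address versus /16 trade-off he describes, with an IPv6 rule included to show what that side costs. The addresses are constructed documentation ranges and the rule format and function names are assumptions.

```python
import ipaddress

# Constructed allow-list for illustration (RFC 5737 / RFC 3849 documentation
# ranges, not real developer addresses). A /32 admits exactly one address; the
# /16 is the looser rule from the comment, admitting a whole block so that a
# modest ISP reassignment does not lock the developer out.
ALLOW_RULES = """
# developer on a stable cable connection: exact address
203.0.113.7/32
# developer whose ISP moves them around inside one block: wide mask
198.51.100.0/16
# a native IPv6 developer (the comment ignores v6; this rule shows the cost)
2001:db8:1234::/64
"""


def parse_rules(text):
    """Turn allow-list lines into network objects. strict=False keeps the
    supplied mask even when host bits are set (198.51.100.0/16 -> 198.51.0.0/16)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(ipaddress.ip_network(line, strict=False))
    return rules


def is_allowed(source, rules):
    """Default deny: a source address reaches SSH only if some rule covers it."""
    addr = ipaddress.ip_address(source)
    return any(addr.version == r.version and addr in r for r in rules)


def exposure(rules, version=4):
    """Count the addresses the rules let through (overlaps collapsed): the
    'potential zombies' traded off when a mask is widened."""
    nets = ipaddress.collapse_addresses(r for r in rules if r.version == version)
    return sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    rules = parse_rules(ALLOW_RULES)
    for src in ("203.0.113.7", "203.0.113.8", "198.51.200.9", "2001:db8:1234::42"):
        print(src, "allowed" if is_allowed(src, rules) else "denied")
    print("IPv4 addresses admitted:", exposure(rules))     # 65537
    print("IPv6 addresses admitted:", exposure(rules, 6))  # 2**64
```

The exposure figures make the comment's trade-off concrete: one exact rule admits one address, the /16 admits 65,536, and a single /64 admits more than the whole IPv4 space.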

            1. Trevor_Pott Gold badge

              @Paul Crawford

              So you are the model for the entire internet? The suggestion was made in a "well just do this and you're fine" manner. You may have minimal IP changes - and apparently "automated" manual entry that relies on developers knowing how to work the thing (rare in my experience) - and can simply "ignore IPv6" so evidently that's everyone sewn up then.

              Also, let's totally ignore the fact that if you're a cloud vendor doing things properly you'll have alliances with upstream telcos to have DDoSes blocked upstream of you - where your systems can feedback into theirs to block IPs and so forth - so that traffic can continue to flow. There are even some bandwidth/hosting providers that specialize in this. Github chose not to avail themselves of this, while providing a hosted service and that is the real issue here, not that companies are using a hosted service in the first place.

              "I think I've got something that probably works for my situation (though it's never had to withstand a concerted attempt to attack it) thus everyone who doesn't do it exactly like me and/or trusts a hosted provider is a moron" is arrogance of the first order.

              Maybe your solution works for you. For now. Congratulations. It also doesn't take into account the needs of others nor has it come under serious attack. To advance that as a cure-all whilst poo-poohing hosted services on principle is to sell snake oil and claim it's a panacea.

        3. itzman

          Re: Not even a small developer would trust it for private, internal code

          Even firewalls get the incoming packets before they drop them... they are no proof against a brute force DDOS.

      2. 02X7Cm

        Re: Not even a small developer would trust it for private, internal code

        When you're talking about DDOS attacks "security through obscurity" is the only way to prevent DDOS from happening in the first place. If nobody but your core developers know the location of the repository... so no it's not "stupid".

        Of course you can't stop anybody from deliberately targeting your developers through social engineering / trojan / malware / 0-day exploit that will then potentially compromise your systems, but the point here is that a DDOS attack on your "central" repository potentially stops one (or more) from working.

        Git may be decentralised, but when groups work together people still need to merge/fork/branch on common ground.

        Any tech/software companies that rely on a cloud repository WILL think twice about renewing their services or bringing it 'in-house' or at least deploying a private cloud / VPS (perhaps even run by the public cloud providers) where their own repo will not be affected in case of a DDOS on the public cloud.

        The OP DOES make a good point in that companies like IBM where security and trade secrets are of paramount importance would not even have a repository accessible from a public IP. They're more likely deployed and accessible only via limited VPN access if they're even allowed to access it over the internet.

        It's pretty common knowledge that if you want things to be secure, first of all, get off the grid.

        1. Anonymous Coward

          Re: Not even a small developer would trust it for private, internal code

          Seriously, security through obscurity is what you call a defense strategy? Good luck a-hole

      3. Anonymous Coward

        Re: Not even a small developer would trust it for private, internal code

        "Many, many businesses use services like GitHub, Bitbucket, Assembla."

        Then they deserve everything they get. I can understand a proper enterprise ready cloudy solution such as http://tfs.visualstudio.com/ , but these insecure and flaky third party ventures are simply not suitable for business use...

        1. Trevor_Pott Gold badge

          Re: Not even a small developer would trust it for private, internal code

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          MICROSOFT IS GOOD, BUY MICROSOFT.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          BELIEVE IN MICROSOFT. MICROSOFT IS GOOD.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          MICROSOFT IS GOOD. MICROSOFT HAS NO PROBLEMS.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          Developers, Developers, Developers, Developers.

          THE LICENSING IS APPROPRIATE AND NOT GOUGING AT ALL. MICROSOFT IS GOOD.

    3. TeeCee Gold badge

      Re: GitHub & businesses

      Yup, there's an old saying about eggs and baskets (ok, basket, singular) that applies here.

      1. ThomH

        Re: GitHub & businesses

        The good thing about git repositories is that checking out is cloning. So everybody has their own fully functional git repository, and the remote is backed up quite well even if you've no formal process.

        If GitHub vanishes temporarily, pick any local machine to be the new central repository, and remember to push from there when GitHub comes back up.

    4. toadwarrior

      Re: GitHub & businesses

      Who let grandpa on the internet again? Time to give him his pills.

      1. Frumious Bandersnatch

        Re: GitHub & businesses

        Who let grandpa on the internet again? Time to give him his pills.

        Pfft. It was "grandpas" that built most of this Internet of yours ...

        1. Trevor_Pott Gold badge

          @Frumious Bandersnatch

          Pfft. It was "grandpas" that built most of this Internet of yours ...

          Yeah, and a right pile of badly engineered shit it is, too. "Forward thinking" you old folks were not.

          1. This post has been deleted by its author

          2. Jordan 1

            Re: @Frumious Bandersnatch

            4.3 billion IP addresses ought to be enough for everyone.

    5. ckm5

      Re: GitHub & businesses

      Hate to tell you, but there are a lot of cloud businesses that use GitHub as a primary repository - some even use pulls to manage their release.

      God forbid anyone ever use cloud-based services like EC2, Heroku & Joyent. I mean, no serious business would ever trust cloud crap for core operations....

    6. Anonymous Coward

      Re: GitHub & businesses

      "Sure for sharing code around publically, but not businesses big and small.........."

      Looks like some people like using Git for storing development

      http://digital.cabinetoffice.gov.uk/2013/09/12/latest-data-on-government-transactions/

      http://digital.cabinetoffice.gov.uk/2013/08/21/visualising-foreign-travel-advice/

  2. Anonymous Coward

    Isn't this why you use GH Enterprise?

    Hosted on your own internal network...

  3. dave 81

    One question not covered

    Why take down GitHub? What reasons for temporarily disrupting the service?

    1. James Hughes 1

      Re: One question not covered

      I'm guessing it's someone who has actually had to use Git (or had it foisted upon them). A hopelessly badly designed effort at a distributed SCCS. And I have to use it every day. Any SCCS where you need to be more highly trained than you need to be to write the code in the first place has got its priorities wrong.

      1. Anonymous Coward

        Re: One question not covered

        "to be more highly trained than you need to be to write the code in the first place has got its priorities wrong."

        Some of the biggest projects in the world are using git without issue... Really if you can't work out how to use the 3 or 4 commands you need in daily usage and read the manual when you need to do something more complex I think it says more about you than git. Maybe you should find a job that's more suitable and requires less thinking.

        1. Stretch

          Re: One question not covered

          Your point seems to be equivalent to "...bad workman...". You miss the fact that we have plenty of tools that do the same thing and, helpfully, ARE NOT POORLY DESIGNED SHITE.

      2. Richard 12 Silver badge

        Re: One question not covered

        I just use Git GUI.

        Almost everything I need to do is a click on a button or menu option, and when I've needed to do something more esoteric I just Google it and add it to the "custom tools" menu so it becomes just another menu option.

        There are annoyances with it - the tags list gets too long & can't easily edit a custom tool (have to open config file), but overall it's much easier than VSS or ClearCase so I'm happy.

        Mercurial may well be better but I've not used it.

    2. silent_count

      Re: One question not covered

      Let us consider the matter at hand. Who would benefit from damaging the open source community? I'm not quite ready to name a suspect, Watson, but I surmise that we'll find the culprit barricaded in an office, behind a wall of Surface RTs, with many imminently throwable chairs to keep Inspector Lestrade and his constables at bay.

    3. Anonymous Coward

      Re: One question not covered

      Probably just a Chinese diversion, to obtain what the government wants, yet stamps out @ the same time - innovation.

  4. Stretch

    hoorah

    svn ftw.
