This month, you may have noticed that the servers used by the GMP project – an open source arithmetic library at the heart of GCC and other programs – have slowed to a crawl. This is due to a deluge of network traffic, the origin of which is quite surprising.
The packets appear to originate from servers associated with Microsoft.
Torbjörn Granlund, lead author of GMP, raised the alarm in a note on the project’s mailing list.
“GMP servers are being attacked by several hundred IP addresses belonging to Microsoft Corporation,” he wrote. “We don’t know if this was done maliciously by Microsoft, if it was some kind of mistake, or if [one] of their customers in the cloud … ran an attack. The attack targets the GMP repo, with thousands of identical requests. Requests are intelligently selected as causing heavy system load.
“We are shutting down all Microsoft IP addresses as an emergency response.”
The following day, Mike Blacker, director of hunting, operations, and threat response at Microsoft’s GitHub, identified the culprit: a GitHub Actions workflow that cloned GMP’s Mercurial repository, running from a project that had been forked more than 700 times.
“Microsoft and GitHub investigated the issue and determined that a GitHub user updated a script within the FFmpeg-Builds project that pulled content from gmplib.org,” Blacker explained.
“This build is configured to run parallel simultaneous tests on 100 different types of computers/architectures. This activity does not appear to be malicious. [At GMP] it appears that there is limited infrastructure that cannot sustain limited but simultaneous requests.”
GitHub does try to keep a parent project’s workflows from running in forks (scheduled workflows, for instance, are disabled by default in forked repositories), but that defense does not work consistently.
This is not the first time a software project has cried DDoS over heavy automated traffic. In February 2022, Drew DeVault, founder of SourceHut, described the behavior of Google’s Go Module Mirror as a distributed denial of service attack. After two years of complaints from DeVault, Google’s Golang team earlier this year agreed to make its software less demanding on other people’s computing resources.
Granlund wasn’t entirely satisfied with Blacker’s explanation, or the implied weakness of the project’s server(s) – which, until a recent AMD Epyc 7402P upgrade, had been a particularly unstable Intel Xeon E5-1650 v2.
“Our machine is quite powerful, it’s a server class machine with many cores and lots of RAM, and its connection is 1GbE to a top-class datacenter,” he answered.
“This is NOT a legitimate use of any server on the internet. Your response seems to suggest that it is our fault, that we should have more powerful servers to accommodate this behavior. Really?”
That was Saturday, June 17, and Granlund fired off a follow-up message to Blacker noting that the traffic flood remained constant and that he was continuing to block Microsoft addresses in response.
On June 18, the author of FFmpeg-Builds published a commit to alert developers who have forked the repository that they need to fix their workflow scripts. The added step checks which repository the workflow is running in and, if it is not the original, echoes a message to the developer.
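The shape of such a guard, written here as an added example rather than the FFmpeg-Builds commit itself: GitHub Actions exposes the repository a workflow runs in as the `GITHUB_REPOSITORY` environment variable (`owner/name`), so a fork sees its own owner there and can be told apart from upstream. The upstream name `example-org/FFmpeg-Builds` is a placeholder, and failing the step (rather than only printing) is this example’s choice, not something the article states about the real commit.

```shell
#!/usr/bin/env sh
# Added illustration, not the FFmpeg-Builds project's own code.
# GITHUB_REPOSITORY is set by GitHub Actions to "owner/name" of the repository
# the workflow is executing in; in a fork it names the fork, not the upstream.

UPSTREAM_REPO="example-org/FFmpeg-Builds"   # assumed placeholder for the real upstream

# fork_guard REPO UPSTREAM
# Returns 0 when REPO is the upstream project, 1 when it is a fork or when REPO
# is empty (variable not set, e.g. the script was run outside of Actions).
fork_guard() {
    repo="$1"
    upstream="$2"
    if [ -z "$repo" ]; then
        echo "GITHUB_REPOSITORY is not set; refusing to run the scheduled build" >&2
        return 1
    fi
    if [ "$repo" != "$upstream" ]; then
        cat >&2 <<EOF
This workflow is running in a fork ($repo), not in $upstream.
Every fork that keeps the upstream schedule re-fetches third-party sources
(such as the GMP repository) on each run, which multiplies load on servers
that are not yours. Disable the scheduled trigger in your fork, or point the
build at a mirror you control, before re-enabling it.
EOF
        return 1
    fi
    return 0
}

# Stand-alone demonstration: upstream passes, a fork does not.
fork_guard "$UPSTREAM_REPO" "$UPSTREAM_REPO" && echo "upstream: build proceeds"
fork_guard "forker/FFmpeg-Builds" "$UPSTREAM_REPO" 2>/dev/null || echo "fork: build refused"

# In a workflow the same check is one step, e.g. (YAML shown as a comment):
#   - name: Refuse to run in forks
#     run: . ./fork_guard.sh && fork_guard "$GITHUB_REPOSITORY" "$UPSTREAM_REPO"
# The equivalent declarative form is an `if: github.repository == 'owner/name'`
# condition on the job, which skips the fetch entirely instead of failing it.
```

Making the step fail, not merely print, is what actually stops a fork’s scheduled run from reaching the upstream source server; a message alone is only seen by someone who reads the job log.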
As of this week, excess traffic remains an issue.
“Our servers are fully usable, but that is the result of our adding all the participating Microsoft network sets to our firewall,” the GMP project explains on its webpage. “We understand that we are far from the first project to take such steps against Github.”
The Register asked Granlund whether he was satisfied with the Microsoft-GitHub response; he told us he has heard from Blacker only once.
“I blocked about 40 IP ranges from accessing our web server,” he explained.
“A week after it started, there was still heavy traffic from the same IP addresses, maybe 100 different Microsoft addresses in total, belonging to about 40 ranges. The difference was that that traffic only caused a small load, and a log line in the firewall.
“Problem solved. I don’t care if they can no longer access gmplib.org. I find it interesting how little responsibility Github/Microsoft assumes here. They seem to think they have the right to bash away at smaller sites.”
GitHub did not immediately respond to a request for comment. ®
PS: If you noticed the TLS-cert-issuing Let’s Encrypt’s one-hour outage this month, there’s a technical analysis here by software engineer and cryptographer Andrew Ayer.