On February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps. The powerful attack was abusing the memcached protocol to power so-called memcached DDoS attacks.
Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.
Clients communicate with memcached servers via TCP or UDP on port 11211.
Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 discovered that recently attackers are abusing the memcached for DDoS amplification attacks.
The abuse of memcached servers in DDoS Attacks is quite simple, the attacker sends a request to the targeted server on port 11211 spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.
Experts at Cloudflare dubbed this type of attack Memcrashed, according to the researcher the amplification technique could allow attackers to obtain an amplification factor of 51,200.
Researchers predicted then that threat actors in the wild would abuse misconfigured Memcached servers in future attacks, and it is exactly what is happening.
Experts at Arbor Networks reported that earlier this month a US service provider suffered a 1.7Tbps DDoS attack. The service provider was able to repel the attack thanks to adequate countermeasures, but we can consider it an exception because a so huge volume of traffic is able to take off the majority of websites online.
The experts confirmed that also in this case attackers exploited unsecured memcached database servers to amplify attacks.
“Today, NETSCOUT Arbor can confirm a 1.7Tbps reflection/amplification attack targeted at a customer of a U.S. based Service Provider has been recorded by our ATLAS global traffic and DDoS threat data system.” reported Arbor Networks. “The attack was based on the same memcached reflection/amplification attack vector that made up the Github attack”
The previous record DDoS attack was observed by ATLAS in 2016, it was a 650Gbps attack towards a target in Brazil.
Unfortunately the availability online of unsecured memcached servers will allow threat actors to power similar attacks in the future.
“While the internet community is coming together to shut down access to the many open mecached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” continues the post published by Arbor Networks.
“It is critically important for companies to take the necessary steps to protect themselves.”
Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.
“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.
“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.”
The fear for this new kind of attack represents a good opportunity for cyber criminals, crooks already started to blackmail companies asking for a ransom demand in Monero cryptocurrency to avoid being attacked via Memcached servers.
Let’s see how long the 1.7Tbps attack will remain the largest-ever DDoS attack …
Stay tuned …
(Security Affairs – memcached DDoS Attack, hacking)