The largest DDoS attack ever disclosed slammed into the servers of software development site GitHub at 17:21 UTC last Wednesday, hitting a peak of 1350 gigabits per second with a follow-up reaching 400 gigabits per second. The attack exploited amplification, a technique we’ve seen before in previous mega DDoS incidents, but this time abusing Memcached servers. Memcached is a popular free and open source, high-performance, distributed memory object caching system; it is generic in nature but intended for speeding up dynamic web applications by alleviating database load. Memcached is simple yet powerful. Its simple design promotes quick deployment and ease of development, and it solves many problems facing large data caches. Its API is available for most popular languages. By default, it allows unauthenticated external connections on UDP port 11211, which means the attackers were able to generate large amounts of traffic simply by sending servers left in this weak state a simple “stats” command from a spoofed IP address.
This compares favorably with previous amplification attacks such as the 2013 DNS-themed assault on Spamhaus, which boosted responses 50 times to a 300 gigabits per second peak. Later it was the NTP protocol that was abused in a 400 gigabits per second attack on French hosting company OVH, which exploited an amplification rate of 500 times. The mitigation companies must have suspected something unpleasant, which is why Akamai’s Prolexic division shut it down so rapidly. Luckily, it’s not that hard to stop: perimeter firewalls can block UDP on the named port, or UDP can be disabled on Memcached servers altogether. The underlying problem here is once again poorly-secured infrastructure – estimates of the number of vulnerable Memcached servers range up to around 95,000, with almost all being in the US and China.
Someone will now have to persuade the owners of all those vulnerable Memcached servers to close the vulnerability or risk intervention by large ISPs. Perhaps this time the attackers were testing out a new idea; it has even been suggested that it was a ransom attack, because there appeared to be an embedded demand for the Monero virtual currency.
DDoS attacks come in many different forms, from Smurfs to Teardrops to Pings of Death. Attackers build networks of infected computers, known as ‘botnets’, by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners’ knowledge, and used like an army to launch an attack against any target. Some attacks are so big they can max out a country’s international cable capacity. Botnets can generate huge floods of traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, or having computers send the victim huge amounts of random data to use up the target’s bandwidth. These attacks sometimes attempt to use up all the available connections to infrastructure devices such as load-balancers, firewalls and application servers. Even devices capable of maintaining state on millions of connections can be taken down by these attacks. Other attacks overwhelm a specific aspect of an application or service, and those can be effective even with very few attacking machines generating a low traffic rate.
How DDoS amplification attacks work on Memcached servers
To understand the attack we must learn how Memcached functions in a high-performance environment. Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source, such as a database or API, must be read. Memcached’s APIs provide a very large hash table distributed across multiple machines. When the table is full, subsequent inserts cause older data to be purged in least recently used order. Applications using Memcached typically layer requests and additions into RAM before falling back on a slower backing store, such as a database.
Just like other amplification methods, in which attackers send a small request from a spoofed IP address in order to elicit a much larger response, the Memcached amplification attack works by sending a request to the exposed server’s port 11211 from a spoofed IP address that matches the victim’s IP address. A request of only a few bytes sent to a vulnerable server can trigger a response tens of thousands of times larger. The majority of exposed Memcached servers are open to this kind of amplification abuse.
Some research also says that the Memcached primitive queries used in these attacks can also be sent over TCP port 11211 on misconfigured Memcached servers. TCP is not currently considered a high-risk Memcached reflection vector because TCP queries cannot be spoofed in a reliable manner. Even though the attack can be easily detected just by setting a rule on UDP traffic with source port 11211, it cannot be mitigated without a dedicated DDoS mitigation solution due to the massive number of packets per second (and bits per second) delivered in this kind of attack. Traffic of this volume is likely to render edge routing devices unavailable before the real traffic even reaches the server, regardless of the server’s configuration.
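As an added example that is not part of the original article, the following Python applies the detection rule described above (UDP replies arriving from source port 11211) to constructed flow records and estimates, per destination, how much reply traffic it received compared with what it actually sent to port 11211. The flow record format, the addresses and the byte counts are assumptions made for the example.

```python
# Added example (not from the article): flag Memcached reflection traffic in
# constructed flow records. Amplified replies arrive as UDP from source port
# 11211, and a spoofed victim never sent the matching requests itself.
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flows: proto src sport dst dport bytes packets
SAMPLE_FLOWS = """\
UDP 203.0.113.10 11211 198.51.100.5 40000 1400000 1000
UDP 203.0.113.11 11211 198.51.100.5 40000 1380000 990
UDP 198.51.100.5 40000 203.0.113.10 11211 60 1
UDP 203.0.113.12 11211 198.51.100.6 40000 1400000 1000
UDP 192.0.2.7 53 198.51.100.9 51000 512 1
TCP 192.0.2.8 443 198.51.100.5 52000 90000 70
"""

def parse_flows(text):
    """Parse one whitespace-separated flow record per line into dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed records
        proto, src, sport, dst, dport, nbytes, pkts = parts
        flows.append({"proto": proto, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def memcached_reflection_report(flows):
    """Per destination hit by 11211/udp replies: reply bytes, distinct
    reflectors, and reply bytes divided by the bytes that host itself sent to
    11211/udp (None when it sent nothing, the signature of a spoofed victim)."""
    replies, reflectors, requests = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] != "UDP":
            continue
        if f["sport"] == MEMCACHED_PORT:
            replies[f["dst"]] += f["bytes"]
            reflectors[f["dst"]].add(f["src"])
        elif f["dport"] == MEMCACHED_PORT:
            requests[f["src"]] += f["bytes"]
    report = {}
    for victim, nbytes in replies.items():
        sent = requests.get(victim, 0)
        report[victim] = {"reply_bytes": nbytes,
                          "reflectors": len(reflectors[victim]),
                          "amplification": nbytes / sent if sent else None}
    return report
```

On the server side, the exposure is closed by starting memcached with `-U 0`, which disables its UDP listener entirely.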
Jerika Inc. customers are protected against all known DDoS amplification attacks, and as of now they are protected against this specific attack as well.