Memcache flaws are being exploited to drive intense amount of traffic to websites. The resulting overload forces websites to shut down temporarily while the attack is mitigated.
Wednesday, February 28, 2018 is the date of the largest DDoS attack ever witnessed. Popular code distributor Github.com endured an 8 minute attack which saw traffic spikes up to 1.35 terabits per second, followed by smaller spikes of around 400 gigabits per second. The overwhelming traffic used by the attackers made the attack hard to stop. This attack is unlike any DDoS attack witnessed, with incredible magnitude. Until Wednesday, the highest witnessed attack of this kind consisted of 1 Tbps spikes and was delivered using malware called Mirai. The Github attack is different from the attacks suffered by French telecom OVH and Dyn DNS.
The most recent attack relies on the exploitation of a security flaw in Memcached servers. This flaw was pointed out by multiple entities, including Akamai and Cloudflare. Researchers believe that the servers’ UDP protocol is problematic, and it opens an avenue for attacks like these, with relatively low effort. Github has confirmed that the Memcache flaw was exploited in this most recent amplification attack, with high speeds generated by 126.9 million packets a second.
Amplification attacks offer hackers a large range of capability. Well carried out attacks can launch incognito, with low Gbps rates, and ramp up into hundreds of gigabits per second attacks. These attacks become difficult to identify and difficult to trace. Hackers use spoof IP addresses to deliver the attacks. These spoofed IPs reroute responses from Memcache to another address, allowing for much more data to be sent that would normally be handled. This amplification technique results in 51,000 times more data being sent. Github calls this technique unique.
Marek Majkowski of Cloudflare says that the Memcached protocol is being more frequently used. He specifically notes that the attack vector is coming from UDP port 11211. Attacks like these are being deployed worldwide using a default insecure configuration. Amplification factors as a range from 10,000x to the new high of 51,200x, established by the Github breach.
Akamai’s Prolexic, a fully managed DDoS protection suite, was responsible for ultimately protecting Github. Once Github implemented the protections, Akamai filtered and blocked malicious traffic. In a public statement, Github makes clear that user data was not at risk. They also apologized to users and promised to prepare for more such attacks in the future. Security will be improved and expanded.
In the aftermath of these attacks, cyber businesses will be wise to learn. With attacks increasing in size and sophistication, it is important for businesses to factor the cost and likelihood of large-scale DDoS attacks. Tools like this DDoS Downtime Cost Calculator will help business owners in this.