With the cyberworld facing the most disturbing security threats quite early on, 2018 is predicted to be an eventful year on the cyberthreat front. GitHub faced the largest ever DDoS (Distributed Denial of Service) attack last week, which peaked at 1.3 terabits per second, or 126.9 million packets per second.
And the record of the largest DDoS attack got broken just within a week, when earlier this month, a customer of US based service provider suffered a 1.7 Tbps attack, as reported by the Arbor Networks. Although no outage was experienced as proper security measures were in place by this provider but the attack is proof enough that memcached attacks are among the cyberthreats that should be considered seriously by the network administrators in the future.
These DDoS attacks were based on UDP (User Datagram Protocol) Memcached traffic. Memcached is a protocol used to cache data and decrease strain on heavy data stores such as disk or databases. It enables the server to be enquired about key value stores, intended to be used on systems which aren’t exposed on public internet.
However, the attackers spoof IP addresses of UDP traffic, and send the request to a vulnerable UDP server. The server prepares the responses, not knowing the request is fake. Hence, the information is delivered to an unsuspecting host, which causes the attack.
When GitHub was attacked last week, its servers stopped responding for a few hours, until Akamai filtered out the malicious traffic from UDP port 11211 (the default port used by memcached). Akamai warned that because of memcached reflection capabilities, the same attack might soon occur again with higher data rate.
“Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure,” stated Akamai in a blog post. “Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly.”
Arbor Networks confirmed the second DDoS attack and its data rate, and mitigated it using ATLAS global traffic and DDoS threat data system.
“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” wrote Carlos Morales, VP of sales, engineering and operations at Arbor Networks in a blog post.
These attacks can be mitigated by blocking off UDP traffic from Port 11211, and locking down the systems to avoid being part of such attacks.
Prior to this, the biggest DDoS attack was detected in September 2016 in Brazil, which peaked 650 gigabits per second. The memcached DDoS attacks are the first ones to cross terabit limit.