Just one week after the huge memcached-based DDoS attack on the code repository GitHub, the same technique was used to direct an even larger attack at an unnamed U.S. service provider. According to DDoS protection firm Arbor Networks, the provider was hit with an attack peaking at a previously unseen 1.7 Tbps. Akamai, Cloudflare and Arbor all reported a surge last week in amplification attacks that use exposed memcached servers to multiply traffic by a factor of up to 50,000.
Memcached is an in-memory caching system that speeds up websites which rely on external databases. It is packaged for most Linux distributions and, until very recently, listened on UDP port 11211 by default. Such servers should never be exposed to the Internet, yet according to Rapid7 more than 100,000 are at any given time. As Rapid7 phrases it, “That’s quite a spread of potential DDoS soldiers just sitting and waiting to be brought into the amplification army”.
Arbor Networks’ Carlos Morales agrees that memcached attacks are here to stay because of the sheer number of exposed servers. “While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.
Cloudflare first reported on the spike in this then obscure amplification method, which abuses the memcached protocol over UDP, just two days before the GitHub attack. Amplification attacks using this vector reach such sizes because the reflected responses are very large, the UDP listener performs no handshake and no authentication (so the source address of a request can be spoofed freely), and the server returns the data at wire speed. Cloudflare also described how easy such an attack is to launch. The first step is to store a large value on an exposed memcached server; the second is to send a “get” for that key in a UDP packet whose source address is spoofed to the victim’s. The request fits in a few dozen bytes, while the response can be enormous (up to 1 MB), and the server sends it to the victim rather than the attacker.
Cloudflare reported that vulnerable memcached servers are found all over the world at major hosting providers, with the greatest concentration in North America and Europe. Their advice to operators was to double-check every memcached deployment, bind it to internal addresses only and disable the UDP listener immediately (the memcached project’s 1.5.6 release turns UDP off by default). Their advice to protocol designers was blunter: stop using UDP; if you absolutely must, do not enable it by default, and make sure a response is never larger than the request that triggered it.
Brian Krebs recently reported that the record-breaking DDoS assaults are being fuelled by the opportunity for “digital shakedowns in which victims are asked to pay a ransom to call off crippling cyberattacks”. Krebs cited experts from Cybereason, a Boston-based security company that has been tracking the recent attacks. Cybereason said it has seen memcached attack payloads containing a ransom note demanding payment in the cryptocurrency Monero. The note is repeated until the stored value reaches approximately 1 MB in size, the maximum a single “get” will return.
“The payload is the ransom demand itself, over and over again for about a megabyte of data,” said Matt Ploessel, principal security intelligence researcher at Cybereason. “We then request the memcached ransom payload over and over, and from multiple memcached servers to produce an extremely high volume DDoS with a simple script and any normal home office Internet connection. We’re observing people putting up those ransom payloads and DDoSing people with them.”