Security researchers recently discovered that memcached, a database caching system used to speed up websites and networks, can be abused by malicious users to amplify attack traffic against a target by a factor of 51,000. A single home computer with a 100 megabit/second upload capacity from its ISP could therefore direct about 5 terabits per second of traffic at a target.
It was earlier reported that memcached servers were abused to carry out a 1.3Tbps DDoS attack on Github. That attack was thought to have topped previous records set in 2016; however, the vandals have since been found to have abused the servers for a 1.7Tbps attack, using the newly documented memcached amplification method against an unnamed US service provider.
As Ars Technica reports, the record attack was discovered by a separate DDoS mitigation service, Arbor Networks. It targeted an unnamed customer of a US-based service provider. Despite the record size of the attack, the customer and the ISP survived owing to the defensive capabilities they already had in place.
Vice president of global sales engineering and operations at Arbor, Carlos Morales, is quoted as saying, “It’s a testament to the defense capabilities that this service provider had in place to defend against an attack of this nature that no outages were reported because of this.”
In addition to disrupting services, some of the memcached-based DDoS attacks are accompanied by a ransom demand; researchers suggest the demand is the price for stopping the data flood. Some of the attack traffic carried the words 'Pay 50 XMR' along with details of a wallet. At the current value of the digital currency Monero, 50 XMR translates to about $18,415. The 1.3Tbps attack on Github also included a similar ransom demand.
The report further explains that the new amplification technique is enabled by network service providers that permit forged UDP packets to traverse their networks, together with memcached servers that are exposed to the internet. An attack works by sending queries to an open memcached server, with the queries manipulated so that they appear to originate from the intended target of the DDoS; the server's responses, far larger than the queries that triggered them, are then delivered to the target rather than to the sender.
Researchers indicate that there were about 93,000 memcached servers that improperly accepted input from anyone on the internet. A significant number of service providers have yet to adopt measures that block spoofed UDP traffic on their networks and to shut down all publicly reachable memcached servers they host.
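The two defensive points above (spot a memcached server that is answering tiny spoofed queries with huge replies to outside addresses, and make sure your own memcached is not listening on UDP or on a public interface) can both be turned into checks. The following is an added example written for this page, not code from the article, Arbor, or the memcached project. The flow-record format, the internal address ranges and every address in the sample flows are constructed for the example; the memcached options it audits (`-U`, the UDP port, where `0` disables UDP, and `-l`, the bind address) are real, but the audit only understands the plain `-U <port>` and `-l <addr>[,<addr>]` forms, not the `addr:port` variant.

```python
"""Defender-side checks for the memcached amplification pattern.

(1) memcached_amplification(): groups UDP flows by memcached server and
    compares bytes arriving on port 11211 with bytes leaving it; a server
    whose replies dwarf its queries and go to addresses outside our own
    ranges is the signature of a reflector being abused.
(2) audit_memcached_cmdline(): flags a memcached launch line that keeps the
    UDP listener on or binds to all/public interfaces.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import shlex

MEMCACHED_PORT = 11211

# Constructed: the address space we consider "ours"; replies elsewhere are external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]

# Constructed flow records, one per line: proto src:port dst:port packets bytes
SAMPLE_FLOW_LINES = [
    "udp 203.0.113.7:40000 198.51.100.10:11211 3 45",         # tiny query, spoofed source
    "udp 198.51.100.10:11211 203.0.113.7:40000 900 1300000",  # huge reply to an outside host
    "udp 10.0.0.5:50000 10.0.0.20:11211 10 400",              # ordinary internal cache traffic
    "udp 10.0.0.20:11211 10.0.0.5:50000 10 4000",             # modest internal reply
    "tcp 10.0.0.5:50001 198.51.100.10:11211 20 2000",         # TCP is not the spoofable vector
]


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flow_line(line: str) -> Flow:
    proto, src, dst, packets, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(packets), int(nbytes))


def parse_flows(lines):
    return [parse_flow_line(l) for l in lines if l.strip()]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def memcached_amplification(flows, ratio_threshold: float = 50.0) -> dict:
    """Per server: UDP bytes in on 11211, UDP bytes out from 11211, their ratio,
    whether any reply left for an external address, and a flag when a high
    ratio and an external reply coincide."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "external_reply": False})
    for f in flows:
        if f.proto != "udp":          # only UDP can be reflected with a forged source
            continue
        if f.dst_port == MEMCACHED_PORT:
            stats[f.dst_ip]["bytes_in"] += f.nbytes
        elif f.src_port == MEMCACHED_PORT:
            stats[f.src_ip]["bytes_out"] += f.nbytes
            if not is_internal(f.dst_ip):
                stats[f.src_ip]["external_reply"] = True
    report = {}
    for server, s in stats.items():
        if s["bytes_in"]:
            ratio = s["bytes_out"] / s["bytes_in"]
        else:
            ratio = float("inf") if s["bytes_out"] else 0.0
        report[server] = {**s, "ratio": ratio,
                          "flagged": s["external_reply"] and ratio >= ratio_threshold}
    return report


def audit_memcached_cmdline(cmdline: str) -> list:
    """Findings for a memcached launch line, in the order udp-*, bind-*."""
    args = shlex.split(cmdline)
    udp_port, bind_addrs = None, None
    for i, a in enumerate(args):
        if a == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1])
        elif a == "-l" and i + 1 < len(args):
            bind_addrs = args[i + 1].split(",")
    findings = []
    if udp_port is None:
        findings.append("udp-default")       # default depends on version; older builds listened on UDP
    elif udp_port != 0:
        findings.append("udp-enabled")       # pass -U 0 to disable the UDP listener
    if bind_addrs is None or any(b in ("0.0.0.0", "::") for b in bind_addrs):
        findings.append("bind-all-interfaces")
    elif any(not is_internal(b) for b in bind_addrs):
        findings.append("bind-public")
    return findings


if __name__ == "__main__":
    for server, s in memcached_amplification(parse_flows(SAMPLE_FLOW_LINES)).items():
        print(server, f"ratio={s['ratio']:.1f}", "FLAGGED" if s["flagged"] else "ok")
    print(audit_memcached_cmdline("memcached -u memcache -m 64 -l 0.0.0.0 -U 11211"))
```

On the constructed flows the server at 198.51.100.10 shows a reply-to-query byte ratio in the tens of thousands with the reply heading outside the internal ranges, so it is flagged, while the internal cache at 10.0.0.20 (ratio 10, replies staying inside) is not. The audit treats an absent `-U` as unverified rather than safe, because whether UDP is on by default depends on the memcached version; the only line it passes cleanly is one that binds to an internal or loopback address and sets `-U 0` explicitly.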
In response to the biggest DDoS attack, Chester Wisniewski, Senior Security Advisor at British security company Sophos said, “While DDoS attacks are just a normal part of the background radiation of the internet, these attacks are demonstrating once again how the risky behavior of a few system administrators can put the entire internet at risk of being disrupted. The systems being used in these amplification attacks should never have been exposed to the internet to start with. If we want to make these types of attacks harder to conduct, we need to hold system administrators and developers liable for their bad behavior.”
Wisniewski further said, “These attacks aren’t difficult to prevent, yet the carelessness of the few results in harm to the greater internet community.”
In light of the attacks, Srinivasan C R, Chief Digital Officer at Tata Communications, said that these sophisticated DDoS attacks are now targeting multiple layers of the enterprise. He said, “The most common attacks target the application layer, servers and devices. The recent attacks in the US exploit the default configuration of publicly available memcached servers leaving systems vulnerable to attacks on an unprecedented scale. It is critical for enterprises to take steps to protect themselves as attackers continue to exploit this vulnerability while the global community works to secure the memcached servers.”
“The best way to protect businesses is to stop these attacks in their tracks before they get a chance to debilitate networks. Scrubbing ensures that the network layers act as the first line of defence by monitoring and cleansing all incoming traffic in real-time. At Tata Communications’ security operations centres, engineers work hand-in-hand with our AI-enabled DDoS mitigation system to monitor attacks. Clean traffic is routed into the network, whereas any suspicious traffic is routed back to the source. It’s a system which ensures legitimate traffic always gets through, while malicious traffic is mitigated at the source rather than near the target network – so it does not choke bandwidth. Tata Communications has multiple scrubbing centres across the globe,” he said.
“Attacks of the size we’ve seen recently require enterprises to work with global DDoS mitigation service providers with cloud-based capabilities. Tata Communications’ multi-layered DDoS protection solution uses cloud-based technology helping deliver real-time detection and mitigation, protecting critical assets like the data centre and using cloud signaling to raise the alarm during a volumetric attack. We also actively study changes in data traffic and data patterns to understand global usage trends. This helps us detect unusual activity and allows us to forecast attacks,” he further added.