Improperly secured memcached database servers led to two record-breaking terabit DDoS attacks in the span of just five days, and experts believe the two-terabit mark isn't far off.
Last week GitHub was taken offline briefly by a 1.35 terabits per second (Tbps) DDoS attack, confirmed and mitigated by Prolexic Technologies, the DDoS mitigation subsidiary of Cambridge, Mass.-based Akamai. It broke the record for the largest DDoS attack, set by the Mirai-based Dyn attacks in 2016. On Sunday, Arbor Networks confirmed an even larger terabit DDoS attack, clocking in at 1.7 Tbps, that used the same reflection technique, requiring just one line of Python code against vulnerable memcached servers, but no service outages were reported.
Sammy Migues, principal scientist at Synopsys, said performing an amplified DDoS attack using memcached servers is trivial because "memcached was never intended to be connected to the public internet."
"It was originally designed and implemented for an internal, benign environment, so it usually responds to requests without requiring authentication. Attackers don't even have to break into it," Migues told SearchSecurity via email. "Besides that vulnerability, its implementation of UDP (User Datagram Protocol) is flawed: It will often return a large number of bytes when queried with a small number of bytes -- the amplification can be as much as 50,000 times the request. And UDP is a connectionless protocol that makes it susceptible to address spoofing -- you can send packets from one internet address but say you're from another address."
Protecting against terabit DDoS
Carlos Morales, vice president of sales engineering and operations at Arbor Networks -- who wrote the original blog post on the latest terabit DDoS attack -- told SearchSecurity that mitigating attacks could be as easy as filtering a specific UDP port.
"The memcached reflection/amplification attack is relatively straightforward to mitigate using any combination of network access control lists, rate limiting, QoS policy filtering or source-address validation as described in [Internet Best Current Practice 84 (Ingress Filtering for Multihomed Networks)]," Morales said. "All memcached traffic is sourced from UDP port 11211, which is not a common application port, so little or no legitimate traffic on this port should be seen from transit networks."
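As an added example, not code from the article or from Arbor Networks, the following Python applies the signature Morales describes, UDP traffic whose source port is 11211, to a set of constructed flow records and aggregates the matches per destination, so an operator can see the reflector count and rate for a protected address before deciding on an ACL or rate limit. The flow-line format, addresses and byte counts are all assumed and constructed for the demonstration.

```python
import re
from collections import defaultdict

MEMCACHED_PORT = 11211  # the UDP service port singled out in the mitigation advice

# Constructed sample flow records (assumed format, not from the article):
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n> pkts=<n> dur=<seconds>"
SAMPLE_FLOWS = """\
udp 198.51.100.10:11211 -> 203.0.113.5:3364 bytes=700000000 pkts=500000 dur=10
udp 198.51.100.11:11211 -> 203.0.113.5:3364 bytes=700000000 pkts=500000 dur=10
udp 198.51.100.12:11211 -> 203.0.113.5:3364 bytes=350000000 pkts=250000 dur=10
tcp 192.0.2.80:443 -> 203.0.113.9:51234 bytes=150000 pkts=120 dur=2
udp 203.0.113.9:55555 -> 198.51.100.10:11211 bytes=60 pkts=1 dur=0
"""

FLOW_RE = re.compile(r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"bytes=(?P<bytes>\d+) pkts=(?P<pkts>\d+) dur=(?P<dur>\d+(?:\.\d+)?)$")


def parse_flow(line):
    """Parse one flow line into a dict; returns None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "bytes", "pkts"):
        d[k] = int(d[k])
    d["dur"] = float(d["dur"])
    return d


def is_memcached_reflection(flow):
    """Reflected memcached responses are UDP flows whose *source* port is 11211 (requests to it are not)."""
    return flow["proto"] == "udp" and flow["sport"] == MEMCACHED_PORT


def summarize_reflection(text, min_gbps=1.0):
    """Aggregate suspect flows per victim and return {dst: {"reflectors": n, "gbps": x}} above min_gbps."""
    totals = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "dur": 0.0})
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or not is_memcached_reflection(flow):
            continue
        t = totals[flow["dst"]]
        t["bytes"] += flow["bytes"]
        t["reflectors"].add(flow["src"])          # distinct reflector addresses seen
        t["dur"] = max(t["dur"], flow["dur"])     # flows overlap, so use the longest window
    report = {}
    for dst, t in totals.items():
        gbps = t["bytes"] * 8 / max(t["dur"], 1.0) / 1e9   # guard against zero-length flows
        if gbps >= min_gbps:
            report[dst] = {"reflectors": len(t["reflectors"]), "gbps": round(gbps, 3)}
    return report
```

Note that the outbound request to port 11211 in the sample is deliberately not flagged; blocking only the response direction keeps a legitimate internal client usable while still stopping reflected traffic from transit.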
However, Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, noted those mitigation techniques must be done on the server side and there is little that the end victim can do on its own to stop a terabit DDoS attack.
"It's quite hard to protect a site that is being DOSed by such attacks. The attack leverages third-party servers you do not control, and hits you with a prevailing amount of traffic -- more than most hosting infrastructures can tolerate," Bilogorskiy told SearchSecurity. "Most companies pass on the cost of fighting a DOS attack to an anti-DDOS provider, but it is hard even for them to keep up at these volumes."
One terabit DDoS is just the start
Experts generally agreed that DDoS attacks crossing the 2Tbps mark aren't far off and Ofer Gayer, senior product manager at Imperva, suggested that 3Tbps DDoS attacks could be seen "within 18 to 24 months."
Donny Chong, product director at Nexusguard, said "an attack at the scale of 2Tbps is enough to take down regional internet backbones and ISPs, depending on how the attacks are distributed and where the source is located."
"If major internet services such as what we have seen with the Dyn DNS case were to be targeted, it will not be far off to expect most internet services to be affected," Chong told SearchSecurity. "As the world's internet bandwidth continues to increase and more content is delivered over the internet, so will the size of attacks. DDoS is here to stay, and there will always be new exploits on new services that will continue to set new records. The bottleneck that enterprises will now have to consider would be the scalability of appliances within their infrastructure, especially costly and poor-to-scale on-premise DDoS mitigation appliances."
Bilogorskiy said of the 1.35 terabit DDoS attack on GitHub, "The outage was reported, it just did not last very long."
"GitHub was down for about 10 minutes and I would say they reacted very quickly and also got lucky, as these attacks can and will get much bigger. Now everyone is scrambling to increase their capacity and ready their anti-DDoS plans," Bilogorskiy said. "I fully expect DDoS growth to outpace the defense and we will see more outages. The memcached amplification factor was more than 100 times larger than previous DDoS amplification factors, so if that trend holds, we will see new protocols being abused for reflection attacks with even larger impact."