February 28th saw the popular code repository website GitHub targeted by a massive distributed denial of service (DDoS) attack. Peaking at a monstrous 1.35 Tbps, the DDoS employed a new type of amplification attack which utilised poor authentication on memcached servers.
Previously, the largest DDoS attack recorded was capable of outputting 1.2 Tbps and involved the use of a malicious botnet. The significance of the recent GitHub DDoS is not only the size of the attack but specifically the technique used. Unlike the previous largest DDoS, there was no botnet involved and instead attackers looked to exploit publicly exposed servers operating the open source distributed memory object Memcached to launch the attack.
Memcached is designed to speed up dynamic web applications by alleviating database load. However, sending a request to an exposed memcached server results in a large response being returned, therefore, an attacker has the ability to generate large quantities of traffic which can be used to flood servers in an attempt to take them offline. By spoofing the victim’s IP address, an attacker can repeatedly send requests to vulnerable memcached servers, which would then return the response to the victim’s IP causing a DDoS.
It has been reported that 1000s of publicly exposed memcached servers were used to launch the attack on GitHub. Estimates suggest there to be around 100,000 publicly accessible memcached servers which could be exploited by an attacker.
Impact and Preventative Measures
Remarkably, GitHub only suffered downtime of around 10 minutes largely due to the efforts of Akamai’s DDoS mitigation service Prolexic. The DDoS attack itself was short lived, lasting for several minutes before traffic returned to normal levels, suggesting that it may have simply been to test the attack’s capabilities.
It is advised that memcached should not be installed on publicly accessible systems because it has no security mechanism. Instead, systems operating memcached should be behind a firewall or apply rate-limiting for UDP traffic on port 11211, which is the default port used by memcached. Adminstrators are advised to disable UDP support if it is not needed.
With the emergence of this new amplification attack, there have already been reports of ransom DDoS (RDoS) attacks, whereby an attacker threatens to launch/continue a DDoS unless a ransom is paid. Therefore, RDoS attacks are likely to increase with the prevalence of this new DDoS technique. Security firm Corero have already observed a steady increase in the past few days regarding memcached based attacks, highlighting how quickly cyber criminals will adopt and deploy new attack techniques.
Last updated: 4th March 2018