Last week we reported on what was then the world’s largest DDoS attack, a 1.35 Tbps flood that hit GitHub and caused a brief service disruption. It was carried out by abusing a recently publicised weakness in publicly reachable Memcached servers, which answer tiny UDP requests with responses many times larger.
Now researchers at DDoS mitigation firm Arbor Networks have confirmed that the same Memcached reflection technique has been used against a customer of an unnamed US service provider in a 1.7 Tbps attack, the largest DDoS attack recorded to date.
“While the internet community is coming together to shut down access to the many open Memcached servers out there, the sheer number of servers running Memcached openly will make this a lasting vulnerability that attackers will exploit,” said Arbor Networks’ Vice President of Global Sales Engineering and Operations in the company’s blog post.
The researchers describe it as a reflection/amplification attack, the same technique Cloudflare explained in its blog post last week: “Over the last couple of days, we’ve seen a big increase in an obscure amplification attack vector — using the Memcached protocol, coming from UDP port 11211. Unfortunately, there are many Memcached deployments worldwide which have been deployed using the default insecure configuration.”
The weakness was originally documented [PDF] by 0Kee Team, a group of Chinese security researchers, who pointed out that Memcached’s UDP support was added without the safeguards a connectionless protocol needs: before version 1.5.6 the UDP listener was enabled by default, it binds to every interface unless told otherwise, it requires no authentication, and, because there is no handshake, the server never verifies that the source address of a request is genuine. Any instance exposed to the internet therefore answers a small spoofed request with a response many times its size, which is what makes DDoS attacks on a previously unseen scale possible.
Because of that amplification, an attacker who prepares the attack well needs very little bandwidth or spoofing capacity of their own: a modest stream of spoofed requests is enough. Spoofing the source IP address causes Memcached’s responses to be directed at another address, such as the ones used to serve GitHub.com, so far more data reaches the target than the attacker ever has to send from the unspoofed source.
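To make the mechanics of the two paragraphs above concrete, here is an added example (not code from the article, from Arbor, Cloudflare or the memcached project) that builds the 8-byte Memcached UDP frame header, reassembles a multi-datagram reply, computes the request-to-response amplification ratio, and offers a small probe you can point at a Memcached host you administer to see whether its UDP listener answers from outside. The reply it works on is constructed inline, and the 0x1234 request id and the probe_udp name are choices made for this example. The spoofed source address that turns this into an attack is deliberately not part of it.

```python
"""Memcached UDP framing and amplification ratio (added example).

Not code from the article, Arbor, Cloudflare or the memcached project.
The header layout is the one memcached's protocol.txt documents for UDP:
8 bytes, all big-endian 16-bit: request id, sequence number, number of
datagrams in the message, reserved (0). The sample reply below is
constructed, not captured from a real server.
"""
import socket
import struct

MEMCACHED_UDP_PORT = 11211
FRAME_HDR = struct.Struct("!HHHH")  # request id, seq no, datagram count, reserved


def build_request(command: bytes, request_id: int = 0x1234) -> bytes:
    """Wrap an ASCII-protocol command in the 8-byte memcached UDP header."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return FRAME_HDR.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram: bytes):
    """Split one datagram into (request_id, seq, total, payload)."""
    if len(datagram) < FRAME_HDR.size:
        raise ValueError("datagram shorter than the memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HDR.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME_HDR.size:]


def reassemble(datagrams, expected_id: int):
    """Join a multi-datagram reply in sequence order.

    Datagrams carrying a different request id are ignored (a reflector
    answers many senders at once); a missing sequence number means the
    message is incomplete and None is returned.
    """
    parts, total = {}, None
    for d in datagrams:
        rid, seq, tot, payload = parse_frame(d)
        if rid != expected_id:
            continue
        total = tot
        parts[seq] = payload
    if total is None or any(i not in parts for i in range(total)):
        return None
    return b"".join(parts[i] for i in range(total))


def amplification_factor(request: bytes, reply_datagrams) -> float:
    """UDP payload bytes the reflector emits per payload byte it received.

    This is what the victim's link absorbs for each byte the attacker
    spoofs; IP/UDP header overhead is left out of both sides.
    """
    received = sum(len(d) for d in reply_datagrams)
    return received / len(request)


def probe_udp(host: str, timeout: float = 2.0):
    """Send `stats` over UDP to a memcached host you administer.

    Returns every datagram that came back before the timeout. An empty list
    means the UDP listener is unreachable from here (disabled or filtered);
    anything else means the host can be used as a reflector by anyone who
    can reach it.
    """
    request = build_request(b"stats")
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, MEMCACHED_UDP_PORT))
        try:
            while True:
                data, _addr = s.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


# Constructed sample: a `stats` reply split across two datagrams, delivered
# out of order, the way a real reflector might hand it to the victim.
SAMPLE_REQUEST = build_request(b"stats")
SAMPLE_BODY = (b"STAT pid 1234\r\nSTAT uptime 86400\r\nSTAT version 1.4.25\r\n"
               b"STAT curr_connections 10\r\nSTAT total_items 500000\r\n"
               b"STAT bytes 1073741824\r\nEND\r\n")
SAMPLE_REPLY = [
    FRAME_HDR.pack(0x1234, 1, 2, 0) + SAMPLE_BODY[60:],
    FRAME_HDR.pack(0x1234, 0, 2, 0) + SAMPLE_BODY[:60],
]

if __name__ == "__main__":
    print("request bytes:", len(SAMPLE_REQUEST))
    print("reply bytes:  ", sum(len(d) for d in SAMPLE_REPLY))
    print("amplification: %.1fx" % amplification_factor(SAMPLE_REQUEST, SAMPLE_REPLY))
    print(reassemble(SAMPLE_REPLY, 0x1234).decode())
```

The constructed `stats` reply gives a ratio of about 10 to 1, which already shows why a 15-byte request is worth sending; against a real server holding large cached values, a `get` for one of those keys returns the whole value, and ratios in the tens of thousands to one were reported during these attacks. Running probe_udp against your own instance from a host outside its network is the quickest check that the mitigations discussed later in the article actually took effect.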
An estimated 88,000 misconfigured Memcached servers are currently exposed and at risk of abuse, most of them in Europe and North America. As long as they remain reachable from the internet, attacks on this scale can be expected to become routine rather than exceptional.
Worse for victims, attackers are also embedding Monero (XMR) ransom notes in the attack traffic itself. A couple of days ago, Akamai researchers observed notes demanding 50 XMR to stop the attacks; at the time of publishing this article, 50 XMR is worth about $17,309. Paying achieves nothing: the note is reflected by the same servers to every target, so the attacker has no way of telling who paid.
Researchers advise Memcached operators to disable the UDP listener (the -U 0 option; UDP is off by default from version 1.5.6 onwards), bind the service to a loopback or private address with -l rather than leaving it on every interface, and firewall port 11211 so that only the application hosts that need the cache can reach it.
Previously, Arbor’s ATLAS global traffic analyzer had recorded a 650 Gbps attack on a target in Brazil, while Dyn DNS and French hosting provider OVH were each hit by attacks in the 1 Tbps range; until the attack on GitHub, those were labelled the world’s largest DDoS attacks.
If you run a business, you can estimate the cost and likelihood of a DDoS attack on it with this DDoS Downtime Cost Calculator.
Image credit: DepositPhotos