Madness is not reserved for basketball this March. Traditional distributed denial-of-service (DDoS) attacks were overthrown by record-breaking DDoS attacks that weaponized vulnerable memcached servers.
Earlier this month, GitHub, a software development platform, disclosed a 1.35Tbps DDoS attack followed by a 400Gbps spike. At the time it stood as the largest recorded DDoS exploit.
But GitHub’s time in the spotlight didn’t last long. Just after the GitHub incident was disclosed, an attack detected by a U.S.-based service provider stole the record-breaking title after an unnamed organization suffered a whopping 1.7TBps DDoS attack.
However, neither attack took their victims down. GitHub was unavailable for less than 10 minutes while the second victim showed no reported outages. While the scope of the exploits were larger than ever, their targets had enough defense in place to deter the interruption.
Still, the new form of DDoS attacks leveraged servers open to the internet and helped open the door to the “1Tbps DDoS era.” Days apart, both attacks leveraged the “memcached reflection/amplification attack vector,” according to NETSCOUT Arbor, and thrived on the wide world of vulnerable, memcached servers idly waiting on the open internet.
Historically smaller DDoS attacks were not able to harness the same kind of bandwidth accessible to memcached servers seen in the recent attacks, therefore increasing the speed of junk data received by the victims.
But the sharp increase in record-breaking DDoS attacks is enough to give IT departments pause. Here are four questions answered about the new mode of attack:
1. What’s a memcached server?
A memcached server is a simple memory cache, but when one stores data, a “key” is assigned, said Ashley Stephenson, CEO of Corero Network Security. When the data needs to be retrieved, the key is used to withdraw that particular set of data.
This simplifies disc storage, especially for data that’s retrieved often. Memcached servers provided “network-based services that listen on TCP or UDP port 11211 and you’re allowed to send this information with a simple command,” according to Stephenson.
Hackers exploited the UDP ports by spoofing the victim’s IP address associated with the port to elicit a higher response rate.
2. What makes memcached servers vulnerable?
Because memcached servers hold so much potentially sensitive memory, they should not be open to the internet. Despite this, DDoS attacks seen in the past month are mostly due to an “unfortunate oversight,” said Weston Henry, lead research analyst at SiteLock.
The open source group behind the design of memcached servers instruct users to not have the servers exposed but many are already set to a default configuration, which leaves them open and susceptible to either breaches or manipulation by bad actors.
The default configuration of the servers essentially allows them to “promiscuously [listen] to anyone’s request with no logins, no user IDs. They just sit there saying, ‘sure, ask me to do something,'” said Stephenson.
3. But how did the hackers find the servers?
Once servers are open to the internet, it does not take much effort to find them. Similar to how Google crawls the internet for websites, hackers turn to showdan.io to crawl for open servers, said Stephenson.
A “crawler picks an IP address anywhere in the internet and sends it a [specified] command, a HTTP command on port 80, and sees if it gets a reply,” said Stephenson. “If it gets a reply, Google records all the text.” After this, a command on HTTPS is sent to port 443 and if another reply is received, Google saves that text too.
This process is repeated by malicious actors crawling the internet to find a response from a memcached server to mark its IP address as having a vulnerable memcached server.
Once hackers have a compiled list of vulnerable servers, they can choose to exploit them. An exploit usually takes a large file, perhaps a megabyte file, and stores it on one of the vulnerable servers, according to Stephenson.
The file is given a simple key name, such as a single letter. From there, hackers can set and send the file so all of these servers become “preloaded” with this “big megabyte of junk data” under the specified key name, said Stephenson.
In other words, the process mimics how data is already retrieved from memcached servers but veiled in an exploit and unauthorized access.
When the hacker is ready for the actual attack, they choose their target IP address and send the retrieve command to the preloaded servers. Once the junk data is released, the victim will receive the influx of junk data.
The amplification factor in memcached servers is more severe because multiple retrieval commands can be sent at the same time, thus dumping a number of large payloads on one unsuspecting target, or a DDoS attack.
4. How can a DDoS attack be avoided?
Corero discovered a “practical kill switch” to offset the threat of another large-scale DDoS attack, according to a company announcement. But researchers now believe the vulnerable servers may also unwittingly grant hackers access to “steal or modify” data.
IT departments should be able to tell if their servers are open just from network visibility, yet visibility remains an issue for operators. To prevent a targeted attack, operators within a company should use scanning tools to find what’s on their networks.
In addition to internal scanning, external scans of an IP address base may be able to detect “what’s listening,” said Henry.