Last week, the developer platform GitHub was hit by 1.35 terabits per second of traffic at its peak. It has been described as the most powerful distributed denial of service (DDOS) attack in history, and employed a DDOS technique that is growing in popularity because it needs no botnet - a memcached amplification attack.
In this type of attack, criminals send small requests with a spoofed source address (the victim's IP) to vulnerable memcached servers that also have UDP support enabled. Because of the way memcached works, the servers answer with responses far larger than the requests, and those large packets are delivered to the victim's IP, overwhelming its systems and disrupting service.
Sam Kottler, manager, Site Reliability Engineering at GitHub, said the attack originated from more than a thousand different autonomous systems across tens of thousands of unique endpoints. "It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second."
However, GitHub withstood the attack, experiencing roughly 10 minutes of disruption during the onslaught. In a statement, it said it was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to the attack.
"We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users. To note, at no point was the confidentiality or integrity of your data at risk. We are sorry for the impact of this incident and would like to describe the event, the efforts we've taken to drive availability, and how we aim to improve response and mitigation moving forward," added GitHub.
Just the beginning
GitHub received help from Akamai Prolexic, which rerouted traffic to GitHub through its "scrubbing" centres, which removed and blocked data identified as malicious.
In its blog, Akamai said: "Akamai's Prolexic platform was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached."
Akamai said that several other businesses have experienced similar reflection attacks recently, and it has seen a marked increase in scanning for open memcached servers since the initial disclosure. "We predict many more, potentially larger attacks in the near future."
Memcached attacks are likely to rise rapidly in popularity, due to their ability to create such enormous attacks, added Akamai. "Additionally, as lists of usable reflectors are compiled by attackers, this attack method's impact has the potential to grow significantly. The good news is that providers can rate limit traffic from source port 11211 and prevent traffic from entering and exiting their networks, but this will take time."
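The mechanism and the mitigation described above share one signature: UDP traffic sourced from port 11211, arriving from many distinct hosts at a single destination. The following is an added example for defenders, not code from the article, GitHub or Akamai; it aggregates constructed NetFlow-style records (all IPs, counts and thresholds are made up) and flags destinations that look like reflection victims.

```python
# Added example (not from the article or GitHub/Akamai): flag memcached reflection
# traffic in NetFlow-style records. All IPs, counts and thresholds are constructed.
from collections import defaultdict

MEMCACHED_PORT = 11211  # default memcached port named in the article

# Constructed flows: ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
1519921260,udp,203.0.113.10,11211,198.51.100.5,443,4000,5600000
1519921260,udp,203.0.113.11,11211,198.51.100.5,443,3800,5300000
1519921260,udp,203.0.113.12,11211,198.51.100.5,80,4200,5900000
1519921260,udp,192.0.2.7,53,198.51.100.5,33000,10,2400
1519921260,tcp,192.0.2.8,11211,198.51.100.9,11211,20,3000
1519921261,udp,203.0.113.10,11211,198.51.100.5,443,4100,5700000
"""

FIELDS = ("ts", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "packets", "bytes")
INT_FIELDS = ("ts", "src_port", "dst_port", "packets", "bytes")

def parse_flows(text):
    """Parse CSV flow lines into dicts, converting numeric fields; blank lines skipped."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            row = dict(zip(FIELDS, line.split(",")))
            for k in INT_FIELDS:
                row[k] = int(row[k])
            rows.append(row)
    return rows

def find_reflection_victims(flows, min_bytes=1_000_000, min_reflectors=2):
    """Return {dst_ip: summary} for hosts receiving bulk UDP traffic from port 11211
    sent by several distinct sources (one server answering its own client is normal)."""
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MEMCACHED_PORT:
            continue  # Akamai's filter keys on exactly this: UDP sourced from 11211
        d = per_dst[f["dst_ip"]]
        d["bytes"] += f["bytes"]
        d["packets"] += f["packets"]
        d["reflectors"].add(f["src_ip"])
    hits = {}
    for dst, d in per_dst.items():
        if d["bytes"] >= min_bytes and len(d["reflectors"]) >= min_reflectors:
            hits[dst] = {"bytes": d["bytes"], "packets": d["packets"],
                         "reflectors": sorted(d["reflectors"]),
                         "avg_packet_bytes": d["bytes"] // d["packets"]}
    return hits
```

Running `find_reflection_victims(parse_flows(SAMPLE_FLOWS))` on the constructed records flags only 198.51.100.5, fed by three reflectors; the DNS flow and the TCP connection to a memcached server on 11211 are ignored. On real flow exports, the same grouping gives the reflector list that a provider needs to apply the source-port 11211 rate limit Akamai describes.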
A surge in popularity
We have seen DDOS attacks enjoy a surge in popularity among cyber-criminal groups over the last few years, says Simon Campbell-Young, sales director of Credence Security. "As botnets become bigger and more powerful, DDOS attacks are likely to remain as one of the greatest threats faced by businesses. Add to that a new tool such as memcached amplification, that requires no botnet at all, and the danger is obvious."
According to Campbell-Young, the rise in the number of DDOS attacks can be attributed to a number of factors. "Firstly, the growing availability of DDOS-for-hire services, which lower the barrier for entry, allowing almost anyone with only a smattering of tech knowledge to successfully attack an organisation for around USD100."
Next, he says the proliferation of unsecured Internet of things (IOT) devices is making businesses even more vulnerable to attack. "Last year, the notorious Reaper botnet employed some cunning new tricks, targeting known vulnerabilities in IOT devices, and hijacking them to carry out its ends. Devices included connected Web cams, security cameras, and digital video recorders. Each device infected spreads the malware to other connected devices, extending its reach significantly."
There's no doubt that DDOS attacks are stronger and more prevalent than ever before, he concludes.