If you’ve been paying attention to cybersecurity, it’s very likely you’ve seen news regarding Github’s survival of the largest DDOS attack recorded in history. Clocking in at 1.3 TBPS (terabytes per second) it’s impressive that their network didn’t tank. This is in part due to the services of Akamai who was able to successfully proxy and scrub the network traffic.
What was of particular interest of this attack was that it didn’t use a botnet to conduct it’s DDOS. Traditionally large attacks required equally large botnets. In 2016 Dyn a DNS provider suffered multiple attacks on the same day where the ability to lookup DNS records was prevented for legitimate users. That attack was carried out by a Mirai botnet with millions of IP’s that were used to successfully deny service.
The DDOS against Github utilized servers running Memcached. Memcached is a caching service that helps optimize databases performance so it’s important to understand that Memcache itself is not malware. What allowed that attacks to occur is the fat that the servers were misconfigured. Memcache was never meant to be a public facing service and as a result there wasn’t any effort to build in security controls.
The attack is simple the first step is that the attacker spoofs the victim’s IP address and then sends a packet to the public facing Memcache server. The server will then send a packet which is amplified in size to the spoofed IP. According to Github’s report the ratio of bytes the attacker sent compared to the bytes the victims receives can be as high as 1:51000 which means if the attacker can find public facing Memcached servers they can easily use them as an attack vector with no malware needed and with the amplification factor it is also an efficient attack as well.
While many of the 88,000 open Memcached servers have now had the vulnerable protocol disabled to prevent this vector, up to 12,000 open Memcached servers still exist to be used as an attack vector.
Currently, the most crucial step toward stopping these attacks is putting servers running Memcached behind a firewall layer or disabling UDP support in your system altogether. This will prevent malicious actors from using your systems for these types of attacks. Finally, if you discover that your servers have been leveraged for this type of attack, reach out to your ISP to report the misuse and help discover who initially sent the queries to the systems.
For those not using Memcached, it is an unfortunate reality that until all public Memcached servers are remediated, you could be the target of this kind of attack. Given this, it is important to have a policy in place to respond in the event of a DoS outage. This could include, having proper backups for systems that may be targeted and a regular testing policy for disaster recovery. As always, proper monitoring of critical systems is important to see if an outage is the result of a DoS attack. If even a brief outage would cause significant business damage, dedicated DDoS mitigation providers such as Akamai and Cloudflare have shown ability to mitigate the amount of traffic involved in the attack.