Last Wednesday, GitHub was hit by the largest DDoS attack ever recorded, measuring 1.3 Tbps of sustained traffic for eight minutes.
Ironically, just one day before the attack on GitHub, three major DDoS mitigation providers (Akamai, Arbor Networks, and Cloudflare) warned that they had observed an uptick in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each attributed the rise of these attacks to an estimated 88,000 misconfigured Memcached servers accessible via the public internet that could easily be recruited in future attacks.
Amplification attacks occur when a server is tricked into sending a larger response than initially queried. Reflection occurs when the requesting IP is spoofed. The result is that multiple servers can be tricked into sending large responses to a single target IP, rapidly overwhelming it with the sheer volume sent.
Memcached servers are used to cache frequently used data to improve internal access speeds. Memcached is a free and open source distributed memory caching system designed to work with a large number of open connections and to communicate via TCP or UDP on port 11211. Because an exposed server can easily be compromised, attackers can populate its cache with data of their choosing. The result is that small requests to the server can produce much larger replies from the cache: researchers believe a reply can be up to 51,000 times the size of the request. This is the amplification side of the attack, the ability to turn a 203-byte request into a 100-megabyte response.
If the requests carry a spoofed source IP address, the reply is sent to a different target IP address. This is the reflection (redirection) side of the attack. If successive requests are made to multiple compromised Memcached servers, with every reply delivered to a single target IP, the result is a reflection/amplification DDoS attack like the one that hit GitHub last Wednesday.
GitHub explained, “Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the Memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”
Unlike the Mirai botnet DDoS attack of 2016, the impact on GitHub was minimal. GitHub was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by Memcached. “Given the increase in inbound transit bandwidth to over 100 Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity,” noted GitHub.
Mitigation, according to experts, includes configuring Memcached servers to operate behind a firewall and disabling their UDP support.
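As an added example (not code from the original article, GitHub or NNT), the following Python script applies the victim-side rule described above to a small set of constructed flow records: it flags inbound UDP flows whose source port is 11211, reports their share of inbound bytes, and mirrors GitHub's quoted decision to divert traffic to a scrubbing provider once inbound bandwidth passes 100 Gbps. The flow fields, the sample values and the 100 Gbps threshold are assumptions made for the example.

```python
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # default memcached port; reflected responses are sourced from it


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    bytes: int   # bytes seen in the export window


# Constructed sample flow export (not real traffic): two reflected memcached
# responses aimed at the victim, one normal HTTPS flow, and a memcached flow
# over TCP, which a UDP-only filter must leave alone.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 11211, "203.0.113.10", 41000, "udp", 75_000_000),
    Flow("198.51.100.8", 11211, "203.0.113.10", 41001, "udp", 60_000_000),
    Flow("192.0.2.5", 443, "203.0.113.10", 52000, "tcp", 5_000),
    Flow("192.0.2.6", 11211, "203.0.113.10", 52001, "tcp", 5_000),
]


def is_memcached_reflection(flow: Flow) -> bool:
    """A reflected memcached response arrives over UDP with source port 11211."""
    return flow.proto == "udp" and flow.src_port == MEMCACHED_PORT


def reflection_report(flows, window_seconds: float):
    """Return (flagged flows, share of inbound bytes they carry, inbound Gbps)."""
    flagged = [f for f in flows if is_memcached_reflection(f)]
    total = sum(f.bytes for f in flows)
    bad = sum(f.bytes for f in flagged)
    gbps = total * 8 / window_seconds / 1e9
    return flagged, (bad / total if total else 0.0), gbps


def should_divert(gbps: float, threshold_gbps: float = 100.0) -> bool:
    """Above the (assumed) threshold, hand traffic to a scrubbing provider."""
    return gbps > threshold_gbps


if __name__ == "__main__":
    flagged, share, gbps = reflection_report(SAMPLE_FLOWS, window_seconds=1.0)
    print(f"{len(flagged)} flows from UDP/{MEMCACHED_PORT}, {share:.1%} of inbound bytes, {gbps:.3f} Gbps")
    for f in flagged:
        print(f"  drop udp src {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
    print("divert to scrubbing:", should_divert(gbps))
```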
Experts believe there’s potential for an even larger Memcached attack in the future. Fortunately, the number of vulnerable servers is already beginning to decrease as operators begin to secure their Memcached servers.
NNT suggests implementing System & Device Hardening measures and continuously monitoring your environment using File Integrity Monitoring to detect any potential security issues before any damage is done.
Read the article on InfoSecurity Magazine