Last Wednesday, GitHub was hit by the largest DDoS attack ever recorded, measuring 1.3 Tbps of sustained traffic for eight minutes.

Ironically, just one day before the attack on GitHub, three major DDoS mitigation providers (Akamai, Arbor Networks, and Cloudflare) warned that they had observed an uptick in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each attributed the rise of these attacks to an estimated 88,000 misconfigured Memcached servers accessible via the public internet that could easily be recruited in future attacks.

Amplification attacks occur when a server is tricked into sending a larger response than initially queried. Reflection occurs when the requesting IP is spoofed. The result is that multiple servers can be tricked into sending large responses to a single target IP, rapidly overwhelming it with the sheer volume sent.

Memcached is a free and open source distributed memory caching system, used to cache frequently used data to improve internal access speeds. It is designed to work with a large number of open connections and communicates via TCP or UDP on port 11211. Since it can be easily compromised, the data it caches can be configured easily by attackers. The result is that small requests to the server can produce much larger replies from the cache. Researchers believe the reply could be up to 51,000 times the size of the request. This represents the amplification side of the attack: the ability to amplify a 203-byte request into a 100-megabyte response.

If the requests include a spoofed IP address, the reply can be sent to a different target IP address. This represents the redirection side of this attack. If successive requests are made to multiple compromised Memcached servers all being delivered to a single target IP, the result is an amplification/redirection DDoS attack like what happened to GitHub last Wednesday.

GitHub explained, “Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the Memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Unlike the Mirai botnet DDoS attack which occurred back in 2016, the impact against GitHub was minimal. GitHub was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by Memcached. “Given the increase in inbound transit bandwidth to over 100 Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity,” noted GitHub.

Mitigation, according to experts, includes configuring Memcached servers to operate behind a firewall and turning off support for UDP.
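As an added illustration of the two mitigations above (not part of the original article and not NNT code), this Python example audits Memcached startup options for UDP support and for listeners reachable beyond loopback. It assumes Debian-style `memcached.conf` text and Memcached's `-U`/`--udp-port` and `-l`/`--listen` options; the function names, finding codes and sample configs are constructed for illustration, and a missing `-U` is reported because the UDP default depends on the Memcached version.

```python
import ipaddress
import shlex
LONG = {"--listen": "-l", "--udp-port": "-U"}  # long forms of the two options
# Constructed sample configs (not taken from any real host).
EXPOSED = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0  # all interfaces\n"
HARDENED = "-m 64\n-p 11211\n-U 0\n-l 127.0.0.1\n"

def parse_options(conf_text):
    """Extract -l / -U values from memcached.conf-style text."""
    opts = {}
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw, comments=True)  # '#' starts a comment
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("--") and "=" in tok:
                name, val = tok.split("=", 1)
                opts[LONG.get(name, name)] = val
            elif tok[:2] in ("-l", "-U") and len(tok) > 2:
                opts[tok[:2]] = tok[2:]            # attached form, e.g. -U0
            elif tok in ("-l", "-U") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
                i += 1
            i += 1
    return opts

def is_loopback(addr):
    """Loopback check for 'ip', 'ip:port', '[v6]:port' or 'localhost'."""
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    host = host.split("]")[0].lstrip("[")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"   # other hostnames: assume reachable

def audit(conf_text):
    """Return finding codes for: UDP turned off, not reachable beyond loopback."""
    opts = parse_options(conf_text)
    udp, listen = opts.get("-U"), opts.get("-l")
    addrs = [a.strip() for a in listen.split(",")] if listen else ["0.0.0.0"]
    exposed = [a for a in addrs if not is_loopback(a)]
    findings = []
    if udp != "0":  # "-U 0" is the only value that turns UDP off
        findings.append("UDP_NOT_EXPLICITLY_DISABLED" if udp is None else "UDP_ENABLED")
    if exposed:
        findings.append("LISTENS_BEYOND_LOOPBACK")  # must sit behind a firewall
    if udp != "0" and exposed:
        findings.append("REFLECTOR_RISK")           # both conditions together
    return findings
```

A `LISTENS_BEYOND_LOOPBACK` finding on its own is acceptable only when a firewall blocks port 11211 from untrusted networks, which this check cannot see.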

Experts believe there’s potential for an even larger Memcached attack in the future. Fortunately, the number of vulnerable servers is already beginning to decrease as operators begin to secure their Memcached servers.

NNT suggests implementing System & Device Hardening measures and continuously monitoring your environment using File Integrity Monitoring to detect any potential security issues before any damage is done.


Read the article on InfoSecurity Magazine


