What is a DDoS amplification attack?

These attacks usually use the UDP protocol. It is a simple connectionless communication model with a minimum protocol mechanism. This means that one of the sides in the communication can send large amounts to the other without restrictions. Without any confirmation, it doesn’t matter if the second side receives the data. 

Due to the way the UDP protocol works, cyber-criminals use it to generate DDoS amplification attacks. The attacker sends a small UDP request with a spoofed IP address of the victim to public services.

The UDP protocol doesn’t require a connection verification between the parties. This is why the public services reply with the requested data to the IP address of the victim. As bigger is the data returned by exploited public service, bigger is the DDoS amplification factor.

In the past few years, hackers have exploited many public DNS resolvers and NTP servers to generate massive DDoS attacks against popular websites and services.

Understanding Memcached

Memcached is a widely-used, open-source caching system that enhances the performance of dynamic web applications by reducing database load. It achieves this by storing data in memory, allowing for rapid retrieval and minimizing the need for repeated database queries. By caching frequently accessed objects such as database query results and session data, Memcached helps applications run more efficiently and respond faster to user requests. Its straightforward design and robust performance have made it a staple in optimizing large-scale web applications. However, without proper configuration and security measures, Memcached can become vulnerable to exploitation, emphasizing the need for diligent management.

Memcached DDoS amplification attack explanation

A Memcached DDoS amplification attack is a malicious exploit where attackers leverage vulnerable Memcached servers to generate overwhelming traffic towards a target. By sending small requests to multiple servers, the attackers receive significantly larger responses, resulting in an amplification effect. This massive traffic surge can cripple the target’s network infrastructure, disrupting service. To mitigate such attacks, organizations should secure their Memcached servers, implement access controls, and utilize robust DDoS mitigation solutions to protect against this highly impactful cyber attack.

How does it work? Step-by step 

1. Identifying vulnerable servers: Attackers scan the internet to locate Memcached servers that are accessible and have User Datagram Protocol traffic enabled. UDP is preferred due to its connectionless nature, making it easier to spoof source IP addresses.

By default Memcached works with enabled UDP support on port 11211. To understand this attack we have reviewed the source code of the database on GitHub.For some reason in the communication settings of the defined a fixed payload of 1400 bytes for the UDP packets.

The basic UDP request sent to Memcached is with size 15 bytes, and the server responds with 1400 bytes. This makes the amplification factor more than 93x! That amplification factor means that with a single server with 1Gbps port and a significant amount of vulnerable servers, the attacker can generate DDoS attacks over 90 Gbps.

2. Spoofing the source IP address: Using various techniques, attackers disguise their own IP address and make it appear as if the attack traffic originates from the targeted victim’s IP address. This ensures that the amplified response traffic is directed towards the victim.

Suggested article: What is DNS Spoofing (DNS poisoning)?

3. Sending small forged requests: Attackers send lightweight and innocuous-looking requests to the vulnerable Memcached servers. These requests typically have a small size, often around 15 bytes, which minimizes the effort required to send them.

4. Amplification of response traffic: Exploiting the Memcached servers’ behavior, which responds to small requests with much larger responses, the attackers achieve an amplification factor that can reach staggering levels. This means that for each small request sent, the server responds with a significantly larger volume of data, often in the range of hundreds or thousands of times larger.

5. Overwhelming the target: The amplified response traffic, generated by the Memcached servers, floods the victim’s network infrastructure with an immense volume of data. This flood of traffic can quickly exhaust the victim’s network bandwidth, computing resources, and cause service disruptions or complete downtime.

How big can it be?

In the realm of cybersecurity, we have witnessed an unprecedented magnification factor, reaching an astonishing 51,200 times the original request size! Picture this: a mere 15-byte request has the potential to unleash a colossal 750 kB response. This mind-boggling amplification factor poses an immense security risk, particularly for web properties ill-equipped to handle the overwhelming deluge of attack traffic. With its significant amplification potential and susceptible servers, Memcached becomes a prime target for malicious actors intent on launching devastating DDoS attacks against a wide array of targets.

Furthermore, according to the GitHub’s February 28th DDoS Incident Report, the largest open source code web service was down due to a Distributed Denial of Service attack that caused intermittent unavailability of their service for a few minutes. The attack exploited a vulnerability in Мemcached, resulting in a volumetric attack that peaked at 1.35Tbps. GitHub successfully mitigated the attack by diverting traffic to Akamai and implementing access control measures, and they are working on improving their automated intervention and expanding their edge network to enhance resilience against future attacks.

How to protect from Memcached DDoS amplification attacks?

Our Anycast Network is protected from such attacks, and we already mitigated more than 20 attacks like this for the last five days.

Тo protect your website, online service, etc you can also implement DDoS protection software. ClouDNS DDoS Protected DNS service can help identify and filter out malicious traffic, thereby minimizing the impact of amplification attacks.

Other way to protect from Memcached DDoS amplification attacks is by regularly monitoring the traffic. We provide robust monitoring solutions which enable the timely detection of abnormal traffic patterns, facilitating early response and mitigation.

Furthermore, with enough network capacity, we can easily filter the attack of the Memcached server responds from UDP port 11211. We can say for sure that all our customers are protected and safe.

The average size of the DDoS attacks we filter was between 50Gbps and 80Gbps. First we expect that value to grow in the next two weeks. Then to drop significantly because the system administrators will take care of the vulnerable servers.

DDoS Protected DNS

Ways to secure a Memcached server

The system administrators of Memcached servers can protect them in one of the following ways:

• Update the configuration of the server to listen only on 127.0.0.1 (localhost). Do this if use the Memcached server only locally and there are no external connections to the server. You can do this with the option –listen 127.0.0.1
• Disable UDP support, if you are not using it. You can do this with the option -U 0
• Add firewall for UDP port 11211, if you need both external connections and UDP support, make sure the server is accessible only by the IPs you need
• Instead of exposing your Memcached server directly to the internet, you can use a caching proxy server
• Restrict access to the Memcached server using access control lists (ACLs) to allow only trusted IP addresses.

Conclusion

By exploiting vulnerable Memcached servers, attackers can unleash a massive flood of traffic, causing widespread disruptions. To defend against these attacks, organizations must secure their Memcached servers, implement strict access controls, and utilize effective DDoS mitigation solutions.

The post DDoS amplification attacks by Memcached appeared first on ClouDNS Blog.

First, let’s talk about what Nslookup is – it is a small but very powerful network administration command-line software. It has a simple interface, but it is useful. The Nslookup command is available on many of the popular computer operating systems like Windows, macOS, and Linux distros. You can use it to perform DNS queries and receive: domain names or IP addresses, or any other specific DNS Records.

There are Nslookup online tools too. You can access such a site full of online network tools and search for the option for nslookup. You can define your query for a specific DNS record, to identify the domain, the port in use, and timeout in seconds. For better security, we recommend you to use the software on your computer. 

If you want high speed, you must use Anycast DNS services! Check this article about Anycast DNS!

How does Nslookup work?

Nslookup operates by sending queries to DNS servers to retrieve information about domain names, IP addresses, and other DNS records. When a user enters a command in Nslookup, the tool sends a DNS query to a DNS server specified by the user or the system default. The server then processes the query and responds with the requested information, such as IP addresses associated with a domain name or the domain name associated with an IP address. Nslookup uses the DNS protocol to communicate with DNS servers, utilizing both UDP and TCP protocols depending on the query type and size. By analyzing the responses from DNS servers, Nslookup commands help users troubleshoot DNS-related issues, gather information about domain names, and diagnose network problems effectively.

How to install the Nslookup command?

Nslookup command is present on most operating systems like Windows, macOS, and most Linux distributions. However, in case it is not on the Linux distro you have chosen, or you have previously uninstalled it, you can install it following these steps:

1. Check what distro do you use. We will show you how to install the Nslookup command on Ubuntu, Debian, Linux Mint, Kali Linux, CentOS, Fedora, Red Hat, Arch Linux, and Manjaro.

2. First, open the Terminal. You will need to have administrative privileges or be a sudo user. Based on the distribution you have, use one of the following commands.

For Ubuntu, Debian, Kali Linux, and Linux Mint:

 $ sudo apt-get update
 
and then:
 
$ sudo apt-get install dnsutils

For CentOS, Fedora, and Red Hat:

$ sudo dnf install bind-utils

For CentOS, Fedora, and Red Hat (Earlier versions):

$ sudo yum install bind-utils

For Arch Linux and Manjaro:

$ sudo pacman -S dnsutils

3. Now, you are ready to use the Nslookup command on your device and try the examples below.

How to use Nslookup?

Nslookup commands are simple and easy to use, requiring only a basic understanding of the command-line interface. Follow these simple steps to utilize it effectively:

1. Open Command Prompt or Terminal: Nslookup commands are executed via the command-line interface. Open Command Prompt on Windows or Terminal on macOS and Linux.
2. Enter Nslookup Command: Type “nslookup” followed by the domain name or IP address you want to query. 
3. Interpret the Results: Nslookup will provide information such as the IP address of the queried domain, its authoritative DNS server, and other associated DNS records.
4. Use Specific Options (Optional): Nslookup offers various options to refine your query. For instance, adding “-type” followed by a record type (like A, MX, NS) allows you to retrieve specific DNS record types.
5. Exit: Once you’ve obtained the desired information, you can exit Nslookup by typing “exit” and pressing Enter.

Nslookup syntax

The Nslookup syntax is very simple, and you can use it the same on different OSes.

nslookup [-option] [name | -] [server]

Options. First, you will put the option you want to use with the domain name or IP address. The option can be related to the type of DNS record, timeout, a port in use, debugging, or another.
Name. Here you will put the hostname (domain name) or IP address. It is the target of your DNS query.
Additional Options. Depending on the query, you can add an extra option as a parameter.
Server. You can use the default server for your query or specify another one from where you want the DNS query to be performed.

Nslookup: command not found – how to fix it?

It is possible when you try to use the Nslookup command that you get an error saying that the command is not found. Don’t worry. The problem of missing the Nslookup command can be solved in a very simple way.
Nslookup is a part of the BIND utilities, together with two other popular commands – Dig command and Host command.
If the service was stopped, you would need to restart your Linux computer, and it will be running again.
In case that it is not working because it was deleted or missing. Please follow the steps from the previous part on “How to install Nslookup command”. After the installation, you will be ready to use it.

Here are the 10 most used Nslookup commands that will help you to understand better your domain’s management:

1. How to find the A record of а domain.

Searching for a great Managed DNS service? Test ClouDNS for free!

2. How to check the NS records of a domain.

3. How to query the SOA record of a domain.

30-day Free Trial for Premium Anycast DNS hosting

4. How to find the MX records responsible for the email exchange.

5. How to find all of the available DNS records of a domain.

6. How to check the using of a specific DNS Server.

7. How to check the Reverse DNS Lookup.

8. How to check for a PTR record?

9. How to change the timeout interval for a reply.

10. How to enable debug mode.

Debug mode provides important and detailed information both for the question and for the received answer.

Why do you need it?

The Nslookup commands are very popular and powerful tools. So, it is not a surprise that a lot of administrators use it for testing and troubleshooting their networks. There are two main reasons why you need the Nslookup command. 

• The first one is obviously for troubleshooting server connections. Thanks to its beneficial functionalities, you can get the information you need quickly. In addition, it is extremely easy to use, and it is available on every operating system (OS).
• The second reason is not so obvious, but it should not be neglected. That is security and safety. It can be helpful for protecting against different phishing attacks, which involve falsifying a domain name. Attackers use a misspelled domain name or trick users by adding or omitting a hyphen. Some examples are when they replace the numeral 1 for a lowercase l (examp1e.com), or the phishing domain could be insta-gram.com instead of instagram.com. These tactics are used to trick regular users and make it seem that an unfriendly site looks friendly and familiar. Nslookup can also help to prevent another malicious attempt – DNS cache poisoning. With this attack, criminals place fraudulent data and distribute it to the DNS recursive servers, pointing to a fake authoritative server.

Free Nslookup Tool by ClouDNS

Nslookup command alternatives

Nslookup is one of the popular command-line software for DNS probing. You can use it to monitor your network and spot problematic areas. If you are interested in similar tools, you can see Dig, and Host too. You can use them together or find one that covers all of your diagnostic needs.

• Dig: Also known as Domain Information Groper, Dig command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers returned from the specified name server that are essential in diagnosing DNS servers.
• Host: The host command in Linux is a simple utility for performing DNS lookups. It’s designed to convert hostnames to IP addresses and vice versa. It can also discover more specific DNS records, such as MX records for mail servers.

Dig vs Nslookup

Both Dig and Nslookup are command-line tools used for DNS troubleshooting and querying. However, they differ in their functionality and output.

Dig is a flexible and robust tool that provides detailed DNS information, including authoritative name servers, IP addresses, TTL (Time to Live), and various DNS record types such as A, AAAA, MX, TXT, and more. It offers more extensive functionality and supports advanced DNS features like DNSSEC (Domain Name System Security Extensions). Experienced system administrators and network engineers commonly prefer to use Dig due to its comprehensive output and advanced capabilities.

Nslookup, on the other hand, is a simpler tool that primarily focuses on basic DNS queries. It primarily retrieves IP addresses and DNS records associated with domain names. It may lack the advanced features and flexibility of Dig , but it provides a simple interface for quick DNS lookups and basic troubleshooting tasks. Nslookup is a great tool for beginners or for quick DNS lookups without the need for in-depth analysis.

Nslookup vs Ping 

Though Nslookup and Ping fall under the umbrella of network administration tools, their functionalities differ. Nslookup is a built-in network command-line tool that debugs and finds information about your network, specifically your domain name servers (DNS). This includes the establishment of domain names or IP address mapping alongside any DNS-specific records.

On the flip side, Ping is essentially a diagnostic tool intended to test your network connectivity. It’s used to verify whether or not a host is reachable in a network by sending ICMP echo requests and waiting for a response. The main purpose of Ping is to measure round-trip time for packets sent from the source host to a destination computer.

Want to check your network connectivity? Try ClouDNS ICMP PIng monitoring service for free! 

Nslookup vs WHOIS

Both Nslookup and WHOIS prove quite useful in retrieving network database information but they function on different levels. Nslookup operates as a query-oriented command used to access domain name servers and DNS-related details, such as an IP associated with a specific computer or domain name.

Meanwhile, WHOIS operates as a protocol used to query databases that record registered entities or assignees of an Internet resource. This includes domain names and IP address blocks. However, unlike Nslookup, WHOIS does not possess the capacity to access DNS servers. It’s primarily employed to identify the owner or registered user of a domain, and to obtain contact information associated with the domain, an IP network, or an autonomous system.

Conclusion

The Nslookup command is a great utility that offers many functionalities. One of its main advantages is that it is available for all kinds of operating systems, like Windows, Linux, and macOS. In case you do not have it already, you can install it in several easy steps. When you are ready, you can start testing your network easily and quickly! The Nslookup command is amazing and stands out among the DNS probing commands!

Notes:

Authoritative answer – This is the answer that originates from the DNS Server which has the information about the zone file.
Non-authoritative answer – When a nameserver is not in the list for the domain you did a lookup on.
Different port – By default, the DNS servers use port 53.

30-day Free Trial for Premium Anycast DNS hosting

The post 10 most used Nslookup commands (Updated 2024) appeared first on ClouDNS Blog.