DDoS Amplification Attack Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/ddos-amplification-attack/
Articles about DNS Hosting and Cloud Technologies (feed last updated Wed, 30 Oct 2024 12:54:06 +0000)

DDoS amplification attacks by Memcached
https://www.cloudns.net/blog/ddos-amplification-attacks-memcached/
Tue, 18 Jun 2024 08:06:00 +0000
In our increasingly interconnected world, cybersecurity threats continue to evolve, and one particularly concerning method is the Memcached DDoS amplification attack. Exploiting vulnerable Memcached servers, attackers can generate overwhelming traffic that cripples targeted websites and services. Understanding the mechanics of these attacks and implementing robust protection measures is crucial for organizations to safeguard their online presence. This article explores the workings of Memcached DDoS amplification attacks and their immense amplification potential and provides insights into effective mitigation strategies.

What is a DDoS amplification attack?

These attacks usually use the UDP protocol. UDP is a simple connectionless transport with minimal protocol mechanism: there is no handshake before data is sent, no acknowledgement that it arrived, and nothing that checks the source address of a datagram. One side can send as much as it likes to the other, and the receiver has no way to tell a genuine sender from a forged one.

Because of how UDP works, cyber-criminals use it to generate DDoS amplification attacks. The attacker sends small UDP requests, with the source IP address spoofed to be the victim's, to public services.

Since UDP does not verify the connection between the parties, the public services reply with the requested data to the victim's IP address. The bigger the data returned by the abused public service relative to the request, the bigger the DDoS amplification factor.

In the past few years, attackers have abused many open DNS resolvers and NTP servers to generate massive DDoS attacks against popular websites and services.

Understanding Memcached

Memcached is a widely-used, open-source caching system that enhances the performance of dynamic web applications by reducing database load. It achieves this by storing data in memory, allowing for rapid retrieval and minimizing the need for repeated database queries. By caching frequently accessed objects such as database query results and session data, Memcached helps applications run more efficiently and respond faster to user requests. Its straightforward design and robust performance have made it a staple in optimizing large-scale web applications. However, without proper configuration and security measures, Memcached can become vulnerable to exploitation, emphasizing the need for diligent management.

Memcached DDoS amplification attack explanation

A Memcached DDoS amplification attack is a malicious exploit where attackers leverage vulnerable Memcached servers to generate overwhelming traffic towards a target. By sending small requests to multiple servers, the attackers receive significantly larger responses, resulting in an amplification effect. This massive traffic surge can cripple the target’s network infrastructure, disrupting service. To mitigate such attacks, organizations should secure their Memcached servers, implement access controls, and utilize robust DDoS mitigation solutions to protect against this highly impactful cyber attack.

How does it work? Step by step

1. Identifying vulnerable servers: Attackers scan the internet to locate Memcached servers that are reachable and have UDP enabled. UDP is preferred due to its connectionless nature, which makes it easy to spoof source IP addresses.

By default, older Memcached releases listen on UDP port 11211 as well as TCP (UDP has been off by default since version 1.5.6, released in February 2018, but many deployments predate that or re-enable it). To understand the attack we reviewed the Memcached source code on GitHub: the UDP transport caps the payload of each response datagram at 1400 bytes (UDP_MAX_PAYLOAD_SIZE) and prefixes every datagram with an 8-byte frame header, so a long response is simply sent as a burst of many datagrams.

The smallest useful UDP request to Memcached, such as "stats\r\n" with its 8-byte frame header, is 15 bytes, and the server answers with datagrams of up to 1400 bytes of payload. Even a single full datagram per request gives an amplification factor of more than 93x, and because a get for a large cached item (items can be up to 1 MB by default) returns the whole item across hundreds of datagrams, the real factor is far higher. Even at 93x, an attacker with a single 1 Gbps uplink and enough reachable Memcached servers can generate a DDoS attack of over 90 Gbps.

2. Spoofing the source IP address: The attacker writes the victim's IP address into the source field of the IP header of each request, so the traffic appears to originate from the target. This ensures that the amplified response traffic is directed at the victim. Networks that filter spoofed source addresses at their edge (BCP 38) prevent this step.


3. Sending small forged requests: The attacker sends lightweight, innocuous-looking requests to the vulnerable Memcached servers. These requests are small, around 15 bytes, so sending them in bulk costs very little bandwidth.

4. Amplification of response traffic: Exploiting the Memcached servers' behavior of answering small requests with much larger responses, the attackers achieve an amplification factor that can reach staggering levels: for each small request sent, the server responds with a significantly larger volume of data, often hundreds or thousands of times larger.

5. Overwhelming the target: The amplified response traffic generated by the Memcached servers floods the victim's network infrastructure with an immense volume of data. This flood can quickly exhaust the victim's network bandwidth and computing resources and cause service disruption or complete downtime.
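To make the arithmetic in the steps above concrete, here is an added example (not code from the article or from the Memcached project) that models the Memcached UDP framing and computes the amplification factor. The 8-byte header layout and the 1400-byte per-datagram payload limit are taken from Memcached's protocol.txt and memcached.h; the function names are my own, and the request and response sizes are constructed for the example. No spoofing is involved: the only network function, udp_probe, sends a plain "stats" request to an address you name, which is the check you run against your own server to see whether UDP is enabled at all.

```python
"""Model of the memcached UDP framing behind the amplification attack.
Added example for this article; not memcached's own code. Constants are from
memcached's protocol.txt and memcached.h (UDP_MAX_PAYLOAD_SIZE = 1400)."""
import socket
import struct

# 8-byte frame header on every UDP datagram: request id, sequence number,
# total datagrams in this message, reserved (must be 0); all big-endian uint16.
FRAME = struct.Struct("!HHHH")
MAX_UDP_PAYLOAD = 1400


def build_udp_request(command: bytes, request_id: int = 0) -> bytes:
    """Wrap one text-protocol command in a single-datagram frame."""
    if not command.endswith(b"\r\n"):
        command += b"\r\n"
    return FRAME.pack(request_id, 0, 1, 0) + command


def frame_response(payload: bytes, request_id: int = 0) -> list[bytes]:
    """Split a response the way the server does: 1400-byte payload chunks, each
    with its own 8-byte header. This is what turns one request into a burst."""
    chunks = [payload[i:i + MAX_UDP_PAYLOAD]
              for i in range(0, len(payload), MAX_UDP_PAYLOAD)] or [b""]
    return [FRAME.pack(request_id, seq, len(chunks), 0) + chunk
            for seq, chunk in enumerate(chunks)]


def parse_frame(datagram: bytes) -> tuple[int, int, int, bytes]:
    """Return (request_id, seq, total, payload), rejecting malformed headers."""
    if len(datagram) < FRAME.size:
        raise ValueError("datagram shorter than the memcached UDP frame header")
    request_id, seq, total, reserved = FRAME.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return request_id, seq, total, datagram[FRAME.size:]


def reassemble(datagrams: list[bytes]) -> bytes:
    """Reorder a burst by sequence number and check that it is complete."""
    parsed = [parse_frame(d) for d in datagrams]
    totals = {p[2] for p in parsed}
    if len(totals) != 1 or len(parsed) != totals.pop():
        raise ValueError("incomplete or inconsistent datagram burst")
    return b"".join(p[3] for p in sorted(parsed, key=lambda p: p[1]))


def amplification_factor(request: bytes, response_datagrams: list[bytes]) -> float:
    """Bytes returned per byte sent (frame headers included, IP/UDP headers excluded)."""
    return sum(len(d) for d in response_datagrams) / len(request)


def udp_probe(host: str = "127.0.0.1", port: int = 11211, timeout: float = 1.0) -> bool:
    """Audit check for a server you own: does it answer 'stats' over UDP at all?
    True means UDP is enabled, so the host is a reflector if it is reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_udp_request(b"stats"), (host, port))
        try:
            sock.recv(2048)
            return True
        except OSError:          # timeout or ICMP unreachable: no UDP listener
            return False


if __name__ == "__main__":
    request = build_udp_request(b"stats")                   # 8 + len(b"stats\r\n") = 15 bytes
    one_datagram = frame_response(b"x" * MAX_UDP_PAYLOAD)   # a reply filling one datagram
    large_item = frame_response(b"y" * 750 * 1024)          # a get for a 750 KiB cached item
    print(len(request), round(amplification_factor(request, one_datagram), 1),
          len(large_item), round(amplification_factor(request, large_item)))
```

The single-datagram case reproduces the 93x figure in the text; the 750 KiB item case lands near the 51,200x figure quoted later in the article, because the only per-datagram overhead is the 8-byte frame header and a single request is answered with 549 datagrams.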

How big can it be?

The largest amplification factor observed in practice is around 51,200x: a 15-byte request triggering roughly 750 kB of response traffic. The reason is that Memcached returns the full cached item for a get, and items can be up to 1 MB by default, so a single request for a large key is answered with hundreds of 1400-byte datagrams. An amplification factor of this size is an immense risk for any web property without the capacity to absorb the flood, and the combination of a huge factor and thousands of exposed servers made Memcached a prime reflector for devastating DDoS attacks against a wide range of targets.

Furthermore, according to GitHub's February 28th (2018) DDoS Incident Report, the largest open-source code hosting service was intermittently unavailable for a few minutes because of a Distributed Denial of Service attack. The attack abused exposed Memcached servers and produced a volumetric flood that peaked at 1.35 Tbps. GitHub mitigated it by diverting traffic through Akamai's scrubbing network and implementing access control measures, and stated that it is working on improving automated intervention and expanding its edge network to increase resilience against future attacks.

How to protect from Memcached DDoS amplification attacks?

Our Anycast Network is protected from such attacks, and we have already mitigated more than 20 attacks of this kind in the last five days.

To protect your website, online service, etc., you can also use a DDoS protection service. The ClouDNS DDoS Protected DNS service can help identify and filter out malicious traffic, minimizing the impact of amplification attacks.

Another way to protect against Memcached DDoS amplification attacks is to monitor traffic regularly. We provide monitoring that detects abnormal traffic patterns early, so that a response can start before the attack saturates the network.

Furthermore, with enough network capacity the attack is easy to filter, because the reflected traffic consists of Memcached responses arriving from UDP source port 11211, a signature that a DNS network never needs to accept. We can say for sure that all our customers are protected and safe.

The average size of the DDoS attacks we filter was between 50 Gbps and 80 Gbps. We expect that value to grow in the next two weeks and then to drop significantly, as system administrators fix the vulnerable servers.


Ways to secure a Memcached server

The system administrators of Memcached servers can protect them in one or more of the following ways:

  • Configure the server to listen only on 127.0.0.1 (localhost) if Memcached is used only locally and no external connections are needed. You can do this with the option -l 127.0.0.1 (long form --listen=127.0.0.1).
  • Disable UDP support if you are not using it, with the option -U 0. Since Memcached 1.5.6 UDP is off by default, but check the command line of running instances anyway.
  • Firewall UDP port 11211 (and TCP 11211) if you need both external connections and UDP support, so that the server is reachable only from the IPs you need.
  • Instead of exposing the Memcached server directly to the internet, put it behind a caching proxy or in a private network segment that only your application servers can reach.
  • Restrict access to the Memcached server with access control lists (ACLs) that allow only trusted IP addresses. Memcached does not authenticate clients by default, so network-level access control is the essential control.
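The checklist above is easy to get wrong on a fleet, so here is an added example (my own code, not part of Memcached or this article) that audits a memcached command line, or a Debian-style /etc/memcached.conf with one option per line, for the two settings that matter: whether UDP is enabled and whether the listener is bound to a non-loopback address. It assumes the -l/--listen and -U/--udp-port option names and the version default change in 1.5.6; the function names and the version tuple parameter are my own.

```python
"""Audit memcached options for amplification exposure: UDP enabled while the
server listens on a non-loopback address. Added example for this article;
not part of memcached itself."""
import shlex
from ipaddress import ip_address

# Memcached 1.5.6 (Feb 2018) changed the default UDP port from 11211 to 0 (disabled).
UDP_DEFAULT_ON_BEFORE = (1, 5, 6)


def _is_loopback(addr: str) -> bool:
    """Accepts 127.0.0.1, 127.0.0.1:11211, ::1, [::1]:11211 and localhost."""
    addr = addr.strip()
    if addr == "localhost":
        return True
    if addr.startswith("["):                 # [::1]:port form
        addr = addr[1:addr.index("]")]
    elif addr.count(":") == 1:               # 127.0.0.1:port form
        addr = addr.split(":")[0]
    try:
        return ip_address(addr).is_loopback
    except ValueError:                       # hostname or garbage: treat as exposed
        return False


def parse_memcached_options(text: str) -> dict:
    """Extract listen addresses and the UDP port from a command line or a
    one-option-per-line config file. '#' starts a comment in both forms."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tokens.extend(shlex.split(line))
    opts = {"listen": [], "udp_port": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-l", "--listen"):
            opts["listen"] += tokens[i + 1].split(",")
            i += 2
        elif tok.startswith("--listen="):
            opts["listen"] += tok.split("=", 1)[1].split(",")
            i += 1
        elif tok in ("-U", "--udp-port"):
            opts["udp_port"] = int(tokens[i + 1])
            i += 2
        elif tok.startswith("--udp-port="):
            opts["udp_port"] = int(tok.split("=", 1)[1])
            i += 1
        else:                                # option irrelevant to this audit
            i += 1
    return opts


def audit_memcached(text: str, version: tuple = (1, 6, 0)) -> list:
    """Return findings, most severe first; an empty list means no exposure found."""
    opts = parse_memcached_options(text)
    udp_port = opts["udp_port"]
    if udp_port is None:                     # fall back to the version's default
        udp_port = 11211 if version < UDP_DEFAULT_ON_BEFORE else 0
    # No -l at all means memcached binds every interface.
    exposed = not opts["listen"] or any(not _is_loopback(a) for a in opts["listen"])
    findings = []
    if udp_port and exposed:
        findings.append(f"CRITICAL: UDP port {udp_port} reachable on a non-loopback "
                        "address; usable as a DDoS reflector. Fix: -U 0 and/or -l 127.0.0.1")
    elif udp_port:
        findings.append("INFO: UDP enabled but bound to loopback only")
    if exposed:
        findings.append("WARNING: TCP listener reachable on a non-loopback address; "
                        "memcached has no authentication by default, so firewall 11211")
    return findings


if __name__ == "__main__":
    # Constructed Debian-style config; the first line is the exposed 'before' state.
    for cfg in ("-m 64 -U 11211", "-m 64\n-l 127.0.0.1\n-U 0\n"):
        print(repr(cfg), "->", audit_memcached(cfg) or ["OK"])
```

Run it against `ps -o args= -C memcached` output on each host, passing the installed version; an instance with no -U flag on a pre-1.5.6 build is exposed even though nothing in its configuration mentions UDP.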

Conclusion

By exploiting vulnerable Memcached servers, attackers can unleash a massive flood of traffic, causing widespread disruptions. To defend against these attacks, organizations must secure their Memcached servers, implement strict access controls, and utilize effective DDoS mitigation solutions.

The post DDoS amplification attacks by Memcached appeared first on ClouDNS Blog.

5 DNS Attacks that could affect you
https://www.cloudns.net/blog/5-dns-attacks-types-that-could-affect-you/
Wed, 06 Dec 2023 12:22:53 +0000
The DNS, as you may know, is a really crucial component that, sadly, we often overlook. Don't be one of those people, and please pay close attention to this article. There is no such thing as a "good" DNS attack; many DNS attack types are really dangerous, exploit various vulnerabilities and create serious problems. Let's see the 5 most dangerous of them and, most importantly, find a way to protect ourselves. A safe business is good business.

What is a DNS attack? How can it affect me? 

The name says it: an attack that targets the Domain Name System (DNS). It can have different purposes: destabilizing it, bringing it down, altering information, or something else. The DNS is old and, as you could guess, by itself it is not the safest infrastructure in the world. But there are extra measures that really help.

Imagine these two scenarios so you can understand it easier:

  1. The cybercriminal redirects the traffic that should go to your site to one that he or she controls. He or she can run a fake page mimicking yours and steal valuable data from your clients while pretending to be you. The unaware client does what he normally does: registers and uses the page to buy or enter information. The trouble for you can be big if money is taken from the victims.
  2. A strong DDoS attack can affect your servers and bring them down, and keep them down under attack for a long time; in practice an attack can last for weeks. Losing control affects your clients: users won't be able to access and use your services or buy products during the DNS attack. You can lose money and get negative feedback from clients. You can even permanently lose them.

Anybody can be threatened by DNS attacks, even big companies. Wikipedia, BBC, Blizzard, and many more have suffered different types of attacks. Nobody is safe, and the news will just keep coming.

Most common DNS Attack Types

Here are 5 of the most popular DNS attacks that you should be aware of. It is important to not neglect such threats and take measures for prevention.

DDoS Amplification

A DNS attack type like this is the one you will see most often in the media, with big headlines and big numbers. There are many variants, but most amplification attacks exploit the simple UDP protocol, the weakest link in the puzzle: it has no handshake, so the source address of a query is never verified. The goal is to significantly increase, amplify, the traffic. The attackers send a small DNS query that asks not just for the IP but for everything the server has on the name (a query of type ANY, usually with an EDNS0 buffer size that permits large UDP answers), so the answer is much larger than the question: commonly 10 times larger, and with ANY queries against DNSSEC-signed zones roughly 50 times. The extra trick is that they spoof the source IP address of the query, so the answer goes to the target. That way the target is bombarded with answers to queries it never sent and experiences downtime.

How to mitigate it? You will need a large network of DNS servers, like an Anycast network. If the capacity is enough, the traffic can be filtered without crippling the network.

Additional measures on your own servers: do not run an open recursive resolver. Allow recursion only for your own clients, or bind the resolver to an internal address such as 127.0.0.1 if it is used only locally, and enable Response Rate Limiting (RRL) on authoritative servers so that repeated identical answers to one address are throttled.

The third measure is to make your servers useless as reflectors: answer ANY queries minimally (RFC 8482) and, for any other UDP service you run, such as Memcached on port 11211, firewall the port and allow access only from whitelisted IPs.

DNS Cache Poisoning

This DNS problem focuses on DNS resolvers. Each of them has a cache, where it holds the information for domains for a certain amount of time: the resolver keeps a copy of the DNS records for as long as the TTL (time to live) indicates. The attacker injects forged records into that cache, for example by flooding the resolver with fake answers that race the legitimate one, and so redirects the traffic to a server he or she controls. There could be a fake copy of your website, where unaware people will register and give their personal data. A related trick arrives through spoofed phishing emails: when the victim clicks the link, malware changes the DNS settings or hosts file on the victim's machine, so that its lookups are answered by the attacker's resolver.

On the resolver, answer recursive queries only for your own clients and keep the resolver software patched, so that source ports and transaction IDs are randomized and forged answers are hard to match. You can also restrict it to the domains you actually need and use blocklists for known-bad domains.

The best tool to prevent such a threat is DNSSEC. A validating recursive server checks the signatures on the answers it receives; a forged answer fails validation, so it is neither cached nor returned, and the user stays safe.

DNS Tunneling

DNS Tunneling is a DNS attack type that tries to move important data through DNS without being detected: a tunnel that you don't see, but that criminals use. The data is masked as DNS queries and responses, encoded in subdomain labels and in record types such as TXT, so sensitive data can leave the network unnoticed, and that could cost you dearly. The same channel is used to control malware that is already inside.

Your DNS service should include DNS protection that acts as an intelligent firewall. If you don't have one, you can configure your own firewall along these lines (the exact menu names depend on the product):

You will need a firewall and an access rule that blocks all unwanted traffic right away. The second step is to create a protocol object in your firewall: find "Select Protocols", choose DNS, select "DNS tunnel" and save.

Finally, create an application rule. Again in the firewall settings, specify the trusted connection and then the protocol "DNS-Tunneling".
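The "intelligent firewall" above is a product feature, but the two signals it relies on can be computed from your own query logs. The following is an added example, not code from the article or from any vendor, covering both the DDoS Amplification section (sources receiving answers far larger than their queries) and the DNS Tunneling section (long, high-entropy labels under one base domain). The log format, the sample lines, the thresholds and the function names are all constructed for the example; the client addresses are from the RFC 5737 documentation ranges.

```python
"""Heuristic detection over a DNS query log: (1) sources that look like the
spoofed victim of a reflection/amplification attack and (2) names that look
like a tunnel. Added example for this article; the log format is constructed
for the example and is not any vendor's format."""
import math
from collections import defaultdict

# Constructed sample. Columns: timestamp client qtype qname query_bytes response_bytes.
SAMPLE_LOG = """\
2024-06-18T08:00:01Z 192.0.2.10 A www.example.com 45 61
2024-06-18T08:00:01Z 192.0.2.10 AAAA www.example.com 45 73
2024-06-18T08:00:02Z 198.51.100.7 ANY example.com 64 3120
2024-06-18T08:00:02Z 198.51.100.7 ANY example.com 64 3120
2024-06-18T08:00:02Z 198.51.100.7 ANY example.com 64 3120
2024-06-18T08:00:03Z 198.51.100.7 ANY example.com 64 3120
2024-06-18T08:00:03Z 198.51.100.7 ANY example.com 64 3120
2024-06-18T08:00:04Z 192.0.2.22 TXT 4a7b2c9d1e0f3a6b5c8d7e2f1a0b9c3d.x7q.example.net 86 120
2024-06-18T08:00:04Z 192.0.2.22 TXT 9f1e2d3c4b5a69788796a5b4c3d2e1f0.x7q.example.net 86 120
2024-06-18T08:00:05Z 192.0.2.22 TXT 0011223344556677889900aabbccddee.x7q.example.net 86 120
2024-06-18T08:00:06Z 192.0.2.31 MX example.org 42 88
"""

LARGE_ANSWER_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}   # types attackers pick for big answers


def parse_log(text: str) -> list[dict]:
    """Parse the constructed whitespace-separated format into records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qtype, qname, qlen, rlen = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower(),
                        "qlen": int(qlen), "rlen": int(rlen)})
    return records


def shannon_entropy(s: str) -> float:
    """Bits per character: hex payload approaches 4, ordinary labels stay well below."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_amplification_sources(records, min_queries=5, min_ratio=10.0) -> dict:
    """Clients whose aggregate response/query byte ratio is at least min_ratio.
    In a reflection attack this 'client' is the spoofed victim, so the fix is
    rate limiting or minimal ANY answers, not blocking the address."""
    stats = defaultdict(lambda: {"n": 0, "qbytes": 0, "rbytes": 0, "large": 0})
    for r in records:
        s = stats[r["client"]]
        s["n"] += 1
        s["qbytes"] += r["qlen"]
        s["rbytes"] += r["rlen"]
        if r["qtype"] in LARGE_ANSWER_TYPES:
            s["large"] += 1
    flagged = {}
    for client, s in stats.items():
        ratio = s["rbytes"] / s["qbytes"] if s["qbytes"] else 0.0
        if s["n"] >= min_queries and ratio >= min_ratio:
            flagged[client] = {"queries": s["n"], "ratio": round(ratio, 1),
                               "large_type_queries": s["large"]}
    return flagged


def find_tunneling_candidates(records, min_label_len=24, min_entropy=3.5) -> dict:
    """Suspicious names grouped by base domain (last two labels; a real deployment
    should use the Public Suffix List so co.uk-style suffixes are handled)."""
    flagged = defaultdict(list)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:
            continue
        payload = max(labels[:-2], key=len)      # the longest subdomain label carries the data
        ent = shannon_entropy(payload)
        if len(payload) >= min_label_len and ent >= min_entropy:
            flagged[".".join(labels[-2:])].append((r["qname"], len(payload), round(ent, 2)))
    return dict(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("amplification:", find_amplification_sources(recs))
    print("tunneling:", find_tunneling_candidates(recs))
```

On the sample, 198.51.100.7 is flagged because five ANY queries of 64 bytes each drew 3120-byte answers (a ratio near 49), and the three TXT names under example.net are flagged because their 32-character hex labels carry almost 4 bits of entropy per character. Tune the thresholds on your own baseline traffic before acting on the output; CDN hostnames and some mail-verification records are long and random-looking too.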

DNS Flood Attack

DNS Flood is a simple and very effective attack. The idea is to send traffic from one or many devices to the targeted server: push with enough traffic until it drops, flooding it with requests until it drowns. If it is a single source, it is easier to manage, but it can be a huge network of bots (a botnet) that is tricky to handle.

Flood Attack: Prevention and Protection

The protection exists, and it is simple: again, DDoS protected servers, which filter dangerous traffic. Also, have an Anycast network with a significant number of servers, which provides excellent load balancing. Currently, we have 49, which is a good number. Traffic monitoring that shows threats in time, so that you can react to the traffic, also helps.


Distributed Reflection Denial of Service (DRDoS)

A slightly different type from the DDoS attack we just saw. In this case, it is not the direct queries but the answers to them that go to the victim. This is the reflection.

The cybercriminals send DNS queries, but with the source IP changed to the victim's. The servers respond and send all that traffic to the target (the spoofed IP). The traffic can be overwhelming and flood the target, eventually stopping it. The Smurf attack is the classic example of a reflection attack; it uses ICMP echo requests sent to broadcast addresses rather than DNS, but the principle is the same. Sounds cute, but it isn't.

The solution is again the same as for the DNS Flood: get DDoS protected DNS servers. With a proper DNS plan, you will save yourself a lot of trouble: traffic monitoring, filters for removing unwanted requests, load balancing for heavy traffic, and more extras for a smooth DNS experience.


How to prevent DNS attacks?

Here are some tips that are going to help you prevent, detect, and mitigate a DNS attack.

  • Up-to-date DNS software: It is important to use the latest DNS software that contains the latest patches installed. 
  • Multi-factor authentication (MFA): It is crucial to implement MFA for all available accounts which have access to the DNS infrastructure of your organization. 
  • Domain Name System Security Extensions (DNSSEC): It ensures the safety of your DNS by utilizing digital signatures based on public key cryptography. That way, DNSSEC adds a very useful extra layer of security to your organization’s DNS.
  • Reliable DNS infrastructure: It is the foundation of a safe and protected environment for your organization's online presence. An Anycast DNS network is a must if you receive a lot of DNS requests, and it spreads the load of an incoming attack across many locations.
  • DDoS protected DNS: This service is specifically designed to mitigate one of the most harmful cyber threats – DDoS attacks.
  • Constant Monitoring: Logging and monitoring outbound and inbound DNS queries and response data can help significantly in detecting abnormal behaviors.
  • Keep a private DNS resolver: Restricting the DNS resolver to only users on your network can minimize the risk of malicious external usage. That way, you prevent its DNS cache from being poisoned by cybercriminals.

Motivation behind DNS attacks

One of the most common reasons behind the DNS attack is unfair competitor behavior. Attacking the competition illegally so that it can suffer downtime and all the consequences of it. But there are more:

  • Extortion. You know how popular ransomware has become? There is a DNS equivalent, ransom DDoS, where the cybercriminals target a server with a DDoS attack, the server can no longer respond to regular connections, and the attackers demand a ransom to stop. Cryptocurrency has made collecting the ransom a lot easier.
  • Revenge. The reason behind the attack could be an act of personal revenge against a company, a supplier, or an individual. For example, it is not uncommon that an ex-employee tries to disturb the services of the previous employer.
  • DDoS-for-hire. On the Dark Web, the side of the web that you can’t see in Google, there are all kinds of illegal services that you can hire. People hire DDoS DNS attacks to target their competitors. Bringing down their services during important periods. The attack can lead to serious losses in sales for the victim.
  • Cover attack. You can imagine the DNS attack as a smoke grenade. Its purpose could be just a distraction. It is taking the attention towards fixing the DNS traffic while another attack is being conducted or malicious software is installed behind the scene.
  • Notoriety. Some people want to be famous, even with their bad deeds. Getting some attention for a successful attack could be enough for some hackers. 
  • Personal challenge. There are smart people who just want to test their knowledge. Such a person might perform an attack, with the only idea to see if he or she can do it.
  • Cyberwarfare. Some countries use DNS attacks to target other countries, military groups, separatists, opposition, and even media sites sometimes. The goal is to silence or disrupt the communication of the targeted organization entirely.
  • Gamers’ wars. Gamers are very connected with technology. They use DNS attacks to damage the score of their competitors so that they can rise above them. Also, they use it to attack particular competitions and change the final results.
  • Hacktivism. Non-governmental organizations and individuals who want to make a point often use such tools to make a noise about their cause. Freedom of speech and ecological causes are common. It could attract media attention, start an international debate and stop the services of the targeted organization. 

Consequences of DNS Attacks

Becoming a target of a DNS attack can have a severe negative impact. Let’s examine the most common consequences:

  • Data Breaches: One of the most serious consequences of DNS attacks is the potential for data breaches. When attackers successfully manipulate DNS records, they can gain unauthorized access to sensitive information. That means putting personal and financial data at risk, leading to identity theft, financial losses, and reputational damage.
  • Business Disruption: Downtime resulting from attacks can have catastrophic effects on businesses. Whether it’s an e-commerce website unable to process transactions or a critical online service experiencing disruptions, the financial damage can be severe. Beyond obvious financial losses, prolonged downtime can have a negative impact on customer trust and loyalty.
  • Reputation Damage: DNS attacks not only affect the proper functionality of digital services but can also tear apart an organization’s reputation. Customers, partners, and stakeholders may lose trust in a business’s ability to protect sensitive information, leading to long-term consequences for brand image and market position.

Common Targets of DNS Attacks

Understanding the potential victims of DNS attacks is crucial for implementing robust cybersecurity measures. The following examples are often targeted:

  • Enterprises and Organizations: Large corporations and organizations are often targets due to the vast amount of sensitive data they store. DNS attacks can compromise data integrity, leading to financial losses and reputational damage.
  • Internet Service Providers (ISPs): ISPs play a key role in managing and directing internet traffic. Attacks on their DNS infrastructure can result in widespread service disruptions, affecting countless users.
  • Government Agencies: Governments keep vast amounts of confidential information critical to national security. DNS attacks on government agencies can lead to data breaches and compromise sensitive data.
  • E-commerce Platforms: Online retailers are also an attractive target for attacks as they handle numerous financial transactions and store customer details. A successful attack can disrupt services, leading to financial losses and crashing customer trust.
  • Critical Infrastructure: Industries such as energy, transportation, and healthcare rely on interconnected systems. DNS attacks on such critical infrastructure can impact public safety and fundamental services.
  • Financial Institutions: Financial institutions dealing with sensitive transactions and client data are also often targets of attacks. A successful assault on their DNS can result in phishing attacks, leading to identity theft or fraudulent transactions, causing extreme financial damage.

Conclusion

It is really important to know about DNS attack types and how to protect yourself from them so your business experiences fewer shocks: smooth sailing for your business. You don't want to suffer brand damage, lawsuits that cost millions of dollars, or lost clients because of downtime. To avoid them, we recommend you take a look at our DDoS protected DNS service and test our FREE 30-day trial!


The post 5 DNS Attacks that could affect you appeared first on ClouDNS Blog.
