Memcached DDoS Archives - ClouDNS Blog
https://www.cloudns.net/blog/tag/memcached-ddos/
Articles about DNS Hosting and Cloud Technologies (feed updated Wed, 30 Oct 2024 12:54:06 +0000)

DDoS amplification attacks by Memcached
https://www.cloudns.net/blog/ddos-amplification-attacks-memcached/
Tue, 18 Jun 2024 08:06:00 +0000

In our increasingly interconnected world, cybersecurity threats continue to evolve, and one particularly concerning method is the Memcached DDoS amplification attack. Exploiting vulnerable Memcached servers, attackers can generate overwhelming traffic that cripples targeted websites and services. Understanding the mechanics of these attacks and implementing robust protection measures is crucial for organizations to safeguard their online presence. This article explores the workings of Memcached DDoS amplification attacks and their immense amplification potential and provides insights into effective mitigation strategies.

What is a DDoS amplification attack?

These attacks usually use the UDP protocol. It is a simple connectionless communication model with minimal protocol mechanisms. This means that one side of the communication can send large amounts of data to the other without restrictions, and because nothing is acknowledged, it doesn’t matter whether the other side receives the data.

Due to the way the UDP protocol works, cyber-criminals use it to generate DDoS amplification attacks. The attacker sends a small UDP request with a spoofed IP address of the victim to public services.

The UDP protocol doesn’t require connection verification between the parties. This is why the public services reply with the requested data to the IP address of the victim. The larger the data returned by the exploited public service, the larger the DDoS amplification factor.

In the past few years, hackers have exploited many public DNS resolvers and NTP servers to generate massive DDoS attacks against popular websites and services.

Understanding Memcached

Memcached is a widely-used, open-source caching system that enhances the performance of dynamic web applications by reducing database load. It achieves this by storing data in memory, allowing for rapid retrieval and minimizing the need for repeated database queries. By caching frequently accessed objects such as database query results and session data, Memcached helps applications run more efficiently and respond faster to user requests. Its straightforward design and robust performance have made it a staple in optimizing large-scale web applications. However, without proper configuration and security measures, Memcached can become vulnerable to exploitation, emphasizing the need for diligent management.

Memcached DDoS amplification attack explanation

A Memcached DDoS amplification attack is a malicious exploit where attackers leverage vulnerable Memcached servers to generate overwhelming traffic towards a target. By sending small requests to multiple servers, the attackers receive significantly larger responses, resulting in an amplification effect. This massive traffic surge can cripple the target’s network infrastructure, disrupting service. To mitigate such attacks, organizations should secure their Memcached servers, implement access controls, and utilize robust DDoS mitigation solutions to protect against this highly impactful cyber attack.

How does it work? Step by step

1. Identifying vulnerable servers: Attackers scan the internet to locate Memcached servers that are accessible and have User Datagram Protocol traffic enabled. UDP is preferred due to its connectionless nature, making it easier to spoof source IP addresses.

By default, Memcached runs with UDP support enabled on port 11211. To understand this attack, we reviewed the Memcached source code on GitHub. For some reason, the communication settings define a fixed payload of 1400 bytes for UDP packets.

The basic UDP request sent to Memcached is 15 bytes in size, and the server responds with 1400 bytes. This makes the amplification factor more than 93x! With that amplification factor, a single attacking server with a 1Gbps port and a significant number of vulnerable servers can generate DDoS attacks of over 90 Gbps.

2. Spoofing the source IP address: Using various techniques, attackers disguise their own IP address and make it appear as if the attack traffic originates from the targeted victim’s IP address. This ensures that the amplified response traffic is directed towards the victim.


3. Sending small forged requests: Attackers send lightweight and innocuous-looking requests to the vulnerable Memcached servers. These requests typically have a small size, often around 15 bytes, which minimizes the effort required to send them.

4. Amplification of response traffic: Exploiting the Memcached servers’ behavior, which responds to small requests with much larger responses, the attackers achieve an amplification factor that can reach staggering levels. This means that for each small request sent, the server responds with a significantly larger volume of data, often in the range of hundreds or thousands of times larger.

5. Overwhelming the target: The amplified response traffic, generated by the Memcached servers, floods the victim’s network infrastructure with an immense volume of data. This flood of traffic can quickly exhaust the victim’s network bandwidth, computing resources, and cause service disruptions or complete downtime.

How big can it be?

In the realm of cybersecurity, we have witnessed an unprecedented magnification factor, reaching an astonishing 51,200 times the original request size! Picture this: a mere 15-byte request has the potential to unleash a colossal 750 kB response. This mind-boggling amplification factor poses an immense security risk, particularly for web properties ill-equipped to handle the overwhelming deluge of attack traffic. With its significant amplification potential and susceptible servers, Memcached becomes a prime target for malicious actors intent on launching devastating DDoS attacks against a wide array of targets.

Furthermore, according to GitHub’s February 28th DDoS Incident Report, the largest open-source code hosting service was down due to a Distributed Denial of Service attack that caused intermittent unavailability of its service for a few minutes. The attack exploited a vulnerability in Memcached, resulting in a volumetric attack that peaked at 1.35Tbps. GitHub successfully mitigated the attack by diverting traffic to Akamai and implementing access control measures, and it is working on improving its automated intervention and expanding its edge network to enhance resilience against future attacks.

How to protect from Memcached DDoS amplification attacks?

Our Anycast Network is protected from such attacks, and we have already mitigated more than 20 attacks like this in the last five days.

To protect your website, online service, etc., you can also implement DDoS protection software. The ClouDNS DDoS Protected DNS service can help identify and filter out malicious traffic, thereby minimizing the impact of amplification attacks.

Another way to protect against Memcached DDoS amplification attacks is to monitor traffic regularly. We provide robust monitoring solutions that enable the timely detection of abnormal traffic patterns, facilitating early response and mitigation.

Furthermore, with enough network capacity, we can easily filter the attack, since the Memcached server responses come from UDP port 11211. We can say for sure that all our customers are protected and safe.

The average size of the DDoS attacks we filter has been between 50Gbps and 80Gbps. We expect that value to grow over the next two weeks and then drop significantly as system administrators take care of the vulnerable servers.
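As an added example (not code from the ClouDNS article), the following Python applies two points made above: the amplification arithmetic from the 15-byte request and 1400-byte response figures, and the filter on Memcached responses arriving from UDP port 11211, run over a few constructed NetFlow-style records. The 1000-byte average packet size and 10 MB volume thresholds, and the iptables rendering of the filter, are assumptions.

```python
"""Flag Memcached amplification traffic in flow records.

Added example, not from the article. Input is a few constructed NetFlow-style
records. The signature is the one the article describes: UDP traffic with
source port 11211 and ~1400-byte packets hitting one destination in volume.
Thresholds are assumptions, not Memcached facts.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_AVG_PACKET = 1000         # assumed: Memcached UDP replies are ~1400 B
MIN_REPLY_BYTES = 10_000_000  # assumed: 10 MB of replies per victim

# Constructed sample flows: (proto, src, sport, dst, dport, packets, bytes)
FLOWS = [
    ("udp", "198.51.100.10", 11211, "203.0.113.5", 40001, 50_000, 70_000_000),
    ("udp", "198.51.100.11", 11211, "203.0.113.5", 40001, 48_000, 67_200_000),
    ("udp", "203.0.113.5", 40001, "198.51.100.10", 11211, 10, 150),
    ("udp", "192.0.2.20", 53, "203.0.113.5", 51000, 100, 12_000),
    ("tcp", "198.51.100.12", 11211, "203.0.113.7", 44000, 5_000, 7_000_000),
]

def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent: 15 B -> 1400 B is ~93x; -> 768,000 B (750 kB) is 51200x."""
    return response_bytes / request_bytes

def memcached_reflection(flows):
    """Map victim -> bytes of large UDP replies received from port 11211,
    keeping only victims above the volume threshold."""
    per_victim = defaultdict(int)
    for proto, src, sport, dst, dport, pkts, nbytes in flows:
        if proto != "udp" or sport != MEMCACHED_PORT or pkts == 0:
            continue
        if nbytes / pkts < MIN_AVG_PACKET:
            continue  # small replies look like ordinary cache traffic
        per_victim[dst] += nbytes
    return {v: b for v, b in per_victim.items() if b >= MIN_REPLY_BYTES}

def suggested_filter(victims):
    """Render the mitigation the article describes, dropping UDP replies from
    port 11211 aimed at the flooded hosts (iptables syntax as an example).
    Apply it upstream where capacity exceeds the flood, not on the victim."""
    return [f"iptables -A INPUT -p udp --sport {MEMCACHED_PORT} -d {v} -j DROP"
            for v in sorted(victims)]

if __name__ == "__main__":
    print(f"1400/15 -> {amplification_factor(15, 1400):.1f}x")
    hits = memcached_reflection(FLOWS)
    for victim, total in hits.items():
        print(f"{victim}: {total / 1e6:.1f} MB of Memcached replies")
    print("\n".join(suggested_filter(hits)))
```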


Ways to secure a Memcached server

The system administrators of Memcached servers can protect them in one of the following ways:

  • Update the server configuration to listen only on 127.0.0.1 (localhost). Do this if you use the Memcached server only locally and there are no external connections to it. You can do this with the option --listen 127.0.0.1.
  • Disable UDP support if you are not using it. You can do this with the option -U 0.
  • Add a firewall rule for UDP port 11211. If you need both external connections and UDP support, make sure the server is reachable only from the IPs you need.
  • Instead of exposing your Memcached server directly to the internet, use a caching proxy server.
  • Restrict access to the Memcached server using access control lists (ACLs) that allow only trusted IP addresses.
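An added example, not from the article or the Memcached project: a small Python audit of a memcached command line or a Debian-style /etc/memcached.conf (assumed format: one option per line, '#' comments) for the first two settings listed above, --listen/-l restricted to loopback and UDP disabled with -U 0.

```python
"""Audit Memcached startup options against the hardening list above.

Constructed example, not from the article or the Memcached project. Input is
a memcached command line or a Debian-style /etc/memcached.conf (one option
per line, '#' comments; assumed format). Checked: -l/--listen, -U/--udp-port.
"""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_options(text):
    """Flatten config lines or a command line into an argv-style list."""
    argv = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return argv

def option_values(argv, short, long):
    """All values given for a flag: -U 0, -U0, --udp-port 0, --udp-port=0."""
    values = []
    for i, tok in enumerate(argv):
        if tok in (short, long) and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif tok.startswith(short) and tok != short:
            values.append(tok[len(short):])
        elif tok.startswith(long + "="):
            values.append(tok.split("=", 1)[1])
    return values

def audit(text):
    """Return the findings; an empty list means both checks pass."""
    argv = parse_options(text)
    findings = []
    # Memcached 1.5.6+ ships with UDP off; older builds default to UDP on
    # 11211, so an explicit "-U 0" is the only unambiguous sign it is off.
    udp_ports = option_values(argv, "-U", "--udp-port")
    if not udp_ports or udp_ports[-1] != "0":
        findings.append("UDP not explicitly disabled: add '-U 0' if UDP is unused")
    # -l takes a comma-separated list; an IPv4 entry may carry ":port".
    bound = set()
    for value in option_values(argv, "-l", "--listen"):
        for addr in value.split(","):
            bound.add(addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr)
    if not bound or not bound <= LOOPBACK:
        exposed = sorted(bound - LOOPBACK) or ["0.0.0.0 (all interfaces)"]
        findings.append(
            "listening on %s: use '-l 127.0.0.1' for local-only use, or "
            "firewall port 11211 to trusted IPs" % ", ".join(exposed))
    return findings
```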

Conclusion

By exploiting vulnerable Memcached servers, attackers can unleash a massive flood of traffic, causing widespread disruptions. To defend against these attacks, organizations must secure their Memcached servers, implement strict access controls, and utilize effective DDoS mitigation solutions.

Most significant DDoS attacks in the recent years (UPDATED 2023)
https://www.cloudns.net/blog/significant-ddos-attacks-recent-years/
Fri, 08 Sep 2023 07:31:00 +0000

DDoS attacks are getting stronger, and they happen more often every year. With the advancement of technology, there are many more connected devices out there. Billions of mobile phones and many “smart” connected gadgets are easily hackable. As IoT (internet of things) is getting more popular, but not secure enough, this danger will keep rising.

What are DDoS attacks?

Cybercriminals hijack many random connected devices around the world. The compromised devices form a botnet, a network that waits for instructions from the person in control. The hacker can instruct them to generate traffic to a specific target. The massive number of those devices cripples the defense of the target and brings it down.

Spamhaus 2013

Back in 2013 this was the biggest attack of its time. The website of the anti-spam company Spamhaus was down on 18.03.2013 due to a large layer 3 attack. Their servers couldn’t manage the load. The attack was around 75Gbps, and back then this was unimaginable (currently there are some with more than 600Gbps). They managed to stop it by signing up for an Anycast service.

BBC DDoS Attack 2015

Dyn DDoS attack 2016

A few years ago, on October 21st, 2016, the DNS provider Dyn was struck by a massive DDoS attack. Their servers were down, and for some time big websites they were hosting, such as Amazon, Netflix, Twitter, Reddit and more, were out. The culprit of the attack was a botnet called Mirai, made mostly of IoT devices. The attack had a cascading effect on internet services globally, drawing attention to the vulnerabilities inherent in centralized DNS providers and spurring investment in DDoS mitigation technologies.

Krebs on Security 2016

In September 2016, just before the Dyn incident, there was another attack involving the Mirai botnet. The attack was very strong at around 665 Gbps, but thanks to Krebs’s security, they managed to resist it.

The Mirai botnet responsible for the attack was especially alarming for its utilization of Internet of Things (IoT) devices like cameras and routers. This marked one of the first times a botnet had so effectively leveraged commonly used household devices to orchestrate a large-scale DDoS attack.

Blizzard DDoS attack 2017

If you are a gamer, you probably know Blizzard Entertainment, the brand behind Overwatch, World of Warcraft, StarCraft, and Diablo. This company has experienced many attacks over the last years. The most notable was in August 2017, when many gamers were unable to connect to their servers and play. These attacks damage the company’s image and the satisfaction of its clients.

Memcached attacks of March 2018

March was a horrible month. We saw new attacks on a larger scale than ever before. Two of them set records: the one that hit Arbor Networks with 1.7Tbps of traffic, and the one that hit GitHub with 1.35Tbps a few days earlier. Both exploited UDP port 11211. UDP doesn’t verify the connection, and that is what made this possible.


The different attacks of 2019

In 2019 we didn’t see huge attacks with +1Tbps power, but it wasn’t safe either. 

Yes, there were some strong attacks of around 0.5 Tbps, but we paid attention more to the number of packets per second. In this kind of attack, the criminals do a little work, and the target does a lot of work. This is why they are called asynchronous. The attackers send small packets and receive big ones. The processing occupies the target’s resources. 

Clients of Imperva had a rough start to the year. First came a strong attack of 500 million packets a second in January, considered one of the largest PPS (Packets Per Second) attacks known.

Later, on the 30th of April 2019, another client of theirs got attacked with 580 million PPS.

In September 2019, there was another strong attack that was targeting Wikipedia. The popular site didn’t provide information about the magnitude of the attack, but it was down for several hours on different continents.

The AWS Attack 2020

Amazon Web Services (AWS) fell prey to a DDoS attack in February 2020, which peaked at 2.3 terabits per second. The attack was of the Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection type, a common DDoS attack method that amplifies the traffic. Despite the intensity, Amazon successfully mitigated the attack, preventing any significant interruption to its services.

Cloudflare Attack 2020

In August 2020, Cloudflare, a leading DDoS mitigation service, experienced a significant DDoS attack itself. Peaking at 754 million packets per second, it became one of the largest PPS-focused DDoS attacks in history. Remarkably, Cloudflare was able to thwart the attack in seconds using automated systems. However, the incident underscored the evolving complexity of DDoS attacks, showing that even cybersecurity specialists are not immune.

2023 Trends

What can we expect this year? 

  • Attacks with a smaller bandwidth, but intense, with a high PPS number. The cybercriminals are changing their strategies.
  • Increase in the duration of the attacks. Some can go on for weeks. DDoS protection solutions should be able to withstand longer attacks than before.
  • More sophisticated attacks. It is not just about the volume anymore. For example, the exploit can happen through a different port.
  • More botnets are emerging. There is already a new version of Mirai and a new botnet, Cayosin, and the number of IoT devices is increasing, and with it the number of botnet devices.

According to Cisco’s projections, the global landscape for DDoS attacks is expected to witness a significant escalation, with the number of attacks doubling to approximately 15.4 million by 2023. This alarming surge underscores the growing threat of cyberattacks and emphasizes the imperative for organizations to fortify their cybersecurity measures to safeguard against this evolving menace. Since 2018, DDoS attacks have become increasingly prevalent, highlighting the pressing need for proactive defense strategies in the digital realm.

Source: Cisco Annual Internet Report, 2018–2023

How to protect from DDoS attacks?

You can use a DDoS protected DNS plan. Such a plan includes different DDoS protected servers and many Anycast locations. This provides load balancing that spreads the traffic across different servers. This way the intense wave of traffic is reduced and your servers can withstand the DDoS attack.


Conclusion

DDoS attacks won’t stop, nor will they get lighter. If your business demands that your website be up 100% of the time, you had better be prepared with the right security measures.
