Security Experts:

Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands

[UPDATED - New record set at 1.7Tbs] On Tuesday, February 27, three major DDoS mitigation service providers (Akamai, Cloudflare and Arbor) warned that they had seen spikes in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each service provider warned that this type of reflection attack had the potential to deliver far larger attacks.

One day later, Wednesday, February 28, GitHub was hit by the largest DDoS attack that had ever been disclosed -- more than twice the size of the Mirai attack of 2016, peaking at 1.3Tbps. And still the potential, in the short term at least, is for even larger attacks.

Amplification attacks are generated when a server can be 'tricked' into sending a larger response than the initial query. Reflection occurs when the requesting IP is spoofed. The result is that multiple servers can be tricked into sending large responses to a single target IP, rapidly overwhelming it with the volume sent.

Memcached servers are particularly vulnerable to such a use whenever they are left accessible from the public internet. In theory, this should never -- or at least very rarely -- happen; in practice there are various estimates of between 50,000 and more than 100,000 vulnerable servers. Because the service was designed for use internally within data centers, it has no inbuilt security and can be easily compromised by attackers.

The purpose of Memcached servers is to cache frequently used data to improve internal access speeds. Its default service is via UDP. Because it can be easily compromised, the data it caches can be configured by the attackers. The result is that small requests to the server can result in very large replies from the cache. Researchers suggest, in theory, the reply could be up to 51,000 times the size of the request. This is the amplification side of the attack -- the ability to amplify a 203-byte request into a 100-megabyte response.

If the requests include a spoofed IP address, the reply can be sent to a different target IP address. This is the redirection side of the attack. If successive requests are made to multiple compromised Memcached servers all delivered to a single target IP, the result is an amplification/redirection DDoS attack such as that delivered against GitHub on 28 February.

This attack was described by GitHub Engineering on Thursday. "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints." It started at 17.21 UTC when GitHub's network monitoring detected an anomaly in the ratio of ingress to egress traffic. Within 5 minutes GitHub decided to call on Akamai's DDoS mitigation service.

"At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai." Akamai took over mitigation, and by 17:30, GitHub had recovered. Akamai's own statistics show that the attack peaked at 1.35 Tbps before tailing off; and was followed by a smaller, yet still very large, attack of around 400 Gbps just after 18:00 UTC.

Akamai's own brief report on the incident comments, "Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure."

Small DDoS attacks are often delivered as an extortion 'warning', with a demand for payment to prevent a larger attack. Cybereason has noticed that this process was reversed in the GitHub attack -- the attack itself contained the extortion demand: "the same memcached servers used in the largest DDoS attack to date are including a ransom note in the payload that they're serving," it reported on Friday.

The extortion note, which occurs in a line of Python code delivered by the compromised Memcached servers, demands payment of 50 XMR (the symbol for the Monero cryptocurrency). This would have been approximately $15,000. 

"It is a pretty clever trick to embed the ransom demand inside the DOS payload," Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, told SecurityWeek. "It is also fitting with the times that attackers are asking for Monero rather than Bitcoin because Monero disguises the origin, destination and amount of each transaction, making it more suitable for ransoms."

There is no way of knowing whether any of the recent Memcached DDoS victims have paid a Monero ransom.

Memcached attacks are not entirely new, but have been relatively rare before the last ten days. The DDosMon from Qihoo 360 monitors amplification attack vectors and its figures show generally less than 100 attacks per day since at least November 2017. On 24 February this spiked to more than 400 attacks, followed by an increase to more than 700 in the following days. 

It is thought that until recently Memcached attacks were deployed manually by skilled attackers, but that the attack techniques have now been weaponized and made available to all skill-levels via so-called booter/stresser botnets. This is what makes it likely that there will be more and potentially larger Memcached attacks in the future.

But it's not all doom and gloom. The number of vulnerable servers is already decreasing as operators begin to secure their Memcached servers.

"Overall memcached is expected to top the DDoS charts for a relatively short period of time," Ashley Stephenson, CEO, Corero Network Security, told SecurityWeek by email. "Ironically, as we have seen before, the more attackers who try to leverage this vector the weaker the resulting DDoS attacks as the total bandwidth of vulnerable servers is fixed and is shared across the victims. If a single attack could reach 200G, then with only 10 bad actors worldwide trying to use this vector at the same time they may only get 20G each. If there are hundreds of potential bad actors jumping on the memcached bandwagon, this once mighty resource could end up delivering just a trickle of an attack to each intended victim."

UPDATE - New record set at 1.7Tbps - As predicted, the Memcached DDoS methodology has already created a new world record. Netscout Arbor has today confirmed a 1.7Tbps DDoS attack against the customer of a U.S.-based service provider. This attack was recorded by Netscout Arbor’s ATLAS global traffic and threat data system, and is more than 2x the largest Netscout Arbor had previously seen. No further details are yet available.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.