


The largest distributed denial-of-service (DDoS) attack yet recorded took place Wednesday and targeted GitHub. The DDoS attack measured 1.3 Tbps of sustained traffic for eight minutes. That shattered the previous publicly recorded DDoS attack, associated with the Mirai botnet in September 2016, which maxed out at half that intensity (620 Gbps).

Wednesday's attack is attributed to a form of DDoS attack called a memcached amplification technique. In a memcached amplification attack, adversaries send a small UDP packet request to a memcached server. The packets are spoofed to appear as if they were sent from the intended target of the DDoS attack. In response, the memcached server sends the spoofed target a massively disproportionate response.

Memcached servers are used to bolster the responsiveness of database-driven websites by improving the memory caching system.

"Memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response," explained Akamai, which helped GitHub fend off Wednesday's DDoS attack. "Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long," wrote the Akamai SIRT Alerts team.

The day before the attack on GitHub, Akamai, Arbor Networks and Cloudflare each said they had observed an uptick in attacks using the memcached technique. Each attributed the rise of these attacks to an estimated 88,000 misconfigured memcached servers accessible via the public internet that could easily be recruited in future attacks.

"This massive DDoS attack was possible because organizations operating memcached servers failed to implement some very basic security practices," said Sammy Migues, principal scientist at Synopsys. "Unless the unwitting operators of these memcached servers take corrective action, it is inevitable that other ill-equipped targets will fall victim to similar DDoS attacks and suffer a much longer outage."

According to researchers from Cloudflare, memcached servers' support for UDP (User Datagram Protocol), an alternative communications protocol to Transmission Control Protocol, is also problematic. "The (UDP) protocol specification shows that it's one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge," Cloudflare researchers noted in a post earlier this week.

"Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly. Additionally, as lists of usable reflectors are compiled by attackers, this attack method's impact has the potential to grow significantly," Akamai noted.

Unlike the Mirai botnet DDoS attacks against DNS provider Dyn, which caused a massive disruption of services such as Twitter, Spotify and PayPal and knocked the Krebs on Security website offline, the impact against GitHub this week was minimal. "GitHub was commendably prepared to survive an attack much larger than this," Migues said.

GitHub detailed the attack in a statement: "Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35 Tbps via 126.9 million packets per second."

According to Akamai, the company was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached. "Given the increase in inbound transit bandwidth to over 100 Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity," noted GitHub.

Mitigation, according to experts, includes configuring memcached servers to operate behind a firewall and turning off support for UDP. "On a more macro level, ISPs need to block spoofed packets from exiting their networks, and protocol developers need to better understand velocity checking and amplification attacks," Migues said.

A New Breed of DDoS Attack

DDoS isn't new. Some malware incidents will go down in history. The IT industry remembers 2006, for example, as the year of Stuxnet, an infamous worm that drew public attention to the insecurity of supervisory control and data acquisition (SCADA) and programmable logic controller (PLC) systems. I'm quite sure that 2016 will be similarly defined as the year of the distributed denial-of-service (DDoS) attack.
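The defender's view of the reflection pattern described above, as an added example that is not code from the article, GitHub, Akamai or Cloudflare: it groups UDP flows sourced from the memcached port by destination and flags a destination hit from several distinct servers at high volume, which is what the spoofed-source amplification looks like at the network edge. It assumes NetFlow-style records already parsed into dictionaries; the flow records and addresses are constructed.

```python
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211  # default memcached port named in the article


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Response size divided by request size for one reflected exchange."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=2, min_bytes=1_000_000):
    """Group UDP flows sourced from port 11211 by destination address.

    One destination receiving large volumes from several distinct
    memcached servers is the signature of spoofed-source amplification.
    Returns {victim_ip: (reflector_count, total_bytes)}.
    """
    by_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MEMCACHED_UDP_PORT:
            continue  # TCP memcached and other UDP traffic are not reflection
        entry = by_victim[f["dst_ip"]]
        entry[0].add(f["src_ip"])
        entry[1] += f["bytes"]
    return {
        victim: (len(reflectors), total)
        for victim, (reflectors, total) in by_victim.items()
        if len(reflectors) >= min_reflectors and total >= min_bytes
    }


# Constructed flow records using documentation-range addresses, not real data.
SAMPLE_FLOWS = [
    # three exposed memcached servers all "replying" to the same target
    {"proto": "udp", "src_ip": "198.51.100.5", "src_port": 11211,
     "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 52_000_000},
    {"proto": "udp", "src_ip": "198.51.100.6", "src_port": 11211,
     "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 48_000_000},
    {"proto": "udp", "src_ip": "198.51.100.7", "src_port": 11211,
     "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 61_000_000},
    # a normal cache reply to an internal client: one source, small volume
    {"proto": "udp", "src_ip": "10.0.0.8", "src_port": 11211,
     "dst_ip": "10.0.0.20", "dst_port": 50312, "bytes": 1_400},
]

if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_FLOWS))
    print(round(amplification_factor(203, 100_000_000)))  # 492611
```

The same grouping works on any collector export once the five fields above are extracted; raising `min_reflectors` trades sensitivity for fewer false positives from a single busy cache.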
