Denial of service attacks have been around for a long time, but their magnitude has risen sharply in recent years. As they say, records are meant to be broken. On February 28, 2018, the GitHub website was hit with the largest distributed denial of service (DDoS) attack seen up to that point, peaking at a record 1.35 Tbps. Within four days, that record was broken by an attack of 1.7 Tbps against an unnamed US company.
How are such high-volume attacks possible?
Let's take a closer look at what has made such high-volume attacks possible. In a denial of service attack, an attacker generates heavy traffic against a server with the intention of exhausting some resource on it, bringing the service down or making it unusable for legitimate users. With companies on high-bandwidth connections, a single attacker machine cannot easily exhaust the bandwidth. Another common DDoS technique is to use a botnet of thousands of machines to hit the target at the same time, but this is neither convenient nor economical for an attacker. The easiest option is an amplification technique: the attacker sends a small request to a reflector system, which responds with a much larger reply directed at the victim machine. This is far cheaper for the attacker than generating the traffic needed for a large-scale volumetric attack with a botnet.
In the recent attacks, attackers used a reflection/amplification technique that abuses the Memcached protocol. Memcached servers are used for caching to improve the performance of web applications. Two misconfigurations allow attackers to abuse these servers as reflectors against a target system:
- The memcached server is exposed on the Internet. Caching servers are not meant to be reachable from the Internet, yet thousands of memcached servers are wrongly configured to be. Note that memcached does not support authentication.
- UDP is enabled on the memcached server. Since UDP source addresses are easily spoofed, this makes the service usable as a reflector.
The steps an attacker performs to carry out the DDoS attack are:
- Scan the Internet for memcached servers reachable over UDP.
- Send a get request to the server with the source IP spoofed to the victim's IP.
- The server returns a greatly amplified UDP response to the victim. A 15-byte request can produce a 750 kB response, an amplification of up to 51,000 times.
What can be done to prevent these attacks?
If you own or administer a memcached server, you need to ensure that it cannot be used as a reflector for these attacks.
- Ensure your memcached server is not exposed to the Internet.
- Immediately block all access from the Internet to UDP port 11211 in your firewall.
- Disable UDP on all memcached servers.
- Upgrade to the latest version of memcached, in which the UDP port is disabled by default.
As a website owner, there is not much you can do to prevent this type of attack. You can block all traffic coming from source port 11211, the default UDP port of the memcached server, to protect your resources, but this will have no effect on bandwidth exhaustion, since the traffic has already reached your network by then. Ask your ISP to rate limit traffic from source port 11211 and to prevent such traffic from entering and exiting your network.
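Both the memcached-admin checks and the website-owner view above can be confirmed from network flow records. The script below is an added example, not part of the original post: it parses constructed flow records and flags (a) internal hosts answering over UDP from port 11211 to the Internet, meaning a memcached instance is acting as a reflector, and (b) internal hosts receiving a large volume of UDP traffic from source port 11211, meaning the amplified replies are landing on a victim. The flow format, the internal address ranges and the byte threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Constructed: the address ranges we treat as "our" network (documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
# Constructed flow records: proto,src_ip,src_port,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
udp,203.0.113.9,11211,192.0.2.10,54321,750000
udp,203.0.113.21,11211,192.0.2.10,54321,742000
udp,198.51.100.7,11211,192.0.2.10,54321,760000
udp,10.0.0.5,11211,203.0.113.40,40000,820000
tcp,10.0.0.6,51000,10.0.0.5,11211,120
udp,198.51.100.8,53,192.0.2.10,33000,512
"""

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Turn the CSV-style records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        proto, sip, sport, dip, dport, nbytes = line.split(",")
        flows.append({"proto": proto, "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_reflectors(flows):
    """Internal hosts answering over UDP from port 11211 to external addresses (exposed memcached)."""
    out = defaultdict(int)
    for f in flows:
        if (f["proto"] == "udp" and f["sport"] == MEMCACHED_PORT
                and is_internal(f["src"]) and not is_internal(f["dst"])):
            out[f["src"]] += f["bytes"]  # any such flow is a finding, whatever its size
    return dict(out)

def find_victims(flows, min_bytes=1_000_000):
    """Internal hosts getting >= min_bytes of UDP from source port 11211 -> {host: (bytes, n_reflectors)}."""
    total, sources = defaultdict(int), defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == MEMCACHED_PORT and is_internal(f["dst"]):
            total[f["dst"]] += f["bytes"]
            sources[f["dst"]].add(f["src"])
    return {h: (b, len(sources[h])) for h, b in total.items() if b >= min_bytes}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("reflectors:", find_reflectors(flows), "victims:", find_victims(flows))
```

Legitimate internal memcached use over TCP and unrelated UDP services (DNS on port 53 in the sample) are left alone; the admin-side check fires on a single flow because memcached should never be speaking UDP to the Internet at all.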
Vulnerable memcached servers across the Internet are being fixed, but this will take time. So don't be surprised if we see some new records in the near future. Be safe online!