Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
In November 2017, a group of researchers provided a macroscopic characterization of the DoS ecosystem; they shared their findings at the AMC Internet Measurement Conference in London. The experts collected data from DDoS Protection Services, amplification honeypots, and a DNS measurement platform. The experts' analysis revealed that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years.
"Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that often targets are simultaneously hit by different types of attacks," reads the research paper published by the experts.
While large-scale attacks like Mirai and Reaper may get the headlines, this amount of DDoS attacking will have real impacts for the victims.
"During this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day," said Alberto Dainotti, one of the researchers from CAIDA (Center for Applied Internet Data Analysis).
"These absolute numbers are staggering, a thousand times bigger than other reports have shown."
Abusing the memcached protocol
Researchers from several security firms reported that threat actors have started abusing the memcached protocol to power distributed denial-of-service (DDoS) attacks, so-called memcached DDoS attacks.
memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load. Clients communicate with memcached servers via TCP or UDP on port 11211.
Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 discovered that recently attackers are abusing the memcached for DDoS amplification attacks. Experts at Cloudflare dubbed this type of attack Memcrashed; the amplification technique could allow attackers to obtain an amplification factor of 51,200.
Chinese experts from Qihoo 360 first warned about such kind of DDoS attacks in November 2017, but the number of memcached attacks started spiking just a few days ago.
Figure 1 - Trend of protocols abused in Reflection attacks
The involvement of memcached servers in DDoS Attacks is simple as effective; the attacker sends a request to the targeted server on port 11211 spoofing the IP address of the victim. The request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack that has been estimated to be 51,200 times the size of the initial request.
Figure 2 - memcached DDoS Amplification technique
Last week, researchers at Cloudflare started observing memcached DDoS attack of increasing magnitude, they monitored an attack that peaked at 260 Gbps while Arbor Networks reported observing attacks that peaked at 500 Gbps and even more.
"We have observed a considerable uptick in memcached reflection/amplification attacks ranging in size from a few hundred mb/sec up to 500gb/sec and larger. The amplified attack traffic is sourced from UDP/11211, with a packet size of 1428 bytes (1442 bytes with layer-2 Ethernet framing included), and no fragmentation (memcached segments large responses at layer-7, as does ntp)," reads the analysis published by Arbor Networks. "The attacker typically 'primes' a given set of memcached reflectors/amplifiers with arbitrary-length key/value pairs, and then issues memcached queries for those key/value pairs, spoofing the IP addresses of targeted hosts/networks."
"I was surprised to learn that memcached does UDP, but there you go! The protocol specification shows that it is one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB)," continues the analysis published by Cloudflare.
"Launching such an attack is easy. First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the "get" request message with target Source IP."
According to Cloudflare, most of the memcached DDoS Attacks were launched from servers in North America and Europe; OVH, DigitalOcean, and Sakura host most them.
Figure 3 - memcached DDoS reflection attacks
The experts observed attacks from roughly 5,700 unique IPs associated with memcached servers.
The situation can rapidly get worse because the result of a simple Shodan query shows nearly 88,000 unsecured memcached servers, most of them in the United States, China, and France.
Figure 4. memcached servers exposed online
Github hit by the biggest-ever DDoS attack that peaked 1.35 TBs … maybe
On February 28, 2018, the GitHub's code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack.
The powerful offensive peaked at record 1.35 TBs by exploiting the memcached reflection technique.
The Github website is protected by the anti-DDoS service provided by the firm Akamai that helped it to mitigate the attack and confirmed its impressive magnitude.
"At 17:28 GMT, February 28th, Akamai experienced a 1.3 TBs DDoS attack against one of our customers, a software development company, driven by memcached reflection. This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the botnet and possibly the largest DDoS attack publicly disclosed," reads the analysis published by Akamai.
"Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long."
Researchers at GitHub declared that the attack was originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.
Figure 5 – DDoS attack against Github
"On Wednesday, February 28, 2018, GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack," states an advisory post published by GitHub.
"Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second."
When the attack hit Github, its engineers decided to mitigate it by routing the huge volume of traffic to Akamai service.
"Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai," continues Github.
"Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge."
According to GitHub, the first portion of the attack peaked at 1.35Tbps, while a second part peaked 400Gbps after 18:00 UTC.
Figure 6 - First portion of the attack against GitHub
Github said it plans to expand its edge network and mitigate new attack vectors.
World's largest DDoS attack record broken by a new memcached DDoS attack
Experts at Arbor Networks reported that earlier this month a US service provider suffered a 1.7Tbps DDoS attack. The service provider was able to repel the attack thanks to adequate countermeasures, but we can consider it an exception because a so huge volume of traffic can take off the majority of websites online. The anti-DDoS firm confirmed that also in this case attackers exploited unsecured memcached database servers to amplify attacks.
ATLAS observed the previous record DDoS attack in 2016; it was a 650Gbps attack towards a target in Brazil.
Unfortunately, the availability online of unsecured memcached servers will allow threat actors to power similar attacks in the future.
"While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit," continues the post published by Arbor Networks.
"It is critically important for companies to take the necessary steps to protect themselves."
memcached DDoS attacks drive RDoS extortion practice
In the wake of the recent memcached DDoS attack against Github, cybercriminals already started to blackmail companies asking for a ransom demand in Monero to avoid being attacked.
Researchers from Akamai, observed crooks gaining access to memcached servers and leaving short messages inside these packets instead involving them in DDoS attacks.
"memcached has become the new kid on the block in the DDoS world, with widespread and rapid adoption by attackers pushing attacks of all sizes across organizations and industries. As with most powerful attacks, it didn't take long for attackers to come up with ways to turn the threat into a business opportunity," reads the analysis published by Akamai.
"If you look closely, you can see that buried in that attack traffic appears to be an extortion attempt. The attackers insist that the victim pay 50 ($16,000+) Monero (XMR) to the wallet address they've so graciously included. This appears to be in line with similar tactics used with extortion emails. Multiple targets are sent the same message in hopes that any of them will pay the ransom."
Figure 7 - Ransom request left on memcached server
One of the extortion attempts monitored by Akamai was conducted by a gang that is asking victims to pay 50 Monero (roughly $17,200), the attackers drop payloads onto the memcached server they intend to target.
"While most attackers are filling these records with junk, it appears these attackers have decided to load up their payloads with payment amount and wallet address information in the hopes of duping desperate victims into forking over their cold hard crypto-cash," continues the post.
This form of extortion is dubbed ransom DDoS (RDoS), it first appeared in the threat landscape in 2015 with the criminal gang called DD4BC. The group was sending send emails to many companies, threatening to launch DDoS attacks unless they paid a ransom fee.
The DD4BC gang carried out at least 114 DDoS attacks with an average peak bandwidth of around 13.34 Gbps on its customers since April 2015.
The group attempted to extort money from financial companies and other business by threatening to hit them with DDoS attacks that could interfere with their operations.
In one case, the DDoS attack flooded the target with over 56.2 Gbps of traffic, in June 2015 they powered at least 8 DDoS attacks that had peak bandwidths of more than 23 Gbps.
The DD4BC group targeted Financial services in 58 percent of the DDoS attacks, banks and credit unions in 35 percent of the attacks, currency exchanges in 13 percent while the rest were payment processing firms.
The group was dismantled by authorities, some members were arrested, but other members continued the offensives under different names such as Armada Collective and XMR Squad.
Back to the present, researchers consider the availability of unsecured memcached servers a serious threat could be exploited attacker to launch powerful attacks.
"If a victim were to deposit the requested amount into the wallet, we doubt the attackers would even know which victim the payment originated from, let alone stop their attacks as a result. Even if they could identify who'd sent the payment, we doubt they'd cease attacking their victim as it was never really about the money anyways," concluded Akamai.
The RDoS observed by the researchers demonstrate that cybercrime always attempts to monetize any opportunity, the media coverage of the attack against GitHub and the memcached reflection technique are creating the good conditions to earn money without risks.
Two PoC exploits for memcached DDoS attacks have been released online
At the time of writing, two distinct proofs-of-concept (PoC) attack code for memcached amplification technique have been released online. This is very dangerous because anyone can use them to launch memcached DDoS attacks
One of PoC code exploits is written in Python scripting language and relies on the Shodan search engine API to obtain an updated a list of vulnerable memcached servers and then involve them in memcached DDoS attacks.
The second exploit code is written in C programming and uses a pre-compiled list of vulnerable memcached servers. The author also published the file memecache-amp-03-05-2018-rd.list that is a list of vulnerable memcached servers as of 03-05-2018.
A Kill Switch for memcached DDoS attacks
While two PoC exploits for memcached DDoS attacks have been released online, experts at security firm Corero Network announced they have discovered a 'kill switch' to address the memcached vulnerability.
The firm revealed that the exploitation of the issue in memcached servers could also allow attackers to modify or steal data from (i.e., including confidential database records, website customer information, emails, API data, Hadoop information and more.).
The most interesting discovery made by the researchers is the kill switch, the company reported it to national security agencies.
"Corero Network Security has today disclosed the existence of a practical "kill switch" countermeasure for the memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded, to national security agencies," reads the announcement published by Corero Network Security.
"At the same time, the company has revealed that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable memcached servers."
According to the experts, there are currently over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the internet, an army of machines that could be involved in memcached DDoS attacks.
"Ironically, the memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes," said Ashley Stephenson.
With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.
Corero researchers pointed out that the memcached protocol was designed to be used without logins or passwords, the attacker can trigger the vulnerability to "modify the data and reinsert it into the cache."
The "flush_all" countermeasure invalidates a vulnerable server's cache, including the large, potentially malicious payload planted there by attackers; it is effective in any attack scenario.
The 'kill switch' discovered by Corero would allow sending a command back to an attacking server to halt the DDoS attack, no side effects have been observed.
DDoS attacks abusing memcached servers are possible because organizations operating them fail in implementing basic security practices.
Unfortunately, threat actors in the wild will abuse misconfigured memcached servers in future attacks because many of them are still exposed on the Internet.
Cloudflare recommends disabling UDP support unless it is needed and isolating memcached servers from the Internet. Internet service providers must fix vulnerable protocols and prevent IP spoofing.
"Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we'll be in trouble," concluded Cloudflare.
"Developers – Please please please: Stop using UDP. If you must, please don't enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor."