The largest distributed denial of service attack on record was observed Wednesday and targeted GitHub. The DDoS attack measured 1.3 Tbps of sustained traffic for eight minutes. That shattered the previous publicly recorded DDoS record, an attack associated with the Mirai botnet in September 2016 that maxed out at half the intensity (620 Gbps).
Wednesday’s attack is attributed to a form of DDoS attack called a memcached amplification technique.
In a memcached amplification attack, adversaries send a small UDP-based request to a memcached server. The packets are spoofed to appear as if they were sent from the intended target of the DDoS attack. The memcached server then sends the spoofed target a massively disproportionate response.
Memcached servers are a type of server used to bolster responsiveness of database-driven websites by improving the memory caching system.
“Memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response,” explained Akamai, which helped GitHub fend off Wednesday’s DDoS attack. “Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long,” wrote the Akamai SIRT Alerts team.
The day before the attack on GitHub, Akamai, Arbor Networks and Cloudflare each said they had observed an uptick in attacks using the memcached technique. Each attributed the rise of these attacks to an estimated 88,000 misconfigured memcached servers accessible via the public internet that could easily be recruited in future attacks.
“This massive DDoS attack was possible because organizations operating memcached servers failed to implement some very basic security practices,” said Sammy Migues, principal scientist at Synopsys. “Unless the unwitting operators of these memcached servers take corrective action, it is inevitable that other ill-equipped targets will fall victim to similar DDoS attacks and suffer a much longer outage.”
According to researchers from Cloudflare, memcached servers' support for UDP (User Datagram Protocol), an alternative communications protocol to Transmission Control Protocol, is also problematic.
“The (UDP) protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge,” Cloudflare researchers noted in a post earlier this week.
“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly. Additionally, as lists of usable reflectors are compiled by attackers, this attack method’s impact has the potential to grow significantly,” Akamai noted.
Unlike the Mirai botnet DDoS attacks against DNS provider Dyn, which caused a massive disruption of services such as Twitter, Spotify and PayPal and knocked the Krebs on Security website offline, this week's attack had minimal impact on GitHub. “GitHub was commendably prepared to survive an attack much larger than this,” Migues said.
GitHub detailed the attack in a statement: “Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35 Tbps via 126.9 million packets per second.”
According to Akamai, the company was able to mitigate the attack by filtering all traffic sourced from UDP port 11211, the default port used by memcached.
“Given the increase in inbound transit bandwidth to over 100 Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity,” noted GitHub.
Mitigation, according to experts, includes configuring memcached servers to operate behind a firewall and turning off support for UDP.
“On a more macro level, ISPs need to block spoofed packets from exiting their networks, and protocol developers need to better understand velocity checking and amplification attacks,” Migues said.
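The server-side mitigation described above (memcached bound away from the public internet, UDP support turned off) can be checked mechanically against a server's startup options. The following is an added example, not code from the article or from any of the companies quoted: it assumes memcached's `-U`/`--udp-port` and `-l`/`--listen` options, the function names are hypothetical, the sample configurations are constructed, and treating a missing `-U` as a finding is a conservative assumption because the default depends on the memcached version.

```python
import ipaddress
import shlex

def parse_memcached_args(text):
    """Return (udp_port, listen_addrs) from memcached options; '#' comments are ignored."""
    tokens = shlex.split(text, comments=True)
    udp_port, listen = None, []   # None means -U was never given
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-U", "-l") and i + 1 < len(tokens):
            key, val = tok, tokens[i + 1]
            i += 1
        elif tok.startswith("--udp-port="):
            key, val = "-U", tok.split("=", 1)[1]
        elif tok.startswith("--listen="):
            key, val = "-l", tok.split("=", 1)[1]
        elif tok[:2] in ("-U", "-l") and len(tok) > 2:   # attached form, e.g. -U0
            key, val = tok[:2], tok[2:]
        else:
            i += 1
            continue
        if key == "-U":
            udp_port = int(val)
        else:
            listen.extend(a.strip() for a in val.split(",") if a.strip())
        i += 1
    return udp_port, listen

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False   # hostname or host:port form: assume reachable, review by hand

def audit(text):
    """List deviations from the two mitigations: UDP off, not listening beyond loopback."""
    udp_port, listen = parse_memcached_args(text)
    findings = []
    if udp_port is None:
        findings.append("UDP not explicitly disabled: add '-U 0'")
    elif udp_port != 0:
        findings.append(f"UDP listener enabled on port {udp_port}: set '-U 0'")
    exposed = [a for a in listen if not is_loopback(a)] if listen else ["<all interfaces>"]
    if exposed:
        findings.append("listens beyond loopback (" + ", ".join(exposed) + "): restrict -l or firewall it")
    return findings

# Constructed sample configurations, one option set per entry.
SAMPLES = {
    "default-install": "-m 64\n-p 11211\n-u memcache\n",
    "udp-left-on": "-m 64 -p 11211 -U 11211 -l 127.0.0.1",
    "hardened": "# constructed sample\n-m 64\n-p 11211\n-U 0\n-l 127.0.0.1,::1\n",
}
```

A server that must accept connections from other hosts will still be reported as listening beyond loopback; for such a server that finding is the prompt to confirm a firewall restricts who can reach it.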