Clavister Blog Staff

Memcrashed? Meeting the growing DDoS threat


In late February, code hosting platform GitHub fell victim to the largest DDoS attack yet recorded. The platform, used by upwards of 4.5 million developers every day, was hit by a staggering 1.35 terabits of traffic per second, which took it offline temporarily.

Botnets tend to be involved in such large-scale attacks. Indeed, when Dyn DNS fell victim to the second-largest DDoS attack on record in October 2016, tens of millions of IP addresses associated with the Mirai botnet were part of the attack.

But this latest attack on GitHub did not involve botnets: the perpetrators used a new technique to launch the mega-scale attack. They targeted servers running Memcached, free and open-source software that is often used to speed up dynamic database-driven websites. Memcached caches data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read.

Unfortunately, the way Memcached works enables it to be exploited for massively amplified attacks: a simple request of just 15 bytes can trigger a 750-kilobyte response, which is sent to the spoofed IP address in the request, that is, to the victim.

Despite the unprecedented volume of traffic hitting it, GitHub escaped with only a temporary outage of just 10 minutes. The site was quickly back up and running thanks to its dedicated anti-DDoS defences, but it could have been much worse.

Still, the attack is another worrying sign that DDoS attack volumes are escalating. Kaspersky Lab’s recent IT Security Risks Survey 2017, which polled over 5,000 businesses in 29 countries, found that the cost to enterprises of reacting to a DDoS attack had increased by over half a million dollars, from $1.6 million in 2016 to $2.3 million in 2017 on average per attack.

When asked about the specific consequences of a DDoS attack, the largest group of organizations (33%) said that the cost incurred in fighting the attack and restoring services was the main burden, while 25% cited money spent investing in an offline or back-up system while online services were unavailable.

The research also found that the attack rate is accelerating, with 33% of organizations facing a DDoS attack in 2017, compared to 17% in 2016. Even so, the report found that organizations are undereducated about taking steps to protect themselves. For instance, they often expect third parties such as ISPs to protect their businesses.

The simple fact is, every organization has to take responsibility for defending itself against DDoS attacks. This means using the basics of DDoS mitigation, including bandwidth management, load balancing and intelligent network segmentation across its infrastructure. Organizations should also consider using external defensive services such as data scrubbing, as GitHub did, which enabled it to quickly switch off the DDoS attack traffic.

They can also protect themselves against the Memcached attack vector with these three simple steps:

  1. Place all Memcached servers behind a firewall, to protect them against exposure to the wider Internet
  2. Block all access from the Internet to port 11211 on every perimeter firewall
  3. Disable UDP for all servers using Memcached
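
A configuration check for steps 1 and 3, added here as an example and not taken from the original post: it reads a Debian-style `memcached.conf` (one short option per line, an assumption about the file layout) and reports whether UDP is disabled with `-U 0` and whether the `-l` listen address is restricted. The function names and the sample configurations are constructed for illustration.

```python
import ipaddress

def parse_options(conf_text):
    """Collect option -> value from a memcached.conf-style file."""
    opts = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if parts:
            opts[parts[0]] = parts[1] if len(parts) > 1 else ""
    return opts

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or host:port form: treat as not verified

def audit(conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    opts = parse_options(conf_text)
    findings = []
    # Step 3: UDP must be switched off explicitly. Older memcached releases
    # listen on UDP by default, so a missing -U is reported as well.
    udp = opts.get("-U")
    if udp is None:
        findings.append("UDP port not set: add '-U 0' to disable UDP")
    elif udp != "0":
        findings.append(f"UDP enabled on port {udp}: set '-U 0'")
    # Step 1: without -l, memcached listens on every interface.
    listen = opts.get("-l")
    if listen is None:
        findings.append("no -l option: memcached listens on all interfaces")
    else:
        exposed = [a.strip() for a in listen.split(",") if not is_loopback(a.strip())]
        if exposed:
            findings.append("listens on non-loopback address(es): "
                            + ", ".join(exposed) + " (confirm port 11211 is firewalled)")
    return findings

# Constructed sample configurations (not taken from any real host).
EXPOSED = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n"
HARDENED = "# web tier cache\n-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf) or "OK")
```

A server that must listen on an internal address will still be flagged by the second check; that finding is a prompt to verify the firewall rules from steps 1 and 2, not proof of exposure.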

Of course, threat actors try to stay one step ahead of organizations to maximise the possibility that their attack will make an impact on the intended victim. But with a solid anti-DDoS defensive strategy, you can keep pace with attackers and protect your business against this growing threat.