Sayers Blog

github-ddos-attack-20150331.jpg

Did you order all these large packets?

This week GitHub became the victim of the largest DDOS attack ever recorded due to a new amplification attack being observed in the wild.  This attack, which did not require building a botnet or compromising any servers, was able to generate 1.35TBps of data against the target.  It leveraged UDP responses from memcached servers exposed to the internet to turn small network packets into large ones.

An amplification attack is possible where a request’s source can be spoofed and the request packets are smaller than the responses.  It is common for UDP traffic to be used in an amplification attacks and this has been seen in the past with services such as DNS and NTP.  In this latest attack, the size of the response packets that could be generated were large enough to provide great ammo for the attacker. 

Memcached is a distributed memory caching system used to speed up dynamic database-driven websites.  It was built to be used on the internal network, but a large number of servers have been discovered on the open web.  The server can respond on UDP and allow up to 1MB responses.  It has been seen in practice where a 15 byte request to a memcached server could result in a 750kB response which is a 51,200x amplification.  The attacker’s pebble becomes a boulder for the target.

In this case it was good to see GitHub able to call in support and mitigate this largest ever DDoS, but its size will have others looking for servers to harness in future attacks.  As long as there are memcached UDP services exposed to the web, this will be an attractive DDoS method that needs that outside support to withstand.

 

Additional Sources:

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/?comments=1

Network Visibility and Risk Assessment Service